11-17-2008 09:06 PM - edited 02-21-2020 04:02 PM
Hi everyone,
I am having troubles with authenticating both peers with use of RSA certificates.
The error message I get is:
%CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed
The "Cisco IOS 12.3 T CRYPTO Messages" guide says the following:
Explanation: A public key or private key query attempt that used a subject name has failed.
Recommended Action: Check the subject name in the certificate.
I am not sure how to troubleshoot it then. On both routers I have subject names as the names of the RSA public key.
Thanks for all your suggestions.
Remy
11-24-2008 07:29 AM
Make sure that the subject name on both the devices is the same, as a mismatch in the subject name may cause this error. Also, the subject name should be the same as that of the certificate. Also, the keys used should be identical. In many cases, a simple typo can be to blame when an IPsec VPN tunnel does not come up. For example, on the security appliance, pre-shared keys become hidden once they are entered. This obfuscation makes it impossible to see if a key is incorrect. Be certain that you have entered any pre-shared keys correctly on each VPN endpoint. Re-enter a key to be certain that it is correct. Also check the configuration again, as any error in configuration can cause this error.
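To make the checks in the reply above concrete, here is an added illustration (not configuration from either poster) of a minimal IOS trustpoint setup showing where the requested subject name and the RSA key-pair label are bound together, followed by the show commands used to compare the key label with the certificate subject. The trustpoint name, key label, CA URL and subject name are placeholders; older 12.3 images use `crypto ca` in place of `crypto pki`.

```cisco
! Generate the RSA key pair; the label is what the trustpoint refers to
crypto key generate rsa general-keys label VPNKEY modulus 2048
!
! The trustpoint binds the subject name sent in the enrollment request
! to the key pair above. Both values are placeholders.
crypto pki trustpoint VPNCA
 enrollment url http://ca.example.test:80
 subject-name CN=router1.example.test,O=Example
 rsakeypair VPNKEY
 revocation-check none
!
! IKE policy using certificate (RSA signature) authentication
crypto isakmp policy 10
 encr aes
 hash sha
 authentication rsa-sig
 group 2
!
! Exec mode: obtain the CA certificate, then request the router certificate
crypto pki authenticate VPNCA
crypto pki enroll VPNCA
!
! Verification: the key label listed here must be the one named under
! rsakeypair, and the certificate subject must match the subject-name line
show crypto key mypubkey rsa
show crypto pki certificates VPNCA
show crypto pki trustpoints
```

Repeat the comparison on the second peer; a key label or subject that differs from what the certificate carries is the mismatch the reply describes.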
11-24-2008 01:19 PM
Thanks for the advice. I will check these and get back to you.
You know, I can't find anywhere whether the CA must be accessible to the VPN peers authenticating via certs at all times? I understand once you enrolled for a certificate to the CA and once you authenticated it, the peers don't need to contact the CA. Is that the case?
Thanks.