11-10-2006 01:03 PM
Greetings,
I am setting up my first VPN with digital certificates on a Cisco ISR 2851 running IOS 12.4(3d). I got the shared-key to work. I have successfully imported, with cut and paste from SDM, the CA's key and the router's key, and the import went without error. When I test the connection I get this error. I thought when digital certificates were used, a preshared key was not needed?
Also, I found a link to an SDM example configuration with "cut n paste" in another post, but it's a dead one. Does anyone know where I can get to it now?
5. Cut-n-Paste Style Certificate Enrollment to a Cisco IOS CA Configuration Example
Test Activity Summary
Activity Status
Checking interface status... Successful
Checking the configuration... Failed
Test Activity Details
Activity Status
Checking interface status... Successful
Interface :ATM1/0.101
Interface physical status :Up
Line protocol status :Up
Checking the configuration... Failed
Checking IPSec
Dynamic IPSec policy name : SDM_DYNMAP_1
Mode configuration : Configured
User authentication Configured
IPSec configuration status : Valid
Checking IKE
IKE Policies : Configured
Policies with RSA signature authentication method : Configured
Digital certificate(s) : Not configured
IKE configuration status : Invalid
Checking AAA
AAA status : Enabled
AAA authorization : Configured
AAA authentication : Configured
Checking Local Group Policies
Global address pool : Not configured
Group Name : group1
Key : Not configured
Local address Pool : Configured
Troubleshooting Results Failure Reason(s) Recommended Action(s)
There are IKE policies configured with RSA signature authentication method but there is no digital certificate configured on this router. If the other end VPN device is configured with a digital certificate then this router must be configured with a valid digital certificate. To configure a digital certificate go to 'Configure->VPN->VPN Components->Public Key Infrastructure->Certificate Wizards'.
Group policy group1 does not have a configured key. Group policies must be configured with a Pre-Shared key because this router does not have a configured digital certificate. Go to Configure->VPN->Easy VPN Server->VPN Components->Group Policies. Select the group policy group1 and add a key.
11-10-2006 02:11 PM
Update...
in relation to:
"Group policy group1 does not have a configured key. Group policies must be configured with a Pre-Shared key because this router does not have a configured digital certificate. Go to Configure->VPN->Easy VPN Server->VPN Components->Group Policies. Select the group policy group1 and add a key."
Perhaps I have some confusion about the preshared-key in the group policy. As I read the docs, the pre-shared key is not required for digital certificates. My group1 policy is not checked for preshared. Do I still need to set a preshared key even with rsa-sig?
11-10-2006 02:24 PM
in relation to:
"Digital certificate(s) : Not configured "
There are digital certs on the router...is there some place to point IKE to one of these?
11-10-2006 02:50 PM
I got it, I thought the router key was imported, started over and got it to go!
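For reference, this is an added example (not from the poster or from Cisco) of what the certificate-based IKE pieces look like from the IOS CLI, and of the check that tells you whether the router's own certificate actually landed, which is the condition SDM reported as "Digital certificate(s) : Not configured". The trustpoint name MY-CA, key label MY-CA-KEY and the subject name are assumptions.

```text
! --- PKI: trustpoint for cut-and-paste (terminal) enrollment ---
crypto pki trustpoint MY-CA
 enrollment terminal pem          ! paste certs at the console instead of SCEP
 subject-name CN=router1.example.com
 revocation-check none            ! assumption: no CRL/OCSP reachable in this lab
 rsakeypair MY-CA-KEY
!
! Exec-mode steps (interactive, run in this order):
!   crypto pki authenticate MY-CA        -> paste the CA certificate, end with "quit"
!   crypto pki enroll MY-CA              -> displays the router's CSR to hand to the CA
!   crypto pki import MY-CA certificate  -> paste the signed router certificate
!
! --- IKE phase 1: RSA signatures, so no pre-shared key is involved ---
crypto isakmp policy 10
 encr aes
 authentication rsa-sig
 group 2
!
! --- Easy VPN group policy: with rsa-sig there is no "key" line ---
crypto isakmp client configuration group group1
 pool VPN-POOL
!
! --- Verification: both a "CA Certificate" AND a "Certificate" block ---
! --- must show Status: Available. Only the CA block means the router   ---
! --- cert import did not take, which is what SDM flags.                 ---
!   show crypto pki certificates MY-CA
```

If `show crypto pki certificates` lists only the CA certificate, repeat the enroll/import steps rather than adding a pre-shared key to the group policy.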