Problems with new VPN setup with rsa-sig

nathanchoate
Level 1

Greetings,

I am setting up my first VPN with digital certificates on a Cisco ISR 2851 running IOS 12.4(3d). I got the shared-key to work. I have successfully imported, with cut and paste from SDM, the CA's key and the router's key, and the import went without error. When I test the connection I get this error. I thought when digital certificates were used, a preshared key was not needed?

Also, I found a link to an SDM example configuration with "cut n paste" in another post, but it's a dead one. Anyone know where I can get to it now?

5. Cut-n-Paste Style Certificate Enrollment to a Cisco IOS CA Configuration Example

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a008021568b.shtml

Test Activity Summary

Activity Status

Checking interface status... Successful

Checking the configuration... Failed

Test Activity Details

Activity Status

Checking interface status... Successful

Interface :ATM1/0.101

Interface physical status :Up

Line protocol status :Up

Checking the configuration... Failed

Checking IPSec

Dynamic IPSec policy name : SDM_DYNMAP_1

Mode configuration : Configured

User authentication Configured

IPSec configuration status : Valid

Checking IKE

IKE Policies : Configured

Policies with RSA signature authentication method : Configured

Digital certificate(s) : Not configured

IKE configuration status : Invalid

Checking AAA

AAA status : Enabled

AAA authorization : Configured

AAA authentication : Configured

Checking Local Group Policies

Global address pool : Not configured

Group Name : group1

Key : Not configured

Local address Pool : Configured

Troubleshooting Results: Failure Reason(s) / Recommended Action(s)

There are IKE policies configured with RSA signature authentication method but there is no digital certificate configured on this router. If the other end VPN device is configured with a digital certificate then this router must be configured with a valid digital certificate. To configure a digital certificate go to 'Configure->VPN->VPN Components->Public Key Infrastructure->Certificate Wizards'.

Group policy group1 does not have a configured key. Group policies must be configured with a Pre-Shared key because this router does not have a configured digital certificate. Go to Configure->VPN->Easy VPN Server->VPN Components->Group Policies. Select the group policy group1 and add a key.

3 Replies

nathanchoate
Level 1

Update...

In relation to:

"Group policy group1 does not have a configured key. Group policies must be configured with a Pre-Shared key because this router does not have a configured digital certificate. Go to Configure->VPN->Easy VPN Server->VPN Components->Group Policies. Select the group policy group1 and add a key."

Perhaps I have some confusion about the preshared key in the group policy. As I read the docs, the pre-shared key is not required for digital certificates. My group1 policy is not checked for preshared. Do I still need to set a preshared key even with rsa-sig?

In relation to:

"Digital certificate(s) : Not configured "

There are digital certs on the router... Is there some place to point IKE to one of these?

I got it. I thought the router key was imported; I started over and got it to go!
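The SDM "Checking IKE" failure in this thread, recreated as an added Python example (not code from the thread, SDM or Cisco): it parses a constructed IOS running-config fragment and reports an rsa-sig IKE policy whose trustpoint holds only the CA certificate, the situation the last reply describes. The trustpoint name SDM_TP, pool name SDM_POOL_1 and the certificate serials are assumptions.

```python
# Constructed sample (not the poster's config): the CA cert was pasted into trustpoint
# SDM_TP but the router's own cert was not, an IKE policy uses rsa-sig, and group1 has no key.
SAMPLE_CONFIG = """
crypto pki trustpoint SDM_TP
 enrollment terminal
crypto pki certificate chain SDM_TP
 certificate ca 01
  3082...CA_CERT_HEX_PLACEHOLDER
  quit
!
crypto isakmp policy 1
 authentication rsa-sig
crypto isakmp client configuration group group1
 pool SDM_POOL_1
"""
def parse_blocks(config):
    """Split IOS config text into (header line, [indented child lines]) pairs."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks
def uses_rsa_sig(children):
    # 'show running-config' omits 'authentication rsa-sig' because it is the IOS
    # default, so a policy with no authentication line is an rsa-sig policy too.
    auth = [c for c in children if c.startswith("authentication ")]
    return not auth or "authentication rsa-sig" in auth
def check_rsa_sig_readiness(config):
    """Reproduce the SDM 'Checking IKE' and group-policy checks from the thread."""
    blocks = parse_blocks(config)
    rsa_policies = [h for h, kids in blocks
                    if h.startswith("crypto isakmp policy ") and uses_rsa_sig(kids)]
    # Only a 'certificate <serial>' entry (not 'certificate ca') is the router's own cert.
    has_router_cert = any(h.startswith("crypto pki certificate chain ") and
                          any(k.startswith("certificate ") and not k.startswith("certificate ca ")
                              for k in kids) for h, kids in blocks)
    findings = []
    if rsa_policies and not has_router_cert:
        findings.append("rsa-sig policy but no router certificate: " + ", ".join(rsa_policies))
    for h, kids in blocks:
        if (h.startswith("crypto isakmp client configuration group ") and not has_router_cert
                and not any(k.startswith("key ") for k in kids)):
            findings.append(f"group {h.split()[-1]} has no pre-shared key and no certificate")
    return findings
```

Run it over a saved `show running-config`; the check passes once the trustpoint's certificate chain also contains a `certificate <serial>` entry for the router itself, which is what the poster's re-import added.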