cypher.jay
Beginner

Site-to-site Authentication with CA

The lab is set up with Central and Remote enrolling with CA. Both successfully obtained their respective digital cert from the CA. However, both failed during the IKE negotiation. The debug is as below:

%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.1.21 failed its sanity check or is malformed
03:26:09: ISAKMP (0:1): sending packet to 192.168.1.21 my_port 500 peer_port 500 (I) MM_KEY_EXCH
03:26:09: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
03:26:09: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM5
03:26:10: ISAKMP (0:1): received packet from 192.168.1.21 dport 500 sport 500 Global (I) MM_KEY_EXCH
03:26:10: ISAKMP (0:1): Notify has no hash. Rejected.
03:26:10: ISAKMP (0:1): Unknown Input: state = IKE_I_MM5, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
03:26:10: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.1.21

The Central has int s0/0 as the dirty interface with IP 192.168.1.21, while the Remote's int s0/0 connected to the Central is 192.168.1.25.

Thanks in advance.
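As an added triage helper (not from this post or from Cisco), the following Python script parses the debug lines quoted above, flags the backward Main Mode state transition, and reports which exchange the negotiation broke in. The mapping of IKE_I_MM1 to IKE_I_MM6 onto policy, key exchange and authentication stages is assumed from the IKEv1 Main Mode message layout, and the sample input is constructed from the post.

```python
import re

# Constructed sample input: the ISAKMP debug lines quoted in the post above.
DEBUG = """\
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 192.168.1.21 failed its sanity check or is malformed
03:26:09: ISAKMP (0:1): sending packet to 192.168.1.21 my_port 500 peer_port 500 (I) MM_KEY_EXCH
03:26:09: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
03:26:09: ISAKMP (0:1): Old State = IKE_I_MM6 New State = IKE_I_MM5
03:26:10: ISAKMP (0:1): received packet from 192.168.1.21 dport 500 sport 500 Global (I) MM_KEY_EXCH
03:26:10: ISAKMP (0:1): Notify has no hash. Rejected.
03:26:10: ISAKMP (0:1): Unknown Input: state = IKE_I_MM5, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
03:26:10: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.168.1.21
"""

# Initiator Main Mode states in order (assumed mapping): MM1/MM2 negotiate policy, MM3/MM4
# exchange Diffie-Hellman values, MM5/MM6 carry identities plus certificate and signature.
MM_ORDER = ["IKE_I_MM1", "IKE_I_MM2", "IKE_I_MM3", "IKE_I_MM4", "IKE_I_MM5", "IKE_I_MM6"]
STAGE = {"IKE_I_MM1": "policy", "IKE_I_MM2": "policy", "IKE_I_MM3": "key exchange",
         "IKE_I_MM4": "key exchange", "IKE_I_MM5": "authentication", "IKE_I_MM6": "authentication"}
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
PEER_RE = re.compile(r"\b(?:from|to|peer at) (\d{1,3}(?:\.\d{1,3}){3})")
ERROR_MARKERS = ("failed its sanity check", "IKE_PROCESS_ERROR", "Rejected", "IKMP_MODE_FAILURE")

def triage(debug: str) -> dict:
    """Summarise an ISAKMP debug: peers seen, error lines, and where Main Mode broke."""
    peers, errors, regressions = set(), [], []
    for line in debug.splitlines():
        if m := PEER_RE.search(line):
            peers.add(m.group(1))
        if any(marker in line for marker in ERROR_MARKERS):
            errors.append(line.strip())
        if m := STATE_RE.search(line):
            old, new = m.groups()
            # Moving backwards (MM6 -> MM5) means the exchange at 'old' was abandoned.
            if old in MM_ORDER and new in MM_ORDER and MM_ORDER.index(new) < MM_ORDER.index(old):
                regressions.append((old, new))
    # Once keys exist (after MM3/MM4) every informational exchange must carry a HASH
    # payload; an unauthenticated notify is correctly discarded rather than acted upon.
    return {
        "peers": sorted(peers),
        "failed_stage": STAGE.get(regressions[0][0], "unknown") if regressions else "unknown",
        "regressions": regressions,
        "unauthenticated_notify": any("Notify has no hash" in e for e in errors),
        "error_count": len(errors),
    }

if __name__ == "__main__":
    for key, value in triage(DEBUG).items():
        print(f"{key}: {value}")
```

A result of "authentication" for this debug narrows the search to the certificate and signature exchange, which is why clock validity, the trustpoint configuration and the CA chain on both routers are the first things to verify.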

berndtonn
Beginner

Hello,

Did you check the time settings? The certificates contain information about the first and the last point in time at which they are valid. If the VPN endpoints' local times are not within that time frame, the certificates are rejected.

Please let me know if that resolves your issue.

Best regards,

Bernd

Hi,

Yes, I've checked the time settings and ensured that both sides are configured for the same time frame. It may, however, differ by perhaps a few seconds. But overall the certificates are valid. By the way, both routers got their certificates from the same CA.

Thanks in advance!
