VPN Error

benolyndav
Level 4

Hi

Any ideas what's causing this, please? I have recently added a new cert on the other end of the tunnel RTR.

 

.May 21 16:48:11.108: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0x4E128779(1309837177), srcaddr=X.X.X.X, input interface=Dialer1

 

.May 21 16:48:31.577: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range:0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535

 

.May 21 16:48:31.725: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to locate an item in the database


Hi

Couple of things:

Do I have to generate a new RSA key pair every time I go through the CSR, or can I still use the existing keys?

 

Also, I have just noticed that the router which I enrolled for a new cert has a 1024-bit key for its identity cert, whereas the other routers that work have 2048-bit keys. Could this cause issues?

 

Appreciated.

@benolyndav No, you do not need to recreate the RSA key; you can just run "enroll". Use 2048-bit.

Did you actually receive a new certificate?

Run "show crypto pki certificates" to confirm if you have a new identity cert.

Check that your trustpoint isn't doing a CRL check; if it is, make sure the CRL server is accessible, otherwise it will fail.

Hi

Yes, when I run show crypto pki certs v I see the cert, which is 1024 bits. How do I stipulate the key length? I see where I can stipulate the keys but not the length.

Thanks

@benolyndav here is an example:

crypto key generate rsa modulus 2048 label VPN_KEY
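Putting the advice from the two replies above together (re-enrol with the existing key rather than regenerating it, move to a 2048-bit modulus, confirm the new identity cert with "show crypto pki certificates", and check the trustpoint's CRL setting), here is an added IOS configuration walk-through. It is an illustrative example, not configuration from the original posts or from either router in the thread; the trustpoint name VPN_CA, the CA URL, the hostnames/domain and the profile name IKEV2-PROF are assumed placeholders, and the key label VPN_KEY is taken from the command above.

```cisco
! Added example; names marked below are assumptions, not from the thread.
! 1. Generate the 2048-bit key once, with a label so it is not the router's default key.
crypto key generate rsa modulus 2048 label VPN_KEY
!
! 2. Bind the trustpoint (assumed name VPN_CA) to that key. Without "rsakeypair",
!    enrolment signs the CSR with the default key, which can still be the old 1024-bit one.
crypto pki trustpoint VPN_CA
 enrollment url http://ca.example.com:80
 subject-name CN=rtr1.example.com
 rsakeypair VPN_KEY
 ! "crl" alone makes authentication fail when the CRL cannot be fetched;
 ! "crl none" falls back to no revocation check if the CDP is unreachable.
 revocation-check crl none
!
! 3. Import the CA certificate (skip if already present), then enrol.
!    Re-running "enroll" on a trustpoint that already has a certificate reuses
!    the same key pair and only sends a new CSR; the key is not regenerated.
crypto pki authenticate VPN_CA
crypto pki enroll VPN_CA
!
! 4. Reference the trustpoint from the IKEv2 profile on BOTH routers (assumed names).
crypto ikev2 profile IKEV2-PROF
 match identity remote fqdn domain example.com
 identity local fqdn rtr1.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint VPN_CA
!
! 5. Verify: key size under the label, key size and validity of the identity cert,
!    revocation settings of the trustpoint, and the resulting IKEv2 SA.
show crypto key mypubkey rsa VPN_KEY
show crypto pki certificates verbose VPN_CA
show crypto pki trustpoints VPN_CA
show crypto ikev2 sa
```

In the verbose certificate output, look for "RSA Public Key: (2048 bit)" under the identity certificate; if it still reads 1024 bit, the trustpoint was not pointed at the new key before enrolling. The peer must also trust the CA that issued the new certificate, so the same check on the other router is worth doing before collecting "debug crypto ikev2" output.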

 

Hi

Yes, I created new keys; now I'm getting the below:

May 23 20:55:11.307: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed

 

May 23 20:55:18.972: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request

 

May 23 20:55:18.996: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired

@benolyndav Authentication is still failing. Please provide the configuration of both devices and the output of "show crypto pki certificates" from both devices.

Yes, you can hide the public IP and share the config.