05-21-2022 11:21 PM
Hi
Any ideas what's causing this, please? I have recently added a new cert on the other end of the tunnel RTR.
.May 21 16:48:11.108: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0x4E128779(1309837177), srcaddr=X.X.X.X, input interface=Dialer1
.May 21 16:48:31.577: %IKEV2-5-OSAL_INITIATE_TUNNEL: Received request to establish an IPsec tunnel; local traffic selector = Address Range: 0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535 ; remote traffic selector = Address Range:0.0.0.0-255.255.255.255 Protocol: 256 Port Range: 0-65535
.May 21 16:48:31.725: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to locate an item in the database
05-23-2022 01:01 PM
Hi
Couple of things
Do I have to generate a new RSA key pair every time I go through the CSR, or can I still use the existing keys?
Also, I have just noticed that the router which I enrolled for a new cert has 1024-bit keys for its identity cert, whereas the other routers that work are 2048 bits. Could this cause issues?
Appreciated.
05-23-2022 01:08 PM
@benolyndav No, you do not need to recreate the RSA key; you can just run "enroll". Use 2048-bit.
Did you actually receive a new certificate?
Run "show crypto pki certificates" to confirm if you have a new identity cert.
Check your trustpoint isn't doing a CRL check; if it is, make sure the CRL server is accessible, otherwise it will fail.
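As an added example (not the poster's or the respondent's configuration), the IOS CLI sequence behind the reply above: generate a labelled 2048-bit RSA keypair, bind it to the trustpoint with `rsakeypair`, re-enroll against that same keypair, and verify the resulting identity certificate. The trustpoint name MY-CA, the key label IKEV2-KEY, the CA URL and the subject name are placeholders, not values from this thread.

```ios
! Generate a 2048-bit RSA keypair with an explicit label so the trustpoint can reference it.
! (Hypothetical label; any label works as long as the trustpoint's rsakeypair matches it.)
crypto key generate rsa general-keys label IKEV2-KEY modulus 2048
!
crypto pki trustpoint MY-CA
 ! Hypothetical CA URL and subject name.
 enrollment url http://ca.example.com:80
 subject-name CN=rtr1.example.com
 ! This is where the key length is stipulated: label first, then the modulus size.
 rsakeypair IKEV2-KEY 2048
 ! CRL checking is the production setting; the CDP must be reachable or validation fails.
 revocation-check crl
!
! Import the CA certificate if it is not already installed, then (re-)enroll.
! Re-enrolling reuses the keypair named above; no new keypair is needed for each CSR.
crypto pki authenticate MY-CA
crypto pki enroll MY-CA
!
! Verify: the keypair modulus and the new identity certificate.
show crypto key mypubkey rsa
show crypto pki certificates verbose MY-CA
```

If the CRL distribution point is not reachable from the router, `revocation-check none` isolates the fault by taking revocation out of the picture, but it should be restored to `crl` once the CDP is reachable, since it otherwise accepts revoked peer certificates. If the trustpoint already existed with a 1024-bit keypair, generating the new labelled keypair and updating `rsakeypair` before re-enrolling is what moves the identity certificate to 2048 bits.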
05-23-2022 01:21 PM
Hi
Yes, when I run "show crypto pki certs v" I see the cert, which is 1024 bits. How do I stipulate the key length? I see where I can stipulate the keys but not the length.
Thanks
05-23-2022 01:23 PM
05-23-2022 01:56 PM
Hi
Yes, I created new keys; now I'm getting the below:
May 23 20:55:11.307: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
May 23 20:55:18.972: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
May 23 20:55:18.996: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Failed to receive the AUTH msg before the timer expired
05-23-2022 02:06 PM
@benolyndav Authentication is still failing; please provide the configuration of both devices and the output of "show crypto pki certificates" from both devices.
05-23-2022 02:08 PM
Yes, you can hide the public IP and share the config.