Site-to-Site VPN with Router as CA

I'm trying to set up a Site-to-Site VPN between two Cisco routers, with one of them (a 1812) acting as Certification Authority. The certificate enrollment seems to work so far, but when I configure the Virtual Tunnel Interfaces I get the following error message:

"%CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 10.10.66.69 is missing"

Why should a pre-shared key be missing, as I have configured rsa-sig as the authentication method?

In addition debugging on the CA-Router delivers this message: "CRYPTO_PKI: Found a issuer match %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.10.66.23 is bad: CA request failed"

show crypto session leads to this result:

    Interface: Tunnel1
    Session status: DOWN-NEGOTIATING
    Peer: 10.10.66.23 port 500
      IKE SA: local 10.10.66.69/500 remote 10.10.66.23/500 Inactive
      IKE SA: local 10.10.66.69/500 remote 10.10.66.23/500 Inactive
      IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
            Active SAs: 0, origin: crypto map

Here are the relevant parts of the configurations.

CA-Router:

    crypto pki server Cisco1800
     issuer-name CN = test.de
     lifetime certificate 6

    crypto pki trustpoint Cisco1800
     revocation-check crl
     rsakeypair Cisco1800

    ip domain name test.de

    crypto isakmp policy 5
     encr aes 256
     group 2
     lifetime 28800

    crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile VPNprof
     set transform-set VPN

    interface Tunnel1
     ip address 192.168.2.2 255.255.255.0
     tunnel source FastEthernet1
     tunnel destination 10.10.66.23
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile VPNprof

Remote-Router:

    crypto pki trustpoint Cisco1800
     enrollment url http://Cisco1800:80
     revocation-check crl

    crypto isakmp policy 1
     encr aes 256
     group 2
     lifetime 28800

    crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
    !
    crypto ipsec profile VPNprof
     set transform-set VPN

    interface Tunnel1
     ip address 192.168.1.1 255.255.255.0
     tunnel source 10.10.66.23
     tunnel mode ipsec ipv4
     tunnel destination 10.10.66.69
     tunnel protection ipsec profile VPNprof

sh crypto pki certificate on CA-Router:

    CA Certificate
      Status: Available
      Certificate Serial Number: 0x1
      Certificate Usage: Signature
      Issuer:
        cn=test.de
      Subject:
        cn=test.de
      Validity Date:
        start date: 11:14:52 CET Jun 15 2010
        end   date: 11:14:52 CET Jun 14 2013
      Associated Trustpoints: Cisco1800

sh crypto pki certificate on remote-router:

    Certificate
      Status: Available
      Certificate Serial Number (hex): 03
      Certificate Usage: General Purpose
      Issuer:
        cn=test.de
      Subject:
        Name: RTRA.test.de
        hostname=RTRA.test.de
      Validity Date:
        start date: 13:52:41 CET Jun 15 2010
        end   date: 13:52:41 CET Jun 21 2010
      Associated Trustpoints: Cisco1800

    CA Certificate
      Status: Available
      Certificate Serial Number (hex): 01
      Certificate Usage: Signature
      Issuer:
        cn=test.de
      Subject:
        cn=test.de
      Validity Date:
        start date: 11:14:52 CET Jun 15 2010
        end   date: 11:14:52 CET Jun 14 2013
      Associated Trustpoints: Cisco1800

Martin Jendritza
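A defender-side sanity check on the certificate output quoted in the post, as an added Python example (not part of the original post, and not a Cisco tool): it parses the remote router's `show crypto pki certificate` blocks, confirms the identity certificate chains to the CA certificate held in the same trustpoint, checks validity at a given time, and flags the short lifetime that `lifetime certificate 6` produces. The sample text is constructed from the values in the post and trimmed to the fields the parser uses; `ios_date`, `parse_certs` and `check_chain` are names chosen here.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in IOS's indented layout: the post's remote-router values, trimmed to the fields used.
SAMPLE = """
Certificate
  Issuer:
    cn=test.de
  Subject:
    hostname=RTRA.test.de
    start date: 13:52:41 CET Jun 15 2010
    end   date: 13:52:41 CET Jun 21 2010
CA Certificate
  Issuer:
    cn=test.de
  Subject:
    cn=test.de
    start date: 11:14:52 CET Jun 15 2010
    end   date: 11:14:52 CET Jun 14 2013
"""
def ios_date(s):
    # "HH:MM:SS ZONE Mon DD YYYY" as IOS prints it; the zone name is dropped (naive time).
    t, mdy = re.match(r"\s*(\d\d:\d\d:\d\d) \S+ (\w{3}\s+\d+ \d{4})", s).groups()
    return datetime.strptime(f"{t} {mdy}", "%H:%M:%S %b %d %Y")

def parse_certs(text):
    certs, cur, section = [], None, None
    for s in map(str.strip, text.splitlines()):
        if s in ("Certificate", "CA Certificate"):  # header line of a new block
            certs.append(cur := {"ca": s.startswith("CA"), "issuer": [], "subject": []})
            section = None
        elif s in ("Issuer:", "Subject:"):  # indented attribute lines follow
            section = s[:-1].lower()
        elif m := re.match(r"(start|end)\s+date:(.*)", s):
            cur[m[1]] = ios_date(m[2])
        elif section and "=" in s:
            cur[section].append(s)
    return certs

def check_chain(certs, now):
    # Before blaming IKE: chain each ID cert to a CA cert in the trustpoint, check validity at `now`, flag short lifetimes.
    out, cas = [], {tuple(c["subject"]) for c in certs if c["ca"]}
    for c in certs:
        tag = c["subject"][0]
        if not c["start"] <= now <= c["end"]:
            out.append(f"{tag}: not valid at {now:%Y-%m-%d %H:%M} (ends {c['end']:%b %d %Y})")
        if not c["ca"] and tuple(c["issuer"]) not in cas:
            out.append(f"{tag}: issuer {c['issuer']} has no CA certificate in this trustpoint")
        if not c["ca"] and (life := c["end"] - c["start"]) <= timedelta(days=7):
            out.append(f"{tag}: lifetime is only {life.days} days, re-enrollment is due soon")
    return out
```

On a real router, paste the full `show crypto pki certificate` output in place of SAMPLE; lines the parser does not recognise (Status, Serial Number, Usage, Associated Trustpoints) are ignored.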
