need help with IPSec
I am setting up an IPsec tunnel using a 2003 server as the CA.
This is the debug I get; any ideas what the problem could be / what I need to change?
I know the clocks are set OK, so it's not that.
Nov 7 17:06:49.830: ISAKMP0:44:SW:1): processing CERT payload. message ID = 0
Nov 7 17:06:49.830: ISAKMP0:44:SW:1): processing a CT_X509_SIGNATURE cert
Nov 7 17:06:49.830: ISAKMP0:44:SW:1): peer's pubkey isn't cached
Nov 7 17:06:49.838: ISAKMP0:44:SW:1): failed to find usage restriction in ext.
Nov 7 17:06:49.854: ISAKMP0:44:SW:1): OU = Telemetry
Nov 7 17:06:49.894: ISAKMP0:44:SW:1): processing SIG payload. message ID = 0
Nov 7 17:06:49.894: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Nov 7 17:06:49.894: ISAKMP (0:134217772): process_rsa_sig: Querying key pair failed.
Nov 7 17:06:49.894: ISAKMP0:44:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Nov 7 17:06:49.894: ISAKMP0:44:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Nov 7 17:06:49.894: ISAKMP (0:134217772): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Nov 7 17:06:49.894: ISAKMP0:44:SW:1):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Nov 7 17:06:49.894: ISAKMP0:44:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Nov 7 17:06:50.798: ISAKMP0:43:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 7 17:06:50.798: ISAKMP (0:134217771): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Nov 7 17:06:50.798: ISAKMP0:43:SW:1): retransmitting phase 1 MM_KEY_EXCH
Nov 7 17:06:50.798: ISAKMP0:43:SW:1): sending packet to 10.169.1.232 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Nov 7 17:06:50.894: ISAKMP0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH...
Nov 7 17:06:50.894: ISAKMP (0:134217772): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Nov 7 17:06:50.894: ISAKMP0:44:SW:1): retransmitting phase 1 MM_KEY_EXCH
Nov 7 17:06:50.894: ISAKMP0:44:SW:1): sending packet to 10.169.1.232 my_port 500 peer_port 500 (R) MM_KEY_EXCH
Nov 7 17:06:59.858: ISAKMP (0:134217772): received packet from 10.169.1.232 dport 500 sport 500 Global (R) MM_KEY_EXCH
Nov 7 17:06:59.862: ISAKMP0:44:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 7 17:06:59.862: ISAKMP0:44:SW:1):Old State = IKE_R_MM4 New State = IKE_R_MM5
Comments

dtlokee:
Have you already gotten your keys from the CA? Did you install SCEP on the CA?
The only easy day was yesterday!

CraigA:
Yeah, we have. I've managed to get the Cisco router and our remote router (a Westermo router) to both request certificates; they both got their CA certificate and their certificate request signed, but when I try to get the two routers to talk to each other they cannot bring the IPsec tunnel up.
Any more ideas? Any help appreciated.

dtlokee:
Nov 7 17:06:49.894: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Seems to indicate the subject name in the certificate does not match; in this case it looks like you're using "Telemetry".
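As an added example (not code from the thread), a small Python triage script that walks a "debug crypto isakmp" capture like the one above and surfaces the two things dtlokee's diagnosis rests on: the IKMP_QUERY_KEY failure raised while the responder processes the peer's RSA signature, and the MM5-to-MM4 state regression with its per-SA retransmit counters. The sample lines are quoted from the post (wrapped lines rejoined); the result field names and verdict strings are my own.

```python
import re

# Constructed sample: debug entries quoted from the thread above, wrapped lines rejoined.
SAMPLE_DEBUG = """\
Nov 7 17:06:49.838: ISAKMP0:44:SW:1): failed to find usage restriction in ext.
Nov 7 17:06:49.854: ISAKMP0:44:SW:1): OU = Telemetry
Nov 7 17:06:49.894: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Nov 7 17:06:49.894: ISAKMP (0:134217772): process_rsa_sig: Querying key pair failed.
Nov 7 17:06:49.894: ISAKMP0:44:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM5
Nov 7 17:06:49.894: ISAKMP (0:134217772): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Nov 7 17:06:49.894: ISAKMP0:44:SW:1):Old State = IKE_R_MM5 New State = IKE_R_MM4
Nov 7 17:06:50.798: ISAKMP (0:134217771): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Nov 7 17:06:50.894: ISAKMP (0:134217772): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""

SYSLOG_RE = re.compile(r"%(CRYPTO-\d-\w+):")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
RETRY_RE = re.compile(r"ISAKMP \((\d+:\d+)\): incrementing error counter on sa, attempt (\d+) of (\d+)")
DN_RE = re.compile(r"\): (CN|OU|O) = (.+)$")   # identity fields the router prints from the peer cert

def mm_rank(state):
    """Main-mode step number from a state name such as IKE_R_MM5 (0 if absent)."""
    m = re.search(r"MM(\d+)", state)
    return int(m.group(1)) if m else 0

def triage_ike_debug(text):
    """Summarise a 'debug crypto isakmp' capture: syslog errors, peer cert identity
    fields, backwards main-mode transitions and per-SA retransmit counts."""
    r = {"errors": [], "peer_dn": {}, "regressions": [], "retries": {}, "exhausted": []}
    for line in text.splitlines():
        if m := SYSLOG_RE.search(line):
            r["errors"].append(m.group(1))
        if m := DN_RE.search(line):
            r["peer_dn"][m.group(1)] = m.group(2).strip()
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if mm_rank(new) < mm_rank(old):  # e.g. MM5 -> MM4 right after an error
                r["regressions"].append((old, new))
        if m := RETRY_RE.search(line):
            sa, attempt, limit = m.group(1), int(m.group(2)), int(m.group(3))
            r["retries"][sa] = (max(attempt, r["retries"].get(sa, (0, 0))[0]), limit)
            if attempt >= limit:
                r["exhausted"].append(sa)
    # A key-query failure while processing SIG means the responder could not map the
    # peer's certificate identity to a trusted key pair (the diagnosis given in the thread).
    if "CRYPTO-3-IKMP_QUERY_KEY" in r["errors"]:
        r["verdict"] = "rsa-sig auth failed: check certificate subject / ISAKMP identity"
    else:
        r["verdict"] = "no certificate identity failure detected"
    return r
```

Feed it the output of the router's debug log (one entry per line) and read the verdict together with peer_dn, which shows the OU = Telemetry value the responder actually saw.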