[c-nsp] CRYPTO-3-IKMP_QUERY_KEY : Querying key pair failed ?
Peter Rathlev
peter at rathlev.dk
Wed Feb 27 14:39:49 EST 2008
Hi Matthew,

I'm not sure about the logged message, but I've seen the
"TP-self-signed" certificates when I enable "ip http secure-server" and
IOS generates a certificate for this. If you don't use the certificates
you could just remove them and see if that helps.

I couldn't figure out from your mail whether the VPN succeeds. Is that
message the only thing it says from a debug? I'm not very familiar with
VTI, having only used IPSec/GRE, but does a "debug crypto isakmp" give
you any meaningful information?

Regards,
Peter

On Wed, 2008-02-27 at 08:44 -0800, matthew zeier wrote:
> Trying to set up a VTI IPSEC VPN between a 3845 and an 1841. The 3845
> has a couple VPNs already up and working, one of which is a VTI to a 2800.
>
> The log just spits out:
>
>
> CRYPTO-3-IKMP_QUERY_KEY : Querying key pair failed.
>
> Cisco says -
>
> Explanation: A public key or private key query attempt that used a
> subject name has failed.
>
> Recommended Action: Check the subject name in the certificate.
>
> I'm not sure what cert it's talking about or how to fix that. The 1841
> does have
>
> crypto pki trustpoint TP-self-signed-2501804736
>  enrollment selfsigned
>  subject-name cn=IOS-Self-Signed-Certificate-2501804736
>  revocation-check none
>  rsakeypair TP-self-signed-2501804736
>
> crypto pki certificate chain TP-self-signed-2501804736
> ...
>
> Neither of those exist on any of my other routers and I'm not familiar
> with them.
>
> Any clues?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/