From: Martin Jendritza on
I'm trying to set up a Site-to-Site VPN between two Cisco routers, with
one of them (a 1812) acting as Certification Authority.
The certificate enrollment seems to work so far,
but when I configure the Virtual Tunnel Interfaces I get the following
error message:

"%CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at
10.10.66.69 is missing"

Why should a pre-shared key be missing, as I have configured rsa-sig as
the authentication method?

In addition, debugging on the CA router delivers this message:
"CRYPTO_PKI: Found a issuer match
%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.10.66.23 is bad:
CA request failed"

show crypto session leads to this result:
Interface: Tunnel1
Session status: DOWN-NEGOTIATING
Peer: 10.10.66.23 port 500
IKE SA: local 10.10.66.69/500 remote 10.10.66.23/500 Inactive
IKE SA: local 10.10.66.69/500 remote 10.10.66.23/500 Inactive
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map

Here are the relevant parts of the configurations:
CA-Router:

crypto pki server Cisco1800
issuer-name CN = test.de
lifetime certificate 6

crypto pki trustpoint Cisco1800
revocation-check crl
rsakeypair Cisco1800

ip domain name test.de

crypto isakmp policy 5
encr aes 256
group 2
lifetime 28800

crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPNprof
set transform-set VPN
interface Tunnel1
ip address 192.168.2.2 255.255.255.0
tunnel source FastEthernet1
tunnel destination 10.10.66.23
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPNprof
Remote-Router:

crypto pki trustpoint Cisco1800
enrollment url http://Cisco1800:80
revocation-check crl

crypto isakmp policy 1
encr aes 256
group 2
lifetime 28800

crypto ipsec transform-set VPN esp-aes 256 esp-sha-hmac
!
crypto ipsec profile VPNprof
set transform-set VPN

interface Tunnel1
ip address 192.168.1.1 255.255.255.0
tunnel source 10.10.66.23
tunnel mode ipsec ipv4
tunnel destination 10.10.66.69
tunnel protection ipsec profile VPNprof
sh crypto pki certificate on CA-Router:

CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=test.de
Subject:
cn=test.de
Validity Date:
start date: 11:14:52 CET Jun 15 2010
end date: 11:14:52 CET Jun 14 2013
Associated Trustpoints: Cisco1800
sh crypto pki certificate on remote-router:

Certificate
Status: Available
Certificate Serial Number (hex): 03
Certificate Usage: General Purpose
Issuer:
cn=test.de
Subject:
Name: RTRA.test.de
hostname=RTRA.test.de
Validity Date:
start date: 13:52:41 CET Jun 15 2010
end date: 13:52:41 CET Jun 21 2010
Associated Trustpoints: Cisco1800

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=test.de
Subject:
cn=test.de
Validity Date:
start date: 11:14:52 CET Jun 15 2010
end date: 11:14:52 CET Jun 14 2013
Associated Trustpoints: Cisco1800
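As an added example that is not part of the original post: a small Python checker that parses `show crypto pki certificates` output from both peers and flags the conditions that must hold before IKE rsa-sig authentication can succeed (a CA certificate in the trustpoint, an identity certificate issued by that CA, and both inside their validity window). The two sample outputs are constructed from the show outputs quoted above, trimmed to the fields the checker reads; the check time passed to `audit()` and the function names are assumptions. Run on the quoted output it reports that trustpoint Cisco1800 on the CA router holds only the CA certificate and no identity certificate. An rsa-sig peer has to present a certificate issued to itself, and the trustpoint IOS creates for a `crypto pki server` stores only the CA certificate, so a CA router that is also an IPsec peer enrolls through a separate trustpoint. The same check shows the remote router's identity certificate (issued with `lifetime certificate 6`) stops being valid on Jun 21 2010.

```python
# Added example (not from the original post): audit 'show crypto pki certificates'
# output from both IKE peers for the conditions rsa-sig authentication needs. The
# sample outputs are constructed from the post's quoted output; the time is assumed.
from dataclasses import dataclass
from datetime import datetime

CA_ROUTER_OUTPUT = """\
CA Certificate
  Certificate Serial Number: 0x1
  Issuer:
    cn=test.de
  Subject:
    cn=test.de
  Validity Date:
    start date: 11:14:52 CET Jun 15 2010
    end   date: 11:14:52 CET Jun 14 2013
  Associated Trustpoints: Cisco1800
"""

REMOTE_ROUTER_OUTPUT = """\
Certificate
  Certificate Serial Number (hex): 03
  Issuer:
    cn=test.de
  Subject:
    Name: RTRA.test.de
    hostname=RTRA.test.de
  Validity Date:
    start date: 13:52:41 CET Jun 15 2010
    end   date: 13:52:41 CET Jun 21 2010
  Associated Trustpoints: Cisco1800
CA Certificate
  Certificate Serial Number (hex): 01
  Issuer:
    cn=test.de
  Subject:
    cn=test.de
  Validity Date:
    start date: 11:14:52 CET Jun 15 2010
    end   date: 11:14:52 CET Jun 14 2013
  Associated Trustpoints: Cisco1800
"""

@dataclass
class Cert:
    kind: str        # "CA Certificate", or "Certificate" for the router's own identity cert
    serial: str      # hex without "0x" or leading zeros, so "0x1" and "01" compare equal
    issuer: str
    subject: str
    not_before: datetime
    not_after: datetime
    trustpoints: list

def _date(text: str) -> datetime:
    parts = text.split()          # "11:14:52 CET Jun 15 2010": drop the zone token
    if len(parts) == 5:
        del parts[1]
    return datetime.strptime(" ".join(parts), "%H:%M:%S %b %d %Y")

def parse_show_pki_certs(output: str) -> list:
    """Split the show output into certificate blocks and read the fields needed."""
    certs, cur, section = [], None, ""
    for line in (l.strip() for l in output.splitlines() if l.strip()):
        if line in ("Certificate", "CA Certificate"):    # start of a new block
            if cur:
                certs.append(Cert(**cur))
            cur = dict(kind=line, serial="", issuer="", subject="",
                       not_before=None, not_after=None, trustpoints=[])
            section = ""
            continue
        if cur is None:
            continue
        key, _, value = line.partition(":")
        key = " ".join(key.lower().split())             # "end   date" -> "end date"
        if key.startswith("certificate serial number"):
            s = value.strip().lower()
            cur["serial"] = (s[2:] if s.startswith("0x") else s).lstrip("0") or "0"
        elif key in ("issuer", "subject", "validity date"):
            section = key
        elif key in ("start date", "end date"):
            cur["not_before" if key[0] == "s" else "not_after"] = _date(value)
        elif key == "associated trustpoints":
            cur["trustpoints"] = value.split()
        elif section in ("issuer", "subject"):          # DN components, one per line
            cur[section] = f"{cur[section]}, {line}" if cur[section] else line
    if cur:
        certs.append(Cert(**cur))
    return certs

def check_peer(peer: str, certs: list, trustpoint: str, now: datetime) -> list:
    """Problems that stop `peer` from doing rsa-sig via `trustpoint` at time `now`."""
    tp = [c for c in certs if trustpoint in c.trustpoints]
    cas = [c for c in tp if c.kind == "CA Certificate"]
    ids = [c for c in tp if c.kind == "Certificate"]
    problems = []
    if not cas:
        problems.append(f"{peer}: trustpoint {trustpoint} holds no CA certificate")
    if not ids:
        problems.append(f"{peer}: trustpoint {trustpoint} holds only a CA certificate and "
                        "no identity certificate; rsa-sig needs one issued to this router")
    for c in ids:
        if not any(c.issuer == ca.subject for ca in cas):
            problems.append(f"{peer}: identity cert {c.serial} issuer '{c.issuer}' matches no CA cert")
    for c in cas + ids:
        if not (c.not_before <= now <= c.not_after):
            problems.append(f"{peer}: {c.kind} {c.serial} not valid at {now:%Y-%m-%d %H:%M} "
                            f"(valid {c.not_before:%Y-%m-%d %H:%M} to {c.not_after:%Y-%m-%d %H:%M})")
    return problems

def audit(now_iso: str = "2010-06-16T12:00:00") -> dict:
    """Check both constructed outputs against trustpoint Cisco1800 at the assumed time."""
    now = datetime.fromisoformat(now_iso)
    return {peer: check_peer(peer, parse_show_pki_certs(out), "Cisco1800", now)
            for peer, out in (("CA-Router", CA_ROUTER_OUTPUT), ("Remote-Router", REMOTE_ROUTER_OUTPUT))}
```

`audit()` returns one list of problems per peer; an empty list means that peer has what rsa-sig needs from its trustpoint. The serial normalisation matters because IOS prints the same CA certificate as `0x1` on the issuing router and `01` on the enrolled one.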