Just a quick note on VPNs with certificates. Most of you probably already know this, but one very important piece of doing certificate authentication on your crypto tunnels is ensuring that the time is accurate. What would you think if you saw this error message in the logs?
*Aug 31 13:26:48.970: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
RSA keypair issues maybe? Not a chance…
Well, possibly, but I bet your first thought would not be “Let me check if the router time is correct.” I saw this issue today when configuring a simple site-to-site VPN tunnel. This error seemed to overtake the screen, making me think I had an RSA issue. I then went ahead and checked my RSA key, and it was there. I also checked the trustpoint to make sure I had referenced it properly. It was also correct. I then decided to blow away the trustpoint and recreate it. This time I let the router automatically generate the RSA key, and I still saw the same error. I went back to the debugs, paid a bit more attention, and saw the following:
*Aug 31 13:26:39.470: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.123.12 is bad: CA request failed!
Rack1R3(config)#
*Aug 31 13:26:40.632: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
*Aug 31 13:26:41.798: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Rack1R3(config)#
*Aug 31 13:26:42.964: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Rack1R3(config)#
*Aug 31 13:26:45.468: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 0x61EFC13D00000000000B) is not yet valid Validity period starts on 20:19:12 UTC Aug 31 2009
Well, obviously at this point I knew this was most likely a clock issue: the certificate's validity period started at 20:19:12 UTC on Aug 31, while the router's own log stamps show it still thought it was 13:26 that day, so from the router's point of view the certificate did not exist yet. I configured NTP on the router and voilà! Everything worked as expected.
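As an added example (not part of the original post), here is a small Python check that does what the post did by hand: it scans IOS log text for the noisy IKMP_QUERY_KEY messages, the PKI "not yet valid" message, and the leading "*" on the timestamps (IOS marks a clock that has never been set or synced that way), then reports how far behind the certificate's notBefore the router clock is. The sample log is constructed from the excerpt above; the check assumes the log stamps are UTC and share the certificate's year, since the IOS stamp carries no year.

```python
import re
from datetime import datetime
# Constructed sample mirroring the excerpt in the post; not captured from a live device here.
SAMPLE_LOG = """\
*Aug 31 13:26:39.470: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 136.1.123.12 is bad: CA request failed!
Rack1R3(config)#
*Aug 31 13:26:40.632: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
*Aug 31 13:26:41.798: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
*Aug 31 13:26:42.964: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
*Aug 31 13:26:45.468: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 0x61EFC13D00000000000B) is not yet valid Validity period starts on 20:19:12 UTC Aug 31 2009
"""
# IOS syslog prefix: optional '*' (clock not authoritative), month, day, time, optional millis.
STAMP_RE = re.compile(r"^(?P<star>\*?)(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "
                      r"(?P<time>\d{2}:\d{2}:\d{2})(?:\.\d+)?: (?P<msg>.*)$")
NOT_YET_VALID_RE = re.compile(
    r"%PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: .*\(SN: (?P<sn>0x[0-9A-Fa-f]+)\).*"
    r"Validity period starts on (?P<start>\d{2}:\d{2}:\d{2} UTC [A-Z][a-z]{2} \d{1,2} \d{4})")

def analyze(log_text):
    """Summarise clock-related PKI failures in IOS log text. Assumption made here (not by
    the router): stamps are UTC and in the certificate's year, as the IOS stamp has no year."""
    result = {"query_key_failures": 0, "unsynced_clock": False, "certs": []}
    for line in log_text.splitlines():
        m = STAMP_RE.match(line.strip())
        if not m:                         # CLI prompts and other non-syslog noise
            continue
        if m.group("star"):               # leading '*' means the clock was never set/synced
            result["unsynced_clock"] = True
        msg = m.group("msg")
        if "%CRYPTO-3-IKMP_QUERY_KEY" in msg:
            result["query_key_failures"] += 1
            continue
        nm = NOT_YET_VALID_RE.search(msg)
        if not nm:
            continue
        not_before = datetime.strptime(nm.group("start"), "%H:%M:%S UTC %b %d %Y")
        stamp = datetime.strptime(f"{m.group('mon')} {m.group('day')} {m.group('time')} "
                                  f"{not_before.year}", "%b %d %H:%M:%S %Y")
        result["certs"].append({"serial": nm.group("sn"), "router_clock": stamp,
                                "not_before": not_before,
                                "skew_seconds": int((not_before - stamp).total_seconds())})
    return result

def verdict(result):
    """One-line diagnosis: point the operator at the clock before the RSA keys."""
    if result["certs"]:
        worst = max(c["skew_seconds"] for c in result["certs"])
        return f"clock {worst}s behind cert notBefore: fix time (NTP) before touching keys/trustpoint"
    if result["query_key_failures"] and result["unsynced_clock"]:
        return "key-pair query failures with unsynced clock ('*' stamps): check time first"
    return "no clock-related PKI failure seen"
```

Run `verdict(analyze(SAMPLE_LOG))` on the sample and it reports the router clock roughly 6 hours 52 minutes behind the certificate's start of validity.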

