DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2830<->2860 IPSec site-to-site VPN authenticated via X.509

31 Oct 2018 00:11 #93254 by hornbyp
As per the title, my goal is to establish a 2830<->2860 IPSec site-to-site VPN authenticated by X.509 certificates.

Flushed with my recent success :lol: at authenticating Phones/Tablets & Windows PCs using X.509 certificates, I thought I'd have a go at migrating my site-to-site VPN to do likewise. It's not turning out to be that easy :cry:

I found this set of instructions, for the 2910 <--> Vigorpro 5500. They're from 2007, but conceptually they seem a better fit than everything else, which tends to refer to the 3900; the 3900 uses radically different mechanisms...

Conceptually, I don't understand why the site initiating the VPN (the 2860 in my case), has to specify a "Peer ID" and a certificate to use. The target 2830 seems to have to validate the incoming information against a Peer Id entry - just as it would for a 'Dial-in User'. That part seems reasonable, but nothing's working: the connection fails very early in the IPSec conversation.

Edited section of 2860 Syslog (initiating link)
Code:
    Dialing Node1 (Experiment) : Initiating IKE Aggressive Mode to 82.__.__.140
    IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
    [IPSEC/IKE][L2L][1:Experiment][@82.__.__.140] ignored:
    [IPSEC/IKE][L2L][1:Experiment][@82.__.__.140] ignored:
    DropVPN() VPN : L2L Dial-out, Profile index = 1, Name = Experiment, ifno = 10
    [L2L][DOWN][IPsec][@1:Experiment]
    [IPSEC][L2L][1:Experiment][@82.__.__.140] IKE release: state linking


Edited section of 2830 (web) syslog (target)
Code:
    Responding to Aggressive Mode from 82.__.___.171
    IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
    IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0


(Repeats forever... :? )

So...can anyone offer any pointers :?:
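The two syslog excerpts above can be triaged mechanically. The script below is an added example, not code from hornbyp or from DrayTek: it parses the per-message `IKE ==>` / `IKE <==` lines in the format quoted in the post and reports how far the IKEv1 exchange got. The sample log text is constructed from the two excerpts; the ISAKMP exchange-type codes come from RFC 2408/2409; and the check relies on one protocol fact: in aggressive mode, messages 1 and 2 both begin with an SA payload, while message 3 (the initiator's HASH or SIG) does not and phase 2 traffic carries a non-zero Message ID. The script makes no assumption about which arrow means "sent" versus "received" on a DrayTek, since the excerpts alone do not settle that.

```python
"""Triage DrayTek IKE syslog excerpts for a stalled IKEv1 aggressive-mode exchange (added example)."""
import re

# Constructed sample input, modelled on the two syslog excerpts quoted in the post.
INITIATOR_LOG = """\
Dialing Node1 (Experiment) : Initiating IKE Aggressive Mode to 82.__.__.140
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
[IPSEC/IKE][L2L][1:Experiment][@82.__.__.140] ignored:
[IPSEC/IKE][L2L][1:Experiment][@82.__.__.140] ignored:
DropVPN() VPN : L2L Dial-out, Profile index = 1, Name = Experiment, ifno = 10
[L2L][DOWN][IPsec][@1:Experiment]
[IPSEC][L2L][1:Experiment][@82.__.__.140] IKE release: state linking
"""

RESPONDER_LOG = """\
Responding to Aggressive Mode from 82.__.___.171
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
Responding to Aggressive Mode from 82.__.___.171
IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
"""

# Matches the per-message lines the router writes, e.g.
#   IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x4, Message ID = 0x0
IKE_LINE = re.compile(
    r"IKE (?P<direction>==>|<==), Next Payload=(?P<payload>\w+), "
    r"Exchange Type = (?P<exchange>0x[0-9A-Fa-f]+), Message ID = (?P<msgid>0x[0-9A-Fa-f]+)"
)

# ISAKMP exchange type codes (RFC 2408 section 3.1; 0x20 = Quick Mode, RFC 2409).
EXCHANGE_TYPES = {
    0x1: "Base", 0x2: "Identity Protection (Main Mode)", 0x3: "Authentication Only",
    0x4: "Aggressive", 0x5: "Informational", 0x20: "Quick Mode",
}


def parse_ike_messages(log_text):
    """Return one dict per IKE message line, in log order."""
    messages = []
    for line in log_text.splitlines():
        m = IKE_LINE.search(line)
        if m:
            messages.append({
                "direction": m["direction"],
                "payload": m["payload"],
                "exchange": int(m["exchange"], 16),
                "msgid": int(m["msgid"], 16),
            })
    return messages


def diagnose(log_text):
    """Summarise how far the IKE negotiation got in this excerpt.

    Seeing only SA-first messages with Message ID 0 means phase 1 never
    reached the initiator's third (HASH/SIG) message, so no IKE SA exists.
    """
    lines = log_text.splitlines()
    messages = parse_ike_messages(log_text)
    phase1 = [m for m in messages if m["msgid"] == 0]
    summary = {
        "attempts": sum("Aggressive Mode" in l for l in lines),   # dial/response starts
        "messages": len(messages),
        "ignored": sum("ignored:" in l for l in lines),           # peer replies discarded
        "dropped": any("DropVPN()" in l for l in lines),          # profile torn down
        "modes": sorted({EXCHANGE_TYPES.get(m["exchange"], hex(m["exchange"])) for m in phase1}),
    }
    if not messages:
        summary["verdict"] = "no IKE message lines in excerpt"
    elif any(m["msgid"] != 0 for m in messages):
        summary["verdict"] = "phase 1 completed: phase 2 traffic present"
    elif any(m["payload"] != "ISAKMP_NEXT_SA" for m in phase1):
        summary["verdict"] = "phase 1 progressed beyond the SA exchange"
    else:
        summary["verdict"] = "phase 1 stalled: only SA-first messages with Message ID 0"
    return summary


if __name__ == "__main__":
    for name, text in (("2860 initiator", INITIATOR_LOG), ("2830 responder", RESPONDER_LOG)):
        print(name, diagnose(text))
```

Run against the constructed excerpts, both sides come back as "phase 1 stalled": the initiator logs one message and then two "ignored:" lines before `DropVPN()`, and the responder logs one message in each direction per attempt, all SA-first, and then starts over. That points at the initiator discarding the responder's second aggressive-mode message rather than at a phase 2 or routing problem, which is the point in the exchange where identities and certificates are first checked.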

