12-27-2002 09:31 AM - edited 02-20-2020 10:27 PM
Hi all,
I'm trying to set up a *simple* Windows to Pix VPN connection. Rather than have each client download the VPN Client (on a dialup connection, this could take quite a while and if I'm supposed to dial-in and fix something NOW, that wouldn't work), I'm trying to get it set up to support the built-in Windows VPN features.
I have the VPN working using a pre-shared key. XP supports this rather easily, but with 2k it's a pain to use a pre-shared key (you have to configure it through MMC, etc.). To bypass all of this, I'm attempting to configure the Pix to use a certificate rather than a pre-shared key.
The only directions I've been able to find so far reference using the certificate server with Windows 2k, not the one with NT4. Is there a way to use the certificate server with NT4 or am I fighting a hopeless cause?
I've followed the directions given at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/ipsec/excas.htm#51035 but get the following error on the Pix:
Pix(config)# ca identity VPNClients 10.1.5.3:/certsrv/mscep/mscep.dll
Pix(config)# ca authenticate VPNClients
msgsym(GETCARACERT, CRYPTO)!
%Error in connection to Certificate Authority: status = FAIL
I've looked on the NT4 server and the certsrv directory exists but there's no mscep directory and no dll by that name. Is there a way to communicate with NT4's certificate server from the Pix?
Thank you in advance for your time and help,
Tim C
12-28-2002 09:58 PM
The MSCEP stuff comes as a separate DLL to be installed, even with the 2K CA server. It's included in the Win2K Resource Kit, so not sure if it'll install on a NT4.0 server, can't say I've ever tried.
If you can't find the DLL, search for it in Google, it's available in various places around the traps, although funnily enough, it doesn't seem to be on MS's web site. If you still can't find it and can wait till next week, I can email you a copy of it off-line (I'm currently at home and don't have access to my server).
Once the DLL is installed you should be able to browse to the URL just from a browser and you'll get a certificate fingerprint. Until you can get that the PIX won't be able to download the cert properly.
Also make sure you set the enrollment mode to RA.
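An added check for the "browse to the URL" step above (example code, not from the original thread): a Python script that issues the SCEP GetCACert request to the MSCEP URL from the question and prints the CA certificate's MD5 and SHA-1 fingerprints so they can be compared with the fingerprint the PIX displays during `ca authenticate`. The host 10.1.5.3 and the identity VPNClients come from the thread; everything else is assumed.

```python
import hashlib
import sys
import urllib.request

# MSCEP endpoint path as used in the thread; the host is the CA server's address.
MSCEP_PATH = "/certsrv/mscep/mscep.dll"

# SCEP Content-Types for a GetCACert response: either a bare DER certificate
# (CA only) or a degenerate PKCS#7 bundle carrying CA plus RA certificates,
# which is what an MSCEP server in RA enrollment mode hands back.
CA_ONLY = "application/x-x509-ca-cert"
CA_AND_RA = "application/x-x509-ca-ra-cert"


def getcacert_url(host: str, ca_ident: str = "VPNClients") -> str:
    """Build the SCEP GetCACert request URL for an MSCEP server."""
    return f"http://{host}{MSCEP_PATH}?operation=GetCACert&message={ca_ident}"


def fingerprints(der: bytes) -> dict:
    """MD5 and SHA-1 fingerprints of a DER-encoded certificate."""
    return {"md5": hashlib.md5(der).hexdigest(), "sha1": hashlib.sha1(der).hexdigest()}


def classify(content_type: str) -> str:
    """Map the response Content-Type to what the CA is advertising."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == CA_ONLY:
        return "ca-only"
    if ct == CA_AND_RA:
        return "ca-and-ra"
    return "not-scep"  # e.g. an HTML error page because the MSCEP DLL is missing


def fetch_ca_cert(host: str, ca_ident: str = "VPNClients", timeout: float = 10.0):
    """Perform GetCACert; return (kind, raw_bytes). Raises on HTTP/network errors."""
    with urllib.request.urlopen(getcacert_url(host, ca_ident), timeout=timeout) as resp:
        return classify(resp.headers.get("Content-Type", "")), resp.read()


if __name__ == "__main__":
    kind, body = fetch_ca_cert(sys.argv[1] if len(sys.argv) > 1 else "10.1.5.3")
    print("response kind:", kind)
    if kind == "ca-only":
        for algo, hexdigest in fingerprints(body).items():
            print(f"{algo}: {hexdigest}")
    elif kind == "ca-and-ra":
        # PKCS#7 bundle: extract the CA certificate with a PKCS#7-aware tool
        # (e.g. openssl pkcs7 -inform DER -print_certs) before fingerprinting it.
        with open("cacert.p7b", "wb") as f:
            f.write(body)
        print("saved CA+RA bundle to cacert.p7b")
    else:
        print("server did not return a SCEP CA certificate; check the MSCEP install")
```

If the response kind is "not-scep", the PIX will fail at `ca authenticate` exactly as shown in the question, so fix the MSCEP installation before retrying on the firewall.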
12-30-2002 08:49 AM
Thank you for your response! I'm not sure that the MSCEP would work on NT4, but I'm willing to try it! I've looked on the net, but like you said, Microsoft doesn't have it on their site (there are lots of references to the Corporate Update site, but they removed that site). Could you send me the file(s) needed to install and make MSCEP work? The preferred email address is tclegg@ovhd.com.
Thank you for your help,
Tim C
12-30-2002 10:09 AM
I found the SCEP on Yahoo! Group cciesecurity and tried installing it on NT4, but it wouldn't fully load. Are there any other ways of getting the Pix to get a certificate with NT4? Moving to W2k isn't really an option at this point with our certificate server.
Thank you for your help,
Tim C