VPN remote access based on certificate help !

Dr.X
Level 2
Level 2

Hi,

It has been many days trying to establish VPN remote access based on certificates.

I have a Cisco router 1900 and I'm trying to use it as a remote access VPN based on certificates, not on a pre-shared key.

Actually I followed a video to help me in configuring a CA server based on Windows 2008 R2:

https://www.youtube.com/watch?v=E-Rsy5iWrpk

I configured the domain controller and CA service and I can access

http://my ip server/certsrv

and I can request the CA and then the identity certificate.

I'm fine here,

but my issue is:

how do I get the certificate and put it in my Cisco Easy VPN client???!!!!

I tried to enroll it from my client but no luck!!!

So,

I downloaded the CA & identity certificate manually and imported them into my Easy VPN client:

Now I can see a certificate when I try to make a connection on my Easy VPN

but,

the VPN is not working!!!

Here is my Easy VPN log:

Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600 
Config file directory: C:\Program Files\Cisco Systems\VPN Client\
 
1      17:34:48.453  07/08/14  Sev=Warning/2 IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)
 
2      17:34:48.453  07/08/14  Sev=Warning/2 IKE/0xE300009B
Failed to build Signature payload (MsgHandlerMM:489)
 
3      17:34:48.453  07/08/14  Sev=Warning/2 IKE/0xE300009B
Failed to build MM msg5 (NavigatorMM:312)
 
4      17:34:48.453  07/08/14  Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)
 
5      11:13:09.871  07/09/14  Sev=Warning/3 CERT/0xA3600028
Unexpected end of Header.
 
6      11:13:10.449  07/09/14  Sev=Warning/2 CERT/0xE3600016
Failure on: PKCS#10 Request Generation.
 
7      11:36:16.579  07/09/14  Sev=Warning/3 CERT/0xA3600028
Unexpected end of Header.
 
8      11:36:17.591  07/09/14  Sev=Warning/3 CERT/0xA3600028
Unexpected end of Header.
 
9      21:08:26.294  07/09/14  Sev=Warning/2 IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)
 
10     21:08:26.294  07/09/14  Sev=Warning/2 IKE/0xE300009B
Failed to build Signature payload (MsgHandlerMM:489)
 
11     21:08:26.294  07/09/14  Sev=Warning/2 IKE/0xE300009B
Failed to build MM msg5 (NavigatorMM:312)
 
12     21:08:26.294  07/09/14  Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)

==============================

Here is my issue that I'm stuck in!!

Can anyone help me how to fix it??

I will show here also my config for my router for VPN; note that I could enroll the CA and the identity on my router and I have no issues:

cisco900#
!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authentication login AUTH local
aaa authentication ppp DRVIRUS local
aaa authorization exec default local 
aaa authorization network DRVIRUS local 
aaa authorization network VPN_CLIENT_GROUP local 
aaa authorization network AUTH local 
!
!

!
!
ip domain name cisco900.com
ip host win2008 x.x.79.13
ip name-server 8.8.8.8
!
!
!
!
crypto pki token default removal timeout 0
!         
crypto pki trustpoint TP-self-signed-1296895960
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1296895960
 revocation-check none
 rsakeypair TP-self-signed-1296895960
!
crypto pki trustpoint win2008
 enrollment mode ra
 enrollment url http://win2008:80/certsrv/mscep/mscep.dll
 revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1296895960
 certificate self-signed 01
        quit
crypto pki certificate chain win2008
 certificate ca 2CBE859734E2B09C4A3C0FFA28D9EABB
        quit
voice-card 0
!
!
!
!

!

!
crypto isakmp policy 10
 encr aes 256
 group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group EZ_VPN_CLIENT
 dns 8.8.8.8
 domain abc.com
 pool EZVPN_POOL
 pfs
 max-logins 5
 netmask 255.255.255.0
 banner ^C
heyyyyyyyyyyyyyyyyy
 ^C
crypto isakmp profile EZVPN_PROFILE
   self-identity fqdn
   ca trust-point win2008
   match identity group EZ_VPN_CLIENT
   isakmp authorization list AUTH
   client configuration address respond
!
!
crypto ipsec transform-set ESP_AES_256_SHA esp-aes 256 esp-sha-hmac 
!
!         
crypto dynamic-map EZVPN_MAP 10
 set security-association lifetime seconds 28800
 set transform-set ESP_AES_256_SHA 
 set pfs group2
 set isakmp-profile EZVPN_PROFILE
 reverse-route
!
!
!
crypto map VPN_MAP 65000 ipsec-isakmp dynamic EZVPN_MAP 
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address xxxxxxxxxx
 ip pim dense-mode
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map VPN_MAP
!
!
!
!
ip local pool PPTP 10.11.12.1 10.11.12.100
ip local pool VPN_CLIENT_POOL 192.168.20.200 192.168.20.210
ip local pool EZVPN_POOL 172.16.100.32 172.16.100.63
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!

!
ip access-list extended EZVPN_ST_ACL
 permit ip 172.16.32.0 0.0.0.255 any

!
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
!
!
!
!
Any help????

Any suggestion?

1 Reply 1
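When an IKEv1 client logs "Failed to generate signature" while building main mode message 5, the two things a practitioner checks first are whether the imported identity certificate has a usable private key and whether it chains to the CA the ISAKMP profile trusts. The following shell example is added here and is not from the thread or from Cisco: it builds a throwaway CA with openssl (TestCA, ezvpn-client and the temp directory are constructed names) and runs both checks on a certificate with and without its key.

```shell
#!/bin/sh
# Added example (not from the thread): run offline the two checks an IKEv1
# RSA-signature client must pass before it can build main mode message 5:
#  1. the identity certificate chains to the trusted CA
#  2. the matching private key is present and can actually sign
# TestCA, ezvpn-client and the temp dir are constructed for this demo.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Throwaway CA standing in for the Windows 2008 R2 CA in the thread.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=TestCA" -keyout ca.key -out ca.crt >/dev/null 2>&1
# Identity certificate for the VPN client, issued by that CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ezvpn-client" -keyout id.key -out id.csr >/dev/null 2>&1
openssl x509 -req -days 1 -in id.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -out id.crt >/dev/null 2>&1

# check_identity CERT CA [KEY]: prints a verdict and returns 0 only when
# CERT chains to CA and KEY is the matching private key able to sign.
check_identity() {
    cert="$1"; ca="$2"; key="${3:-}"
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain: $cert is not issued by $ca"; return 1
    fi
    if [ -z "$key" ] || [ ! -s "$key" ]; then
        echo "key: no private key for $cert (certificate-only import)"; return 1
    fi
    # The public key inside the cert must equal the one derived from the key.
    cert_pub="$(openssl x509 -in "$cert" -pubkey -noout)"
    key_pub="$(openssl pkey -in "$key" -pubout)"
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key: $key does not match $cert"; return 1
    fi
    # Sign a test blob with the key and verify it with the cert's public key,
    # the same operation the client performs for the SIG payload.
    printf 'ike-main-mode-test' > blob
    echo "$cert_pub" > cert.pub
    openssl dgst -sha256 -sign "$key" -out blob.sig blob
    if ! openssl dgst -sha256 -verify cert.pub -signature blob.sig blob >/dev/null 2>&1; then
        echo "sign: test signature failed for $key"; return 1
    fi
    echo "ok: $cert chains to $ca and $key can sign"
}

check_identity id.crt ca.crt id.key   # passes
check_identity id.crt ca.crt || true  # fails: certificate imported without its key
```

Run it against the CA certificate, the identity certificate and the private key you actually imported into the client to see which of the three checks fails.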

Sommar1954
Level 1
Level 1

I have the same error code when I try to enroll a cert from a VPN Client.

I am using Cisco Client 5.0.05.0290.

It has worked OK with a WS2003 based CA server.

I have an ASA 5505 running 8.2 FW.

The only change after connecting the ASA to the new CA was to enroll a new CA/RA for my trustpoint.

It worked OK.

But when enrolling a cert from the client while I was connected via a tunnel created with a pre-shared key, it fails.

Client log follows:

Cisco Systems VPN Client Version 5.0.05.0290
Copyright (C) 1998-2009 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 6.1.7600
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1 15:58:04.295 04/28/16 Sev=Warning/3 CERT/0xA3600028
Unexpected end of Header.

2 15:58:04.763 04/28/16 Sev=Warning/3 CERT/0xA3600028
Unexpected end of Header.

3 15:58:04.778 04/28/16 Sev=Warning/2 CERT/0xE360001C
Protocol error: unsupported authenticated attribute '2D32313436383639323434'.
