Authenticating the CA

network27
Level 1

I got this error:

Router1(config)#crypto ca authenticate SCIS-E36A410855

% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

Any ideas?

Thanks

Here's the config:

Router1#show run

hostname Router-Main

!

clock timezone GMT 8

!

ip domain name routermain.com

ip host certserver 192.168.50.3

!

crypto ca trustpoint SCIS-E36A410855

enrollment retry count 3

enrollment retry period 5

enrollment mode ra

enrollment url http://192.168.50.30:80/certsrv/mscep/mscep.dll

crl optional

!

interface FastEthernet0/0

ip address 192.168.50.1 255.255.255.0

!

interface FastEthernet0/1

ip address 192.168.100.1 255.255.255.0

!

router rip

network 192.168.50.0

network 192.168.100.0

3 Replies

Hi,

Please make sure of the following things:

1. Check whether the CA server module is up at the URL http://192.168.50.30:80/certsrv/mscep/mscep.dll

2. The machine with the IP 192.168.50.30 is accessible from the router.

If the above things are perfect, then enable the command 'debug crypto pki transactions' on the router and try to authenticate the CA server. It will give you some sort of debugging message.

Post the debug message.

--Jaffer
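
Added example (not part of the original thread, and not Cisco's or Microsoft's code): one way to run check 1 from a workstation that shares the router's path to the CA. It reads the trustpoint stanza from the question, builds a SCEP GetCACert query against the configured enrollment URL, and interprets the reply. The function names are hypothetical, and the request the router itself sends may differ in path details from this plain query.

```python
import urllib.request
from urllib.parse import quote

CA_ONLY = "application/x-x509-ca-cert"       # SCEP reply: one DER certificate
CA_AND_RA = "application/x-x509-ca-ra-cert"  # SCEP reply: PKCS#7 with CA + RA

# Trustpoint stanza copied from the question above
SAMPLE_CONFIG = """crypto ca trustpoint SCIS-E36A410855
 enrollment mode ra
 enrollment url http://192.168.50.30:80/certsrv/mscep/mscep.dll
!"""

def parse_trustpoint(config, name):
    """Return (enrollment_url, ra_mode) for one trustpoint stanza."""
    url, ra_mode, inside = None, False, False
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("crypto ca trustpoint "):
            inside = line.split()[-1] == name
        elif line == "!":
            inside = False
        elif inside and line.startswith("enrollment url "):
            url = line.split(None, 2)[2]
        elif inside and line == "enrollment mode ra":
            ra_mode = True
    return url, ra_mode

def getcacert_url(enrollment_url, ca_ident):
    return f"{enrollment_url}?operation=GetCACert&message={quote(ca_ident)}"

def classify(status, content_type, body, ra_mode):
    """Interpret a GetCACert reply from its status, type and body."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    if status != 200:
        return f"FAIL: HTTP {status}, no SCEP service at this URL"
    if not body:
        return "FAIL: empty body, consistent with 'cert length = 0'"
    if ctype not in (CA_ONLY, CA_AND_RA) or body[0] != 0x30:
        return f"FAIL: not a SCEP certificate reply ({ctype or 'no type'})"
    if ra_mode and ctype == CA_ONLY:
        return "NOTE: CA certificate only, trustpoint has 'enrollment mode ra'"
    return f"OK: {len(body)} bytes, {ctype}"

def probe(config, name, timeout=5):
    url, ra_mode = parse_trustpoint(config, name)
    try:
        with urllib.request.urlopen(getcacert_url(url, name), timeout=timeout) as r:
            return classify(r.status, r.headers.get("Content-Type"), r.read(), ra_mode)
    except OSError as exc:  # URLError, HTTPError and timeouts
        return f"FAIL: {exc}"
```

Calling `probe(SAMPLE_CONFIG, "SCIS-E36A410855")` performs the live request; a connection error or timeout points at check 2 (reachability) rather than at the SCEP module.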

Hi Jaffar,

Thank you for your reply. I've managed to bypass the CA server stage and am now facing another problem; it's got to do with configuring an IOS Router Site-to-Site VPN Using Digital Certificates.

Could someone please give me a hand?

Here is my network topology:

R1------R2-------R3

|

VPNCA

I got this error message when I enabled debug:

R1# Jul 15 22:07:10.651: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /255.255.255.255, src_addr= 192.168.10.2, prot= 17

I could ping from R1 to R3 without crypto map and ACL.

Attached are my show run and debug configs for the 2 routers.

Thanks in advance,

Nobody can (or wants to) help?