
Microsoft CA server and Cisco IPSEC IOS ?

duchesne_ced
Level 1

Does anybody use a Microsoft CA server for their IPSEC connection between IPSEC routers?

I've got problems with the CRL check...


vzufferey
Level 1

Perhaps you could find some information in the message I posted about CRL (May 24).

#############################

CRL Distribution Point on IOS

On an IOS router, 12.2(8)T1, I want to configure the CRL Distribution Point in a Microsoft Windows 2000 environment (CA and LDAP directory).

By default, the LDAP URL included in the certificate by the CA has the following syntax:

URL=ldap:///CN=Mobile-CA4,CN=htmob15s,...

With this certificate, my IOS router searches for the CRL with a broadcast request:

ldap search: server=255.255.255.255, base=CN=Mobile-CA4,...

The router uses a broadcast request even if I configure the "crl query URL" in the trustpoint definition:

crypto ca trustpoint Mobile-CA4
 enrollment mode ra
 enrollment url http://10.252.1.115:80/certsrv/mscep/mscep.dll
 crl query ldap://10.252.1.115

The only way I found to download the CRL is to change, on the CA, the default LDAP URL included in the certificate to the following:

URL=ldap://10.252.1.100/CN=Mobile-CA4,CN=htmob15s,...

My questions are:

1) Which CRL Distribution Point is used by the router (the URL defined in "crl query URL", or the URL included in the certificate)?

2) Is there a way to configure the CRL download with the default CA setting?

Any suggestions will also be appreciated.

Thanks.

We don't want to deploy an LDAP server, and instead we use an HTTP server for the CRL URL.

You can change this in the CA server.

By the way, did you get any answers to your questions?

vzufferey
Level 1

I'm still looking for an answer. I would appreciate it if you have any ideas.
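
Added example (not part of the thread, and not Cisco or Microsoft code): a small Python check that sorts CRL Distribution Point URLs into those that name their own server and those, like the default ldap:/// form quoted in the post above, that leave the host empty. The function names and the HTTP URL are assumptions made for illustration; the two LDAP strings are copied from the post, including its elided DN.

```python
from urllib.parse import urlsplit, urlunsplit

# The two LDAP values are quoted from the post (its DN is elided with "..."
# and kept that way); the HTTP value is a constructed placeholder.
DEFAULT_CDP = "ldap:///CN=Mobile-CA4,CN=htmob15s,..."
EDITED_CDP = "ldap://10.252.1.100/CN=Mobile-CA4,CN=htmob15s,..."
HTTP_CDP = "http://ca.example.test/crl/Mobile-CA4.crl"


def classify_cdp(url):
    """Return (scheme, host, verdict) for one CRL Distribution Point URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname  # None when the authority part is empty
    # Assumption: only the ldap and http forms discussed in the thread matter.
    if scheme not in ("ldap", "http"):
        return scheme, host, "other-scheme"
    if not host:
        # "ldap:///DN": the client must already know which directory to ask.
        return scheme, None, "needs-default-server"
    return scheme, host, "self-contained"


def usable_without_directory(cdp_urls):
    """True if at least one CDP names its own server explicitly."""
    return any(classify_cdp(u)[2] == "self-contained" for u in cdp_urls)


def with_server(url, server):
    """Fill in a missing LDAP host, the same change the poster made on the CA."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap" or parts.hostname:
        return url  # already names a server, or is not LDAP: leave unchanged
    return urlunsplit((parts.scheme, server, parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    for cdp in (DEFAULT_CDP, EDITED_CDP, HTTP_CDP):
        print(classify_cdp(cdp), cdp)
    print(with_server(DEFAULT_CDP, "10.252.1.100"))
```

Running it over the CDP strings taken from issued certificates shows, before rollout, which certificates a device outside the Windows directory can check for revocation on its own.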