
Need help with VPN remote access Certificates

Dr.X
Level 2

Hello,
I'm trying to use my router as a remote access VPN with certificates, but still no luck.

I have implemented Windows 2003 as the CA; I have issued CA & identity certificates on my VPN client and it enrolled successfully.

I also enrolled the CA & identity cert on my router and it enrolled successfully.

But when I try to connect based on the certificate on the client, it doesn't work and it says that the router "didn't respond"??!!!!
On the router logs, I have:
Jul 11 20:28:54.051: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from zz.64.5 is bad: CA request failed!
Jul 11 20:28:55.175: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from zz.64.5 is bad: certificate invalid
Jul 11 20:30:08.163: IPSEC(key_engine): got a queue event with 1 KMI message(s)


Couple of days with no luck!
===============
I will paste the config of my router:
===============

!
!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authentication login AUTH local
aaa authentication ppp DRVIRUS local
aaa authorization exec default local
aaa authorization network DRVIRUS local
aaa authorization network VPN_CLIENT_GROUP local
aaa authorization network AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
ip domain name cisco900.com
ip host win2008 xx.79.13
ip host win2003 xx.79.16
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  pr
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1296895960
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1296895960
revocation-check none
rsakeypair TP-self-signed-1296895960
!
crypto pki trustpoint win2003
enrollment mode ra
enrollment url http://win2003:80/certsrv/mscep/mscep.dll
serial-number
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1296895960
certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31323936 38393539 3630301E 170D3134 30323032 30333437
  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32393638
  39353936 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C287 3A3D8545 48E04187 0A64C08E F215DA6E 77B897D9 7B4C051D B99F53BF
  9907D29E 4879A60A 84D0D659 78236289 55B0526B EC4412CD E47F6F1E A242BE25
  04A38A6C 42E8B9CF 825B12CC CA51DB11 CAEF652B FE055213 AB25ED4E 17E52FE1
  837B1C73 4C893BA2 16F479D1 E5581987 B112D596 1F6222E4 2C70EBAE F0966EBB
  864D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14D3CA37 2B7C53C7 BD65854C C54BA199 19EB09D4 3E301D06
  03551D0E 04160414 D3CA372B 7C53C7BD 65854CC5 4BA19919 EB09D43E 300D0609
  2A864886 F70D0101 05050003 8181008D A055CFCB 6D14F998 339A54FD A987E1DE
  8EDC8DCF 4BBA24B8 BA5FC21A E7B05CF0 BE559325 9F25E08D BC16C5F9 A0B7C103
  DA687526 ECB1571C D6F9948D 7960F06C 20E89702 1686EBBA 377B2169 80D8867B
  E12B370B 419B9F6B B73F3B3F B4D1B390 3ACB15A9 763CAEFE 8041B24A AD2247E1
  C3C4D905 C6C3AE0F 3F6D7D36 3CBC8A
quit
crypto pki certificate chain win2003
certificate 111C4AA0000000000011
  308203CF 308202B7 A0030201 02020A11 1C4AA000 00000000 11300D06 092A8648
  86F70D01 01050500 300F310D 300B0603 55040313 04636572 74301E17 0D313430
  37313131 35343930 365A170D 31353037 31313135 35393036 5A303C31 14301206
  03550405 130B4643 5A313633 32433556 38312430 2206092A 864886F7 0D010902
  13156369 73636F39 30302E63 6973636F 3930302E 636F6D30 819F300D 06092A86
  4886F70D 01010105 0003818D 00308189 02818100 8455B1EF DDC5DF88 E4D5091B
  92C63762 34CFCCAD D736376D 8FA4F9C4 F5C05FE3 750F623F 6FFA4CF7 D9960432
  931EB086 C3B100BB 74C90D18 5CAEF069 2DE72234 EE911C1A 5C15498D 3F8D988B
  D6CFB73D 882D4635 91E5D540 C4FA62E3 E7559D69 C49023C9 DEB27927 A7433171
  BE7B7D69 CEB5741D 573B26AD 27026B1C 85AF835F 02030100 01A38201 82308201
  7E300B06 03551D0F 04040302 05A0301D 0603551D 0E041604 1414BD1F 2A27D537
  FC92C81C C1919772 DB15AE19 09301F06 03551D23 04183016 80145EFB 7EDC6795
  00CEAD58 F96E3E82 B119A2F9 4DEB3053 0603551D 1F044C30 4A3048A0 46A04486
  1F687474 703A2F2F 63657274 2F436572 74456E72 6F6C6C2F 63657274 2E63726C
  86216669 6C653A2F 2F5C5C63 6572745C 43657274 456E726F 6C6C5C63 6572742E
  63726C30 7406082B 06010505 07010104 68306630 3006082B 06010505 07300286
  24687474 703A2F2F 63657274 2F436572 74456E72 6F6C6C2F 63657274 5F636572
  742E6372 74303206 082B0601 05050730 02862666 696C653A 2F2F5C5C 63657274
  5C436572 74456E72 6F6C6C5C 63657274 5F636572 742E6372 74302306 03551D11
  0101FF04 19301782 15636973 636F3930 302E6369 73636F39 30302E63 6F6D303F
  06092B06 01040182 37140204 321E3000 49005000 53004500 43004900 6E007400
  65007200 6D006500 64006900 61007400 65004F00 66006600 6C006900 6E006530
  0D06092A 864886F7 0D010105 05000382 01010050 F13B1BC4 DA3143D7 91B58BD1
  8490EF35 CEF8F080 37E6D62D A3F3474C 138EC2D6 19D94817 EDCDE4F4 7C638AC9
  51956038 984189CB 9F0EBAF9 FECF0434 0028F534 65F2EBC2 9BDCE952 71A14979
  4609D958 14C7ADC4 5340DDBD 784A8F12 A71FEA74 CC6CC6B2 5C1C673E 0903206C
  1B7AB2B3 CFF053D0 4F70D0C0 527A9C52 C68CED94 0404B65A BA79A6FD 4F09B9A2
  BA18E88F 6723429A 260DE77A 2E7F3386 889B7250 0289159A 17EFD6BC 551F38AF
  DA92C48A 4D9662ED 341A547D 0C86629A F411CA62 B2652349 26B910AC E6DE412C
  90AE2D7F F64425AF 5ADD7B43 B9E0D364 D0BC3789 1B652C43 803F2799 1F1026CA
  646E8F0F DDBC8D61 60AC3055 D42EA85D DA6F96
quit
certificate ca 4DB8E7F344319392444ADC1DFF12209B
  30820350 30820238 A0030201 0202104D B8E7F344 31939244 4ADC1DFF 12209B30
  0D06092A 864886F7 0D010105 0500300F 310D300B 06035504 03130463 65727430
  1E170D31 34303731 31313034 3431305A 170D3139 30373131 31303531 32395A30
  0F310D30 0B060355 04031304 63657274 30820122 300D0609 2A864886 F70D0101
  01050003 82010F00 3082010A 02820101 00A31734 F2C925EE 25015A31 9A1EA353
  9DBABA4E EB7B839E 5170F810 5AF9FE8D 132FE955 C0E7B500 4DE48838 D0A583D4
  7D9480E9 95C27430 1733F968 B2E0C31F 5EC77B63 6213C9EA 9856ED90 66910420
  41857EE5 9342EF7A DB06DF97 FC1821CA 0CE8EADD 1CAC81AF BEBEE09D 7274D819
  8C4DF21D 1A632DD3 08EA5489 5A9C1187 9DBD61EA 5C4BE321 8EDCBA80 A1B4AF91
  B4AA0A40 C5A49129 E87AC560 F7046608 9830EDF8 C80502EB 3D80C0DD 7BB1A9A9
  0E59EBB4 94960D38 4611851B 7C50F738 7C118F5A 9ECAE17F 98BFC4AC BF9C8180
  A86976C5 16E1BBE3 2E23DCC5 8BBD0F4B EA7C7CE7 C692D87C 167CA3E3 9A5F723B
  F65A827F 1FC45DB9 9991FA63 5693D6DD F5020301 0001A381 A73081A4 300B0603
  551D0F04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
  0E041604 145EFB7E DC679500 CEAD58F9 6E3E82B1 19A2F94D EB305306 03551D1F
  044C304A 3048A046 A044861F 68747470 3A2F2F63 6572742F 43657274 456E726F
  6C6C2F63 6572742E 63726C86 2166696C 653A2F2F 5C5C6365 72745C43 65727445
  6E726F6C 6C5C6365 72742E63 726C3010 06092B06 01040182 37150104 03020100
  300D0609 2A864886 F70D0101 05050003 82010100 8FB13DDF 32D56714 2A2D97FF
  59F8F46D FD4BFE5C 455D6BEB 96629987 EB4CB503 63ED6ED6 5CE149D5 0B04B19A
  8F34BD38 89B69FC7 87C1B672 8A376E9F DDC126E1 F77DB8B3 C39634C1 902D374D
  FA067950 D3EDD29B B530AF53 35CF1FF5 99CF5FA1 2A7D9901 7ACF5561 475D839C
  0832C548 30338250 225B6736 02F897A7 C7FF9B99 3BD7AA7A B52E5080 0E6B4184
  D1A08ACC 07FAB699 DBB9F972 668152D8 A6631039 5ACFBED6 EA05E454 B5932A86
  EE190F5D E6AF4B43 C3FBBFD3 5285F177 02885940 869D772F 9C075DD4 2BB37152
  A356B586 3C55EE79 9817F642 C4794AB2 4CBD08A0 B8541E3D D8390107 3B2D153E
  0465AABC 08B97A3F 13D42DF7 17C1B05B 4759F3F7
quit
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1632C5V8
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
username xxx privilege 0 password 7 xxx

!
redundancy
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group EZ_VPN_CLIENT
dns 8.8.8.8
domain abc.com
pool EZVPN_POOL
pfs
max-logins 5
netmask 255.255.255.0
banner ^C
heyyyyyyyyyyyyyyyyy
^C
crypto isakmp profile EZVPN_PROFILE
   self-identity fqdn
   ca trust-point win2003
   match identity group EZ_VPN_CLIENT
   isakmp authorization list AUTH
   client configuration address respond
!
!
crypto ipsec transform-set ESP_AES_256_SHA esp-aes 256 esp-sha-hmac
!
!
crypto dynamic-map EZVPN_MAP 10
set security-association lifetime seconds 28800
set transform-set ESP_AES_256_SHA
set pfs group2
set isakmp-profile EZVPN_PROFILE
reverse-route
!
!
!
crypto map VPN_MAP 65000 ipsec-isakmp dynamic EZVPN_MAP
!
!
!
!
!
i
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address zzzz 255.255.255.0
ip pim dense-mode
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN_MAP
!

!
ip local pool PPTP 10.11.12.1 10.11.12.100
ip local pool VPN_CLIENT_POOL 192.168.20.200 192.168.20.210
ip local pool EZVPN_POOL 172.16.100.32 172.16.100.63
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!

!
ip access-list extended EZVPN_ST_ACL
permit ip 172.16.32.0 0.0.0.255 any

!
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
!
!
!
!

!

cisco900# 
=============================

Here is some verification of my certificates on the router:

cisco900#
cisco900#
cisco900#sho crypto pki certificates verbose
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 111C4AA0000000000011
  Certificate Usage: General Purpose
  Issuer: 
    cn=cert
  Subject:
    Name: cisco900.cisco900.com
    Serial Number: FCZ1632C5V8
    hostname=cisco900.cisco900.com
    serialNumber=FCZ1632C5V8
  CRL Distribution Points: 
    http://cert/CertEnroll/cert.crl
  Validity Date: 
    start date: 15:49:06 UTC Jul 11 2014
    end   date: 15:59:06 UTC Jul 11 2015
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: 46027481 691F481C D2FAA9CB 468D075E 
  Fingerprint SHA1: 38F97C00 689F56FA D3619AD1 55450A5F 771875FE 
  X509v3 extensions:
    X509v3 Key Usage: A0000000
      Digital Signature
      Key Encipherment
    X509v3 Subject Key ID: 14BD1F2A 27D537FC 92C81CC1 919772DB 15AE1909 
    X509v3 Subject Alternative Name:
        cisco900.cisco900.com
    X509v3 Authority Key ID: 5EFB7EDC 679500CE AD58F96E 3E82B119 A2F94DEB 
    Authority Info Access:
  Associated Trustpoints: win2003 
  Storage: nvram:cert#11.cer
  Key Label: cisco900.cisco900.com
  Key storage device: private config

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 4DB8E7F344319392444ADC1DFF12209B
  Certificate Usage: Signature
  Issuer: 
    cn=cert
  Subject: 
    cn=cert
  CRL Distribution Points: 
    http://cert/CertEnroll/cert.crl
  Validity Date: 
    start date: 10:44:10 UTC Jul 11 2014
    end   date: 10:51:29 UTC Jul 11 2019
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: CDDDE878 90927F76 657B3ADF E1CB5B0D 
  Fingerprint SHA1: D9925BC2 5D19FBB2 25E78B25 E4A85E82 FC29A02E 
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 5EFB7EDC 679500CE AD58F96E 3E82B119 A2F94DEB 
    X509v3 Basic Constraints:
        CA: TRUE
    Authority Info Access:
  Associated Trustpoints: win2003 
  Storage: nvram:cert#209BCA.cer

Router Self-Signed Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer: 
    cn=IOS-Self-Signed-Certificate-1296895960
  Subject:
    Name: IOS-Self-Signed-Certificate-1296895960
    cn=IOS-Self-Signed-Certificate-1296895960
  Validity Date: 
    start date: 03:47:43 UTC Feb 2 2014
    end   date: 00:00:00 UTC Jan 1 2020
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
  Signature Algorithm: SHA1 with RSA Encryption
  Fingerprint MD5: C4A5FA8A F94892D0 B786D359 804B996F 
  Fingerprint SHA1: 8745F674 0C73D562 35F771D9 CB976840 A43698E5 
  X509v3 extensions:
    X509v3 Subject Key ID: D3CA372B 7C53C7BD 65854CC5 4BA19919 EB09D43E 
    X509v3 Basic Constraints:
        CA: TRUE
    X509v3 Authority Key ID: D3CA372B 7C53C7BD 65854CC5 4BA19919 EB09D43E 
    Authority Info Access:
  Associated Trustpoints: TP-self-signed-1296895960 
  Storage: nvram:IOS-Self-Sig#2.cer


Certificate
  Subject:
    Name: cisco900.cisco900.com
   Status: Pending
   Key Usage: General Purpose
   Certificate Request Fingerprint MD5: 00000000 00000000 00000000 00000000 
   Certificate Request Fingerprint SHA1: 00000000 00000000 00000000 00000000 00000000 
   Associated Trustpoint: win2003 

cisco900# 
cisco900#
cisco900#
cisco900#
cisco900#sho crypto key mypubkey rsa
% Key pair was generated at: 03:47:43 UTC Feb 2 2014
Key name: TP-self-signed-1296895960
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00C2873A 
  3D854548 E041870A 64C08EF2 15DA6E77 B897D97B 4C051DB9 9F53BF99 07D29E48 
  79A60A84 D0D65978 23628955 B0526BEC 4412CDE4 7F6F1EA2 42BE2504 A38A6C42 
  E8B9CF82 5B12CCCA 51DB11CA EF652BFE 055213AB 25ED4E17 E52FE183 7B1C734C 
  893BA216 F479D1E5 581987B1 12D5961F 6222E42C 70EBAEF0 966EBB86 4D020301 0001
% Key pair was generated at: 20:18:15 UTC Jul 6 2014
Key name: key-set-1
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00D0EDBE 
  1BB275A4 7800C7C7 FD064DE3 7599D016 C3C828B2 BBC97431 3B749009 77852E9D 
  3B055386 A1CE06AA 384EC3C2 F11430FA 2E3A9701 EFC63A5D 5AB53FEA 21231A15 
  AA84EF20 F2312BEB 00EAF7DA 6D8D6082 4888CD79 8BEA2502 E45D6455 B3C76F2C 
  CDE83DEA 783F35F0 9D7D9D93 52BDCF32 0DEFF52A D2817BA8 6DDC9B2B 9D020301 0001
% Key pair was generated at: 14:38:33 UTC Jul 11 2014
Key name: cisco900.cisco900.com
Key type: RSA KEYS
Storage Device: private-config
Usage: General Purpose Key
Key is not exportable.
Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 008455B1 
  EFDDC5DF 88E4D509 1B92C637 6234CFCC ADD73637 6D8FA4F9 C4F5C05F E3750F62 
  3F6FFA4C F7D99604 32931EB0 86C3B100 BB74C90D 185CAEF0 692DE722 34EE911C 
  1A5C1549 8D3F8D98 8BD6CFB7 3D882D46 3591E5D5 40C4FA62 E3E7559D 69C49023 
  C9DEB279 27A74331 71BE7B7D 69CEB574 1D573B26 AD27026B 1C85AF83 5F020301 0001
% Key pair was generated at: 19:56:29 UTC Jul 11 2014
Key name: TP-self-signed-1296895960.server
Key type: RSA KEYS
Temporary key
Usage: Encryption Key
Key is not exportable.
Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00EB3AD7 13D30788 
  3A4FC63C 960DE5DE 65A137BC FB533042 936E0F8E 8E869A74 F346DC92 732F08E5 
  E7AA58B8 F6D6184F FEF739CC 574EB98B E4BFA828 BED54D2B F22F203D 1370BCCF 
  44E4C22D 6BE6F9A0 A3AB49D6 009F85F4 B4A3464F E8C7BD96 01020301 0001
cisco900# 

===========================

Is there anything wrong on the router??

Any suggestions, any help??!!!

7 Replies

Marcin Latosiewicz
Cisco Employee

CA request failed! <--- problem reaching or getting a valid response from CA. 

I bet ya it's your CRL. 

Have a look at your CDP 

            X509v3 CRL Distribution Points: 

                URI:http://cert/CertEnroll/cert.crl <--- how does the router know what "cert" is? Use an IP address or FQDN (ideally). And make sure DNS resolution works. 

                URI:file://\\cert\CertEnroll\cert.crl <---- you do not want to keep this one, I guess?

 

Get the certs in order or disable CRL checking. 
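Added example, my own code rather than anything from the thread or from Cisco: a dependency-free DER walker that pulls the CRL Distribution Point URIs out of the identity certificate the router printed above (the hex of the `crypto pki certificate chain win2003` block is embedded verbatim) and then reports, per URI, whether the scheme is one the router can fetch over the network and whether the host part resolves. The function names `crl_distribution_points` and `audit_cdp` and the injectable `resolver` parameter are my choices. On the thread's certificate it recovers exactly the two CDPs quoted above: `http://cert/CertEnroll/cert.crl`, whose host `cert` has to resolve on the router (the posted config only has `ip host` entries for win2008 and win2003), and `file://\\cert\CertEnroll\cert.crl`, which names no network host at all.

```python
import socket

# Hex DER of the router's identity certificate, copied verbatim from the thread's
# "crypto pki certificate chain win2003" block; "cert" inside it is the CDP host.
IDENTITY_CERT_HEX = """
308203CF 308202B7 A0030201 02020A11 1C4AA000 00000000 11300D06 092A8648
86F70D01 01050500 300F310D 300B0603 55040313 04636572 74301E17 0D313430
37313131 35343930 365A170D 31353037 31313135 35393036 5A303C31 14301206
03550405 130B4643 5A313633 32433556 38312430 2206092A 864886F7 0D010902
13156369 73636F39 30302E63 6973636F 3930302E 636F6D30 819F300D 06092A86
4886F70D 01010105 0003818D 00308189 02818100 8455B1EF DDC5DF88 E4D5091B
92C63762 34CFCCAD D736376D 8FA4F9C4 F5C05FE3 750F623F 6FFA4CF7 D9960432
931EB086 C3B100BB 74C90D18 5CAEF069 2DE72234 EE911C1A 5C15498D 3F8D988B
D6CFB73D 882D4635 91E5D540 C4FA62E3 E7559D69 C49023C9 DEB27927 A7433171
BE7B7D69 CEB5741D 573B26AD 27026B1C 85AF835F 02030100 01A38201 82308201
7E300B06 03551D0F 04040302 05A0301D 0603551D 0E041604 1414BD1F 2A27D537
FC92C81C C1919772 DB15AE19 09301F06 03551D23 04183016 80145EFB 7EDC6795
00CEAD58 F96E3E82 B119A2F9 4DEB3053 0603551D 1F044C30 4A3048A0 46A04486
1F687474 703A2F2F 63657274 2F436572 74456E72 6F6C6C2F 63657274 2E63726C
86216669 6C653A2F 2F5C5C63 6572745C 43657274 456E726F 6C6C5C63 6572742E
63726C30 7406082B 06010505 07010104 68306630 3006082B 06010505 07300286
24687474 703A2F2F 63657274 2F436572 74456E72 6F6C6C2F 63657274 5F636572
742E6372 74303206 082B0601 05050730 02862666 696C653A 2F2F5C5C 63657274
5C436572 74456E72 6F6C6C5C 63657274 5F636572 742E6372 74302306 03551D11
0101FF04 19301782 15636973 636F3930 302E6369 73636F39 30302E63 6F6D303F
06092B06 01040182 37140204 321E3000 49005000 53004500 43004900 6E007400
65007200 6D006500 64006900 61007400 65004F00 66006600 6C006900 6E006530
0D06092A 864886F7 0D010105 05000382 01010050 F13B1BC4 DA3143D7 91B58BD1
8490EF35 CEF8F080 37E6D62D A3F3474C 138EC2D6 19D94817 EDCDE4F4 7C638AC9
51956038 984189CB 9F0EBAF9 FECF0434 0028F534 65F2EBC2 9BDCE952 71A14979
4609D958 14C7ADC4 5340DDBD 784A8F12 A71FEA74 CC6CC6B2 5C1C673E 0903206C
1B7AB2B3 CFF053D0 4F70D0C0 527A9C52 C68CED94 0404B65A BA79A6FD 4F09B9A2
BA18E88F 6723429A 260DE77A 2E7F3386 889B7250 0289159A 17EFD6BC 551F38AF
DA92C48A 4D9662ED 341A547D 0C86629A F411CA62 B2652349 26B910AC E6DE412C
90AE2D7F F64425AF 5ADD7B43 B9E0D364 D0BC3789 1B652C43 803F2799 1F1026CA
646E8F0F DDBC8D61 60AC3055 D42EA85D DA6F96
"""
IDENTITY_CERT = bytes.fromhex("".join(IDENTITY_CERT_HEX.split()))
CRL_DP_OID = "2.5.29.31"  # id-ce-cRLDistributionPoints

def _tlv(data, pos):  # decode one DER tag-length-value at pos -> (tag, value, next pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(value):  # (tag, value) of each element directly inside a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def _oid(value):  # OBJECT IDENTIFIER value -> dotted-decimal string
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends one base-128 arc
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def _uris(value):
    """Collect every GeneralName uniformResourceIdentifier ([6] = tag 0x86) below value."""
    found = []
    for tag, inner in _children(value):
        if tag == 0x86:
            found.append(inner.decode("ascii"))
        elif tag & 0x20:  # constructed: descend
            found.extend(_uris(inner))
    return found

def crl_distribution_points(cert_der):
    """Return the CRL Distribution Point URIs of a DER X.509 certificate ([] if none)."""
    _, certificate, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(certificate, 0)               # tbsCertificate
    for tag, inner in _children(tbs):
        if tag != 0xA3:                            # extensions [3] EXPLICIT
            continue
        _, ext_list = next(_children(inner))       # SEQUENCE OF Extension
        for _, ext in _children(ext_list):
            fields = list(_children(ext))          # extnID, [critical], extnValue
            if _oid(fields[0][1]) == CRL_DP_OID:
                return _uris(fields[-1][1])        # extnValue OCTET STRING wraps the DER
    return []

def audit_cdp(cert_der, resolver=socket.gethostbyname):
    """Per CDP URI: is there a network host to fetch from, and does it resolve? (resolver is injectable for offline use.)"""
    report = []
    for uri in crl_distribution_points(cert_der):
        scheme, _, rest = uri.partition(":")
        if scheme.lower() not in ("http", "https", "ldap"):
            report.append((uri, "unusable: scheme %r gives the router no host to fetch from" % scheme))
            continue
        host = rest.lstrip("/").split("/", 1)[0].split(":", 1)[0]
        try:
            resolver(host)
            report.append((uri, "host %r resolves" % host))
        except OSError:
            report.append((uri, "host %r does not resolve: fix DNS/ip host or re-issue with a FQDN/IP CDP" % host))
    return report
```

Run `audit_cdp(IDENTITY_CERT)` with the default resolver from a host that shares the router's DNS view to see whether `cert` resolves there; the fallback Marcin names, disabling CRL checking on the trustpoint (`revocation-check none`, as the self-signed trustpoint in the posted config already has), removes the fetch altogether.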
I'm sorry to say that,

before you replied to me above... I removed all the VPN config and removed the certificates in NVRAM.

Now again, I'm trying to get back the same config.

I issued a new CA and new identity certificate on the router.

But now it still doesn't work, and now when I debug ipsec it only says:

Jul 13 13:01:10.805: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jul 13 13:01:20.017: IPSEC(key_engine): got a queue event with 1 KMI message(s)

Did I do something wrong when I deleted the certificates from NVRAM and from the running config??

Hope you can help!!


I don't think you've done anything wrong ... let's get some more debugs ;-)

debug crypto isakmp 

debug cry pki m 

debug cry pki t 

debug cry pki v

 

intel#
intel#
intel#
Jul 13 13:58:02.673: ISAKMP (0): received packet from 176.58.66.1 dport 500 sport 13359 Global (N) NEW SA
Jul 13 13:58:02.673: ISAKMP: Created a peer struct for 176.58.66.1, peer port 13359
Jul 13 13:58:02.673: ISAKMP: New peer created peer = 0x2BCFF128 peer_handle = 0x80000061
Jul 13 13:58:02.673: ISAKMP: Locking peer struct 0x2BCFF128, refcount 1 for crypto_isakmp_process_block
Jul 13 13:58:02.673: ISAKMP: local port 500, remote port 13359
Jul 13 13:58:02.673: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 30734A20
Jul 13 13:58:02.673: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 13 13:58:02.673: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1 

Jul 13 13:58:02.673: ISAKMP:(0): processing SA payload. message ID = 0
Jul 13 13:58:02.673: ISAKMP:(0): processing vendor id payload
Jul 13 13:58:02.673: ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
Jul 13 13:58:02.673: ISAKMP:(0): vendor ID is XAUTH
Jul 13 13:58:02.673: ISAKMP:(0): processing vendor id payload
Jul 13 13:58:02.673: ISAKMP:(0): vendor ID is DPD
Jul 13 13:58:02.673: ISAKMP:(0): processing vendor id payload
Jul 13 13:58:02.673: ISAKMP:(0): processing IKE frag vendor id payload
Jul 13 13:58:02.673: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jul 13 13:58:02.673: ISAKMP:(0): processing vendor id payload
Jul 13 13:58:02.673: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jul 13 13:58:02.673: ISAKMP:(0): vendor ID is NAT-T v2
Jul 13 13:58:02.673: ISAKMP:(0): processing vendor id payload
Jul 13 13:58:02.673: ISAKMP:(0): vendor ID is Unity
Jul 13 13:58:02.673: ISAKMP : Scanning profiles for xauth ... EZVPN_PROFILE
Jul 13 13:58:02.673: ISAKMP:(0): IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 176.58.66.1)
Jul 13 13:58:02.673: ISAKMP:(0): PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 176.58.66.1)
Jul 13 13:58:02.673: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Jul 13 13:58:02.673: ISAKMP:      encryption AES-CBC
Jul 13 13:58:02.673: ISAKMP:      hash SHA
Jul 13 13:58:02.673: ISAKMP:      default group 5
Jul 13 13:58:02.673: ISAKMP:      auth XAUTHInitRSA
Jul 13 13:58:02.673: ISAKMP:      life type in seconds
Jul 13 13:58:02.673: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
Jul 13 13:58:02.673: ISAKMP:      keylength of 256
Jul 13 13:58:02.673: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!
Jul 13 13:58:02.673: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 13 13:58:02.673: ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
Jul 13 13:58:02.673: ISAKMP:      encryption AES-CBC
Jul 13 13:58:02.673: ISAKMP:      hash MD5
Jul 13 13:58:02.673: ISAKMP:      default group 5
Jul 13 13:58:02.673: ISAKMP:      auth XAUTHInitRSA
Jul 13 13:58:02.673: ISAKMP:      life type in seconds
Jul 13 13:58:02.673: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
Jul 13 13:58:02.673: ISAKMP:      keylength of 256
Jul 13 13:58:02.673: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 13 13:58:02.673: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 13 13:58:02.673: ISAKMP:(0):Checking ISAKMP transform 3 against priority 10 policy
Jul 13 13:58:02.673: ISAKMP:      encryption AES-CBC
Jul 13 13:58:02.673: ISAKMP:      hash SHA
Jul 13 13:58:02.673: ISAKMP:      default group 5
Jul 13 13:58:02.673: ISAKMP:      auth RSA sig
Jul 13 13:58:02.673: ISAKMP:      life type in seconds
Jul 13 13:58:02.673: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
Jul 13 13:58:02.673: ISAKMP:      keylength of 256
Jul 13 13:58:02.673: ISAKMP:(0):Diffie-Hellman group offered does not match policy!
Jul 13 13:58:02.673: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 13 13:58:02.673: ISAKMP:(0):Checking ISAKMP transform 4 against priority 10 policy
Jul 13 13:58:02.673: ISAKMP:      encryption AES-CBC
Jul 13 13:58:02.673: ISAKMP:      hash MD5
Jul 13 13:58:02.673: ISAKMP:      default group 5
Jul 13 13:58:02.673: ISAKMP:      auth RSA sig
Jul 13 13:58:02.673: ISAKMP:      life type in seconds
Jul 13 13:58:02.673: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
Jul 13 13:58:02.673: ISAKMP:      keylength of 256
Jul 13 13:58:02.673: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 13 13:58:02.673: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 13 13:58:02.673: ISAKMP:(0):Checking ISAKMP transform 5 against priority 10 policy
Jul 13 13:58:02.673: ISAKMP:      encryption AES-CBC
Jul 13 13:58:02.673: ISAKMP:      hash SHA
Jul 13 13:58:02.673: ISAKMP:      default group 2
Jul 13 13:58:02.673: ISAKMP:      auth XAUTHInitRSA
Jul 13 13:58:02.673: ISAKMP:      life type in seconds
Jul 13 13:58:02.673: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
Jul 13 13:58:02.673: ISAKMP:      keylength of 256
Jul 13 13:58:02.673: ISAKMP:(0):Xauth authentication by RSA offered but does not match policy!
Jul 13 13:58:02.677: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 13 13:58:02.677: ISAKMP:(0):Checking ISAKMP transform 6 against priority 10 policy
Jul 13 13:58:02.677: ISAKMP:      encryption AES-CBC
Jul 13 13:58:02.677: ISAKMP:      hash MD5
Jul 13 13:58:02.677: ISAKMP:      default group 2
Jul 13 13:58:02.677: ISAKMP:      auth XAUTHInitRSA
Jul 13 13:58:02.677: ISAKMP:      life type in seconds
Jul 13 13:58:02.677: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
Jul 13 13:58:02.677: ISAKMP:      keylength of 256
Jul 13 13:58:02.677: ISAKMP:(0):Hash algorithm offered does not match policy!
Jul 13 13:58:02.677: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jul 13 13:58:02.677: ISAKMP:(0):Checking ISAKMP transform 7 against priority 10 policy
Jul 13 13:58:02.677: ISAKMP:      encryption AES-CBC
Jul 13 13:58:02.677: ISAKMP:      hash SHA
Jul 13 13:58:02.677: ISAKMP:      default group 2
Jul 13 13:58:02.677: ISAKMP:      auth RSA sig
Jul 13 13:58:02.677: ISAKMP:      life type in seconds
Jul 13 13:58:02.677: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B 
Jul 13 13:58:02.677: ISAKMP:      keylength of 256
Jul 13 13:58:02.677: ISAKMP:(0):atts are acceptable. Next payload is 3
Jul 13 13:58:02.677: ISAKMP:(0):Acceptable atts:actual life: 86400
Jul 13 13:58:02.677: ISAKMP:(0):Acceptable atts:life: 0
Jul 13 13:58:02.677: ISAKMP:(0):Fill atts in sa vpi_length:4
Jul 13 13:58:02.677: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
Jul 13 13:58:02.677: ISAKMP:(0): IKE->PKI Start PKI Session state (R) MM_NO_STATE (peer 176.58.66.1)
Jul 13 13:58:02.677: CRYPTO_PKI: Identity not specified for session A0642
Jul 13 13:58:02.677: ISAKMP:(0): PKI->IKE Started PKI Session state (R) MM_NO_STATE (peer 176.58.66.1)
Jul 13 13:58:02.677: ISAKMP:(0):Returning Actual lifetime: 86400
Jul 13 13:58:02.677: ISAKMP:(0)::Started lifetime timer: 86400.

Jul 13 13:58:02.677: ISAKMP:(0): vendor ID is NAT-T v2
Jul 13 13:58:02.677: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 13 13:58:02.677: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1 

Jul 13 13:58:02.677: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jul 13 13:58:02.677: ISAKMP:(0): sending packet to 176.58.66.1 my_port 500 peer_port 13359 (R) MM_SA_SETUP
Jul 13 13:58:02.677: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jul 13 13:58:02.677: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 13 13:58:02.677: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM2 

Jul 13 13:58:02.841: ISAKMP (0): received packet from 176.58.66.1 dport 500 sport 13359 Global (R) MM_SA_SETUP
Jul 13 13:58:02.841: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 13 13:58:02.841: ISAKMP:(0):Old State = IKE_R_MM2  New State = IKE_R_MM3 

Jul 13 13:58:02.841: ISAKMP:(0): processing KE payload. message ID = 0
Jul 13 13:58:02.869: ISAKMP:(0): processing NONCE payload. message ID = 0
Jul 13 13:58:02.869: ISAKMP:received payload type 20
Jul 13 13:58:02.869: ISAKMP (1086): His hash no match - this node outside NAT
Jul 13 13:58:02.869: ISAKMP:received payload type 20
Jul 13 13:58:02.869: ISAKMP (1086): His hash no match - this node outside NAT
Jul 13 13:58:02.869: ISAKMP:(1086):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 13 13:58:02.869: ISAKMP:(1086):Old State = IKE_R_MM3  New State = IKE_R_MM3 

Jul 13 13:58:02.869: ISAKMP:(1086): IKE->PKI Get configured TrustPoints state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:02.869: ISAKMP:(1086): PKI->IKE Got configured TrustPoints state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:02.869: ISAKMP:(1086): IKE->PKI Get IssuerNames state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:02.869: ISAKMP:(1086): PKI->IKE Got IssuerNames state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:02.869: ISAKMP (1086): constructing CERT_REQ for issuer cn=cert
Jul 13 13:58:02.869: ISAKMP:(1086): sending packet to 176.58.66.1 my_port 500 peer_port 13359 (R) MM_KEY_EXCH
Jul 13 13:58:02.869: ISAKMP:(1086):Sending an IKE IPv4 Packet.
Jul 13 13:58:02.869: ISAKMP:(1086):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 13 13:58:02.869: ISAKMP:(1086):Old State = IKE_R_MM3  New State = IKE_R_MM4 

Jul 13 13:58:03.105: ISAKMP (1086): received packet from 176.58.66.1 dport 4500 sport 13360 Global (R) MM_KEY_EXCH
Jul 13 13:58:03.105: ISAKMP:(1086):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 13 13:58:03.105: ISAKMP:(1086):Old State = IKE_R_MM4  New State = IKE_R_MM5 

Jul 13 13:58:03.105: ISAKMP:(1086): processing ID payload. message ID = 0
Jul 13 13:58:03.105: ISAKMP (1086): ID payload 
        next-payload : 6
        type         : 9 
        Dist. name   : cn=v 
        protocol     : 17 
        port         : 0 
        length       : 22
Jul 13 13:58:03.105: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 13 13:58:03.105: ISAKMP:(0):: peer matches *none* of the profiles
Jul 13 13:58:03.105: ISAKMP:(1086): processing CERT payload. message ID = 0
Jul 13 13:58:03.105: ISAKMP (1086): processing a CT_PKCS7_WRAPPED_X509 cert
Jul 13 13:58:03.105: ISAKMP:(1086): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.105: CRYPTO_PKI: Adding peer certificate
Jul 13 13:58:03.105: ../cert-c/source/certobj.c(853) : E_INPUT_DATA : invalid encoding format for input data
Jul 13 13:58:03.105: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): BER/DER decoding of certificate has failed
Jul 13 13:58:03.105: CRYPTO_PKI: Adding peer certificate as x509 failed
Jul 13 13:58:03.105: CRYPTO_PKI: Trying peer certificate as a PKCS7
Jul 13 13:58:03.109: The PKCS #7 message has 2 certs.
Jul 13 13:58:03.109: CRYPTO_PKI: Added x509 peer certificate - (852) bytes
Jul 13 13:58:03.113: CRYPTO_PKI: Added x509 peer certificate - (1013) bytes
Jul 13 13:58:03.113: ISAKMP:(1086): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.113: ISAKMP:(1086): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.113: ISAKMP:(1086): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.113: ISAKMP:(1086): peer's pubkey is cached
Jul 13 13:58:03.113: ISAKMP:(1086): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.113: CRYPTO_PKI: ip-ext-val: IP extension validation not required
Jul 13 13:58:03.113: CRYPTO_PKI: validation path has 1 certs

Jul 13 13:58:03.113: CRYPTO_PKI: Check for identical certs
Jul 13 13:58:03.113: CRYPTO_PKI: Create a list of suitable trustpoints
Jul 13 13:58:03.113: CRYPTO_PKI: Found a issuer match
Jul 13 13:58:03.113: CRYPTO_PKI: Suitable trustpoints are: now,
Jul 13 13:58:03.113: CRYPTO_PKI: Attempting to validate certificate using now
Jul 13 13:58:03.113: CRYPTO_PKI: Using now to validate certificate
Jul 13 13:58:03.113:  CRYPTO_PKI: Deleting cached key having key id 98
Jul 13 13:58:03.113:  CRYPTO_PKI: Attempting to insert the peer's public key into cache
Jul 13 13:58:03.113:  CRYPTO_PKI:Peer's public inserted successfully with key id 99
Jul 13 13:58:03.121:  CRYPTO_PKI: Expiring peer's cached key with key id 99
Jul 13 13:58:03.121: CRYPTO_PKI: Certificate is verified
Jul 13 13:58:03.121: CRYPTO_PKI: Checking certificate revocation
Jul 13 13:58:03.125: CRYPTO_PKI: Starting CRL revocation
Jul 13 13:58:03.125:  CRYPTO_PKI: Deleting cached key having key id 99
Jul 13 13:58:03.125:  CRYPTO_PKI: Attempting to insert the peer's public key into cache
Jul 13 13:58:03.125:  CRYPTO_PKI:Peer's public inserted successfully with key id 100
Jul 13 13:58:03.133:  CRYPTO_PKI: Expiring peer's cached key with key id 100
Jul 13 13:58:03.133: CRYPTO_PKI: Certificate validated
Jul 13 13:58:03.133: CRYPTO_PKI: chain cert was anchored to trustpoint now, and chain validation result was: CRYPTO_VALID_CERT
Jul 13 13:58:03.133: CRYPTO_PKI: Validation TP is now
Jul 13 13:58:03.133: CRYPTO_PKI: Certificate validation succeeded
Jul 13 13:58:03.133: ISAKMP:(1086): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.145: ISAKMP:(1086): Unable to get DN from certificate!
Jul 13 13:58:03.145: ISAKMP:(1086): Cert presented by peer contains no OU field.
Jul 13 13:58:03.145: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 13 13:58:03.145: ISAKMP:(0):: peer matches *none* of the profiles
Jul 13 13:58:03.145: ISAKMP:(1086): processing CERT_REQ payload. message ID = 0
Jul 13 13:58:03.145: ISAKMP:(1086): peer wants a CT_X509_SIGNATURE cert
Jul 13 13:58:03.145: ISAKMP:(1086): peer wants cert issued by cn=cert
Jul 13 13:58:03.145: CRYPTO_PKI: Trust-Point now picked up
Jul 13 13:58:03.145: CRYPTO_PKI: 1 matching trustpoints found
Jul 13 13:58:03.145: CRYPTO_PKI: Identity selected (now) for session B0643
Jul 13 13:58:03.145:  Choosing trustpoint now as issuer
Jul 13 13:58:03.145: CRYPTO_PKI: unlocked trustpoint now, refcount is 7
Jul 13 13:58:03.145: CRYPTO_PKI: locked trustpoint now, refcount is 8
Jul 13 13:58:03.145: CRYPTO_PKI: Identity bound (now) for session A0642
Jul 13 13:58:03.145: ISAKMP:(1086): processing SIG payload. message ID = 0
Jul 13 13:58:03.157: ISAKMP:(1086): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 0x30734A20
Jul 13 13:58:03.157: ISAKMP:(1086):SA authentication status:
        authenticated
Jul 13 13:58:03.157: ISAKMP:(1086):SA has been authenticated with 176.58.66.1
Jul 13 13:58:03.157: ISAKMP:(1086):Detected port floating to port = 13360
Jul 13 13:58:03.157: ISAKMP: Trying to find existing peer 85.252.160.200/176.58.66.1/13360/
Jul 13 13:58:03.157: ISAKMP:(1086):SA authentication status:
        authenticated
Jul 13 13:58:03.157: ISAKMP:(1086): Process initial contact,
bring down existing phase 1 and 2 SA's with local 85.252.160.200 remote 176.58.66.1 remote port 13360
Jul 13 13:58:03.157: ISAKMP: Trying to insert a peer 85.252.160.200/176.58.66.1/13360/,  and inserted successfully 2BCFF128.
Jul 13 13:58:03.157: ISAKMP:(1086):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jul 13 13:58:03.157: ISAKMP:(1086):Old State = IKE_R_MM5  New State = IKE_R_MM5 

Jul 13 13:58:03.157: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jul 13 13:58:03.157: ISAKMP:(1086): IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.157: ISAKMP:(1086): PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.157: ISAKMP:(1086):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Jul 13 13:58:03.157: ISAKMP:(1086):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Jul 13 13:58:03.157: ISAKMP (1086): ID payload 
        next-payload : 6
        type         : 1 
        address      : 85.252.160.200 
        protocol     : 17 
        port         : 0 
        length       : 12
Jul 13 13:58:03.157: ISAKMP:(1086):Total payload length: 12
Jul 13 13:58:03.157: ISAKMP:(1086): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.157: ISAKMP:(1086): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.157: ISAKMP (1086): unable to build cert chain
Jul 13 13:58:03.157: ISAKMP (1086): FSM action returned error: 2
Jul 13 13:58:03.157: ISAKMP:(1086):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Jul 13 13:58:03.157: ISAKMP:(1086):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE 

Jul 13 13:58:08.357: ISAKMP (1086): received packet from 176.58.66.1 dport 4500 sport 13360 Global (R) MM_KEY_EXCH
Jul 13 13:58:08.357: ISAKMP:(1086): phase 1 packet is a duplicate of a previous packet.
Jul 13 13:58:08.357: ISAKMP:(1086): retransmitting due to retransmit phase 1
Jul 13 13:58:08.357: ISAKMP:(1086): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Jul 13 13:58:13.429: ISAKMP (1086): received packet from 176.58.66.1 dport 4500 sport 13360 Global (R) MM_KEY_EXCH
Jul 13 13:58:13.429: ISAKMP:(1086): phase 1 packet is a duplicate of a previous packet.
Jul 13 13:58:13.429: ISAKMP:(1086): retransmitting due to retransmit phase 1
Jul 13 13:58:13.429: ISAKMP:(1086): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Jul 13 13:58:18.497: ISAKMP (1086): received packet from 176.58.66.1 dport 4500 sport 13360 Global (R) MM_KEY_EXCH
Jul 13 13:58:18.497: ISAKMP:(1086): phase 1 packet is a duplicate of a previous packet.
Jul 13 13:58:18.497: ISAKMP:(1086): retransmitting due to retransmit phase 1
Jul 13 13:58:18.497: ISAKMP:(1086): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
Jul 13 13:58:23.517: ISAKMP (1086): received packet from 176.58.66.1 dport 4500 sport 13360 Global (R) MM_KEY_EXCH
Jul 13 13:58:23.517: ISAKMP: set new node -1313227518 to QM_IDLE      
Jul 13 13:58:23.517: ISAKMP (1086): received packet from 176.58.66.1 dport 4500 sport 13360 Global (R) MM_KEY_EXCH
Jul 13 13:58:23.517: ISAKMP (1086): received packet from 176.58.66.1 dport 4500 sport 13360 Global (R) MM_KEY_EXCH
Jul 13 13:58:23.517: ISAKMP (1086): received packet from 176.58.66.1 dport 4500 sport 13360 Global (R) MM_KEY_EXCH
Jul 13 13:58:23.517: ISAKMP (1086): received packet from 176.58.66.1 dport 4500 sport 13360 Global (R) MM_KEY_EXCH
Jul 13 13:58:23.517: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 176.58.66.1 to 85.252.160.200.
intel#

What's your opinion?

Something is wrong with the ID certificate.

Jul 13 13:58:03.157: ISAKMP:(1086):Unable to get router cert or routerdoes not have a cert: needed to find DN!  <---- no identity cert, or wrong certificate in IKE profile?
Jul 13 13:58:03.157: ISAKMP:(1086):SA is doing RSA signature authentication using id type ID_IPV4_ADDR
Jul 13 13:58:03.157: ISAKMP (1086): ID payload 
        next-payload : 6
        type         : 1 
        address      : 85.252.160.200 
        protocol     : 17 
        port         : 0 
        length       : 12
Jul 13 13:58:03.157: ISAKMP:(1086):Total payload length: 12
Jul 13 13:58:03.157: ISAKMP:(1086): IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.157: ISAKMP:(1086): PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 176.58.66.1)
Jul 13 13:58:03.157: ISAKMP (1086): unable to build cert chain  <---- indicating same as above. 
Jul 13 13:58:03.157: ISAKMP (1086): FSM action returned error: 2
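An added example, not part of this thread, that sorts ISAKMP/PKI debug lines like the ones quoted above into peer-side and router-side certificate findings so an operator knows which end to inspect first. The sample lines are constructed from the thread's output with documentation addresses, and the OU comment reflects IOS EZVPN behaviour, where `match identity group` is compared against the OU of the client certificate.

```python
import re

# Constructed sample, modelled on the debug lines quoted in this thread
# (peer address replaced with a documentation range; not live device output).
SAMPLE_DEBUG = """\
Jul 13 13:58:03.145: ISAKMP:(1086): Cert presented by peer contains no OU field.
Jul 13 13:58:03.145: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jul 13 13:58:03.145: ISAKMP:(0):: peer matches *none* of the profiles
Jul 13 13:58:03.157: ISAKMP:(1086):SA has been authenticated with 192.0.2.10
Jul 13 13:58:03.157: ISAKMP:(1086):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Jul 13 13:58:03.157: ISAKMP (1086): unable to build cert chain
Jul 13 13:58:03.157: ISAKMP (1086): FSM action returned error: 2
"""

# (pattern, which side of the tunnel the symptom points at, what it means)
RULES = [
    (r"contains no OU field", "peer",
     "client certificate has no OU, so 'match identity group' has nothing to match"),
    (r"matches \*none\* of the profiles", "peer",
     "peer identity matched no ISAKMP profile"),
    (r"Unable to get router cert", "router",
     "trustpoint named in the ISAKMP profile holds no usable identity certificate"),
    (r"unable to build cert chain", "router",
     "router cannot assemble its own identity + CA chain to send to the peer"),
]

def analyse(debug_text):
    """Classify an ISAKMP/PKI debug capture into peer-side and router-side findings."""
    report = {"peer_authenticated": False, "findings": [], "fsm_error": None}
    for line in debug_text.splitlines():
        if "SA has been authenticated" in line:
            report["peer_authenticated"] = True   # the peer's certificate was accepted
        m = re.search(r"FSM action returned error: (\d+)", line)
        if m:
            report["fsm_error"] = int(m.group(1))
        for pattern, side, meaning in RULES:
            if re.search(pattern, line):
                report["findings"].append((side, meaning))
    sides = {side for side, _ in report["findings"]}
    # A router-side failure blocks phase 1 even when the peer authenticated, so it comes first.
    if "router" in sides:
        report["verdict"] = "router identity certificate / trustpoint"
    elif "peer" in sides:
        report["verdict"] = "client certificate (OU vs group name)"
    else:
        report["verdict"] = "no certificate-related failure recognised"
    return report

if __name__ == "__main__":
    result = analyse(SAMPLE_DEBUG)
    print("peer authenticated:", result["peer_authenticated"])
    for side, meaning in result["findings"]:
        print(f"[{side}] {meaning}")
    print("look first at:", result["verdict"])
```

Feed it the output of `debug crypto isakmp` and `debug crypto pki transactions` captured from the router to get the same classification for a real session.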

Here is my running config:

!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authentication login AUTH local
aaa authentication ppp DRVIRUS local
aaa authorization exec default local 
aaa authorization network DRVIRUS local 
aaa authorization network VPN_CLIENT_GROUP local 
aaa authorization network AUTH local 
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip multicast-routing 
!
!         
ip domain name cbt.com
ip host cert xx.79.16
ip name-server 8.8.8.8
!         
multilink bundle-name authenticated
!         
v
!         
!
crypto pki trustpoint win2003
 revocation-check crl
!         
crypto pki trustpoint cert
 enrollment mode ra
 serial-number
 revocation-check crl
!
crypto pki trustpoint now
 enrollment mode ra
 enrollment url http://cert:80/certsrv/mscep/mscep.dll
 revocation-check crl
 rsakeypair now
!
!         
crypto pki certificate chain win2003
crypto pki certificate chain cert
crypto pki certificate chain now
 certificate 1ABDB172000000000019
        quit
 certificate ca 4DB8E7F344319392444ADC1DFF12209B
        quit
voice-card 0
!         
!
!         
!
!         
!
!         

!
!
redundancy
!
!         
!
!         

!         
crypto isakmp policy 10
 encr aes 256
 group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5
          
!
crypto isakmp client configuration group EZ_VPN_CLIENT
 dns 172.16.32.40
 domain abc.com
 pool EZVPN_POOL
 acl EZVPN_ST_ACL
 pfs
 max-logins 5
 netmask 255.255.255.0
 banner ^C
ddddddddddddddddddddddd
          
 ^C
crypto isakmp profile EZVPN_PROFILE
   self-identity fqdn
   ca trust-point now
   match identity group EZ_VPN_CLIENT
   isakmp authorization list AUTH
   client configuration address respond
!         
!
crypto ipsec transform-set ESP_AES_256_SHA esp-aes 256 esp-sha-hmac 
!
!         
crypto dynamic-map EZVPN_MAP 10
 set security-association lifetime seconds 28800
 set transform-set ESP_AES_256_SHA 
 set pfs group2
 set isakmp-profile EZVPN_PROFILE
 reverse-route
!
!         
!
crypto map VPN_MAP 65000 ipsec-isakmp dynamic EZVPN_MAP 
!
!         
!
!
interface GigabitEthernet0/0
 ip address 85.252.xxx 255.255.255.0
 crypto map VPN_MAP