01-07-2009 02:18 PM
help required
I have set up a small network in my home lab to practice site-to-site VPN using certificates for authentication, but have run into problems.

The scenario is this: I have configured a Pix 515 running OS 7.0(5) (which represents a head office) with a DMZ on which resides a Windows 2000 server that has been configured as a stand-alone root CA, and a Cisco 1721 router running c1700-adventerprisek9-mz.123-18 (that represents a branch office). The idea is that both the Pix and the router obtain their root and identity certificates from the CA using the cut-and-paste method (I have tried using SCEP and doing it out of band as well). The router obtains its certificates over an encrypted tunnel; the tunnel initially uses pre-shared keys for authentication. Once the Pix and router have their certificates, their configs are changed and certificates are used for authentication.

Getting the certificates onto the router and the Pix was no problem. The problem is that when I try using certificates for authentication, the tunnel will not come up and I have no idea why.

I have included the configs for the router and Pix and the debug crypto isakmp output for the Pix as attachments.

Incidentally, I cannot get a site-to-site VPN between two routers using certificates to work either, but a site-to-site VPN between two Pixes running 7.0(5), with the remote Pix obtaining its certificates over an encrypted tunnel, works perfectly. I have included this setup in a file called pix-to-pix tunnel.

The site-to-site VPN between the two Cisco routers consists of:
1721 running c1700-adventerprisek9-mz.123-18
and
2621 running c2600-advsecurityk9-mz.124-1a

For the remote router (2621) I have tried certificate enrollment using SCEP, out of band, and over an encrypted tunnel. All methods allow me to obtain certificates, but I am unable to use them for authentication.

I would appreciate someone taking a look to help me try and figure out where the problem lies.

Regards
Melvyn Brown
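For readers following this thread, the configuration below is an added illustration of the setup the post describes, not the poster's attached configs (those attachments are not on the page). It shows the branch router (IOS) and the head-office Pix (7.0 syntax) after the switch from pre-shared keys to certificate authentication, using cut-and-paste (terminal) enrollment against the lab root CA. Hostnames, the trustpoint name LAB-CA, the key label, the addresses (RFC 5737 documentation ranges) and the protected networks are assumptions chosen for the example; on 12.3 mainline images the IOS trustpoint commands are spelled `crypto ca` rather than `crypto pki`.

```cisco
! ---- Branch 1721 (IOS 12.3/12.4 syntax; older 12.3 mainline spells these "crypto ca") ----
hostname branch-1721
ip domain-name lab.example
!
! Exec-mode steps done once, before the config below takes effect:
!   crypto key generate rsa general-keys label VPN-KEY modulus 1024
!   crypto pki authenticate LAB-CA        <- paste the root CA certificate (base64)
!   crypto pki enroll LAB-CA              <- prints the PKCS#10 request to submit to the CA
!   crypto pki import LAB-CA certificate  <- paste the issued identity certificate
!
crypto pki trustpoint LAB-CA
 enrollment terminal
 subject-name CN=branch-1721.lab.example,OU=branch
 revocation-check none
 rsakeypair VPN-KEY
!
! Phase 1: rsa-sig replaces the pre-shared key used during enrollment;
! the "crypto isakmp key ... address ..." line from that stage is removed.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication rsa-sig
 group 2
!
! Send the certificate's DN as the IKE identity rather than the IP address.
crypto isakmp identity dn
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.0
 crypto map VPNMAP

! ---- Head office Pix 515, 7.0(5) ----
hostname hq-pix
domain-name lab.example
!
! Exec-mode enrollment, same sequence as the router:
!   crypto key generate rsa label VPN-KEY modulus 1024
!   crypto ca authenticate LAB-CA
!   crypto ca enroll LAB-CA
!   crypto ca import LAB-CA certificate
!
crypto ca trustpoint LAB-CA
 enrollment terminal
 subject-name CN=hq-pix.lab.example,OU=hq
 crl nocheck
 keypair VPN-KEY
!
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp enable outside
!
access-list VPN-TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
crypto map VPNMAP 10 match address VPN-TRAFFIC
crypto map VPNMAP 10 set peer 203.0.113.2
crypto map VPNMAP 10 set transform-set TS
crypto map VPNMAP 10 set trustpoint LAB-CA
crypto map VPNMAP interface outside
!
! The L2L tunnel-group names the trustpoint whose certificate is presented;
! the "pre-shared-key" line used during enrollment is dropped from ipsec-attributes.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 trust-point LAB-CA
```

Before enabling the debugs, `show crypto pki certificates` (IOS) and `show crypto ca certificates` (Pix) confirm that each device holds both the CA certificate and its own identity certificate from the same trustpoint, and `show crypto isakmp sa` shows whether phase 1 reaches QM_IDLE once the map is applied.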
01-07-2009 02:24 PM
Hey Melvyn,
Refer to the following URL for a complete reference of the configurations with digital certificates.
BTW, you haven't sent the configs, debugs etc. Probably missed attaching them :)
Raj