VPN IOS router and client using certificates

MagellanTX
Level 1

I am trying to connect the VPN client 4.x to an IOS (12.2.8T) router using certificates. I can issue the router the certs and I can see all 4 of them (ra-sig, ra-enc, ca, and general) but when I try to connect using the client I get the following errors:

Feb 10 03:18:03: CRYPTO_PKI: can not set ca cert object.
Feb 10 03:18:03: CRYPTO_PKI: status = 65535: failed to get issuer name der from cert
Feb 10 03:18:03: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.19.1.204 is bad: CA request failed!

I am using Windows2003 as the CA server with CEP installed, and have made sure my client has a valid certificate from the server.

Any ideas?

Thanks!!

Brian Mitchell

If you need it, here is my config

Building configuration...

Current configuration : 13262 bytes
!
! Last configuration change at 03:17:02 CST Thu Feb 10 2005
! NVRAM config last updated at 00:40:22 CST Thu Feb 10 2005
!
version 12.2
!
!
aaa new-model
!
!
aaa authentication login ClientAuth local
aaa authorization network ClientAuth local
aaa session-id common
!
username bmitchell password xxxx
!
crypto ca trustpoint CA1
 enrollment mode ra
 enrollment url http://10.19.1.20:80/certsrv/mscep/mscep.dll
 serial-number none
 ip-address Ethernet0/0.10
 crl optional
crypto ca certificate chain CA1
 certificate xxx
 quit
 certificate ra-sign xxx
 quit
 certificate ra-encrypt xxxx
 quit
 certificate ca xxxx
 quit
!
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
!
crypto isakmp client configuration group VPN
 pool IPPool
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto dynamic-map DM 10
 set transform-set strong
!
!
crypto map BVPN client authentication list ClientAuth
crypto map BVPN isakmp authorization list ClientAuth
crypto map BVPN client configuration address respond
crypto map BVPN 10 ipsec-isakmp dynamic DM
!
!
!
!
!
interface Ethernet0/0.10
 description Internal Network
 encapsulation dot1Q 10
 ip address 10.19.1.1 255.255.255.0
 no ip proxy-arp
 ip pim sparse-mode
 no ip mroute-cache
 crypto map BVPN
!
!
ip local pool IPPool 9.x.x.x.9.9.5
!
!
end
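The three debug lines quoted in the post are the only evidence the router gives of why the client's certificate was rejected, and the CRYPTO_PKI lines that precede the %CRYPTO-5-IKMP_INVAL_CERT message are what actually explains the failure. The following parser is an added example written for this thread, not code from the original post or from Cisco: it reads IOS syslog text, attaches the preceding CRYPTO_PKI context to each IKMP_INVAL_CERT event, and counts rejections per peer so that repeated certificate failures from one address can be spotted in a log. The sample log is constructed from the lines in the post plus one unrelated %SYS-5-CONFIG_I line to show that non-PKI messages are ignored; the timestamp pattern also tolerates the optional leading asterisk and millisecond field that IOS adds when the clock is unsynchronised or `service timestamps log datetime msec` is set.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log: the three lines from the post plus an unrelated
# IOS message, to show that only PKI/IKE certificate events are collected.
SAMPLE_LOG = """\
Feb 10 03:18:03: CRYPTO_PKI: can not set ca cert object.
Feb 10 03:18:03: CRYPTO_PKI: status = 65535: failed to get issuer name der from cert
Feb 10 03:18:03: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.19.1.204 is bad: CA request failed!
Feb 10 03:19:10: %SYS-5-CONFIG_I: Configured from console by bmitchell on vty0
"""

# IOS timestamp: optional '*' (clock not authoritative), "Mon DD HH:MM:SS",
# optional ".mmm" when msec timestamps are enabled.
TIMESTAMP_RE = r"(?P<ts>\*?\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{3})?)"

# Low-level PKI debug line: "CRYPTO_PKI: <message>"
PKI_RE = re.compile(TIMESTAMP_RE + r": CRYPTO_PKI: (?P<msg>.*)$")

# IKE certificate rejection: "%CRYPTO-<sev>-IKMP_INVAL_CERT: Certificate
# received from <peer> is bad: <reason>"
INVAL_RE = re.compile(
    TIMESTAMP_RE
    + r": %CRYPTO-(?P<sev>\d)-IKMP_INVAL_CERT: Certificate received from "
    + r"(?P<peer>\d{1,3}(?:\.\d{1,3}){3}) is bad: (?P<reason>.*?)!?$"
)


@dataclass
class CertFailure:
    """One rejected IKE certificate, with the PKI debug lines that led to it."""
    timestamp: str
    peer: str
    reason: str
    pki_context: List[str]


def parse_cert_failures(log_text: str, window: int = 5) -> List[CertFailure]:
    """Collect IKMP_INVAL_CERT events and attach up to `window` preceding
    CRYPTO_PKI lines to each one. Any non-PKI line between them breaks the
    context, so stale debug output is not attributed to a later failure."""
    failures: List[CertFailure] = []
    pending: List[str] = []  # CRYPTO_PKI messages seen since the last reset
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PKI_RE.match(line)
        if m:
            pending.append(m.group("msg"))
            continue
        m = INVAL_RE.match(line)
        if m:
            failures.append(
                CertFailure(
                    timestamp=m.group("ts"),
                    peer=m.group("peer"),
                    reason=m.group("reason"),
                    pki_context=pending[-window:],
                )
            )
            pending = []
            continue
        # Unrelated message: drop any accumulated PKI context.
        pending = []
    return failures


def failures_by_peer(failures: List[CertFailure]) -> Dict[str, int]:
    """Count certificate rejections per peer address; a high count from a
    single address is the signal worth alerting on."""
    return dict(Counter(f.peer for f in failures))


if __name__ == "__main__":
    for f in parse_cert_failures(SAMPLE_LOG):
        print(f"{f.timestamp} peer={f.peer} reason={f.reason!r}")
        for ctx in f.pki_context:
            print(f"    PKI: {ctx}")
    print(failures_by_peer(parse_cert_failures(SAMPLE_LOG)))
```

On the post's own lines the parser reports one failure from 10.19.1.204 with reason "CA request failed" and two lines of PKI context, the second of which ("failed to get issuer name der from cert") is the detail that points at the issuer chain rather than at the client's end-entity certificate.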

3 Replies

scott.lake
Level 1

Uncheck the "Send CA Certificate Chain" box on the Authentication tab of the vpn client profile (Connection Entries >> Modify)

Hi Scott,

I’m deploying VPNs with digital certificates and fortunately everything is working just fine. However, one day I tried to enable the “send ca certificate chain” feature and I couldn’t connect to my VPN concentrator.

Is there any bug with this feature?

Maybe I have a misconception of what that check does.

I’ll really appreciate it if you could send me a little note explaining why you recommended Brian to disable this feature.

Thanks in advance.

Omar

sasa.rasovic
Level 1

Also, make sure you have a CN=VPN on the certificate issued to a group VPN.

Good luck,

Sasa