02-10-2005 01:35 AM
I am trying to connect the VPN client 4.x to an IOS (12.2.8T) router using certificates. I can issue the router the certs and I can see all 4 of them (ra-sig, ra-enc, ca, and general) but when I try to connect using the client I get the following errors:
Feb 10 03:18:03: CRYPTO_PKI: can not set ca cert object.
Feb 10 03:18:03: CRYPTO_PKI: status = 65535: failed to get issuer name der from cert
Feb 10 03:18:03: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 10.19.1.204 is bad: CA request failed!
I am using Windows 2003 as the CA server with CEP installed, and have made sure my client has a valid certificate from the server.
Any ideas?
Thanks!!
Brian Mitchell
If you need it, here is my config
Building configuration...
Current configuration : 13262 bytes
!
! Last configuration change at 03:17:02 CST Thu Feb 10 2005
! NVRAM config last updated at 00:40:22 CST Thu Feb 10 2005
!
version 12.2
!
!
aaa new-model
!
!
aaa authentication login ClientAuth local
aaa authorization network ClientAuth local
aaa session-id common
!
username bmitchell password xxxx
!
crypto ca trustpoint CA1
enrollment mode ra
enrollment url http://10.19.1.20:80/certsrv/mscep/mscep.dll
serial-number none
ip-address Ethernet0/0.10
crl optional
crypto ca certificate chain CA1
certificate xxx
quit
certificate ra-sign xxx
quit
certificate ra-encrypt xxxx
quit
certificate ca xxxx
quit
!
crypto isakmp policy 1
encr 3des
hash md5
group 2
!
crypto isakmp client configuration group VPN
pool IPPool
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
!
crypto dynamic-map DM 10
set transform-set strong
!
!
crypto map BVPN client authentication list ClientAuth
crypto map BVPN isakmp authorization list ClientAuth
crypto map BVPN client configuration address respond
crypto map BVPN 10 ipsec-isakmp dynamic DM
!
!
!
!
!
interface Ethernet0/0.10
description Internal Network
encapsulation dot1Q 10
ip address 10.19.1.1 255.255.255.0
no ip proxy-arp
ip pim sparse-mode
no ip mroute-cache
crypto map BVPN
!
!
ip local pool IPPool 9.x.x.x.9.9.5
!
!
end
02-24-2005 03:53 PM
Uncheck the "Send CA Certificate Chain" box on the Authentication tab of the vpn client profile (Connection Entries >> Modify)
05-20-2005 09:59 AM
Hi Scott,
I'm deploying VPNs with digital certificates and fortunately everything is working just fine. However, one day I tried to enable the "Send CA Certificate Chain" feature and I couldn't connect to my VPN concentrator.
Is there any bug with this feature?
Maybe I have a misconception of what that check does.
I'll really appreciate it if you could send me a little note explaining why you recommended Brian to disable this feature.
Thanks in advance.
Omar
02-25-2005 07:32 AM
Also, make sure you have a CN=VPN on the certificate issued to a group VPN.
Good luck,
Sasa
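Two of the checks this thread turns on are both about the X.509 Name structure: the router's debug says it "failed to get issuer name der from cert", and Sasa's advice is that the subject of the certificate issued to group VPN must carry the group name. The following is an added example, not code from any poster or from Cisco: a stdlib-only Python decoder for a DER-encoded Name (usable on either the subject or the issuer) plus a helper that reports the CN and OU attributes. Sasa's post keys on CN; Cisco's Easy VPN Server documentation matches the group name against the client certificate's OU attribute, so the helper reports both rather than deciding for you. The sample subject bytes are constructed inline with the small encoder included here (the attribute values C=US, O=Example, OU=VPN, CN=client1 are invented for the demonstration and are not from the thread).

```python
"""Decode an X.509 Name (subject or issuer) from DER and report the
attributes an Easy VPN server may key its group lookup on (CN and OU).

Added example for illustration; stdlib only, no network or files needed.
"""

# Attribute type OIDs used in certificate subjects (RFC 5280 / X.520).
OIDS = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER/DER TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OID content bytes into dotted notation (first byte packs two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc has the high bit clear
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_name(der):
    """Parse a DER Name into an ordered list of (attribute, value) pairs.

    Name ::= SEQUENCE OF RelativeDistinguishedName
    RDN  ::= SET OF AttributeTypeAndValue (SEQUENCE { OID, value })
    """
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must start with a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        set_tag, rdn, pos = _read_tlv(body, pos)
        if set_tag != 0x31:
            raise ValueError("each RDN must be a SET")
        inner = 0
        while inner < len(rdn):
            seq_tag, atv, inner = _read_tlv(rdn, inner)
            if seq_tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            _, oid, p = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, p)
            dotted = _decode_oid(oid)
            # PrintableString and UTF8String values both decode as UTF-8 here.
            out.append((OIDS.get(dotted, dotted), val.decode("utf-8")))
    return out


def group_attributes(attrs):
    """Report the CN and OU values a VPN server might compare to its group name."""
    return {k: v for k, v in attrs if k in ("CN", "OU")}


# --- minimal DER encoder, only used to construct the sample input below ---

def _tlv(tag, value):
    if len(value) >= 128:
        raise ValueError("sample encoder supports short-form lengths only")
    return bytes([tag, len(value)]) + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return out


def encode_name(attrs):
    """Encode [(oid, text), ...] as a DER Name with one attribute per RDN."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x0C, text.encode())))
        for oid, text in attrs
    )
    return _tlv(0x30, rdns)


# Constructed sample subject (values invented for this example).
SAMPLE_SUBJECT = encode_name([
    ("2.5.4.6", "US"),
    ("2.5.4.10", "Example"),
    ("2.5.4.11", "VPN"),
    ("2.5.4.3", "client1"),
])

if __name__ == "__main__":
    attrs = decode_name(SAMPLE_SUBJECT)
    print(attrs)
    print(group_attributes(attrs))
```

On a real certificate you would feed `decode_name` the subject or issuer Name bytes extracted from the TBSCertificate; if the issuer Name does not parse as a well-formed SEQUENCE of SETs, that is the kind of condition the router's "failed to get issuer name der from cert" message describes. If the group attribute you expect (CN per Sasa, OU per Cisco's documentation) is missing from `group_attributes`, reissue the client certificate rather than changing the router.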