Hi there
Can anybody tell me how to properly configure the Microsoft CA with mscep? I intend to use it for IPSec VPN with VPN3000 and Cisco VPN Client, and it seems to me that there is something wrong with the parameters I used for the CA configuration.
At the moment, SCEP works for the VPN Client, but not for the VPN3000 (manually it works..., I changed the parameters approx. 1000 times...)
My Configuration:
VPN3000, Vers. 3.5.2, Rel. Feb. 2002
VPN Client, Vers. 3.5.2 (C)
W2K, CA, Engl.
MSCEP, 5.131.2195.1 (http://www.download.windowsupdate.com/msdownload/update/v3/static/RTF/en/3363.htm)
My CA Adv.Options:
CSP: Microsoft Base Crypt. Provider 1.0
Hash algorithm: SHA-1 (?) or better MD5 ???
Key length: 2048 (?)
Properties-Default Action: Always issue the certificate
MSCEP:
Challenge Phrase Options, Require SCEP Challenge Phrase to Enroll: YES (?)
Enrollment Adv.Options:
Signature Keys: 2048 (?)
Encryption Keys: 1024 (?)
My Questions:
- Are these parameters OK for VPN3000?
- Which fields in the CA, RA, and Client Request Identity Forms are best practice?
(Is it correct that the OU must match the VPN3000 Group Name?)
- In VPN3000, where do I have to configure the Challenge Phrase for MSCEP?
- Do I have to change anything in the IIS Access Rights for the "CertSrv, mscep"?
(Anonymous access=on, Integrated Windows authentication=off).
I would appreciate any help!