Cisco VPN client and 1721 router as IOS CA??

Has someone ever succeeded in getting a Cisco VPN client (vpnclient-win-msi-4.6.02.0011-k9) with a 1721 router (c1700-k9o3sy7-mz.123-7.T9) as a certificate authority working? With my limited Cisco experience, I don't manage to do this. My 1721 configuration is:

!
! Last configuration change at 17:11:49 CET Thu Apr 28 2005 by admin
! NVRAM config last updated at 14:04:14 CET Tue Apr 26 2005 by admin
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname charon
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5
enable password 7
!
username bugworks privilege 15 password 7
username admin privilege 15 secret 5
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip domain name centurion-akku.nl
ip name-server 213.129.213.129
ip name-server 213.129.213.128
ip name-server b.b.b.b
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
crypto pki server hecate
 database level names
 issuer-name CN=hecate, O=Centurion Akku, C=NL
 lifetime crl 24
 lifetime ca-certificate 730
 cdp-url http://x.x.x.x:80/hecate.crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e= snipped-for-privacy@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint hecate
 revocation-check crl
 rsakeypair hecate
!
crypto pki trustpoint bugworks
 enrollment url http://x.x.x.x:80
 serial-number
 fqdn charon.centurion-akku.nl
 ip-address ATM0.1
 password 7
 revocation-check crl
 rsakeypair SDM-RSAKey-1114582402000
 auto-enroll
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain hecate
 certificate ca 01
  30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  quit
crypto pki certificate chain bugworks
 certificate 02
  3082026A 308201D3 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
  quit
 certificate ca 01
  30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  quit
!
!
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA1
 match address 102
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA2
 match address 102
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address x.x.x.x 255.255.255.0
 no ip mroute-cache
 crypto map SDM_CMAP_2
 pvc 1/19
  protocol ip y.y.y.y
  encapsulation aal5snap
!
!
interface FastEthernet0
 ip address a.a.a.a 255.255.255.240
 speed auto
 full-duplex
 no cdp enable
!
ip local pool SDM_POOL_1 192.168.60.50 192.168.60.60
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.60.0 255.255.255.0 b.b.b.b
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
!
access-list 100 permit ip 213.129.194.96 0.0.0.15 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
snmp-server community RO
snmp-server enable traps tty
no cdp run
!
!
control-plane
!
banner login ^CUNAUTHORIZED ACCESS IS PROHIBITED

Prosecution to the fullest extent of federal, state and local laws will result for unauthorized access. All IP addresses and e-mail addresses are logged with every attempt to gain access.

^C
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password 7
 transport input telnet ssh
!
ntp clock-period 17180091
ntp server 193.79.237.14
ntp server 193.67.79.202 prefer
ntp server 213.129.197.13
!
end

The client is behind a firewall (ipfilter) in the 192.168.10.0/24 net.

When I try to enroll a certificate (Certificates -> Enroll), I get the following errors:

1 16:04:25.918 05/02/05 Sev=Warning/3 CERT/0xA3600010 Invalid server URL specification.

2 16:04:25.918 05/02/05 Sev=Warning/2 CERT/0xE3600012 Online certificate server returned the following HTTP error: Invalid server URL specification.

3 16:04:25.918 05/02/05 Sev=Warning/2 CERT/0xE3600008 Could not retrieve CA certificate to begin enrollment.

As CA URL I use http:/x.x.x.x.

Any advice would be appreciated.

Jac
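The client's first error is "Invalid server URL specification", raised before any HTTP request is made, so the first thing to verify is that the CA URL the client was given is syntactically a URL with a host part. The following is an added example, not code from the original post or from Cisco: it parses a candidate CA URL the way a URL parser does, reports why a value would be rejected, and, for a well-formed URL, builds the SCEP GetCACert request that an enrollment client sends to an IOS certificate server. The IP 192.0.2.10 and the error strings are constructed sample values; the path /cgi-bin/pkiclient.exe is the standard IOS CA SCEP endpoint (stated here as an assumption), and the CA name "hecate" is taken from the posted configuration.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# SCEP endpoint served by the IOS certificate server (assumption: standard IOS CA path).
SCEP_PATH = "/cgi-bin/pkiclient.exe"


def check_ca_url(url: str, ca_name: str = "hecate") -> dict:
    """Validate a CA/enrollment URL as a SCEP client would before connecting.

    Returns a dict with:
      ok           - True when the URL has a usable scheme, host and port
      reason       - why it was rejected (empty when ok)
      get_ca_cert  - the SCEP GetCACert request URL, or None when rejected
    """
    parts = urlsplit(url)

    if parts.scheme not in ("http", "https"):
        return {"ok": False,
                "reason": f"unsupported scheme {parts.scheme!r}",
                "get_ca_cert": None}

    # "http:/host" has only one slash: the parser sees an empty authority and
    # the intended host slides into the path. There is nothing to connect to,
    # which is exactly an "invalid server URL" condition.
    if not parts.netloc:
        return {"ok": False,
                "reason": "no host after the scheme (only one '/' after 'http:'?)",
                "get_ca_cert": None}

    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return {"ok": False,
                "reason": f"port in {parts.netloc!r} is not numeric",
                "get_ca_cert": None}
    if port is not None and not 1 <= port <= 65535:
        return {"ok": False,
                "reason": f"port {port} out of range",
                "get_ca_cert": None}

    # First SCEP message of an enrollment: fetch the CA certificate.
    # 'message' carries the CA identifier (the server name in the IOS config).
    query = urlencode({"operation": "GetCACert", "message": ca_name})
    get_ca_cert = urlunsplit((parts.scheme, parts.netloc, SCEP_PATH, query, ""))
    return {"ok": True, "reason": "", "get_ca_cert": get_ca_cert}


def main() -> None:
    # Constructed candidates: the malformed shape seen in the post, and two
    # well-formed variants matching the router's enrollment URL format.
    candidates = [
        "http:/192.0.2.10",
        "http://192.0.2.10",
        "http://192.0.2.10:80",
    ]
    for url in candidates:
        result = check_ca_url(url)
        status = "OK " if result["ok"] else "BAD"
        detail = result["get_ca_cert"] if result["ok"] else result["reason"]
        print(f"{status} {url:<24} -> {detail}")


if __name__ == "__main__":
    main()
```

Run it with the candidate list as given: the single-slash form is reported as having no host, while the two-slash forms produce a GetCACert request on the router's HTTP server, which is the request the client log says it could not issue.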

Jac Backus