I have a GRE+IPSec VPN between two Linux boxes. I want to replace one of the Linux boxes with a Cisco 1811, and I would like it to be a drop-in replacement (with no changes on the remaining Linux box, if at all possible). The authentication is currently done using certificates. The certificates are signed by a local CA; however, racoon (the IKE daemon on Linux) is simply configured to check the peer's certificate against a local copy of the other end's certificate (using the peers_certfile directive). The CA signature is not actually checked. Basically, similar to using self-signed certificates.
I'm having a hard time importing the certificates and private keys from the existing Linux box onto the Cisco 1811.
I've checked Cisco's online documentation, and googled around long and hard; however, all the examples for importing keys/certificates resulted in errors when I attempted to use them on the 1811. BTW, I'm a Cisco newbie and this is the very first Cisco box I'm configuring. If I haven't mentioned it already ;-)
First I attempted to create a PKCS#12 file with the private key, certificate and CA certificate that would be used on the 1811. The CA certificate isn't really used in my config, but I guess it never hurts to have it around.
    openssl pkcs12 -inkey cisco.key -in cisco.crt -certfile cacert.crt -export -out cisco.p12
I've copied cisco.p12 onto the flash of the Cisco 1811, and attempted to import it:
    configure terminal
    crypto pki trustpoint vpn-tp
     usage ike
     revocation-check none
    ^Z
    configure terminal
    crypto pki import vpn-tp pkcs12 flash:cisco.p12 passphrase
The last command gave me an import error:
    CRYPTO_PKI: Import PKCS12 operation failed, failure status = 0x72A
The passphrase was correct (openssl can read the p12 file just fine using the same passphrase).
Then I wiped out the trustpoint, and attempted to import just the CA certificate itself, just to see if that was going to work. I attempted doing it this way:
    configure terminal
    crypto pki trustpoint vpn-tp
     enrollment terminal pem
     revocation-check none
     usage ike
    ^Z
    configure terminal
    crypto pki authenticate vpn-tp
    Enter the base 64 encoded CA certificate.
    End with a blank line or the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    ... base64 of CA certificate ...
And again the error message:
    % Error in saving certificate: status = FAIL
OK, so it doesn't let me import the CA certificate; no wonder the import of the whole package failed...
I attempted several other variations during the day yesterday, but all ended up with the above error messages.
So, I'm currently stuck with this trivial certificate import stuff (obviously, not that trivial), and can't move on to the fun part (figuring out how to set up GRE and IPSec on the Cisco box). I must be doing something totally wrong here, I guess. Any help, hint or advice would be more than welcome.
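Before blaming the router, it is worth checking that the bundle itself is sound: that it opens with the passphrase, that the private key actually belongs to the certificate, and that the CA certificate made it in. The script below is an added example, not part of the post; it builds a throwaway CA and router key/cert (constructed test data, the file names cisco.key, cisco.crt, cacert.crt and cisco.p12 mirror the question), bundles them with the same openssl command, and then runs those checks.

```shell
#!/bin/sh
# Added example, not from the original post: build a throwaway CA and a
# router key/cert (constructed test data), bundle them with the same
# openssl command as the question, and sanity-check the PKCS#12 before
# copying it to the router's flash.
set -eu

make_test_pki() {               # $1 = working directory
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=test-ca" \
    -keyout "$d/cacert.key" -out "$d/cacert.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=cisco-1811" \
    -keyout "$d/cisco.key" -out "$d/cisco.csr" 2>/dev/null
  openssl x509 -req -in "$d/cisco.csr" -CA "$d/cacert.crt" -CAkey "$d/cacert.key" \
    -CAcreateserial -days 365 -out "$d/cisco.crt" 2>/dev/null
}

build_p12() {                   # $1 = working directory, $2 = passphrase
  d="$1"
  P12_PASS="$2" openssl pkcs12 -export -inkey "$d/cisco.key" -in "$d/cisco.crt" \
    -certfile "$d/cacert.crt" -passout env:P12_PASS -out "$d/cisco.p12"
}

# Returns 0 only if the bundle opens with the passphrase, the private key
# matches the end-entity certificate, and at least one CA cert is inside.
check_p12() {                   # $1 = bundle, $2 = passphrase
  p12="$1"; export P12_PASS="$2"
  openssl pkcs12 -in "$p12" -passin env:P12_PASS -noout 2>/dev/null ||
    { echo "bundle does not open (wrong passphrase or corrupt file)"; return 1; }
  cert_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null |
    openssl x509 -pubkey -noout)
  key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
    openssl pkey -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match certificate"; return 1; }
  n_ca=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE' || true)
  [ "$n_ca" -ge 1 ] || { echo "no CA certificate in bundle"; return 1; }
  echo "ok: key matches certificate, $n_ca CA certificate(s) present"
}

# Demo run on constructed data.
work=$(mktemp -d)
make_test_pki "$work"
build_p12 "$work" "s3cret"
check_p12 "$work/cisco.p12" "s3cret"
rm -rf "$work"
```

One caveat: OpenSSL 3 encrypts PKCS#12 bundles with AES and PBKDF2 by default, which some older importers cannot read; `openssl pkcs12 -export -legacy` writes the older 3DES/RC2 format if the receiving side turns out to need it.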