Re: CA in IPSec

From: Christopher Larson (clarson@xxxxxxxx)
Date: Fri Sep 22 2000 - 07:42:26 GMT-3


Yes, we have it set up and running. There were a couple of items not mentioned in
the docs: that you must use DNS and an FQDN when identifying the CA
in the router, the router must have an A record in the DNS, and that the CA
identity is not simply a mnemonic but needs to be the name of the CA root
cert exactly as it appears on the cert... case sensitive.

----- Original Message -----
From: "Horvath, Russell" <Russell.Horvath@viatel.com>
To: "'Chris Larson'" <clarson@pct3.com>; "'Asbjorn Hojmark'"
<Asbjorn@Hojmark.ORG>
Cc: <ccielab@groupstudy.com>; <cisco@groupstudy.com>; "'Jason1'"
<jason1@v-labs.net>; "'Jim Bond'" <trycisco@yahoo.com>
Sent: Friday, September 22, 2000 4:16 AM
Subject: RE: CA in IPSec

> Just a quick question regarding CA's on windows2000.
>
> I am currently looking at this for our network but in the labs. This said we
> are looking at using the windows2000 one as its the cheapest.
>
> Has anyone actually set up the CA for windows2000?
> Are there any 'GOTCHAS' I need to be aware of when using with cisco IOS 12.1
> and above?
> Is there a limitation with the size of network you can use it on?
>
> regards Russ
>
> > ----------
> > From: Asbjorn Hojmark[SMTP:Asbjorn@Hojmark.ORG]
> > Reply To: Asbjorn Hojmark
> > Sent: 21 September 2000 23:09
> > To: 'Chris Larson'
> > Cc: ccielab@groupstudy.com; cisco@groupstudy.com; 'Jason1'; 'Jim Bond'
> > Subject: RE: CA in IPSec
> >
> > > We will secure by having the root CA off-line and walking
> > > the ROOT Cert to the RA. Also, the CA cert will remain
> > > pending until the security admin issues it to the router.
> >
> > You should note that IOS currently doesn't support
> > cert chaining (subordinate CAs). I learned this the hard way.
> >
> > TAC tells me, however, that DE is testing two-level hierarchies
> > and that they expect it to ship with 12.1(4)T or maybe
> > first with 12.2.
> >
> > HTH,
> > -A
> > --
> > Heroes: Vint Cerf & Bob Kahn, Leonard Kleinrock, Robert Metcalfe
> > Links : http://www.hojmark.org/networking/
> >
> >
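The gotchas Larson lists above (FQDN-based CA reference, a resolvable router hostname, and a case-sensitive CA identity), shown as an added IOS 12.1-era configuration sketch; this is not configuration from the thread. The hostname, domain, name-server address, CA hostname and the CA certificate name are assumed placeholder values, and the SCEP enrollment URL path depends on the CA product in use.

```cisco
! Assumed router identity: hostname + ip domain-name form the FQDN
! (vpn-rtr1.example.com) that must have an A record on the DNS server.
! The A record itself lives on the DNS server, not in this config.
hostname vpn-rtr1
ip domain-name example.com
!
! DNS must be usable from the router, since the CA is referenced by FQDN.
ip name-server 192.0.2.53
!
! Per the post, the identity name is not a free-form label: it must match
! the CA root certificate's name exactly as printed on the cert,
! including case. "Example Root CA" here is an assumed placeholder.
crypto ca identity Example Root CA
 ! Reference the CA by FQDN, not by IP address.
 ! The path after the host is CA-product specific (placeholder shown).
 enrollment url http://ca.example.com/<scep-path>
 ! Retry settings are optional; shown only to make the enrollment
 ! behaviour explicit while the CA admin holds the request pending.
 enrollment retry period 2
 enrollment retry count 30
!
! Exec-mode steps that follow the config (not part of the config itself):
!   crypto key generate rsa            - create the router key pair
!   crypto ca authenticate Example Root CA
!       fetch the root cert; verify its fingerprint out of band before
!       accepting it, since this is the trust anchor for every later check
!   crypto ca enroll Example Root CA
!       submit the request; it stays pending until the CA admin issues it
```

Because IOS of this vintage does not support certificate chaining (as Hojmark notes above), the identity configured here has to point at the CA that actually issues the router's certificate, not at an offline root above a subordinate.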



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:00 GMT-3