Re: Unable to get the RA certificates on IOS

From: Kal Han (calikali2006@gmail.com)
Date: Wed Nov 15 2006 - 22:30:58 ART


Hi
It's working now (the VPN tunnel coming up part).
I still don't see the RA certificate.
I did NOT change any config on the router or on the PIX,
but it's working now. Not sure why.
The clocks are properly synced between the router and PIX
from the start.
Is there any known timing issue with PIX? I mean, after the
certificate is issued, do we need to do anything with the clock,
or wait for some time?
(even if the clock is synced between PIX, router and CA server)

During that time, I configured VPN between two routers using
certificates and they immediately worked.

Thanks
Kal

On 11/15/06, Kal Han <calikali2006@gmail.com> wrote:
>
> Hi
> I am not able to get the RA certificate after the
> authentication/enrollment process.
> I am just getting the CA certificate. My IKE is failing when I try to use
> certificates.
> How can I get the RA Signature & Encipher certificate on a router? I don't know
> what's wrong, but this used to work before. (PIX is fine)
>
> Here is my related config.
>
> crypto ca trustpoint root
> enrollment retry count 20
> enrollment mode ra
> enrollment url http://filter-test8:80/certsrv/mscep/mscep.dll
> !
> !
> !
> crypto isakmp policy 10
> encr 3des
> hash md5
> group 2
> !
> crypto isakmp policy 20
> encr 3des
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cciesec address 195.1.113.10
> crypto isakmp key cciesec address 0.0.0.0 0.0.0.0
> crypto isakmp key cciesec hostname PIX.cisco.com
> crypto isakmp identity hostname
> !
> !
> crypto ipsec transform-set ts esp-3des esp-sha-hmac
> !
> crypto map cm 10 ipsec-isakmp
> set peer 195.1.113.10
> set transform-set ts
> match address 198
>
> ****************************************************************
>
> R3(config)#cry ca authenticate root
> Certificate has the following attributes:
> Fingerprint: 0BD408B3 C66EC15D DA2721EF 9A43EF20
> % Do you accept this certificate? [yes/no]: yes
> Trustpoint CA certificate accepted.
> R3(config)#
> R3(config)#
> R3(config)#do sh cry ca cert
> CA Certificate
> Status: Available
> Certificate Serial Number: 3640DE961861A6A744071A3404C6C173
> Certificate Usage: Signature
> Issuer:
> CN = MS CA Server
> OU = Lab
> O = Exam
> L = San Jose
> ST = CA
> C = US
> EA = root@mymscaserver.com
> Subject:
> CN = MS CA Server
> OU = Lab
> O = Exam
> L = San Jose
> ST = CA
> C = US
> EA = root@mymscaserver.com
> CRL Distribution Point:
> http://filter-test8/CertEnroll/MS%20CA%20Server.crl
> Validity Date:
> start date: 09:55:28 PST Aug 24 2006
> end date: 10:03:16 PST Aug 24 2009
> Associated Trustpoints: root
>
>
> *After Enrolling*
>
> R3#sh cry ca cert
> Certificate
> Status: Available
> Certificate Serial Number: 4321F68900000000002E
> Certificate Usage: General Purpose
> Issuer:
> CN = MS CA Server
> OU = Lab
> O = Exam
> L = San Jose
> ST = CA
> C = US
> EA = root@mymscaserver.com
> Subject:
> Name: R3.cisco.com
> OID.1.2.840.113549.1.9.2 = R3.cisco.com
> CRL Distribution Point:
> http://filter-test8/CertEnroll/MS%20CA%20Server.crl
> Validity Date:
> start date: 13:22:40 PST Nov 15 2006
> end date: 13:32:40 PST Nov 15 2007
> renew date: 16:00:00 PST Dec 31 1969
> Associated Trustpoints: root
>
> CA Certificate
> Status: Available
> Certificate Serial Number: 3640DE961861A6A744071A3404C6C173
> Certificate Usage: Signature
> Issuer:
> CN = MS CA Server
> OU = Lab
> O = Exam
> L = San Jose
> ST = CA
> C = US
> EA = root@mymscaserver.com
> Subject:
> CN = MS CA Server
> OU = Lab
> O = Exam
> L = San Jose
> ST = CA
> C = US
> EA = root@mymscaserver.com
> CRL Distribution Point:
> http://filter-test8/CertEnroll/MS%20CA%20Server.crl
> Validity Date:
> start date: 09:55:28 PST Aug 24 2006
> end date: 10:03:16 PST Aug 24 2009
> Associated Trustpoints: root
>
> Why is this??
> On my PIX everything is fine.
> Is there anything different for a router (other than
> setting the enrollment mode as ra)?
>
> Here is what I see on the PIX.
>
> PIX(config)# sh ca cert
> Certificate
> Status: Available
> Certificate Serial Number: 4302325600000000002d
> Key Usage: General Purpose
> Subject Name:
> CN = PIX.cisco.com
> UNSTRUCTURED NAME = PIX.cisco.com
> Validity Date:
> start date: 12:47:58 PST Nov 15 2006
> end date: 12:57:58 PST Nov 15 2007
>
> RA Signature Certificate
> Status: Available
> Certificate Serial Number: 61053a03000000000004
> Key Usage: Signature
> CN = Cisco SCEP Root
> OU = Lab
> O = Exam
> L = San Jose
> ST = CA
> C = US
> EA = mysceproot@ciscosceproot.com
> Validity Date:
> start date: 10:30:26 PST Aug 24 2006
> end date: 10:40:26 PST Aug 24 2007
>
> CA Certificate
> Status: Available
> Certificate Serial Number: 3640de961861a6a744071a3404c6c173
> Key Usage: Signature
> CN = MS CA Server
> OU = Lab
> O = Exam
> L = San Jose
> ST = CA
> C = US
> EA = root@mymscaserver.com
> Validity Date:
> start date: 09:55:28 PST Aug 24 2006
> end date: 10:03:16 PST Aug 24 2009
>
> RA KeyEncipher Certificate
> Status: Available
> Certificate Serial Number: 61053ace000000000005
> Key Usage: Encryption
> CN = Cisco SCEP Root
> OU = Lab
> O = Exam
> L = San Jose
> ST = CA
> C = US
> EA = mysceproot@ciscosceproot.com
> Validity Date:
> start date: 10:30:27 PST Aug 24 2006
> end date: 10:40:27 PST Aug 24 2007
>
> PIX(config)#
>
> Thanks
> Kal

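An added check for the two listings in this thread (example code, not from the original post or from Cisco): it parses the router and PIX `show crypto ca certificates` output quoted above (trimmed to the header, serial and validity lines), reports which RA certificates a trustpoint is missing, normalizes serial case so the CA certificate can be matched across the two devices, and places each certificate against a chosen clock reading, which is the first thing to verify when certificate-based IKE fails right after enrollment. The clock readings are assumptions; every timestamp is treated as PST as printed in the post.

```python
"""Check Cisco 'show crypto ca certificates' output for a complete SCEP RA chain.

Added example for this thread, not code from the original post. A device whose
clock is behind the CA sees a freshly issued certificate as not yet valid.
"""
import re
from datetime import datetime

# Sample input: the two listings from the post, trimmed to header, serial and dates.
R3_OUTPUT = """\
Certificate
Certificate Serial Number: 4321F68900000000002E
start date: 13:22:40 PST Nov 15 2006
end date: 13:32:40 PST Nov 15 2007
renew date: 16:00:00 PST Dec 31 1969

CA Certificate
Certificate Serial Number: 3640DE961861A6A744071A3404C6C173
start date: 09:55:28 PST Aug 24 2006
end date: 10:03:16 PST Aug 24 2009
"""

PIX_OUTPUT = """\
Certificate
Certificate Serial Number: 4302325600000000002d
start date: 12:47:58 PST Nov 15 2006
end date: 12:57:58 PST Nov 15 2007

RA Signature Certificate
Certificate Serial Number: 61053a03000000000004
start date: 10:30:26 PST Aug 24 2006
end date: 10:40:26 PST Aug 24 2007

CA Certificate
Certificate Serial Number: 3640de961861a6a744071a3404c6c173
start date: 09:55:28 PST Aug 24 2006
end date: 10:03:16 PST Aug 24 2009

RA KeyEncipher Certificate
Certificate Serial Number: 61053ace000000000005
start date: 10:30:27 PST Aug 24 2006
end date: 10:40:27 PST Aug 24 2007
"""

HEADER_RE = re.compile(r"^(Certificate|CA Certificate|RA Signature Certificate|RA KeyEncipher Certificate)$")
SERIAL_RE = re.compile(r"^Certificate Serial Number:\s*([0-9A-Fa-f]+)$")
DATE_RE = re.compile(r"^(start|end|renew) date:\s*(.+)$")
TIME_RE = re.compile(r"^(\d\d:\d\d:\d\d) \S+ (\w{3} \d{1,2} \d{4})$")

RA_TYPES = {"RA Signature Certificate", "RA KeyEncipher Certificate"}


def parse_ios_time(text):
    """Parse '13:22:40 PST Nov 15 2006'. Every stamp in the post is PST, so the
    zone token is dropped and values are compared as naive datetimes (assumption)."""
    m = TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")


def parse_certs(text):
    """Return one dict per certificate block: type, serial (upper-cased) and dates."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if HEADER_RE.match(line):
            cur = {"type": line, "serial": None, "start": None, "end": None, "renew": None}
            certs.append(cur)
        elif cur is not None and SERIAL_RE.match(line):
            # The router prints serials in upper-case hex and the PIX in lower-case.
            cur["serial"] = SERIAL_RE.match(line).group(1).upper()
        elif cur is not None and DATE_RE.match(line):
            kind, stamp = DATE_RE.match(line).groups()
            cur[kind] = parse_ios_time(stamp)
    return certs


def missing_ra_certs(certs):
    """RA certificate types a trustpoint in 'enrollment mode ra' lacks."""
    return sorted(RA_TYPES - {c["type"] for c in certs})


def ca_serial(certs):
    """Serial of the CA certificate, for matching the chain across devices."""
    return next(c["serial"] for c in certs if c["type"] == "CA Certificate")


def validity(cert, now):
    """Where a clock reading falls relative to the certificate's validity window."""
    if now < cert["start"]:
        return "not yet valid"
    return "expired" if now > cert["end"] else "valid"


def check(text, clock):
    """Map each certificate type in a listing to its validity at an IOS-style clock reading."""
    now = parse_ios_time(clock)
    return {c["type"]: validity(c, now) for c in parse_certs(text)}


if __name__ == "__main__":
    clock = "14:00:00 PST Nov 15 2006"  # assumed router clock reading
    for name, text in (("R3", R3_OUTPUT), ("PIX", PIX_OUTPUT)):
        print(name, "CA", ca_serial(parse_certs(text)), "missing", missing_ra_certs(parse_certs(text)) or "none")
        print("  ", check(text, clock))
```

Run against the post's listings, the router shows both RA certificates missing while the PIX shows none missing, and both hold the same CA certificate once serial case is normalized. Moving the assumed clock to 13:00:00 on Nov 15 (earlier than the router certificate's start time of 13:22:40) flips the R3 identity certificate to "not yet valid", which is the failure a clock that lags the CA produces. The "renew date: 16:00:00 PST Dec 31 1969" line is 00:00:00 UTC Jan 1 1970, the Unix epoch, so it means no renewal time is set rather than a fault.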


This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:47 ART