Re: IPSec problem using CA server

From: Piyoush Sharma (piyoush@gmail.com)
Date: Sat Dec 06 2008 - 17:47:58 ARST


Hey Tomi,

Do you have NTP configured?
I have seen that if there is a significant difference in the clock times on
crypto peers, they do not accept the digital certificate.
Also, make sure that in the trustpoints on both routers you have set
"revocation-check none".

I cannot think of anything else, unless the issued certificates do not match
the issuing CA's certificate.

Piyoush.

On Fri, Dec 5, 2008 at 12:48 PM, Tomi Amao <tomiground@hotmail.com> wrote:

> Hi Piyoush,
> Thanks for your response. I'm running the CA server on a Windows 2003 machine,
> not on an IOS router. The CA I'm using is RSA CA on Windows 2003.
> The two routers have authenticated and enrolled with the CA. It's during the
> setup of the IPSec tunnel that the error is generated.
>
> regards,
> Tomi Amao
> CCIE#19627
>
>
>
>
> > Date: Fri, 5 Dec 2008 10:32:25 -0800
> > From: piyoush@gmail.com
> > To: tomiground@hotmail.com
> > Subject: Re: IPSec problem using CA server
> > CC: ccielab@groupstudy.com
>
> >
> > Hi Tomi,
> >
> > I have seen this error before; it crops up if your CA router is the peer for
> > the other router. You need to create another trustpoint on your CA router,
> > then authenticate this trustpoint and enroll the router with the CA. Because
> > you are using the CA router as a crypto peer, it has not been authenticated.
> > So you would need to have a trustpoint for the crypto (this would be named
> > differently from the trustpoint that's created as part of the IOS PKI CA
> > server).
> > Good luck!!!
> >
> > Let me know if this works for you.
> >
> > Piyoush.
> >
> > On Thu, Dec 4, 2008 at 6:31 AM, Tomi Amao <tomiground@hotmail.com>
> wrote:
> >
> > > I have an issue and this is it; I hope to get help from anyone as soon as
> > > possible, thanks.
> > >
> > > I have 2 routers on a LAN and a CA also on that LAN.
> > > The 2 routers have authenticated the CA and then enrolled with the CA.
> > > The 2 routers have generated RSA keys (1024).
> > >
> > > When I create interesting traffic on the routers that matches the proxy
> > > ACL, the traffic never gets encrypted.
> > >
> > > ISAKMP phase 1 attributes are acceptable,
> > > but along the line, during the debug crypto isakmp and debug crypto ipsec,
> > > I get the following error message:
> > >
> > > %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad:
> > > CA request failed
> > >
> > > I've read that time on the Cisco routers could be a problem, but that is
> > > properly sorted out; the 2 routers are synched up with proper time and they
> > > are also synched up with proper time from the CA.
> > >
> > > I really can't guess again what the problem could be. Any help would really
> > > be appreciated urgently.
> > >
> > > Thanks,
> > > Tomi Amao
> > > CCIE#19627
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
>
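The checks raised in this thread (clock synchronisation via NTP, the trustpoint's revocation setting, and whether the router's certificate actually chains to the CA's certificate) pulled together as one IOS configuration and verification sequence for one of the two crypto peers. This is an added example, not configuration from any of the posts above: the hostname R1, domain lab.local, trustpoint name R1-TP, key label R1-KEY, the address 10.1.1.5 for the CA and NTP source, and the mscep.dll SCEP path (the Windows 2003 MSCEP add-on) are all assumptions for illustration. The 1024-bit modulus matches the thread; in practice 2048 or larger is the minimum today.

```cisco
! Added example (not from the thread). R1 is one of the two crypto peers;
! 10.1.1.5 is the Windows 2003 CA and NTP source (assumed addresses).
!
! 1. Clocks first: a peer rejects a certificate whose validity window its own
!    clock says has not started yet or has already ended.
ntp server 10.1.1.5
clock timezone UTC 0
!
! 2. Identity and key pair the certificate will be issued for.
hostname R1
ip domain-name lab.local
crypto key generate rsa label R1-KEY modulus 1024
!
! 3. Trustpoint pointing at the CA's SCEP enrollment URL (mscep.dll path is
!    the Windows 2003 MSCEP add-on; assumed to be installed on the CA).
crypto pki trustpoint R1-TP
 enrollment url http://10.1.1.5/certsrv/mscep/mscep.dll
 subject-name CN=R1.lab.local
 rsakeypair R1-KEY
 ! Preferred: validate the peer certificate against the CRL the CA publishes.
 revocation-check crl
 ! Troubleshooting only: "revocation-check none" disables CRL lookups, so a
 ! revoked peer certificate would still be accepted. Use it to confirm that an
 ! unreachable or missing CRL is what breaks validation, then restore "crl".
 ! revocation-check none
!
! 4. Fetch the CA certificate (confirm the fingerprint shown against the CA
!    out of band before accepting it), then request R1's own certificate.
crypto pki authenticate R1-TP
crypto pki enroll R1-TP
!
! 5. IKE phase 1 authenticated with certificates.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication rsa-sig
 group 2
!
! Verification on BOTH peers before generating interesting traffic:
!   show clock detail            -> "Time source is NTP", not the hardware calendar
!   show ntp status              -> "Clock is synchronized"
!   show crypto pki certificates -> both the router certificate and the CA
!                                   certificate are present; the router cert's
!                                   Issuer must equal the CA cert's Subject and
!                                   its Validity start date must already be past
!   show crypto pki trustpoints  -> trustpoint state and revocation setting
!   debug crypto pki validation  -> which validation step (chain, dates, CRL
!   debug crypto pki transactions   fetch) fails when IKE reports the cert as bad
```

The order matters: a router that enrolled while its clock was wrong can hold a certificate whose notBefore is in the future from the peer's point of view, which looks like a bad certificate at IKE time even though enrollment succeeded. Likewise, certificates issued by a different CA instance than the one whose certificate was imported with `crypto pki authenticate` will fail chain validation on the peer, which is the "issued certificates do not match the issuing CA's certificate" case mentioned above.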


This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:07 ARST