Re: IPSec problem using CA server

From: saheed Balogun (saheedb@gmail.com)
Date: Sun Dec 07 2008 - 02:47:23 ARST


Hi Tomi,

I guess you may be missing the right certificate profiles required for the
VPN.
In RSA you would need to include (Key Usage: Digital Signature).

To resolve this, you need to revoke the existing certificates for the routers on
the RSA Certificate Manager,
delete the certificates on the routers,
submit a new request, and
set the new certificate profile to include (Key Usage: *Digital Signature*).
Regards,

Saheed
On Sat, Dec 6, 2008 at 11:47 PM, Piyoush Sharma <piyoush@gmail.com> wrote:

> Hey Tomi,
>
> Do you have NTP configured?
> I have seen that if there is a significant difference in the clock times on
> crypto peers, they do not accept the digital certificate.
> Also, make sure in your trustpoints for both the routers you have set
> "*revocation-check none*".
>
> I cannot think of anything else, unless the issued certificates do not
> match the issuing CA's certificate.
>
> Piyoush.
>
> On Fri, Dec 5, 2008 at 12:48 PM, Tomi Amao <tomiground@hotmail.com> wrote:
>
> > Hi Piyoush,
> > Thanks for your response. I'm running the CA server on a Windows 2003
> > machine, not on an IOS router. The CA I'm using is RSA CA on Windows 2003.
> > The 2 routers have authenticated and enrolled with the CA. It's during the
> > setup of the IPSec tunnel that the error is generated.
> >
> > regards,
> > Tomi Amao
> > CCIE#19627
> >
> > > Date: Fri, 5 Dec 2008 10:32:25 -0800
> > > From: piyoush@gmail.com
> > > To: tomiground@hotmail.com
> > > Subject: Re: IPSec problem using CA server
> > > CC: ccielab@groupstudy.com
> > >
> > > Hi Tomi,
> > >
> > > I have seen this error before; it crops up if your CA router is the peer
> > > for the other router. You need to create another trustpoint on your CA
> > > router, then authenticate this trustpoint and enroll the router with the CA.
> > > Because you are using the CA router as a crypto peer, it has not been
> > > authenticated.
> > > So you would need to have a trustpoint for the crypto (this would be named
> > > differently from the trustpoint that's created as part of the IOS PKI CA
> > > server).
> > > Good luck!!!
> > >
> > > Let me know if this works for you.
> > >
> > > Piyoush.
> > >
> > > On Thu, Dec 4, 2008 at 6:31 AM, Tomi Amao <tomiground@hotmail.com> wrote:
> > >
> > > > I have an issue, and this is it. I hope to get help from anyone as soon as
> > > > possible, thanks.
> > > >
> > > > I have 2 routers on a LAN and a CA also on that LAN.
> > > > The 2 routers have authenticated the CA and then enrolled with the CA.
> > > > The 2 routers have generated RSA keys (1024).
> > > >
> > > > When I create interesting traffic on the routers that matches the proxy ACL,
> > > > the traffic never gets encrypted.
> > > >
> > > > ISAKMP phase 1 attributes are acceptable,
> > > > but along the line, during the debug crypto isakmp and debug crypto ipsec, I
> > > > get the following error message:
> > > >
> > > > %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad:
> > > > CArequest failed
> > > >
> > > > I've read that time on the Cisco routers could be a problem, but that is
> > > > properly sorted out: the 2 routers are synched up with proper time, and
> > > > they are also synched up with proper time from the CA.
> > > >
> > > > I really can't guess again what the problem could be; any help would
> > > > really be appreciated urgently.
> > > >
> > > > thanks
> > > > Tomi Amao
> > > > CCIE#19627
> > > >
> > > > Blogs and organic groups at http://www.ccie.net
> > > >
> > > >
> > > > _______________________________________________________________________
> > > > Subscription information may be found at:
> > > > http://www.groupstudy.com/list/CCIELab.html
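The two checks raised in this thread (clock sync between peers, and a trustpoint that does not stall on revocation checking while the certificate's Key Usage is verified) can be laid out as one IOS configuration. The block below is an added example, not configuration posted by anyone in the thread; hostnames, addresses, the enrollment URL and the trustpoint/key names are placeholders.

```cisco-ios
! Added example (not from the thread). Hostnames, IP addresses, the
! enrollment URL and the trustpoint/key names are placeholders.
!
! 1. Clock skew: a peer rejects a certificate that falls outside its
!    validity window by the peer's own clock, so point both routers (and
!    ideally the CA host) at the same NTP source.
ntp server 192.0.2.10
!
! 2. Trustpoint used for IKE authentication. "revocation-check none" skips
!    the CRL fetch, which the thread suggests as a troubleshooting step;
!    once the CRL distribution point is reachable, "revocation-check crl"
!    is the setting to return to.
crypto pki trustpoint VPN-CA
 enrollment url http://ca.example.test/ENROLLMENT-PATH-PLACEHOLDER
 subject-name CN=R1,O=LAB
 revocation-check none
 rsakeypair VPN-CA-KEYS 1024
!
! 3. Exec commands (not config lines): install the CA certificate, then
!    request the router certificate.
!    crypto pki authenticate VPN-CA
!    crypto pki enroll VPN-CA
!
! 4. Phase 1 policy authenticating peers with RSA signatures. This is the
!    mode that needs the Digital Signature key usage in the router's
!    certificate, which is set on the CA side in the certificate profile.
!    1024-bit RSA, 3DES and group 2 mirror the thread's era; a current
!    deployment would use larger keys, AES and a stronger DH group.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig
 group 2
!
! Verification (exec): "show crypto pki certificates verbose VPN-CA" lists
! the X509v3 Key Usage of the issued certificate, which is where to confirm
! Digital Signature is present before revoking and re-enrolling;
! "show ntp status" confirms the clock is synchronized.
```

If Key Usage is missing from the router certificate, no trustpoint setting on the router fixes it: the profile on the CA has to be corrected and the certificate re-issued, as the reply at the top of the thread describes.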




This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:07 ARST