
Jac Backus 05-02-2005 02:10 PM

Cisco VPN client and 1721 router as IOS CA??
 
Has someone ever succeeded in getting a Cisco VPN client
(vpnclient-win-msi-4.6.02.0011-k9) with a 1721 router
(c1700-k9o3sy7-mz.123-7.T9) as a certificate authority working? With my
limited Cisco experience, I don't manage to do this. My 1721 configuration
is:

!
! Last configuration change at 17:11:49 CET Thu Apr 28 2005 by admin
! NVRAM config last updated at 14:04:14 CET Tue Apr 26 2005 by admin
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname charon
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 <removed>
enable password 7 <removed>
!
username bugworks privilege 15 password 7 <removed>
username admin privilege 15 secret 5 <removed>
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip domain name centurion-akku.nl
ip name-server 213.129.213.129
ip name-server 213.129.213.128
ip name-server b.b.b.b
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
crypto pki server hecate
database level names
issuer-name CN=hecate, O=Centurion Akku, C=NL
lifetime crl 24
lifetime ca-certificate 730
cdp-url http://x.x.x.x:80/hecate.crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint hecate
revocation-check crl
rsakeypair hecate
!
crypto pki trustpoint bugworks
enrollment url http://x.x.x.x:80
serial-number
fqdn charon.centurion-akku.nl
ip-address ATM0.1
password 7 <removed>
revocation-check crl
rsakeypair SDM-RSAKey-1114582402000
auto-enroll
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain hecate
certificate ca 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
<snip>
quit
crypto pki certificate chain bugworks
certificate 02
3082026A 308201D3 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
<snip>
quit
certificate ca 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
<snip>
quit
!
!
!
crypto isakmp policy 1
encr 3des
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
match address 102
!
crypto dynamic-map SDM_DYNMAP_2 1
set transform-set ESP-3DES-SHA2
match address 102
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address x.x.x.x 255.255.255.0
no ip mroute-cache
crypto map SDM_CMAP_2
pvc 1/19
protocol ip y.y.y.y
encapsulation aal5snap
!
!
interface FastEthernet0
ip address a.a.a.a 255.255.255.240
speed auto
full-duplex
no cdp enable
!
ip local pool SDM_POOL_1 192.168.60.50 192.168.60.60
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.60.0 255.255.255.0 b.b.b.b
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
!
access-list 100 permit ip 213.129.194.96 0.0.0.15 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
snmp-server community <removed> RO
snmp-server enable traps tty
no cdp run
!
!
control-plane
!
banner login ^CUNAUTHORIZED ACCESS IS PROHIBITED

Prosecution to the fullest extent of federal, state and local laws will
result for unauthorized access. All IP addresses and e-mail addresses are
logged with every attempt to gain access.

^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password 7 <removed>
transport input telnet ssh
!
ntp clock-period 17180091
ntp server 193.79.237.14
ntp server 193.67.79.202 prefer
ntp server 213.129.197.13
!
end

The client is behind a firewall (ipfilter) in the 192.168.10.0/24 net.

When I try to enroll a certificate (Certificates -> Enroll), I get the
following errors:

1 16:04:25.918 05/02/05 Sev=Warning/3 CERT/0xA3600010
Invalid server URL specification.

2 16:04:25.918 05/02/05 Sev=Warning/2 CERT/0xE3600012
Online certificate server returned the following HTTP error: Invalid server
URL specification.

3 16:04:25.918 05/02/05 Sev=Warning/2 CERT/0xE3600008
Could not retrieve CA certificate to begin enrollment.

As CA URL I use http:/x.x.x.x.

Any advice would be appreciated.

Jac
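The three client-side messages above all stem from the first SCEP step, fetching the CA certificate (GetCACert), and "Invalid server URL specification" is raised before anything is sent on the wire. The following Python script is an added example, not code from the original post or from Cisco: it performs the same syntax check locally on a CA URL, builds the GetCACert request a SCEP client would issue, and scans an IOS configuration for every `enrollment url` and `cdp-url` line so that a malformed URL is caught before enrollment is attempted. It assumes the IOS certificate server's usual SCEP endpoint path (`/cgi-bin/pkiclient.exe`, served by `ip http server`); the addresses and the config fragment are constructed for the example.

```python
"""Pre-flight check of a Cisco IOS CA (SCEP) enrollment URL.

Added example, not code from the original post. It assumes the IOS
certificate server's usual SCEP endpoint (/cgi-bin/pkiclient.exe behind
"ip http server"); the addresses and config lines below are constructed.
"""
import re
from urllib.parse import quote, urlsplit, urlunsplit

SCEP_PATH = "/cgi-bin/pkiclient.exe"  # SCEP endpoint served by the IOS CA (assumed)


class InvalidServerUrl(ValueError):
    """A CA URL that a strict SCEP client refuses before sending anything."""


def normalize_ca_url(url: str) -> str:
    """Validate the enrollment URL and return it in canonical form."""
    url = url.strip()
    m = re.match(r"^(https?):(/*)(.*)$", url, re.IGNORECASE)
    if not m:
        raise InvalidServerUrl(f"missing or unsupported scheme: {url!r}")
    scheme, slashes, _rest = m.groups()
    if slashes != "//":
        # 'http:/host' (one slash) is the classic typo: urlsplit would treat
        # 'host' as a path and the request would never reach the CA.
        raise InvalidServerUrl(f"expected '{scheme}://', got '{scheme}:{slashes}': {url!r}")
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        raise InvalidServerUrl(f"no host in {url!r}")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        raise InvalidServerUrl(f"bad port in {url!r}") from None
    default_port = 80 if scheme.lower() == "http" else 443
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    return urlunsplit((scheme.lower(), netloc, parts.path.rstrip("/"), "", ""))


def url_problem(url: str):
    """Return None if the URL is acceptable, otherwise the reason it is not."""
    try:
        normalize_ca_url(url)
        return None
    except InvalidServerUrl as exc:
        return str(exc)


def scep_get_ca_cert_url(ca_url: str, ca_ident: str) -> str:
    """Build the GetCACert request a SCEP client sends first (the step failing above)."""
    base = normalize_ca_url(ca_url)
    if not base.lower().endswith(SCEP_PATH):
        base += SCEP_PATH
    return f"{base}?operation=GetCACert&message={quote(ca_ident, safe='')}"


# Lines in an IOS running-config that carry a URL the PKI subsystem will use.
URL_LINE = re.compile(r"^\s*(enrollment url|cdp-url)\s+(\S+)", re.MULTILINE)


def check_config_urls(config_text: str) -> dict:
    """Map every (keyword, url) pair found in an IOS config to None or a problem string."""
    return {(kw, url): url_problem(url) for kw, url in URL_LINE.findall(config_text)}


# Constructed sample config (192.0.2.0/24 is a documentation range, not a real CA).
SAMPLE_CONFIG = """\
crypto pki server hecate
 cdp-url http://192.0.2.10:80/hecate.crl
!
crypto pki trustpoint bugworks
 enrollment url http://192.0.2.10:80
 auto-enroll
!
crypto pki trustpoint broken
 enrollment url http:/192.0.2.10
"""

if __name__ == "__main__":
    for (kw, url), problem in check_config_urls(SAMPLE_CONFIG).items():
        print(f"{kw:15} {url:40} {'ok' if problem is None else problem}")
    print(scep_get_ca_cert_url("http://192.0.2.10:80", "hecate"))
```

Running the script against a real running-config (`show running-config | include url`) lists each PKI URL with either `ok` or the reason a client would reject it; the GetCACert URL it prints can then be requested with a browser or curl from the client's network to confirm that the router's HTTP server actually answers SCEP before the VPN client is involved.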
