Cisco VPN client and 1721 router as IOS CA??

 
 
Jac Backus
      05-02-2005
Has someone ever succeeded in getting a Cisco VPN client
(vpnclient-win-msi-4.6.02.0011-k9) working with a 1721 router
(c1700-k9o3sy7-mz.123-7.T9) as a certificate authority? With my
limited Cisco experience, I haven't managed to do this. My 1721 configuration
is:

!
! Last configuration change at 17:11:49 CET Thu Apr 28 2005 by admin
! NVRAM config last updated at 14:04:14 CET Tue Apr 26 2005 by admin
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname charon
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 <removed>
enable password 7 <removed>
!
username bugworks privilege 15 password 7 <removed>
username admin privilege 15 secret 5 <removed>
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip domain name centurion-akku.nl
ip name-server 213.129.213.129
ip name-server 213.129.213.128
ip name-server b.b.b.b
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
crypto pki server hecate
database level names
issuer-name CN=hecate, O=Centurion Akku, C=NL
lifetime crl 24
lifetime ca-certificate 730
cdp-url http://x.x.x.x:80/hecate.crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=(E-Mail Removed)
revocation-check crl
!
crypto pki trustpoint hecate
revocation-check crl
rsakeypair hecate
!
crypto pki trustpoint bugworks
enrollment url http://x.x.x.x:80
serial-number
fqdn charon.centurion-akku.nl
ip-address ATM0.1
password 7 <removed>
revocation-check crl
rsakeypair SDM-RSAKey-1114582402000
auto-enroll
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain hecate
certificate ca 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
<snip>
quit
crypto pki certificate chain bugworks
certificate 02
3082026A 308201D3 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
<snip>
quit
certificate ca 01
30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
<snip>
quit
!
!
!
crypto isakmp policy 1
encr 3des
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
match address 102
!
crypto dynamic-map SDM_DYNMAP_2 1
set transform-set ESP-3DES-SHA2
match address 102
!
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address x.x.x.x 255.255.255.0
no ip mroute-cache
crypto map SDM_CMAP_2
pvc 1/19
protocol ip y.y.y.y
encapsulation aal5snap
!
!
interface FastEthernet0
ip address a.a.a.a 255.255.255.240
speed auto
full-duplex
no cdp enable
!
ip local pool SDM_POOL_1 192.168.60.50 192.168.60.60
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.60.0 255.255.255.0 b.b.b.b
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
!
access-list 100 permit ip 213.129.194.96 0.0.0.15 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
snmp-server community <removed> RO
snmp-server enable traps tty
no cdp run
!
!
control-plane
!
banner login ^CUNAUTHORIZED ACCESS IS PROHIBITED

Prosecution to the fullest extent of federal, state and local laws will
result for unauthorized access. All IP addresses and e-mail addresses are
logged with every attempt to gain access.

^C
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password 7 <removed>
transport input telnet ssh
!
ntp clock-period 17180091
ntp server 193.79.237.14
ntp server 193.67.79.202 prefer
ntp server 213.129.197.13
!
end

The client is behind a firewall (ipfilter) in the 192.168.10.0/24 net.

When I try to enroll a certificate (Certificates -> Enroll), I get the
following errors:

1 16:04:25.918 05/02/05 Sev=Warning/3 CERT/0xA3600010
Invalid server URL specification.

2 16:04:25.918 05/02/05 Sev=Warning/2 CERT/0xE3600012
Online certificate server returned the following HTTP error: Invalid server
URL specification.

3 16:04:25.918 05/02/05 Sev=Warning/2 CERT/0xE3600008
Could not retrieve CA certificate to begin enrollment.

As CA URL I use http:/x.x.x.x.

Any advice would be appreciated.

Jac
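Added example, not part of the post above and not Cisco's code. The three log lines in the post come from the first step of SCEP enrollment, the GetCACert request, and the VPN client reports "Invalid server URL specification" before it ever reaches the router. The script below reproduces that step offline: it validates the CA URL the way a client must (a one-slash "http:/host" parses with no host at all), builds the GetCACert request, and checks that whatever answers is actually a SCEP CA by its Content-Type and a DER leading byte. Assumptions: the IOS CA serves SCEP on the router's HTTP server at /cgi-bin/pkiclient.exe (from Cisco's IOS CA documentation, not from the post); the CA identifier "hecate" is taken from the "crypto pki server hecate" line; the stand-in CA server and its response body are constructed for the example (the body is only the first 16 bytes of the truncated certificate dump in the post, so it is not a complete certificate).

```python
"""Offline reproduction of the SCEP GetCACert step a VPN client does first."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit
from urllib.request import ProxyHandler, build_opener

# Assumption: IOS CA answers SCEP on the router's HTTP server at this path
# (Cisco IOS CA documentation; the post itself never states the path).
IOS_SCEP_PATH = "/cgi-bin/pkiclient.exe"
# SCEP Content-Types for a GetCACert response.
CA_CERT_TYPES = {
    "application/x-x509-ca-cert": "ca",        # one DER CA certificate
    "application/x-x509-ca-ra-cert": "ca+ra",  # PKCS#7 degenerate chain (CA + RA)
}


def normalize_ca_url(text: str) -> str:
    """Return a well-formed base URL for the CA, or raise ValueError.

    'http:/x.x.x.x' (one slash) parses with an empty host; that is the kind of
    input a client rejects as an invalid server URL before sending anything.
    """
    parts = urlsplit(text.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}; use http://host[:port]")
    if not parts.hostname:
        raise ValueError(f"no host in {text!r}; did you type 'http:/' instead of 'http://'?")
    if parts.query or parts.fragment:
        raise ValueError("CA URL must not carry a query string or fragment")
    path = parts.path or IOS_SCEP_PATH  # bare http://host means the IOS default path
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def getcacert_url(ca_url: str, ca_ident: str) -> str:
    """Build the SCEP GetCACert request URL for a CA identifier (e.g. 'hecate')."""
    return normalize_ca_url(ca_url) + "?" + urlencode(
        {"operation": "GetCACert", "message": ca_ident})


def fetch_ca_cert(ca_url: str, ca_ident: str, timeout: float = 5.0) -> tuple:
    """Perform GetCACert and return (kind, der_bytes).

    kind is 'ca' or 'ca+ra' from the Content-Type; any other type means the
    server at that URL is not speaking SCEP (e.g. a plain web page or an error).
    """
    opener = build_opener(ProxyHandler({}))  # go direct, ignore proxy settings
    with opener.open(getcacert_url(ca_url, ca_ident), timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
        body = resp.read()
    kind = CA_CERT_TYPES.get(ctype)
    if kind is None:
        raise ValueError(f"not a SCEP CA certificate response: Content-Type={ctype!r}")
    if not body or body[0] != 0x30:
        raise ValueError("body is not DER (expected a leading SEQUENCE tag, 0x30)")
    return kind, body


# --- stand-in CA so the example runs offline (constructed, not the router) ---
# First 16 bytes of the truncated "certificate ca 01" dump in the post; enough
# for the DER check above, not a complete certificate.
FAKE_CA_DER = bytes.fromhex("30820247308201B0A003020102020101")


class _FakeScepHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        parts = urlsplit(self.path)
        query = parse_qs(parts.query)
        if parts.path == IOS_SCEP_PATH and query.get("operation") == ["GetCACert"]:
            self.send_response(200)
            self.send_header("Content-Type", "application/x-x509-ca-cert")
            self.send_header("Content-Length", str(len(FAKE_CA_DER)))
            self.end_headers()
            self.wfile.write(FAKE_CA_DER)
        else:
            self.send_error(404, "not a SCEP request")

    def log_message(self, *args):  # keep the example quiet
        pass


def serve_fake_ca():
    """Start the stand-in on 127.0.0.1:<ephemeral port>; return (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeScepHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    for candidate in ("http:/x.x.x.x", "http://x.x.x.x", "http://x.x.x.x:80"):
        try:
            print(candidate, "->", getcacert_url(candidate, "hecate"))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
    srv, base = serve_fake_ca()
    try:
        print(fetch_ca_cert(base, "hecate"))
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real router, point fetch_ca_cert at the enrollment URL the trustpoint "bugworks" already uses (http://x.x.x.x:80) with the CA name "hecate"; a Content-Type other than the two SCEP types means the HTTP server answered but the CA did not, which is a different problem from a URL the client refuses to parse.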


 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
1721 connect to Pix 515 - which IOS for 1721? Scooter Cisco 1 02-25-2005 08:06 PM
VPN - Cisco IOS <-> VPN Client - problem Jarosław Skórka Cisco 1 02-01-2005 11:32 AM
Cannot VPN to 1721 through Easy VPN Client mack Cisco 0 10-13-2004 01:15 PM
Cisco VPN Client 4.01 (Rel) problems connecting to Cisc o 2612 IOS Router. Mark Cisco 2 03-02-2004 02:17 PM
Building VPN's: Static/Dynamic//IOS/PIX/Cisco VPN Client/ all at the same time hk Cisco 0 11-25-2003 02:47 AM



Advertisments