Cisco VPN client and 1721 router as IOS CA??

Discussion in 'Cisco' started by Jac Backus, May 2, 2005.

  1. Jac Backus

    Jac Backus Guest

    Has someone ever succeeded in getting a Cisco VPN client
    (vpnclient-win-msi-4.6.02.0011-k9) working with a 1721 router
    (c1700-k9o3sy7-mz.123-7.T9) as a certificate authority? With my
    limited Cisco experience, I can't manage to do this. My 1721 configuration
    is:

    !
    ! Last configuration change at 17:11:49 CET Thu Apr 28 2005 by admin
    ! NVRAM config last updated at 14:04:14 CET Tue Apr 26 2005 by admin
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname charon
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 <removed>
    enable password 7 <removed>
    !
    username bugworks privilege 15 password 7 <removed>
    username admin privilege 15 secret 5 <removed>
    clock timezone CET 1
    clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa session-id common
    ip subnet-zero
    !
    !
    ip domain name centurion-akku.nl
    ip name-server 213.129.213.129
    ip name-server 213.129.213.128
    ip name-server b.b.b.b
    !
    !
    ip cef
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    crypto pki server hecate
     database level names
     issuer-name CN=hecate, O=Centurion Akku, C=NL
     lifetime crl 24
     lifetime ca-certificate 730
     cdp-url http://x.x.x.x:80/hecate.crl
    !
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
     subject-name e=
     revocation-check crl
    !
    crypto pki trustpoint hecate
     revocation-check crl
     rsakeypair hecate
    !
    crypto pki trustpoint bugworks
     enrollment url http://x.x.x.x:80
     serial-number
     fqdn charon.centurion-akku.nl
     ip-address ATM0.1
     password 7 <removed>
     revocation-check crl
     rsakeypair SDM-RSAKey-1114582402000
     auto-enroll
    !
    !
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    crypto pki certificate chain hecate
     certificate ca 01
      30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      <snip>
      quit
    crypto pki certificate chain bugworks
     certificate 02
      3082026A 308201D3 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
      <snip>
      quit
     certificate ca 01
      30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      <snip>
      quit
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     group 2
    !
    crypto isakmp policy 2
     encr 3des
     authentication pre-share
     group 2
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
     set transform-set ESP-3DES-SHA1
     match address 102
    !
    crypto dynamic-map SDM_DYNMAP_2 1
     set transform-set ESP-3DES-SHA2
     match address 102
    !
    !
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
    !
    !
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     ip address x.x.x.x 255.255.255.0
     no ip mroute-cache
     crypto map SDM_CMAP_2
     pvc 1/19
      protocol ip y.y.y.y
      encapsulation aal5snap
    !
    !
    interface FastEthernet0
     ip address a.a.a.a 255.255.255.240
     speed auto
     full-duplex
     no cdp enable
    !
    ip local pool SDM_POOL_1 192.168.60.50 192.168.60.60
    ip classless
    ip route 0.0.0.0 0.0.0.0 ATM0.1
    ip route 192.168.60.0 255.255.255.0 b.b.b.b
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    !
    !
    !
    access-list 100 permit ip 213.129.194.96 0.0.0.15 any
    access-list 101 remark SDM_ACL Category=4
    access-list 101 remark IPSec Rule
    access-list 101 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 102 remark SDM_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 192.168.60.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 103 remark SDM_ACL Category=4
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 192.168.10.0 0.0.0.255 192.168.60.0 0.0.0.255
    snmp-server community <removed> RO
    snmp-server enable traps tty
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CUNAUTHORIZED ACCESS IS PROHIBITED

    Prosecution to the fullest extent of federal, state and local laws will
    result for unauthorized access. All IP addresses and e-mail addresses are
    logged with every attempt to gain access.

    ^C
    !
    line con 0
     exec-timeout 0 0
    line aux 0
    line vty 0 4
     password 7 <removed>
     transport input telnet ssh
    !
    ntp clock-period 17180091
    ntp server 193.79.237.14
    ntp server 193.67.79.202 prefer
    ntp server 213.129.197.13
    !
    end

    The client is behind a firewall (ipfilter) in the 192.168.10.0/24 net.

    When I try to enroll a certificate (Certificates -> Enroll), I get the
    following errors:

    1 16:04:25.918 05/02/05 Sev=Warning/3 CERT/0xA3600010
    Invalid server URL specification.

    2 16:04:25.918 05/02/05 Sev=Warning/2 CERT/0xE3600012
    Online certificate server returned the following HTTP error: Invalid server
    URL specification.

    3 16:04:25.918 05/02/05 Sev=Warning/2 CERT/0xE3600008
    Could not retrieve CA certificate to begin enrollment.

    As the CA URL I use http:/x.x.x.x.

    Any advice would be appreciated.

    Jac
     
    Jac Backus, May 2, 2005
    #1
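Two things in the post can be checked offline, and the Python script below (added here as a worked example; it is not code from the thread or from Cisco) does both. First, it parses the CA URL the way a URL parser does, which is why a one-slash form such as "http:/x.x.x.x" fails: the host comes out empty and the address is taken as a path, matching the client's "Invalid server URL specification". Second, it reads the first 32 bytes of the two certificate blobs shown in the posted config (the only bytes the post includes) and decodes the X.509 version, serial number and signature algorithm with a minimal DER walker, no crypto library needed. The SCEP path "/cgi-bin/pkiclient.exe" and the GetCACert query string are assumptions about how an IOS CA is addressed; the post only shows the base URL "http://x.x.x.x:80".

```python
"""Offline pre-flight checks for SCEP enrollment against a Cisco IOS CA.

Added example; not code from the thread.  Two checks: the CA base URL the VPN client
is given, and the leading bytes of the certificates printed by 'crypto pki certificate
chain' in the router config.
"""
from urllib.parse import urlsplit, urlunsplit

# ASSUMPTION: path on which an IOS CA answers SCEP.  The post only shows the base
# URL 'http://x.x.x.x:80' in the trustpoint's 'enrollment url' line.
SCEP_PATH = "/cgi-bin/pkiclient.exe"

# Signature-algorithm OIDs we want to name when decoding a certificate header.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

# First 32 bytes of the CA certificate and the router certificate, copied from the
# 'certificate ca 01' and 'certificate 02' blocks in the posted config.
CA_CERT_HEAD = "30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030"
ROUTER_CERT_HEAD = "3082026A 308201D3 A0030201 02020102 300D0609 2A864886 F70D0101 04050030"


def check_ca_url(url):
    """Return (ok, reason) for a CA base URL; catches the 'http:/host' one-slash typo."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if not parts.netloc:
        # 'http:/x.x.x.x' parses with an empty host and '/x.x.x.x' as the path
        return False, "no host in URL (a single slash after 'http:' does this)"
    return True, "ok"


def scep_get_ca_cert_url(base_url, ca_name):
    """Build the SCEP GetCACert request URL a client sends first during enrollment."""
    ok, reason = check_ca_url(base_url)
    if not ok:
        raise ValueError(reason)
    parts = urlsplit(base_url)
    query = "operation=GetCACert&message=" + ca_name
    return urlunsplit((parts.scheme, parts.netloc, SCEP_PATH, query, ""))


def _read_tlv(buf, pos):
    """Read a DER tag and length at pos; return (tag, length, offset of the value)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, length, pos


def decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def describe_cert_header(hex_words):
    """Parse the leading bytes of an X.509 DER blob as IOS prints them in the config."""
    der = bytes.fromhex(hex_words.replace(" ", ""))
    tag, outer_len, hdr = _read_tlv(der, 0)   # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, p = _read_tlv(der, hdr)              # tbsCertificate SEQUENCE
    _, _, p = _read_tlv(der, p)                # [0] EXPLICIT version
    _, n, p = _read_tlv(der, p)                # INTEGER version (0 = v1, 2 = v3)
    version, p = der[p] + 1, p + n
    _, n, p = _read_tlv(der, p)                # INTEGER serialNumber
    serial, p = int.from_bytes(der[p:p + n], "big"), p + n
    _, _, p = _read_tlv(der, p)                # signature AlgorithmIdentifier SEQUENCE
    _, n, p = _read_tlv(der, p)                # OBJECT IDENTIFIER
    oid = decode_oid(der[p:p + n])
    return {
        "total_bytes": hdr + outer_len,        # full DER size once <snip> is filled in
        "version": version,
        "serial": serial,
        "sig_alg": SIG_OIDS.get(oid, oid),
    }


if __name__ == "__main__":
    for url in ("http:/x.x.x.x", "http://x.x.x.x:80"):
        print(url, "->", check_ca_url(url))
    print(scep_get_ca_cert_url("http://x.x.x.x:80", "hecate"))
    for label, head in (("CA cert", CA_CERT_HEAD), ("router cert", ROUTER_CERT_HEAD)):
        print(label, describe_cert_header(head))
```

Running it directly prints the URL verdicts, the GetCACert URL for the "hecate" server and the decoded headers. The decoded signature OID for both blobs is 1.2.840.113549.1.1.4, md5WithRSAEncryption, which is worth noticing when planning a two-year CA lifetime as the config does, since MD5 has long been deprecated for certificate signatures.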
