VPN with PKI scheme

Unanswered Question
Sep 3rd, 2008
Hi, I am trying to configure two routers, one as CA and the other as client, but when I test it I get this error:

Sep 3 10:46:30.153: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 20.20.20.20 is bad: CA request failed!
Sep 3 10:46:31.676: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Sep 3 10:46:33.724: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Sep 3 10:46:35.248: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Sep 3 10:46:36.776: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.


This is the "show running" of the server:

crypto pki server VPN_KEY
 database level complete
 database url flash:
 issuer-name CN=pki-server.ma.com.ar L=BA C=AR OU=pki-group
 lifetime certificate 730
 lifetime ca-certificate 1825
!
crypto pki trustpoint VPN_KEY
 revocation-check crl
 rsakeypair VPN_KEY
!
crypto pki trustpoint TP-self-signed-2656266450
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2656266450
 revocation-check none
 rsakeypair TP-self-signed-2656266450
!
crypto pki trustpoint VPNKEY
 revocation-check crl
!
!
!
crypto pki certificate map map1 10
 subject-name co pki-group
 subject-name co server.ma.com.ar
 issuer-name co pki-server.ma.com.ar
!
crypto pki certificate chain VPN_KEY
 certificate ca 01
  30820350 30820238 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  quit
crypto pki certificate chain TP-self-signed-2656266450
 certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
crypto pki certificate chain VPNKEY
!
!
!
!
crypto isakmp policy 20
 encr aes
 group 5
crypto isakmp profile ezvpn-pki
 match identity group pki-group
 match certificate map1
 client authentication list easyVPN
 isakmp authorization list easyVPN
 client configuration address respond
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map map1 100 ipsec-isakmp
 set peer 21.25.9.3
 set peer 20.20.20.20
 set transform-set TSET
 match address 111
!
!
!
interface Loopback0
 ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
 description Enlace a Internet
 mac-address 000a.6c00.8007
 ip dhcp client hostname router
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
 crypto map map1

access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255

and

ezvpn-server#show crypto ca certificates
Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-2656266450
  Subject:
    Name: IOS-Self-Signed-Certificate-2656266450
    cn=IOS-Self-Signed-Certificate-2656266450
  Validity Date:
    start date: 17:12:51 AR Sep 2 2008
    end date: 21:00:00 AR Dec 31 2019
  Associated Trustpoints: TP-self-signed-2656266450

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
  Subject:
    cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
  Validity Date:
    start date: 15:50:39 AR Sep 2 2008
    end date: 15:50:39 AR Sep 1 2013
  Associated Trustpoints: VPN_KEY

-------------------------------------------------------------
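Added example, not part of the original post: a small Python triage script for the %CRYPTO syslog lines quoted in the question. It parses the IOS `%FACILITY-SEVERITY-MNEMONIC` message shape, pulls out the peer address and the reason text after `is bad:`, counts each mnemonic and attaches a generic hint per mnemonic. The sample log is reconstructed from the five lines in the question; the hint wording is this editor's reading of the message text, not Cisco's documented explanation.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the five syslog lines quoted in the question, verbatim.
SAMPLE_LOG = """\
Sep 3 10:46:30.153: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 20.20.20.20 is bad: CA request failed!
Sep 3 10:46:31.676: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Sep 3 10:46:33.724: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Sep 3 10:46:35.248: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Sep 3 10:46:36.776: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
"""

# IOS syslog shape: "<Mon D HH:MM:SS.mmm>: %FACILITY-SEVERITY-MNEMONIC: free text"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+(?P<text>.*)$"
)
# IPv4 peer named in "... received from A.B.C.D ..."
PEER_RE = re.compile(r"\bfrom (?P<peer>(?:\d{1,3}\.){3}\d{1,3})\b")

# One hint per mnemonic; wording is this editor's reading of the message text,
# not Cisco's documented explanation.
HINTS = {
    "IKMP_INVAL_CERT": "Peer certificate rejected during IKE; the text after "
                       "'is bad:' names the validation step that failed.",
    "IKMP_QUERY_KEY": "This router could not retrieve an RSA key pair; compare the "
                      "trustpoint's 'rsakeypair' with 'show crypto key mypubkey rsa'.",
}


@dataclass
class SyslogEvent:
    timestamp: str
    facility: str
    severity: int      # syslog severity, 0 = most severe
    mnemonic: str
    text: str
    peer: Optional[str]


def parse_line(line: str) -> Optional[SyslogEvent]:
    """Return a SyslogEvent for one IOS log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = PEER_RE.search(m["text"])
    return SyslogEvent(m["ts"], m["facility"], int(m["severity"]),
                       m["mnemonic"], m["text"], p["peer"] if p else None)


def parse_log(text: str) -> list:
    """Parse every line of a log excerpt, silently skipping non-matching lines."""
    events = (parse_line(line) for line in text.splitlines())
    return [e for e in events if e is not None]


def triage(events) -> dict:
    """Summarise CRYPTO events: counts per mnemonic, peers, rejection reasons, hints."""
    crypto = [e for e in events if e.facility == "CRYPTO"]
    counts = Counter(e.mnemonic for e in crypto)
    reasons = sorted({e.text.split("is bad:", 1)[1].strip()
                      for e in crypto if "is bad:" in e.text})
    return {
        "counts": dict(counts),
        "peers": sorted({e.peer for e in crypto if e.peer}),
        "rejection_reasons": reasons,
        "worst_severity": min((e.severity for e in crypto), default=None),
        "hints": [HINTS[m] for m in counts if m in HINTS],
    }


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the quoted excerpt it reports one certificate rejection from 20.20.20.20 with reason "CA request failed!" followed by four key-pair lookup failures at severity 3, which is the pattern to look for before touching the configuration: the first message points at certificate validation on this router, the repeats point at the local key pair bound to the trustpoint.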




mar1980cv Wed, 09/03/2008 - 06:10
The client configuration is next:

R2#show crypto ca ce
Certificate
  Status: Available
  Certificate Serial Number: 03
  Certificate Usage: General Purpose
  Issuer:
    cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
  Subject:
    Name: R2.ma.com.ar
    Serial Number: 398A4CC6
    serialNumber=398A4CC6+hostname=R2.ma.com.ar
    ou=pki-group
  Validity Date:
    start date: 17:21:10 AR Sep 2 2008
    end date: 17:21:10 AR Sep 2 2010
  Associated Trustpoints: VPNKEY

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Issuer:
    cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
  Subject:
    cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
  Validity Date:
    start date: 15:50:39 AR Sep 2 2008
    end date: 15:50:39 AR Sep 1 2013
  Associated Trustpoints: VPNKEY
  Storage: nvram:pki-serverpr#7003CA.cer


!
crypto pki trustpoint VPNKEY
 enrollment url http://servidor:80
 serial-number
 subject-name OU=pki-group
 revocation-check none
!
!
crypto pki certificate chain VPNKEY
 certificate 03
  30820280 30820168 A0030201 02020103 300D0609 2A864886 F70D0101 04050030
  39313730 35060355 0403132E 706B692D 73657276 65722E70 72696D61 2E636F6D
  2E617220 4C3D4241 20433D41 52204F55 3D706B69 2D67726F 7570301E 170D3038
  30393032 32303231 31305A17 0D313030 39303232 30323131 305A3045 31123010
  06035504 0B130970 6B692D67 726F7570 312F300F 06035504 05130833 39384134
  43433630 1C06092A 864886F7 0D010902 160F5232 2E707269 6D612E63 6F6D2E61
  72305C30 0D06092A
  9BC360F6 5461A7DD DBEA5134 B01709D5 C3C7B471 92C3ED83 7F48B520 2C34E60B
  B5021397 68C03EF0 0B16E62A 54F978DC 8F81EA45 4A632C65 857FA6B1 AD59762C
  0981777A 974CA647 2B11D89D 8E2CDC74 F0A5543D 43077845 40B675AC 47EF3BA1
  83F260C8
  quit
 certificate ca 01
  30820350 30820238 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  39313730 35060355 0403132E 706B692D 73657276 39303131 38353033 395A3039 31373035
  3 63306130
  0F060355 1D130101 FF040530 030101FF 300E0603 551D0F01 01FF0404 03020186
  301F30D 69AC16C1
  CAE77722 78C6DBDC 2BA401F0 B7885CFE C40CEBA2 16998F7F 89C8CC79 13AACCC1
  AFE512ED 907C7179 FBF6DF0F 1AB8A181 2EAEF732 9EE92599 F24F84B6 1AF28165
  E624500D F20635B5 D2CBA105 56E6CEC3 3659DF1F D550787B 80C7D09E 1EAA06F4
  C47CF255 EA3CAD8C DB9F09EF A4BE3C18 6EECB16D C33578D8 AC7AB509 8894B2C4
  9193D723 3617EB50 65C5EE33 26C6867B C91A2D80 EA2ED884 D177C123 5F79BF2D
  8C894501 0E5CC08D 0CCD9A55 E63C8D30 0EF283B7
  quit
!
!
crypto isakmp policy 20
 encr aes
 group 5
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map map1 100 ipsec-isakmp
 set peer 21.25.9.3
 set transform-set TSET
 match address 111
!
!
!
interface Loopback0
 ip address 192.168.1.3 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 mac-address ff0a.6004.8117
 ip dhcp client hostname router
 ip address dhcp
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map map1
!

access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255




Can someone help me with the problem?
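Added example, not part of the thread: a Python evaluator for the `crypto pki certificate map map1 10` block from the server configuration in the question, run against the subject and issuer names of the R2 certificate shown in this post. It assumes the IOS certificate-map rules as this editor understands them: within one sequence number every rule must hold (AND), different sequence numbers are alternatives (OR), `co`/`nc` are case-insensitive substring tests and `eq`/`ne` case-insensitive exact comparisons. `MATCHING_CERT` is a constructed certificate, not one from the thread, included only to show what a positive match looks like.

```python
import re
from dataclasses import dataclass

# The certificate map block as posted in the server configuration (copied as-is).
CERT_MAP_CONFIG = """\
crypto pki certificate map map1 10
 subject-name co pki-group
 subject-name co server.ma.com.ar
 issuer-name co pki-server.ma.com.ar
!
"""

# Subject and issuer of the R2 certificate from 'show crypto ca ce' in this post,
# flattened to the single strings the map rules are compared against.
R2_CERT = {
    "subject-name": "serialNumber=398A4CC6+hostname=R2.ma.com.ar ou=pki-group",
    "issuer-name": "cn=pki-server.ma.com.ar L=BA C=AR OU=pki-group",
}

# Constructed certificate (not from the thread) whose subject does contain
# "server.ma.com.ar", used only to show what a positive match looks like.
MATCHING_CERT = {
    "subject-name": "hostname=vpn-server.ma.com.ar ou=pki-group",
    "issuer-name": "cn=pki-server.ma.com.ar L=BA C=AR OU=pki-group",
}

# Assumed IOS operator semantics: comparisons are case-insensitive,
# co/nc are substring tests, eq/ne are exact-match tests.
OPERATORS = {
    "co": lambda actual, value: value in actual,
    "nc": lambda actual, value: value not in actual,
    "eq": lambda actual, value: actual == value,
    "ne": lambda actual, value: actual != value,
}

RULE_RE = re.compile(
    r"^(?P<field>issuer-name|subject-name|alt-subject-name|unstructured-subject-name)"
    r"\s+(?P<op>co|nc|eq|ne)\s+(?P<value>\S.*)$"
)


@dataclass
class MapEntry:
    """One 'crypto pki certificate map NAME SEQ' block; all of its rules must hold."""
    seq: int
    rules: list  # [(field, operator, value), ...]


def parse_certificate_maps(config_text: str) -> dict:
    """Return {map_name: [MapEntry, ...]} from an IOS configuration excerpt."""
    maps, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("crypto pki certificate map "):
            name, seq = line.split()[4:6]
            current = MapEntry(int(seq), [])
            maps.setdefault(name, []).append(current)
        elif current is not None and (m := RULE_RE.match(line)):
            current.rules.append((m["field"], m["op"], m["value"].strip()))
        else:
            current = None          # '!' or any other line ends the block
    return maps


def failed_rules(entry: MapEntry, cert: dict) -> list:
    """Rules of one entry that the certificate does NOT satisfy (empty list = match)."""
    return [(field, op, value) for field, op, value in entry.rules
            if not OPERATORS[op](cert.get(field, "").lower(), value.lower())]


def map_matches(entries: list, cert: dict):
    """Sequence numbers are alternatives: return the first seq whose rules all hold, else None."""
    for entry in sorted(entries, key=lambda e: e.seq):
        if not failed_rules(entry, cert):
            return entry.seq
    return None


def report(map_name: str, cert: dict, config_text: str = CERT_MAP_CONFIG) -> dict:
    """Per-sequence list of failing rules plus the overall verdict for one certificate."""
    entries = parse_certificate_maps(config_text)[map_name]
    return {
        "matched_seq": map_matches(entries, cert),
        "failures": {e.seq: failed_rules(e, cert) for e in entries},
    }


if __name__ == "__main__":
    for label, cert in (("R2 certificate (from post)", R2_CERT),
                        ("constructed certificate", MATCHING_CERT)):
        print(label, "->", report("map1", cert))
```

With the names as posted, sequence 10 of map1 fails on the `subject-name co server.ma.com.ar` rule: the R2 subject contains `R2.ma.com.ar`, not `server.ma.com.ar`, while the other two rules hold. The script only shows which rule the map does not satisfy under the assumed semantics; the thread does not establish that this is what produced the logged errors, so the log triage and the trustpoint/key-pair check belong in the same pass.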
