09-03-2008 06:09 AM
Hi, I am trying to configure two routers, one as CA and the other as client, but when I test it I get this error:
Sep 3 10:46:30.153: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 20.20.20.20 is bad: CA request failed!
Sep 3 10:46:31.676: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Sep 3 10:46:33.724: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Sep 3 10:46:35.248: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
Sep 3 10:46:36.776: %CRYPTO-3-IKMP_QUERY_KEY: Querying key pair failed.
This is the "show running" of the server:
crypto pki server VPN_KEY
database level complete
database url flash:
issuer-name CN=pki-server.ma.com.ar L=BA C=AR OU=pki-group
lifetime certificate 730
lifetime ca-certificate 1825
!
crypto pki trustpoint VPN_KEY
revocation-check crl
rsakeypair VPN_KEY
!
crypto pki trustpoint TP-self-signed-2656266450
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2656266450
revocation-check none
rsakeypair TP-self-signed-2656266450
!
crypto pki trustpoint VPNKEY
revocation-check crl
!
!
!
crypto pki certificate map map1 10
subject-name co pki-group
subject-name co server.ma.com.ar
issuer-name co pki-server.ma.com.ar
!
crypto pki certificate chain VPN_KEY
certificate ca 01
30820350 30820238 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
quit
crypto pki certificate chain TP-self-signed-2656266450
certificate self-signed 01
30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
crypto pki certificate chain VPNKEY
!
!
!
!
crypto isakmp policy 20
encr aes
group 5
crypto isakmp profile ezvpn-pki
match identity group pki-group
match certificate map1
client authentication list easyVPN
isakmp authorization list easyVPN
client configuration address respond
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map map1 100 ipsec-isakmp
set peer 21.25.9.3
set peer 20.20.20.20
set transform-set TSET
match address 111
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
description Enlace a Internet
mac-address 000a.6c00.8007
ip dhcp client hostname router
ip address dhcp
no ip redirects
no ip proxy-arp
no ip mroute-cache
speed auto
full-duplex
no cdp enable
crypto map map1
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
and
ezvpn-server#show crypto ca certificates
Router Self-Signed Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: General Purpose
Issuer:
cn=IOS-Self-Signed-Certificate-2656266450
Subject:
Name: IOS-Self-Signed-Certificate-2656266450
cn=IOS-Self-Signed-Certificate-2656266450
Validity Date:
start date: 17:12:51 AR Sep 2 2008
end date: 21:00:00 AR Dec 31 2019
Associated Trustpoints: TP-self-signed-2656266450
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
Subject:
cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
Validity Date:
start date: 15:50:39 AR Sep 2 2008
end date: 15:50:39 AR Sep 1 2013
Associated Trustpoints: VPN_KEY
-------------------------------------------------------------
09-03-2008 06:10 AM
The client configuration is next:
R2#show crypto ca ce
Certificate
Status: Available
Certificate Serial Number: 03
Certificate Usage: General Purpose
Issuer:
cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
Subject:
Name: R2.ma.com.ar
Serial Number: 398A4CC6
serialNumber=398A4CC6+hostname=R2.ma.com.ar
ou=pki-group
Validity Date:
start date: 17:21:10 AR Sep 2 2008
end date: 17:21:10 AR Sep 2 2010
Associated Trustpoints: VPNKEY
CA Certificate
Status: Available
Certificate Serial Number: 01
Certificate Usage: Signature
Issuer:
cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
Subject:
cn=pki-server.ma.com.ar L\=BA C\=AR OU\=pki-group
Validity Date:
start date: 15:50:39 AR Sep 2 2008
end date: 15:50:39 AR Sep 1 2013
Associated Trustpoints: VPNKEY
Storage: nvram:pki-serverpr#7003CA.cer
!
crypto pki trustpoint VPNKEY
enrollment url http://servidor:80
serial-number
subject-name OU=pki-group
revocation-check none
!
!
crypto pki certificate chain VPNKEY
certificate 03
quit
certificate ca 01
quit
!
!
crypto isakmp policy 20
encr aes
group 5
!
!
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
!
crypto map map1 100 ipsec-isakmp
set peer 21.25.9.3
set transform-set TSET
match address 111
!
!
!
interface Loopback0
ip address 192.168.1.3 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
mac-address ff0a.6004.8117
ip dhcp client hostname router
ip address dhcp
ip virtual-reassembly
duplex auto
speed auto
crypto map map1
!
access-list 111 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Can someone help me with this problem?
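One thing worth checking in the configuration above is whether the server's certificate map can match the client's certificate at all. The following is an added example, not from the original post or from Cisco, that evaluates a `crypto pki certificate map` against DN fields; it assumes the documented IOS semantics (every line inside one map sequence must match, different sequences are alternatives, and `co`/`nc` are case-insensitive substring tests) and uses subject and issuer strings copied from the `show crypto ca certificates` output on R2, with the `\=` escaping dropped.

```python
from dataclasses import dataclass, field

@dataclass
class MapSeq:
    name: str
    seq: int
    rules: list = field(default_factory=list)  # (field_name, op, value) tuples

def parse_cert_maps(config: str) -> list:
    """Parse 'crypto pki certificate map NAME SEQ' stanzas from running-config text."""
    seqs, current = [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("crypto pki certificate map "):
            name, seq = line.split()[4:6]
            current = MapSeq(name, int(seq))
            seqs.append(current)
        elif current is not None and line and line != "!":
            current.rules.append(tuple(line.split(None, 2)))
        else:
            current = None  # '!' or a blank line ends the stanza
    return seqs

def rule_holds(rule, cert: dict) -> bool:
    """Assumed IOS semantics: co/nc are case-insensitive substring tests, eq/ne whole-value."""
    field_name, op, value = rule
    actual, want = cert.get(field_name, "").lower(), value.lower()
    return {"co": want in actual, "nc": want not in actual,
            "eq": actual == want, "ne": actual != want}[op]

def failing_rules(seq: MapSeq, cert: dict) -> list:
    """All rules inside one sequence are ANDed; return the ones that do not hold."""
    return [" ".join(r) for r in seq.rules if not rule_holds(r, cert)]

def matching_sequences(seqs, name: str, cert: dict) -> list:
    """Sequences of map NAME are ORed; return the numbers whose rules all hold."""
    return [s.seq for s in seqs if s.name == name and not failing_rules(s, cert)]

# Certificate map as configured on the server in the post.
SERVER_MAP = """\
crypto pki certificate map map1 10
subject-name co pki-group
subject-name co server.ma.com.ar
issuer-name co pki-server.ma.com.ar
!
"""
# Client DN fields constructed from R2's 'show crypto ca certificates' output.
CLIENT_CERT = {
    "subject-name": "serialNumber=398A4CC6+hostname=R2.ma.com.ar,ou=pki-group",
    "issuer-name": "cn=pki-server.ma.com.ar L=BA C=AR OU=pki-group",
}
```

Running `failing_rules(parse_cert_maps(SERVER_MAP)[0], CLIENT_CERT)` shows that `subject-name co server.ma.com.ar` never holds for a subject of `R2.ma.com.ar`, so sequence 10 cannot match this client; the script does not diagnose the `CA request failed` message itself, which is a separate check.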