Configuring crl when using certificates for vpn connection

imadjabboury · ‎02-06-2009

Dear all,

i have established a successfull Hub&Spoke DMVPN connection between routers, but i'm not using a pre-shared key, i'm using a certificates that i could enroll from a CA server where i installed mscep.

My configuration worked when i had put

"revocation-check none"

now i need to use the crl, anyone can advice on that pls..

crypto pki trustpoint CASrv1

enrollment mode ra

enrollment url http://192.168.1.11:80/certsrv/mscep/mscep.dll

serial-number

revocation-check none

Ivan Martinon · ‎02-06-2009

You need to check that your CA server has CRL publishing enabled, if the Hub is unable to contact the CRL server and download the List, then it will not accept the connection. To test you can set the revocation to optional while troubleshooting why your crl is not coming down.

As a configuration, you need to make sure that your CRL link is reachable via your selected protocol. For example, your CA server when giving you your certificate gives you as well your CDP distribution point, usually that url contains the hostname of your CA server and if this server is not found my name resolution then your router will not be able to find it.

imadjabboury · ‎02-06-2009

"As a configuration, you need to make sure that your CRL link is reachable via your selected protocol"

how can i know the url of crl link since it arriveswith the certificate as i understood

and do i hve any added configuration on my router, other than changing the revocation-list value ???

Ivan Martinon · ‎02-06-2009

You can modify the value with the cdp-url configuration under the CRL mode of your router.