02-06-2009 08:07 AM
Dear all,
I have established a successful hub-and-spoke DMVPN connection between routers, but I'm not using a pre-shared key; I'm using certificates that I could enroll from a CA server where I installed mscep.
My configuration worked when I had put
"revocation-check none"
Now I need to use the CRL. Can anyone advise on that, please?
crypto pki trustpoint CASrv1
 enrollment mode ra
 enrollment url http://192.168.1.11:80/certsrv/mscep/mscep.dll
 serial-number
 revocation-check none
02-06-2009 10:50 AM
You need to check that your CA server has CRL publishing enabled. If the hub is unable to contact the CRL server and download the list, then it will not accept the connection. To test, you can set the revocation to optional while troubleshooting why your CRL is not coming down.
As a configuration, you need to make sure that your CRL link is reachable via your selected protocol. For example, when your CA server gives you your certificate, it also gives you your CDP distribution point. Usually that URL contains the hostname of your CA server, and if this server is not found by name resolution then your router will not be able to find it.
02-06-2009 02:05 PM
"As a configuration, you need to make sure that your CRL link is reachable via your selected protocol"
How can I know the URL of the CRL link, since it arrives with the certificate, as I understood?
And do I have any added configuration on my router, other than changing the revocation-list value?
02-06-2009 02:12 PM
You can modify the value with the cdp-url configuration under the CRL mode of your router.
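Added example, not part of any post in this thread: the CDP URL discussed above is carried inside the enrolled certificate and is listed under "CRL Distribution Points:" in the output of `show crypto pki certificates`. The sketch below pulls those URLs out of a saved copy of that output and reports whether each one depends on name resolution; the sample output, hostnames and function names are constructed for illustration, and the indentation-based layout of the output is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of `show crypto pki certificates` output (not from the thread).
SAMPLE_OUTPUT = """\
Certificate
  Status: Available
  Certificate Serial Number: 0x1A2B3C
  Certificate Usage: General Purpose
  Issuer:
    cn=Example-CA
  Subject:
    Name: spoke1.example.test
  CRL Distribution Points:
    http://casrv1.example.test/CertEnroll/Example-CA.crl
    ldap:///CN=Example-CA,CN=CDP,DC=example,DC=test
  Validity Date:
    start date: 08:00:00 UTC Feb 6 2009
    end   date: 08:00:00 UTC Feb 6 2010
  Associated Trustpoints: CASrv1
"""

def extract_cdp_urls(show_output):
    """Return the URLs listed under each 'CRL Distribution Points:' heading."""
    urls, in_cdp, cdp_indent = [], False, 0
    for line in show_output.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "CRL Distribution Points:":
            in_cdp, cdp_indent = True, indent
        elif in_cdp and stripped and indent > cdp_indent:
            urls.append(stripped)          # deeper-indented lines are the CDP entries
        elif stripped:
            in_cdp = False                 # next field at heading level ends the list
    return urls

def classify_cdp(url):
    """Return (scheme, host, note) describing what the router needs to fetch the CRL."""
    parts = urlsplit(url)
    host = parts.hostname
    if not host:
        return (parts.scheme, None, "no-host")      # URL names no server at all
    try:
        ipaddress.ip_address(host)
        return (parts.scheme, host, "ip-literal")   # routing only, no DNS lookup
    except ValueError:
        return (parts.scheme, host, "needs-dns")    # router must resolve this name

if __name__ == "__main__":
    for u in extract_cdp_urls(SAMPLE_OUTPUT):
        print(classify_cdp(u), u)
```

A "needs-dns" result is the case described in the 10:50 AM reply: the router must be able to resolve that hostname before `revocation-check` can rely on the CRL.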