Cisco Support Community

New Member

Pix 515E and NT4 certificate server problem...

Hi all,

I'm trying to set up a *simple* Windows to Pix VPN connection. Rather than have each client download the VPN Client (on a dialup connection, this could take quite a while and if I'm supposed to dial-in and fix something NOW, that wouldn't work), I'm trying to get it set up to support the built-in Windows VPN features.

I have the VPN working using a pre-shared key. XP supports this rather easily, but with 2k it's a pain to use a pre-shared key (you have to configure it through MMC, etc.). To bypass all of this, I'm attempting to configure the Pix to use a certificate rather than a pre-shared key.

The only directions I've been able to find so far reference using the certificate server with Windows 2k, not the one with NT4. Is there a way to use the certificate server with NT4 or am I fighting a hopeless cause?

I've followed the directions given at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v53/ipsec/excas.htm#51035 but get the following error on the Pix:

Pix(config)# ca identity VPNClients 10.1.5.3:/certsrv/mscep/mscep.dll
Pix(config)# ca authenticate VPNClients
msgsym(GETCARACERT, CRYPTO)!
%Error in connection to Certificate Authority: status = FAIL

I've looked on the NT4 server and the certsrv directory exists but there's no mscep directory and no dll by that name. Is there a way to communicate with NT4's certificate server from the Pix?

Thank you in advance for your time and help,

Tim C

3 REPLIES
Cisco Employee

Re: Pix 515E and NT4 certificate server problem...

The MSCEP stuff comes as a separate DLL to be installed, even with the 2K CA server. It's included in the Win2K Resource Kit, so not sure if it'll install on a NT4.0 server, can't say I've ever tried.

If you can't find the DLL, search for it in google, it's available in various places around the traps, although funnily enough, it doesn't seem to be on MS's web site. If you still can't find it and can wait till next week, I can email you a copy of it off-line (I'm currently at home and don't have access to my server).

Once the DLL is installed you should be able to browse to the URL just from a browser and you'll get a certificate fingerprint. Until you can get that the PIX won't be able to download the cert properly.

Also make sure you set the enrollment mode to RA.
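An added worked check for the step described in the reply above (browse to the MSCEP URL and confirm you get a certificate fingerprint before expecting the PIX to). This is not code from the thread or from Cisco. It turns the `ca identity` URL from the question into the SCEP GetCACert request (the standard SCEP query form `operation=GetCACert&message=ca`), parses the answer as either a bare X.509 certificate or the PKCS#7 bundle an RA-mode server returns (CA plus RA certificate), and prints MD5/SHA-1 fingerprints to compare by hand with what the PIX displays during `ca authenticate`. The DER samples at the bottom are constructed stand-ins so the parser runs offline; they are not real certificates.

```python
"""Added check for the MSCEP step in the reply above: request GetCACert from
the SCEP URL the PIX was given and print the certificate fingerprint(s), so
they can be compared out of band with what the PIX shows during
`ca authenticate`. The URL form and 10.1.5.3 come from the question; the DER
samples at the bottom are constructed stand-ins, not real certificates."""
import hashlib
import sys
import urllib.request

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def getcacert_url(ca_identity_url: str) -> str:
    """Turn the PIX `ca identity` URL ("host:/path/mscep.dll") into the
    SCEP GetCACert request that a browser or this script can issue."""
    scheme, _, rest = ca_identity_url.rpartition("://")
    host, _, path = rest.partition("/")
    return f"{scheme or 'http'}://{host.rstrip(':')}/{path}?operation=GetCACert&message=ca"


def der_read(buf: bytes, pos: int):
    """Decode one DER tag/length at pos; return (tag, content_start, content_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def extract_certs(body: bytes) -> list:
    """Pull DER certificates out of a GetCACert response body.

    A CA-only server answers with a bare X.509 certificate; in RA mode
    (what the reply says to configure) MSCEP answers with a degenerate
    PKCS#7 SignedData holding the CA and RA certificates."""
    tag, start, end = der_read(body, 0)
    if tag != 0x30:
        raise ValueError("response is not a DER SEQUENCE")
    ctag, cstart, cend = der_read(body, start)
    if ctag == 0x30:                       # tbsCertificate => bare certificate
        return [body[:end]]
    if ctag != 0x06 or body[cstart:cend] != OID_SIGNED_DATA:
        raise ValueError("neither a certificate nor PKCS#7 signedData")
    tag, start, _ = der_read(body, cend)   # [0] EXPLICIT SignedData
    if tag != 0xA0:
        raise ValueError("malformed ContentInfo")
    _, pos, _ = der_read(body, start)      # SignedData SEQUENCE
    for _ in range(3):                     # version, digestAlgorithms, encapContentInfo
        _, _, pos = der_read(body, pos)
    tag, pos, end = der_read(body, pos)    # certificates [0] IMPLICIT
    if tag != 0xA0:
        raise ValueError("signedData carries no certificates")
    certs = []
    while pos < end:
        _, _, cend = der_read(body, pos)
        certs.append(body[pos:cend])
        pos = cend
    return certs


def fingerprints(cert_der: bytes) -> dict:
    """MD5 and SHA-1 fingerprints of the DER certificate, colon-separated hex."""
    return {alg: ":".join(f"{b:02X}" for b in hashlib.new(alg, cert_der).digest())
            for alg in ("md5", "sha1")}


def check_endpoint(ca_identity_url: str, timeout: float = 10) -> list:
    """Fetch GetCACert over HTTP and return fingerprints for every certificate."""
    with urllib.request.urlopen(getcacert_url(ca_identity_url), timeout=timeout) as resp:
        body = resp.read()
    return [fingerprints(c) for c in extract_certs(body)]


# --- constructed sample data, so the parser can be exercised offline ----------
def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

# Stand-in "certificates": a SEQUENCE whose first element is a SEQUENCE, which is
# all the structural check above looks at. Real certificates are much longer.
SAMPLE_CA_CERT = der(0x30, der(0x30, der(0x02, b"\x01")) + der(0x04, b"ca"))
SAMPLE_RA_CERT = der(0x30, der(0x30, der(0x02, b"\x02")) + der(0x04, b"ra"))
SAMPLE_PKCS7 = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, der(0x30,
    der(0x02, b"\x01") + der(0x31, b"") + der(0x30, der(0x06, OID_DATA))
    + der(0xA0, SAMPLE_CA_CERT + SAMPLE_RA_CERT))))

if __name__ == "__main__":
    if len(sys.argv) > 1:                  # e.g. 10.1.5.3:/certsrv/mscep/mscep.dll
        for fp in check_endpoint(sys.argv[1]):
            print(fp)
    else:                                  # offline demo on the constructed bundle
        for c in extract_certs(SAMPLE_PKCS7):
            print(fingerprints(c))
```

Run it with the same URL you gave `ca identity`; if the request fails or the body does not parse, the DLL is not answering and the PIX will keep failing at `ca authenticate`. If it does parse, the fingerprint it prints is the value to compare against the one the PIX shows before you accept the CA certificate, since that comparison is the only thing tying the PIX to the right CA rather than to whatever answered on the wire.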

New Member

Re: Pix 515E and NT4 certificate server problem...

Thank you for your response! I'm not sure that the MSCEP would work on NT4, but I'm willing to try it! I've looked on the net, but like you said, Microsoft doesn't have it on their site (there are lots of references to the Corporate Update site, but they removed that site). Could you send me the file(s) needed to install and make MSCEP work? The preferred email address is tclegg@ovhd.com.

Thank you for your help,

Tim C

New Member

Re: Pix 515E and NT4 certificate server problem...

I found the SCEP on Yahoo! Group cciesecurity and tried installing it on NT4, but it wouldn't fully load. Are there any other ways of getting the Pix to get a certificate with NT4? Moving to W2k isn't really an option at this point with our certificate server.

Thank you for your help,

Tim C
