PIX and MS certificates

mauro.elias
Level 1

Hello,

The scenario is: I'm trying to create a VPN from a Win2K client to a PIX v6.2(2) following the configuration examples from

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080089924.html#xtocid10 and http://www.cisco.com/en/US/tech/tk648/tk367/technologies_configuration_example09186a00800942ad.shtml

A driver has been installed in my CA server so it will properly give certificates to Cisco devices (according to Microsoft), and in the Certificates console on this server I can see that a new valid certificate has been issued to my PIX when the procedure is followed.

The problem is that when I want to enroll the certificate, the following error appears on the PIX console:

PIX(config)# ca enroll cert_name password

% No CA root cert exists. Use "ca authenticate"

and the command "sh ca certificates" shows nothing, of course...

And I can't get past this step... so I don't know if this kind of VPN will work. Has anybody tried using this configuration (Win2K client to PIX using Microsoft certificates)?

Any clues?

Thank you in advance

3 Replies

gfullage
Cisco Employee

Your config should look something like:

> ca identity cert_name 10.1.1.1:certsrv/mscep/mscep.dll

> ca configure cert_name ra 10 3 crloptional

Then you just need to do the following:

> ca gen rsa key 1024

> ca authenticate cert_name

At this point the PIX should contact the CA server at 10.1.1.1 and download the CA certificate. Once (and only once) that's completed successfully, then do:

> ca enroll cert_name

and the PIX should enroll with the CA and get an identity cert. After that has been downloaded, make sure you do:

> ca save all

to save the certificates, otherwise you'll lose them after a reboot.
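An added pre-flight check for the `ca authenticate` step described above (example code, not from the thread or from Cisco): it builds the SCEP GetCACert request the PIX sends to the `ca identity` host, reports from the response Content-Type whether the server answers as an RA (the mode the Microsoft SCEP add-on uses, hence `ra` in `ca configure`) or as a bare CA, and computes fingerprints so the CA certificate can be verified out of band before it is accepted on the PIX. The hostname, path and certificate name are the ones from the reply above; the function names are mine.

```python
"""Pre-flight check for PIX 6.x 'ca authenticate' against Microsoft SCEP (mscep.dll).
Builds the GetCACert URL from the 'ca identity' line, reports whether the server
answers as an RA or a bare CA, and prints fingerprints to compare with the PIX prompt."""
import hashlib
import re
import urllib.request

# SCEP GetCACert content types and the matching 'ca configure' mode.
SCEP_CONTENT_TYPES = {
    "application/x-x509-ca-ra-cert": "ra",  # PKCS#7 bundle of CA + RA certs (MSCEP)
    "application/x-x509-ca-cert": "ca",     # single DER CA certificate, no RA
}

def parse_ca_identity(line):
    """'ca identity NAME HOST:PATH' -> (name, GetCACert URL the PIX will request)."""
    m = re.fullmatch(r"\s*ca identity (\S+) ([^:\s]+):(\S+)\s*", line)
    if not m:
        raise ValueError("not a 'ca identity NAME HOST:PATH' line: %r" % line)
    name, host, path = m.groups()
    url = "http://%s/%s?operation=GetCACert&message=%s" % (host, path.lstrip("/"), name)
    return name, url

def enrollment_mode(content_type):
    """Map the GetCACert Content-Type header to the 'ca configure' mode (ra or ca)."""
    ctype = content_type.split(";")[0].strip().lower()
    if ctype not in SCEP_CONTENT_TYPES:
        raise ValueError("unexpected GetCACert content type: %r" % content_type)
    return SCEP_CONTENT_TYPES[ctype]

def fingerprints(der_bytes):
    """MD5 and SHA-1 fingerprints, colon separated. For an RA bundle this hashes the
    whole PKCS#7: extract the CA cert (openssl pkcs7 -print_certs) before comparing."""
    return {alg: ":".join("%02x" % b for b in hashlib.new(alg, der_bytes).digest())
            for alg in ("md5", "sha1")}

def fetch_ca_cert(identity_line, timeout=10):
    """Perform the same GetCACert request the PIX issues during 'ca authenticate'."""
    name, url = parse_ca_identity(identity_line)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read()
        mode = enrollment_mode(resp.headers.get("Content-Type", ""))
    return {"name": name, "url": url, "mode": mode, "fingerprints": fingerprints(body)}

if __name__ == "__main__":
    # Identity line from the thread; 10.1.1.1 is the CA server running mscep.dll.
    result = fetch_ca_cert("ca identity cert_name 10.1.1.1:certsrv/mscep/mscep.dll")
    print("configure with: ca configure %s %s 10 3 crloptional" % (result["name"], result["mode"]))
    for alg, fp in result["fingerprints"].items():
        print("%s fingerprint (verify against the PIX prompt): %s" % (alg, fp))
```

Run it from a host that can reach the CA server before issuing `ca authenticate`; if the mode it reports does not match what `ca configure` was given, the PIX will not be able to complete enrollment.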

Wow! You're really good!

The PIX has accepted the certificate and got enrolled.

I had a typo. I was entering:

> ca configure cert_name "ca" 10 3 crloptional

and it should be:

> ca configure cert_name "ra" 10 3 crloptional

Now the problem is on the client side; I can't make it work. I saw a message in this forum in which a link to configure the Win2K native client was posted, but I can't find it again. Do you know the link, or any other that could help? And of course... the answer of gfullage was accurate and solved the initial problem. Should I rate it now, or could I go on with this message and clear all other doubts? ;)

Thank you in advance

There are a few links. Is this for a client-to-PIX tunnel using native Windows 2000 as the client? If so, then you'll have to do L2TP/IPSec, because that's all Windows does; a config example is here:

http://www.cisco.com/warp/public/110/l2tp-ipsec.html

Although this really doesn't show the client setup, for that try this link:

http://www.cisco.com/warp/public/471/Win_client.html

If this is for a LAN-to-LAN connection using the Win2K box as one of the end devices, then you want to look at this (which also highlights the configuration of the Windows side of things):

http://www.cisco.com/warp/public/707/2000.html

As for your rating question, you can rate the answer whenever you like. Some people rate each answer they get, nothing wrong with that; some rate just the last answer; most don't rate anything. It's entirely up to you.
