Thank you very much for your quick ansewer.
Today I tested the two commands but with no success.
That's why I will send you a detail config, maybe that will help you to find my mistake.
The VPN Client - Config:
My VPN Client has two Certificates installed:
1) Root Certificate from the Microsoft CA
Common Name: opticomCA
Department: NOCDA
Company: VPN
State: Hessen
Country: DE
Email: CASRV@oc-ag.de
MD5 Thumbprint 6780B01F86A7F0236FC2848D15354FBC
SHA1 Thumbprint 21226BB72FE4014A883E862F48D15FEF5F7AC440
Key Size 512
Subject cn=opticomCA,ou=NOCDA,o=VPN,l=Darmstadt,st=Hessen,c=DE,e=CASRV@oc-ag.de
Issuer cn=opticomCA,ou=NOCDA,o=VPN,l=Darmstadt,st=Hessen,c=DE,e=CASRV@oc-ag.de
Serial Number 3DD010B24188F3BB4A193C480FC0E5FB
Not valid before Fr 12. Sep 17:43:36 2003
Not valid after Mo 12. Sep 17:51:46 2005
2) Enrollment from Cisco Client (CISCO-Store)
Common Name:212.20.129.38
Department: VPN
Company: opticom gmbh
State: Hessen
Country: DE
Email: mmetz@opticom-gmbh.com
MD5 Thumbprint DD2EC2C77B5AB31E3ADE9A1449D563A6
SHA1 Thumbprint 07103D46CBCEAF71F96D61BB2FAC67EAB1338644
Key Size 1024
Subject cn=212.20.129.38,ou=VPN,o=opticom gmbh,st=Hessen,c=DE,e=mmetz@opticom-gmbh.com
Issuer cn=opticomCA,ou=NOCDA,o=VPN,l=Darmstadt,st=Hessen,c=DE,e=CASRV@oc-ag.de
Serial Number 1E0E8214000000000006
Not valid before Mo 15. Sep 11:20:22 2003
Not valid after Mi 15. Sep 11:30:22 2004
Here the show crypto ca cer output from the pix:
RA Signature Certificate
Status: Available
Certificate Serial Number: 6103fb49000000000002
Key Usage: Signature
CN = opti.com RA
OU = VPN
O = opticom
L = Darmstadt
ST = Hessen
C = DE
EA =<16> RA@oc-ag.de
Validity Date:
start date: 16:54:12 GMT/BDT Sep 12 2003
end date: 17:04:12 GMT/BDT Sep 12 2004
Certificate
Status: Available
Certificate Serial Number: 610d2088000000000004
Key Usage: General Purpose
Subject Name:
CN = optivpn.opti.com
UNSTRUCTURED NAME = optivpn.opti.com
Validity Date:
start date: 17:04:11 GMT/BDT Sep 12 2003
end date: 17:14:11 GMT/BDT Sep 12 2004
CA Certificate
Status: Available
Certificate Serial Number: 3dd010b24188f3bb4a193c480fc0e5fb
Key Usage: General Purpose
CN = opticomCA
OU = NOCDA
O = VPN
L = Darmstadt
ST = Hessen
C = DE
EA =<16> CASRV@oc-ag.de
Validity Date:
start date: 16:43:36 GMT/BDT Sep 12 2003
end date: 16:51:46 GMT/BDT Sep 12 2005
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 6103fc24000000000003
Key Usage: Encryption
CN = opti.com RA
OU = VPN
O = opticom
L = Darmstadt
ST = Hessen
C = DE
EA =<16> RA@oc-ag.de
Validity Date:
start date: 16:54:12 GMT/BDT Sep 12 2003
end date: 17:04:12 GMT/BDT Sep 12 2004
Here my running config (OS 6.3(3)):
hostname optivpn
domain-name opti.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map 2000 match address outside_cryptomap_dyn_2000
crypto dynamic-map outside_dyn_map 2000 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 2020 match address outside_cryptomap_dyn_2020
crypto dynamic-map outside_dyn_map 2020 set transform-set ESP-AES-256-MD5
crypto dynamic-map outside_dyn_map 2040 match address outside_cryptomap_dyn_2040
crypto dynamic-map outside_dyn_map 2040 set transform-set ESP-3DES-MD5
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication rsa-sig
isakmp policy 50 encryption aes-256
isakmp policy 50 hash md5
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication rsa-sig
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
vpngroup optida address-pool ma-vpn
vpngroup optida dns-server opticom3 opticom4
vpngroup optida wins-server opticom3
vpngroup optida default-domain opti.com
vpngroup optida split-tunnel optida_splitTunnelAcl
vpngroup optida idle-time 1800
vpngroup optida password xxxxxxx
vpngroup opticomCA address-pool ma-vpn
vpngroup opticomCA dns-server opticom3 opticom3
vpngroup opticomCA default-domain opti.com
vpngroup opticomCA split-tunnel opticomCA_splitTunnelAcl
vpngroup opticomCA pfs
vpngroup opticomCA idle-time 1800
vpngroup VPN address-pool ma-vpn
vpngroup VPN default-domain opti.com
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
ca identity exchxonf 172.16.50.9:/certsrv/mscep/mscep.dll
ca configure exchxonf ra 1 20 crloptional
Thanks a lot in advance for your help.
Best regards,
Marco
