Cisco Support Community
Community Member

VPN Concentrator 3030 using CRLs from Windows 2000 CA Server

Hi Guys,

I have installed a couple of VPN Concentrators (3030 / OS 3.5.3) and a Windows 2000 CA server with SCEP support.

I configured and created the CA / Concentrator + VPN Client certificates via SCEP as per the documentation and all works fine.

The last stage is to get the CRLs downloaded via LDAP, but here the documentation is not so clear.

Note: I also noticed the CA server needs to be installed as a DC (Domain Controller), as otherwise it will not run the LDAP Directory Service.

I have checked the CDP (CRL Distribution Point) on the W2K CA server and left it as default for LDAP.

At the Concentrator I have modified the CRL checking to do a search on a different Base DN. Then I looked at the live event log and tried to VPN in, and even though the path has been changed, the concentrator still seems to be looking for the CRL on the CDP provided by the CA certificate???

After that you can see the concentrator fails to download the CRL.

Because of it the VPN Client is not authorised to VPN in as the Concentrator hasn't got a CRL to check against.

Then my Qs are:

1. Am I missing something?

2. Does anyone have the Concentrator and W2K CA working fine via LDAP?

3. Do I need to change the CRL Distribution Points on the CA server?

4. Any other info will be appreciated.

Thanks in advance.


Community Member

Re: VPN Concentrator 3030 using CRLs from Windows 2000 CA Server

Just found the problem is a misconfigured filter on the Interface to allow CRL over LDAP.


