Cisco Support Community
New Member

VPN3000 with IPSec, MS CA, MSCEP Enrollment Parameters ....

Hi there

Can anybody tell me how to set up a proper configuration of the Microsoft CA with mscep? I intend to use it for IPSec VPN with VPN3000 and Cisco VPN Client, and it seems to me that there is something wrong with the parameters I used for the CA configuration.

At the moment, SCEP works for the VPN Client, but not for the VPN3000 (manually it works..., I changed the parameters approx. 1000 times...)

My Configuration:

VPN3000, Vers. 3.5.2, Rel. Feb. 2002

VPN Client, Vers. 3.5.2 (C)

W2K, CA, Engl.

MSCEP, 5.131.2195.1 (

My CA Adv.Options:

CSP: Microsoft Base Crypt. Provider 1.0

Hash algorithm: SHA-1 (?) or better MD5 ???

Key length: 2048 (?)

Properties-Default Action: Always issue the certificate

Challenge Phrase Options, Require SCEP Challenge Phrase to Enroll: YES (?)

Enrollment Adv.Options:

Signature Keys: 2048 (?)

Encryption Keys: 1024 (?)

My Questions:

- Are these Parameters ok for vpn3000 ?

- Which Fields in the CA, RA, and Client Request Identity Forms are best practice ?

(Is it Correct, that the OU: must match the VPN3000 Group Name ?)

- In VPN3000, where do I have to configure the Challenge Phrase for MSCEP?

- Do I have to change anything in the IIS Access Rights for the "CertSrv, mscep"?

(Anonymous access=on, Integrated Windows authentication=off).

I would appreciate any help !

New Member

Re: VPN3000 with IPSec, MS CA, MSCEP Enrollment Parameters ....

I have some more info:

- The CA is a "Stand-alone Root CA" -> no ActiveDirectory -> Could this be a problem with MSCEP ?
