07-18-2006 11:27 PM - edited 02-21-2020 02:32 PM
Hi,
I'm trying to build an IPSec VPN between a PIX (v6.3) and a router (IOS 12.4.3a) with digital certificates. I have enrolled both of my devices with a Microsoft CA Server (with SCEP add-on). When trying to build the tunnel, the debug on the router tells me "%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.1.1 is bad: CA request failed!". I followed the example available on CCO: http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a00800946c0.shtml
but had no luck getting it working.
Any help will be appreciated!
Regards
Francois
07-25-2006 05:49 AM
Try using pre-shared keys instead of digital certificates. If it is working fine, then the problem is communication between the router and the CA server. So, replace the CA server with a new one.
08-01-2006 06:51 AM
Hi Francois,
Are you CRL checking at all? Also, I take it the time on the equipment matches the time and date on the CA Server? Can you highlight the order of events you followed when enrolling these devices and obtaining the certificates?
That would be great :-)
Andy
08-01-2006 09:45 PM
Hi,
It seems to be an IOS issue when running 12.4.3a on the 2821. I tried exactly the same configuration with a 2600 running 12.2.15T and all was fine. Do you know if we have to add some "new" options with version 12.4? I didn't find any bugs in the release notes concerning this.
Concerning the date/time, the CA Server and the two routers were synchronized.
Francois
08-02-2006 06:23 AM
Hi Francois,
Any chance you can post the configs with private info etc. masked?
Thanks :-)
Andy