IPSec VPN between PIX and Router with digital certificates

buntschu
Level 1

Hi,

I'm trying to build an IPSec VPN between a PIX (v6.3) and a router (IOS 12.4.3a) with digital certificates. I have enrolled both pieces of equipment with a Microsoft CA Server (with SCEP add-on). When trying to build the tunnel, the debug on the router tells me "%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 192.168.1.1 is bad: CA request failed!". I followed the example available on the CCO: http://www.cisco.com/en/US/customer/tech/tk583/tk372/technologies_configuration_example09186a00800946c0.shtml

but had no luck getting it working.

Any help will be appreciated!

Regards

Francois

4 Replies

ivillegas
Level 6

Try using pre-shared keys instead of digital certificates and see if it works fine. Then the problem is communication between the router and the CA server. So, replace the CA server with a new one.

andrew100
Level 1

Hi Francois,

Are you CRL checking at all? Also, I take it the time on the equipment matches the time and date on the CA Server? Can you highlight the order of events you followed when enrolling these devices and obtaining the certificates?

That would be great :-)

Andy

Hi,

It seems to be an IOS issue when running 12.4.3a on the 2821. I tried exactly the same configuration with a 2600 running 12.2.15T and all was fine. Do you know if we have to add some "new" options with version 12.4? I didn't find any bugs in the release notes concerning this.

Concerning the date/time, the CA Server and the two routers were synchronized.

Francois

Hi Francois,

Any chance you can post the configs with private info etc. masked?

Thanks :-)

Andy