ok ,let me install a new CA

Dr.X · ‎07-11-2014

helllo ,
im trying to use my router as remote access vpn with certificates , but still no luck

i have implemented windows 2003 as CA , i have issued CA  & identy certificates on my vpn client and it enrolled successfully

also , i enrolled CA & idnetity cert to my router and it enrolled successfull.

but when i try to connect based on the certificate on the client , it dont work and it  say that the router "didnt respond " ??!!!!
on the router logs , i have :
Jul 11 20:28:54.051: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from zz.64.5 is bad: CA request failed!
Jul 11 20:28:55.175: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from zz.64.5 is bad: certificate invalid
Jul 11 20:30:08.163: IPSEC(key_engine): got a queue event with 1 KMI message(s)

couple of days with no luck !
===============
i will paste the config of my router :
===============

!
!
aaa authentication login default local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authentication login AUTH local
aaa authentication ppp DRVIRUS local
aaa authorization exec default local
aaa authorization network DRVIRUS local
aaa authorization network VPN_CLIENT_GROUP local
aaa authorization network AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
ip domain name cisco900.com
ip host win2008 xx.79.13
ip host win2003 xx.79.16
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  pr
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1296895960
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1296895960
revocation-check none
rsakeypair TP-self-signed-1296895960
!
crypto pki trustpoint win2003
enrollment mode ra
enrollment url http://win2003:80/certsrv/mscep/mscep.dll
serial-number
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1296895960
certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31323936 38393539 3630301E 170D3134 30323032 30333437
  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32393638
  39353936 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C287 3A3D8545 48E04187 0A64C08E F215DA6E 77B897D9 7B4C051D B99F53BF
  9907D29E 4879A60A 84D0D659 78236289 55B0526B EC4412CD E47F6F1E A242BE25
  04A38A6C 42E8B9CF 825B12CC CA51DB11 CAEF652B FE055213 AB25ED4E 17E52FE1
  837B1C73 4C893BA2 16F479D1 E5581987 B112D596 1F6222E4 2C70EBAE F0966EBB
  864D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14D3CA37 2B7C53C7 BD65854C C54BA199 19EB09D4 3E301D06
  03551D0E 04160414 D3CA372B 7C53C7BD 65854CC5 4BA19919 EB09D43E 300D0609
  2A864886 F70D0101 05050003 8181008D A055CFCB 6D14F998 339A54FD A987E1DE
  8EDC8DCF 4BBA24B8 BA5FC21A E7B05CF0 BE559325 9F25E08D BC16C5F9 A0B7C103
  DA687526 ECB1571C D6F9948D 7960F06C 20E89702 1686EBBA 377B2169 80D8867B
  E12B370B 419B9F6B B73F3B3F B4D1B390 3ACB15A9 763CAEFE 8041B24A AD2247E1
  C3C4D905 C6C3AE0F 3F6D7D36 3CBC8A
        quit
crypto pki certificate chain win2003
certificate 111C4AA0000000000011
  308203CF 308202B7 A0030201 02020A11 1C4AA000 00000000 11300D06 092A8648
  86F70D01 01050500 300F310D 300B0603 55040313 04636572 74301E17 0D313430
  37313131 35343930 365A170D 31353037 31313135 35393036 5A303C31 14301206
  03550405 130B4643 5A313633 32433556 38312430 2206092A 864886F7 0D010902
  13156369 73636F39 30302E63 6973636F 3930302E 636F6D30 819F300D 06092A86
  4886F70D 01010105 0003818D 00308189 02818100 8455B1EF DDC5DF88 E4D5091B
  92C63762 34CFCCAD D736376D 8FA4F9C4 F5C05FE3 750F623F 6FFA4CF7 D9960432
  931EB086 C3B100BB 74C90D18 5CAEF069 2DE72234 EE911C1A 5C15498D 3F8D988B
  D6CFB73D 882D4635 91E5D540 C4FA62E3 E7559D69 C49023C9 DEB27927 A7433171
  BE7B7D69 CEB5741D 573B26AD 27026B1C 85AF835F 02030100 01A38201 82308201
  7E300B06 03551D0F 04040302 05A0301D 0603551D 0E041604 1414BD1F 2A27D537
  FC92C81C C1919772 DB15AE19 09301F06 03551D23 04183016 80145EFB 7EDC6795
  00CEAD58 F96E3E82 B119A2F9 4DEB3053 0603551D 1F044C30 4A3048A0 46A04486
  1F687474 703A2F2F 63657274 2F436572 74456E72 6F6C6C2F 63657274 2E63726C
  86216669 6C653A2F 2F5C5C63 6572745C 43657274 456E726F 6C6C5C63 6572742E
  63726C30 7406082B 06010505 07010104 68306630 3006082B 06010505 07300286
  24687474 703A2F2F 63657274 2F436572 74456E72 6F6C6C2F 63657274 5F636572
  742E6372 74303206 082B0601 05050730 02862666 696C653A 2F2F5C5C 63657274
  5C436572 74456E72 6F6C6C5C 63657274 5F636572 742E6372 74302306 03551D11
  0101FF04 19301782 15636973 636F3930 302E6369 73636F39 30302E63 6F6D303F
  06092B06 01040182 37140204 321E3000 49005000 53004500 43004900 6E007400
  65007200 6D006500 64006900 61007400 65004F00 66006600 6C006900 6E006530
  0D06092A 864886F7 0D010105 05000382 01010050 F13B1BC4 DA3143D7 91B58BD1
  8490EF35 CEF8F080 37E6D62D A3F3474C 138EC2D6 19D94817 EDCDE4F4 7C638AC9
  51956038 984189CB 9F0EBAF9 FECF0434 0028F534 65F2EBC2 9BDCE952 71A14979
  4609D958 14C7ADC4 5340DDBD 784A8F12 A71FEA74 CC6CC6B2 5C1C673E 0903206C
  1B7AB2B3 CFF053D0 4F70D0C0 527A9C52 C68CED94 0404B65A BA79A6FD 4F09B9A2
  BA18E88F 6723429A 260DE77A 2E7F3386 889B7250 0289159A 17EFD6BC 551F38AF
  DA92C48A 4D9662ED 341A547D 0C86629A F411CA62 B2652349 26B910AC E6DE412C
  90AE2D7F F64425AF 5ADD7B43 B9E0D364 D0BC3789 1B652C43 803F2799 1F1026CA
  646E8F0F DDBC8D61 60AC3055 D42EA85D DA6F96
        quit
certificate ca 4DB8E7F344319392444ADC1DFF12209B
  30820350 30820238 A0030201 0202104D B8E7F344 31939244 4ADC1DFF 12209B30
  0D06092A 864886F7 0D010105 0500300F 310D300B 06035504 03130463 65727430
  1E170D31 34303731 31313034 3431305A 170D3139 30373131 31303531 32395A30
  0F310D30 0B060355 04031304 63657274 30820122 300D0609 2A864886 F70D0101
  01050003 82010F00 3082010A 02820101 00A31734 F2C925EE 25015A31 9A1EA353
  9DBABA4E EB7B839E 5170F810 5AF9FE8D 132FE955 C0E7B500 4DE48838 D0A583D4
  7D9480E9 95C27430 1733F968 B2E0C31F 5EC77B63 6213C9EA 9856ED90 66910420
  41857EE5 9342EF7A DB06DF97 FC1821CA 0CE8EADD 1CAC81AF BEBEE09D 7274D819
  8C4DF21D 1A632DD3 08EA5489 5A9C1187 9DBD61EA 5C4BE321 8EDCBA80 A1B4AF91
  B4AA0A40 C5A49129 E87AC560 F7046608 9830EDF8 C80502EB 3D80C0DD 7BB1A9A9
  0E59EBB4 94960D38 4611851B 7C50F738 7C118F5A 9ECAE17F 98BFC4AC BF9C8180
  A86976C5 16E1BBE3 2E23DCC5 8BBD0F4B EA7C7CE7 C692D87C 167CA3E3 9A5F723B
  F65A827F 1FC45DB9 9991FA63 5693D6DD F5020301 0001A381 A73081A4 300B0603
  551D0F04 04030201 86300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
  0E041604 145EFB7E DC679500 CEAD58F9 6E3E82B1 19A2F94D EB305306 03551D1F
  044C304A 3048A046 A044861F 68747470 3A2F2F63 6572742F 43657274 456E726F
  6C6C2F63 6572742E 63726C86 2166696C 653A2F2F 5C5C6365 72745C43 65727445
  6E726F6C 6C5C6365 72742E63 726C3010 06092B06 01040182 37150104 03020100
  300D0609 2A864886 F70D0101 05050003 82010100 8FB13DDF 32D56714 2A2D97FF
  59F8F46D FD4BFE5C 455D6BEB 96629987 EB4CB503 63ED6ED6 5CE149D5 0B04B19A
  8F34BD38 89B69FC7 87C1B672 8A376E9F DDC126E1 F77DB8B3 C39634C1 902D374D
  FA067950 D3EDD29B B530AF53 35CF1FF5 99CF5FA1 2A7D9901 7ACF5561 475D839C
  0832C548 30338250 225B6736 02F897A7 C7FF9B99 3BD7AA7A B52E5080 0E6B4184
  D1A08ACC 07FAB699 DBB9F972 668152D8 A6631039 5ACFBED6 EA05E454 B5932A86
  EE190F5D E6AF4B43 C3FBBFD3 5285F177 02885940 869D772F 9C075DD4 2BB37152
  A356B586 3C55EE79 9817F642 C4794AB2 4CBD08A0 B8541E3D D8390107 3B2D153E
  0465AABC 08B97A3F 13D42DF7 17C1B05B 4759F3F7
        quit
voice-card 0
!
!
!
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1632C5V8
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
username xxx privilege 0 password 7 xxx
!
redundancy
!
!
!
!
!
!
crypto isakmp policy 10
encr aes 256
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5
!
crypto isakmp client configuration group EZ_VPN_CLIENT
dns 8.8.8.8
domain abc.com
pool EZVPN_POOL
pfs
max-logins 5
netmask 255.255.255.0
banner ^C
heyyyyyyyyyyyyyyyyy
^C
crypto isakmp profile EZVPN_PROFILE
   self-identity fqdn
   ca trust-point win2003
   match identity group EZ_VPN_CLIENT
   isakmp authorization list AUTH
   client configuration address respond
!
!
crypto ipsec transform-set ESP_AES_256_SHA esp-aes 256 esp-sha-hmac
!
!
crypto dynamic-map EZVPN_MAP 10
set security-association lifetime seconds 28800
set transform-set ESP_AES_256_SHA
set pfs group2
set isakmp-profile EZVPN_PROFILE
reverse-route
!
!
!
crypto map VPN_MAP 65000 ipsec-isakmp dynamic EZVPN_MAP
!
!
!
!
!
i
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address zzzz 255.255.255.0
ip pim dense-mode
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPN_MAP
!
!
ip local pool PPTP 10.11.12.1 10.11.12.100
ip local pool VPN_CLIENT_POOL 192.168.20.200 192.168.20.210
ip local pool EZVPN_POOL 172.16.100.32 172.16.100.63
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended EZVPN_ST_ACL
permit ip 172.16.32.0 0.0.0.255 any
!
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255
!
!
!
!
!

cisco900#
=============================

is there anything wrong on router ??

any suggest , any help ??!!!

nkarthikeyan · ‎07-15-2014

Hi Ahmed,

Have you checked the time synchronization between the router and CA server??? Try to point both of them to the same NTP server if possible.

Please let me know once you try it.

Regards

Karthik

Dr.X · ‎07-15-2014

hi , thanks for reply .

i revised the time/date.

i found time and date are correct. except about 2 hours differs between router and server !

dont you think i have something wrong in the config of vpn above ?

do u want me make debug agian ?

nkarthikeyan · ‎07-15-2014

Hi Ahmed,

Your trustpoint name and server name should not be the same. it should be changed to a different name.

Regards

Karthik

Dr.X · ‎07-16-2014

hi , i tried bu it seems "No Luck " !!

anyway ,

can you guid me how to remove all the certificate/public,private keys from router and from flash and from nvram ?

i want to start the config of certificates from scratch and see wt will happen with me.

also , dont u think i have wrong config or the router above ?

i mean the VPN config ??

cheers

nkarthikeyan · ‎07-16-2014

have you changed the server name from win2003 to a different one?

crypto isakmp profile EZVPN_PROFILE
isakmp authorization list VPN_CLIENT_GROUP
!

Also you can go through the below mentioned video which will give you a better idea for your requirement.

http://www.youtube.com/watch?v=65rTOrmXUFU

http://www.youtube.com/watch?v=DD3h-C7DlHU

Regards

Karthik

Dr.X · ‎07-17-2014

Hi ,

YES

i tried many names for trustpoint & host.

but no luck

also , i followed the videos u gave me from the beginning for vpn setup , but no luck !!

it only work for me when i use pre shared key !

nkarthikeyan · ‎07-17-2014

Hi Ahmed,

I guess you are missing something here... can you send your latest configs to me..... have you generated the right rsa key on your device.... have you enabled authetication as rsa-sig..... when you access from client machine where it stops??

Regards

Karthik

Dr.X · ‎07-17-2014

ok ,

let me install a new CA server on win2003 and try agian

i will give u the tast config i have soon

when i finish m i will post the debug result

regards

need help in , VPN remote access based on certificates !