pix with ca certificate

martin_lx1980
Level 1

I want to test IPSec between a PIX and the Cisco VPN Client using a CA certificate. But the PIX cannot get the certificate from the CA server, which runs Microsoft Windows 2003 Enterprise Server. I installed the Simple Certificate Enrollment Protocol (SCEP) add-on for Certificate Services on the CA server. A connection test using the ping command between the PIX and the CA server is OK.

The IP address of the CA server is 192.168.22.167/24.

pix:

domain-name test.com

ip address outside 192.168.22.166 255.255.255.0

clock timezone beijing +8

The CA server and the PIX are located in the same timezone.

pix1(config)# ca generate rsa key 512

Keypair generation process begin.

.Success.

pix1(config)# sh ca mypubkey rsa

% Key pair was generated at: 17:54:34 beijing Oct 8 2006

Key name: pix1.test.com

Usage: General Purpose Key

Key Data:

305c300d xxxx00034b00 30480241 00ac7b75 bf67fd5e

xxx2cf73c6f

5edad654 1e00b18b a928142b fa8a03d0 1be27b02 ec078201 41020301 0001

pix1(config)# ca identity cert 192.168.22.167:/certsrv/mscep/mscep.dll

pix1(config)# ca authen cert

Certificate has the following attributes:

Fingerprint: 1e5563c3 6b3e53e2 f9ebbd65 ce44dda4

I get the information below from the URL http://192.168.22.167/certsrv/mscep/mscep.dll

The CA certificate's thumbprint is 72463416 7B80534A 5979369B 238DE32D.

Your enrollment challenge password is E7C44517867A6464 and will expire within 60 minutes. This password can only be used once.

Each enrollment requires a new challenge password. You can refresh this web page to obtain a new challenge password.

For more information please see the online documentation mscephlp.htm.

pix1(config)# ca enroll cert E7C44517867A6464

% No CA root cert exists. Use "ca authenticate"

Who can tell me the reason, and what could I do next?

Thanks a lot

5 Replies

rdijkink
Level 1

Hello,

Between the commands:

pix1(config)# ca identity cert 192.168.22.167:/certsrv/mscep/mscep.dll

and

pix1(config)# ca authen cert

Normally the following should also be used:

ca configure ca_nickname ca | ra retry_period retry_count [crloptional]

at least in pix version 6.2.

regards

Rogier

rdijkink:

Thank you for your suggestion.

I tried it again.

pix1(config)# clear ca

pix1(config)# ca generate rsa key 512

Keypair generation process begin.

Success.

pix1(config)# sh ca mypubkey rsa

% Key pair was generated at: 10:56:18 beijing Oct 9 2006

Key name: pix1.test.com

Usage: General Purpose Key

Key Data:

305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c06a49 f13988e4

12066c5b 0c03c9b5 46fe1b27 97d03787 fe76d2cc a88f7ed2 11e4fdfc 35d2fc81

a4411c46 0b6d9a06 706a3d88 24237130 90dc2509 46d15cbe 2f020301 0001

pix1(config)# ca identity cert 192.168.22.167:/certsrv/mscep/mscep.dll

pix1(config)# ca conf cert ra 1 20 crloption

pix1(config)# ca conf cert ca 1 20 crloption

pix1(config)# ca authen cert

Certificate has the following attributes:

Fingerprint: 1e5563c3 6b3e53e2 f9ebbd65 ce44dda4

pix1(config)# ca enroll cert 076FBFB313CCD259

% No CA root cert exists. Use "ca authenticate"

But it shows me the same error message.

pix1#sh version

Cisco PIX Firewall Version 6.3(5)

Cisco PIX Device Manager Version 3.0(4)

Compiled on Thu 04-Aug-05 21:40 by morlee

pix1 up 19 mins 58 secs

Hardware: PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

Encryption hardware device : VAC+ (Crypto5823 revision 0x1)

0: ethernet0: address is 0017.9514.63a3, irq 10

1: ethernet1: address is 0017.9514.63a4, irq 11

2: ethernet2: address is 0005.5d18.2ce4, irq 11

3: ethernet3: address is 0005.5d18.28a7, irq 10

4: ethernet4: address is 0005.5d18.2d95, irq 9

5: ethernet5: address is 0005.5d18.2d81, irq 5

Licensed Features:

Failover: Enabled

VPN-DES: Enabled

VPN-3DES-AES: Enabled

Maximum Physical Interfaces: 6

Maximum Interfaces: 10

Cut-through Proxy: Enabled

Guards: Enabled

URL-filtering: Enabled

Inside Hosts: Unlimited

Throughput: Unlimited

IKE peers: Unlimited

This PIX has a Failover Only (FO) license.

Serial Number: 809140476 (0x303a80fc)

Running Activation Key: 0xdc761818 0x09fb8dab 0xa8a74dde 0xc86dae93

Configuration last modified by enable_15 at 10:59:51.676 beijing Mon Oct 9 2006
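The hex printed under "Key Data" by sh ca mypubkey rsa is a DER-encoded SubjectPublicKeyInfo. As an added example that is not part of this thread, the following standard-library Python parser decodes that dump (copied from the post above) to read back the modulus size and public exponent, a quick check worth doing since 512-bit RSA keys have been publicly factored and are not considered secure.

```python
# Added example (not from the thread): decode the DER SubjectPublicKeyInfo
# that PIX 6.3 prints under "Key Data" to confirm modulus size and exponent.
# Standard library only; the hex dump below is copied from the post.

PIX_KEY_DATA = """
305c300d 06092a86 4886f70d 01010105 00034b00 30480241 00c06a49 f13988e4
12066c5b 0c03c9b5 46fe1b27 97d03787 fe76d2cc a88f7ed2 11e4fdfc 35d2fc81
a4411c46 0b6d9a06 706a3d88 24237130 90dc2509 46d15cbe 2f020301 0001
"""

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded value bytes
RSA_OID = bytes.fromhex("2a864886f70d010101")

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_pix_rsa_key(hex_dump):
    """Parse the 'Key Data' hex dump; return modulus bits, exponent, weakness."""
    der = bytes.fromhex("".join(hex_dump.split()))
    tag, spki, _ = der_tlv(der, 0)            # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("expected SEQUENCE at top level")
    _, alg, pos = der_tlv(spki, 0)            # AlgorithmIdentifier SEQUENCE
    _, oid, _ = der_tlv(alg, 0)               # OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = der_tlv(spki, pos)       # BIT STRING, byte 0 = unused bits
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsakey, _ = der_tlv(bitstr, 1)         # RSAPublicKey SEQUENCE
    _, n_bytes, pos = der_tlv(rsakey, 0)      # INTEGER modulus (leading 00 pad)
    _, e_bytes, _ = der_tlv(rsakey, pos)      # INTEGER publicExponent
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    # 512-bit RSA moduli have been factored publicly; 2048 is the usual floor.
    return {"modulus_bits": n.bit_length(), "exponent": e,
            "weak": n.bit_length() < 2048}

if __name__ == "__main__":
    print(parse_pix_rsa_key(PIX_KEY_DATA))
```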

Hi

Maybe this helps you:

Check the timezone and be sure it should be GMT; also synchronize your PIX date & clock with the CA server date & clock.

Thanks.

I am sure that I configured the same timezone on the PIX 515 and the CA server.

By the way, I added a router 2811 to my experiment, and the router can get a certificate from the CA server. The VPN client (version 4.6.01) also got a certificate from the CA server. But the VPN client cannot dial in with rsa-sig authentication. Attachments are the configuration of the router and debug information.

I cannot find the reason now. Could anybody else do the same experiment and give me some suggestions?

Thanks a lot.

Hi

I only know a little about how to configure VPN and IPsec on a PIX firewall.

Have you configured "vpngroup vpngroupname ...." on your PIX?

If you've configured this, be sure the name of the department is the same as the vpngroupname when you complete the certificate form to request a new certificate.

Thanks.