I have an IPsec VPN module on a 7606 router. Authentication is based on a digital certificate. But there is a problem with the revocation check. When revocation check is set to CRL, the VPN connection fails when the router tries to get the CRL from the web server. The debugging output is shown below:
E ../cert-c/source/crlobj.c(384) : Error #705h
CRYPTO_PKI: status = 1797: failed to set crl ber
CRYPTO_PKI: transaction Unknown completed
CRYPTO_PKI: Poll CRL callback
CRYPTO_PKI:Blocking chain verification callback received status: 105
CRYPTO_PKI: Certificate not validated
When revocation check is set to none, the VPN connection is established successfully.
Do you mean the CRL or the certificate? There is no problem with the certificate, because with this certificate, without revocation check, the VPN connection is established. Also, with the other certificates there is the same problem.
....#show debugging
Cryptographic Subsystem:
  Crypto ISAKMP debugging is on
  Crypto IPSEC debugging is on
  Crypto Key Management Interface debugging is on
PKI:
  Crypto PKI Msg debugging is on
  Crypto PKI Trans debugging is on
  Crypto PKI callbacks debugging is on
  verbose debug output debugging is on
  Crypto PKI Certificate Server debugging is on
.....#deb
....#debug cr
....#debug crypto pk
....#debug crypto pki ?
  API           PKI API
  callbacks     PKI callbacks
  messages      PKI Input/Output Messages
  server        CA Server
  transactions  PKI transactions
I really appreciate your attention. I'm sorry for hiding some information; it's because of our security policies.
....#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number: 0095
  Certificate Usage: General Purpose
  Issuer:
    cn=......
    ou=......
    o=.....
    l=.....
    st=.....
    c=.....
  Subject:
    Name: .......
    IP Address: .......
    Serial Number: 0001AE14
    serialNumber=1AE14+ipaddress=.....+hostname=.......
    cn=.....
  CRL Distribution Points:
    http://10.3.71.1/crl.crl
  Validity Date:
    start date: 08:40:01 May 3 2010
    end date: 09:40:01 May 3 2011

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Not Set
  Issuer:
    cn=...
    ou=...
    o=...
    l=...
    st=...
    c=...
  Subject:
    cn=....
    ou=...
    o=....
    l=....
    st=....
    c=...
  Validity Date:
    start date: 20:21:10 May 18 2008
    end date: 20:21:10 May 23 2011
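
An added example, not part of the original thread: a structural check that can be run on the bytes served at the CRL distribution point URL, to tell a DER-encoded CRL from a PEM-wrapped one or from something else such as a web server error page. It assumes the "failed to set crl ber" message concerns decoding the fetched CRL; the function names and the sample bytes are constructed for illustration, and no signature is verified.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos; ValueError if malformed."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of data")
    return tag, pos, pos + length

def looks_like_der_crl(buf):
    """Structure only: SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }, no trailing bytes."""
    try:
        tag, pos, end = read_tlv(buf, 0)
        if tag != 0x30 or end != len(buf):
            return False
        tags = []
        while pos < end:
            child, _, pos = read_tlv(buf, pos)
            tags.append(child)
        return tags == [0x30, 0x30, 0x03]
    except ValueError:
        return False

def classify_crl(body):
    """Classify the bytes returned by a CRL distribution point."""
    m = PEM_RE.search(body)
    if m:
        try:
            inner = base64.b64decode(m.group(1))
        except ValueError:
            return "pem-garbage"
        return "pem-crl" if looks_like_der_crl(inner) else "pem-garbage"
    if looks_like_der_crl(body):
        return "der-crl"
    return "html-or-xml" if body.lstrip()[:1] == b"<" else "unknown"

# Constructed sample: minimal CertificateList skeleton, not a real CRL.
SAMPLE_DER = bytes.fromhex("300d" "3003020101" "30020500" "030200ff")
```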