Please find the configs
*EzVPN Server*

crypto isakmp policy 1
 encr aes 256
 hash md5
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp identity dn
!
crypto isakmp client configuration group king
 pool addr
 acl 123
crypto isakmp profile prof
 match identity group king
 client authentication list ez
 isakmp authorization list ez
 client configuration address respond
 client configuration group king
 virtual-template 6
!
!
crypto ipsec transform-set tran esp-3des esp-sha-hmac
!
crypto ipsec profile prof
 set transform-set tran
 set isakmp-profile prof
!
!
interface Virtual-Template6 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile prof

*CA server*

crypto pki server caserver
 issuer-name ou=king
 grant auto
crypto pki trustpoint caserver
 revocation-check crl
 rsakeypair caserver

With regards
Kings

On Sun, Mar 7, 2010 at 12:18 AM, Brandon Carroll <[email protected]> wrote:
> Ok, I'll look at that lab again, but I'm glad you got it worked out.
> Can you send me your final config?
>
> Regards,
>
> Brandon Carroll - CCIE #23837
> Senior Technical Instructor - IPexpert
> Mailto: [email protected]
> Telephone: +1.810.326.1444
> Live Assistance, Please visit: www.ipexpert.com/chat
> eFax: +1.810.454.0130
>
> IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA
> (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice,
> Security & Service Provider) Certification Training with locations
> throughout the United States, Europe and Australia. Be sure to check
> out our online communities at www.ipexpert.com/communities and our
> public website at www.ipexpert.com.
>
> On Sat, Mar 6, 2010 at 10:40 AM, Kingsley Charles <[email protected]> wrote:
> > Hi Brandon
> >
> > Just brought the client connection with the IOS server up. The IOS EzVPN
> > server just had a cert without cn or ou. I had "crypto isakmp identity dn"
> > configured. Without it, the certification validation failed on the client.
> >
> > The CA server just has grant auto and issuer-name configured.
> >
> > One of the CA options asked to be configured in the VPN (4A IOS EzVPN
> > server) lab is causing the issue.
> >
> > With regards
> > Kings
> >
> > On Sat, Mar 6, 2010 at 9:58 AM, Brandon Carroll <[email protected]> wrote:
> >>
> >> Kings,
> >>
> >> I’ve had the same issue in testing and upgrading to the T2 code solved it.
> >> With me, the enrollment was successful but the tunnel failed because of the
> >> way the client was verifying the cert. Another thing that I’ve seen make it
> >> work is setting the database level to complete on the PKI server. I’m not
> >> sure why there was a difference though. I need to test it again.
> >>
> >> Anyhow, if you are still seeing this issue what code are you running on
> >> the PKI server and what URL are you using to enroll the client? Do you have
> >> the cdp-url configured? What is that URL?
> >> --
> >> Regards,
> >>
> >> Brandon Carroll - CCIE #23837
> >> Senior Technical Instructor - IPexpert
> >>
> >> ________________________________
> >> From: Kingsley Charles <[email protected]>
> >> Date: Sat, 6 Mar 2010 09:38:54 +0530
> >> To: Tyson Scott <[email protected]>
> >> Cc: <[email protected]>, Simon Baumann <[email protected]>,
> >> <[email protected]>
> >> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
> >> VPN-Client).
> >>
> >> For the past two, I am also facing the issue on my local test bed. In the
> >> client logs, it says something like the header is empty.
> >>
> >> It seems the server is not responding but at the same time I am able to
> >> enroll the routers to the CA.
> >>
> >> There is some kind of bug.
> >>
> >> Why can't we do this directly using Windows?
> >>
> >> Open the MMC and Add a snap shot for the certification. Select Personal
> >> and right > All Tasks > Request New Certificate.
> >>
> >> But I have not been able to go through, as it says I don't have admin
> >> rights or cannot contact active directory
> >>
> >> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmreqcerts.mspx?mfr=true
> >>
> >> After getting the cert on the windows certificate personal folder, you can
> >> see that in the client.
> >>
> >> If anyone succeeds, please let me know.
> >>
> >> With regards
> >> Kings
> >>
> >> On Sat, Mar 6, 2010 at 4:25 AM, Tyson Scott <[email protected]> wrote:
> >>
> >> Team,
> >>
> >> Our support team is in the middle of upgrading all our racks to get past
> >> this problem. I believe it to be a problem with the 12.4(24)T1 code.
> >> 12.4(15)T9 should also be in the flash of all the routers and if you use
> >> that it will work fine. I hope to have all the racks upgraded very soon.
> >>
> >> Regards,
> >>
> >> Tyson Scott - CCIE #13513 R&S, Security, and SP
> >> Technical Instructor - IPexpert, Inc.
> >> Mailto: [email protected]
> >> Telephone: +1.810.326.1444, ext. 208
> >> Live Assistance, Please visit: www.ipexpert.com/chat
> >> eFax: +1.810.454.0130
> >>
> >> From: [email protected]
> >> [mailto:[email protected]] On Behalf Of Badar Farooq
> >> Sent: Friday, March 05, 2010 4:31 PM
> >> To: Simon Baumann
> >> Cc: [email protected]
> >> Subject: Re: [OSL | CCIE_Security] Vol1, Lab 4: task 4.6 (enrolling
> >> VPN-Client).
> >>
> >> I am also struggling with this error.
> >> I have checked my configuration and it's otherwise sound.
> >> Same CA successfully issues certificates to other routers. But I can't
> >> enroll my VPN Client.
> >> I am using http://x.x.x.x/cgi-bin/pkiclient.exe as CA url in the vpn
> >> client config and I keep getting error 42.
> >> Any help will be appreciated
> >>
> >> Regards
> >>
> >> On Wed, Jan 6, 2010 at 5:48 PM, Simon Baumann <[email protected]> wrote:
> >> Hi,
> >> I got a question about task 4.6 of Lab 4. The task requires that the VPN
> >> Client has to enroll with R2 to obtain identity certificate. I get
> >> "Error 42" on the VPN Client.
> >> If I got everything right, R2 doesn't have to seem and route back to the
> >> XP WS. So the XP WS will never be able to enroll until I set a route on R2
> >> to reach the XP WS.
> >> Is that correct? TIA.
> >>
> >> Cheers
> >> Simon
> >>
> >> _______________________________________________
> >> For more information regarding industry leading CCIE Lab training, please
> >> visit www.ipexpert.com <http://www.ipexpert.com/>
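
Added example, not part of the original thread or the lab material: a small Python check that walks the configuration posted at the top of this message and flags the lab-grade settings in it (MD5 and DH group 2 in the ISAKMP policy, 3DES in the transform set, the wildcard pre-shared key, and grant auto on the CA) that need review before the config is reused outside a lab. The rule list and the audit() function are assumptions of this example.

```python
import re

# Commands from the config posted in this thread (profile/interface parts omitted).
POSTED_CONFIG = """\
crypto isakmp policy 1
 encr aes 256
 hash md5
 group 2
crypto isakmp key cisco address 0.0.0.0 0.0.0.0
crypto isakmp identity dn
crypto ipsec transform-set tran esp-3des esp-sha-hmac
crypto pki server caserver
 issuer-name ou=king
 grant auto
crypto pki trustpoint caserver
 revocation-check crl
 rsakeypair caserver
"""

# (section prefix, command pattern, finding); an assumed, non-exhaustive rule list.
RULES = [
    ("crypto isakmp policy", r"^hash md5$", "IKE policy hashes with MD5"),
    ("crypto isakmp policy", r"^group (1|2|5)$", "IKE DH group is below 2048 bits"),
    ("crypto isakmp key", r"address 0\.0\.0\.0( 0\.0\.0\.0)?$",
     "pre-shared key is accepted from any peer address"),
    ("crypto ipsec transform-set", r"\besp-(3des|des)\b", "ESP uses DES/3DES"),
    ("crypto pki server", r"^grant auto$",
     "CA issues certificates without operator approval"),
]

def audit(config):
    """Return (section, command, finding) for each flagged command."""
    findings, section = [], ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):  # an unindented command opens a section
            section = line
        for prefix, pattern, finding in RULES:
            if section.startswith(prefix) and re.search(pattern, line):
                findings.append((section, line, finding))
    return findings

if __name__ == "__main__":
    for section, command, finding in audit(POSTED_CONFIG):
        print(f"[{section}] {command}: {finding}")
```

Rules are matched only inside their parent section, so a sub-command such as grant auto is flagged only under crypto pki server.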
