Is the problem still with certificate enrollment or with connection?

Take a look at 'sho cry pki cert' output and you'll see that you have only the
CA certificate. This certificate will NOT be put in the ISAKMP response packet,
so you'll not be able to connect successfully.

You must enroll an Identity certificate on the router first:

! generate a named RSA key pair for the trustpoint to certify
crypto key generate rsa modulus 1024 label KEYS
! define the trustpoint: which key pair to use and the SCEP (CEP) enrollment URL of the CA
crypto pki trustpoint LOCAL-CA
 rsakeypair KEYS
 enrollment url http://1.1.1.1

! first fetch and verify the CA certificate, then request the router's own identity certificate
crypto pki authenticate LOCAL-CA
crypto pki enroll LOCAL-CA

Regards,
Piotr


2011/10/9 Hussain Arsalan Ali <[email protected]>

>  by identity server you mean the CA server or ?
>
> the base config for a CA should be (correct me if I'm wrong):
>
> Set Clock
> ip domain-name cisco.com
> crypto key generate rsa 1024
> crypto pki server cisco
> grant auto
> no shut
> ip http server
>
>
> I did this config today on rack rentals to make sure it's not an emulation
> issue and enrolled from the client and got the same error. I saw the debug
> message on the VPN client software *Could not find data portion of HTTP
> response from CEP server. Contact your CA administrator for further
> instructions.*
>
>
> from the VPN Client machine I can telnet to port 80 of that router easily,
> which makes clear that connectivity is good. Time is also synced; I even
> tried moving the clock 30 minutes more but that also didn't help.
>
>
> Any clues ?
> ------------------------------
> Date: Sat, 8 Oct 2011 12:14:31 +0200
> Subject: Re: [OSL | CCIE_Security] VPN Client and CA
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
>
> Hi,
>
> It seems you don't have Identity certificate on the router.
> Also, you should use DN as an identity.
> I'm not seeing group configuration too.
>
> Key size on the client is by default 2k so I don't see any problem with
> that.
>
> Regards,
> Piotr
>
>
> 2011/10/8 Hussain Arsalan Ali <[email protected]>
>
>  I have been having this issue for a few days now. Finally the
> certificate got enrolled properly, but when I dial towards that VPN Server it
> doesn't happen. I did some debugs on the router and found out that the cert
> is being rejected. Clock and timezone are the same on both devices, and when
> I click Verify on the VPN Client it says that the certificate is valid. The
> only problem I am thinking about is that when I created the keys on the IOS
> device they were 1024 in size; however, when I requested the certificate it shows
> 2048. This could be a possible key size mismatch; other than that I can't
> think of anything.
>
>
> Can you please let me know if you have faced a similar problem where the IOS
> device is set for 1024 size and the Client automatically gets 2048 size.
>
> Please check attachments.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
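As an added illustration of Piotr's check (example code, not part of the original thread): a small Python parser for `show crypto pki certificates` output (the full form of 'sho cry pki cert') that groups the certificate blocks per trustpoint and reports any trustpoint that holds only a CA certificate, i.e. nothing the router could present in the IKE certificate payload. The two sample outputs are constructed to mimic IOS formatting and are not captured from the poster's router; the trustpoint name LOCAL-CA is taken from the thread, and the function names are this example's own.

```python
"""Detect trustpoints that have a CA certificate but no identity certificate.

A router whose trustpoint holds only the CA certificate cannot authenticate
itself to a certificate-based VPN client: the CA certificate is not sent in
the ISAKMP response, so the peer rejects the exchange. This parser reads the
text of 'show crypto pki certificates' and flags such trustpoints.
"""
import re

# Constructed sample: trustpoint authenticated (CA cert present) but the router
# never enrolled, so there is no identity certificate.
SAMPLE_CA_ONLY = """\
CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=cisco
  Subject:
    cn=cisco
  Validity Date:
    start date: 10:00:00 UTC Oct 8 2011
    end   date: 10:00:00 UTC Oct 7 2014
  Associated Trustpoints: LOCAL-CA
"""

# Constructed sample: same trustpoint after 'crypto pki enroll LOCAL-CA'.
SAMPLE_ENROLLED = """\
Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=cisco
  Subject:
    Name: R1.cisco.com
    hostname=R1.cisco.com
  Validity Date:
    start date: 10:05:00 UTC Oct 8 2011
    end   date: 10:05:00 UTC Oct 7 2012
  Associated Trustpoints: LOCAL-CA

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=cisco
  Subject:
    cn=cisco
  Validity Date:
    start date: 10:00:00 UTC Oct 8 2011
    end   date: 10:00:00 UTC Oct 7 2014
  Associated Trustpoints: LOCAL-CA
"""

ATTR_RE = re.compile(r"\s*(Status|Associated Trustpoints):\s*(.*)")


def parse_show_crypto_pki_certificates(text):
    """Return one dict per certificate block: kind, status, trustpoints.

    IOS prints each certificate as an unindented header line ('Certificate',
    'CA Certificate', ...) followed by indented 'Key: Value' attributes.
    Only the attributes needed for the check are kept.
    """
    certs = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # An unindented line starts a new certificate block.
            current = {"kind": line.strip(), "status": None, "trustpoints": []}
            certs.append(current)
            continue
        if current is None:
            continue
        match = ATTR_RE.match(line)
        if match:
            key, value = match.groups()
            if key == "Status":
                current["status"] = value.strip()
            else:
                # Several trustpoints may share one certificate, space-separated.
                current["trustpoints"] = value.split()
    return certs


def trustpoints_missing_identity(certs):
    """Sorted names of trustpoints with a CA certificate but no usable identity cert."""
    have_ca, have_identity = set(), set()
    for cert in certs:
        for tp in cert["trustpoints"]:
            if cert["kind"] == "CA Certificate":
                have_ca.add(tp)
            elif cert["kind"] == "Certificate" and cert["status"] == "Available":
                have_identity.add(tp)
    return sorted(have_ca - have_identity)


if __name__ == "__main__":
    for label, output in (("CA only", SAMPLE_CA_ONLY), ("enrolled", SAMPLE_ENROLLED)):
        missing = trustpoints_missing_identity(parse_show_crypto_pki_certificates(output))
        print(f"{label}: trustpoints without identity certificate -> {missing or 'none'}")
```

Paste the real show output into `SAMPLE_CA_ONLY` in place of the constructed text; a non-empty result is the condition Piotr describes, and the fix is the `crypto pki enroll` step from his reply.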