@waleed 
The link I put is http://ip_address/cgi-bin/pkiclient.exe .
@Piotr: There is no problem with the connection; at the moment I am only 
trying to enroll a certificate (not actually the EzVPN thing). Once the cert is 
enrolled properly I will move towards the EzVPN part. I only created a CA by 
issuing the commands I wrote in my last email and then used the VPN Client 
software to get a certificate from it. Note that if I use a router for 
enrollment it works perfectly. It is only a problem with the Cisco VPN Client 
software 5.x on a Windows machine. 
Yesterday I tested in the office using an 1841 router and it started working fine 
when I set the clock timezone along with the proper clock etc. I wanted to test the 
whole topology, so I did a rack rental; they had a 2610XM there and the client 
was never able to enroll a cert. 
I will test it more today and will update you guys. If you have any input on 
this, please let me know. 
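As an added example (not part of this thread, and not Cisco's code), the following Python script performs the same SCEP GetCACert request that a SCEP client sends to the pkiclient.exe URL above and then classifies what the HTTP server answered: a real certificate payload, an HTML page in place of one (the situation behind a "Could not find data portion of HTTP response from CEP server" style error), a non-200 status, or a truncated DER body. The CA identifier "cisco", the host "ip_address" and all sample replies are constructed assumptions; the live probe function is included but the offline samples are what actually run here.

```python
"""Probe a SCEP (CEP) enrollment URL and explain what the server handed back.
Added example: the URL, CA name and the SAMPLES below are constructed, not
captured from any real router."""
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Content types a SCEP server may use for a GetCACert reply (RFC 8894 4.2.1):
# a single DER certificate, or a degenerate PKCS#7 carrying CA + RA certs.
CACERT_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}


def build_getcacert_url(base_url, ca_ident):
    """base_url is the pkiclient.exe URL the client is configured with;
    ca_ident is the CA identifier (for an IOS CA server, the server name)."""
    parts = urlsplit(base_url)
    query = urlencode({"operation": "GetCACert", "message": ca_ident})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def der_length_ok(body):
    """Check that body is exactly one complete DER SEQUENCE (cert or PKCS#7):
    tag 0x30, then a length whose value plus the header equals len(body)."""
    if len(body) < 2 or body[0] != 0x30:
        return False
    first = body[1]
    if first < 0x80:                      # short-form length
        header, content = 2, first
    else:                                 # long form: 0x80 | number of length bytes
        n = first & 0x7F
        if n == 0 or len(body) < 2 + n:
            return False
        header = 2 + n
        content = int.from_bytes(body[2:2 + n], "big")
    return header + content == len(body)


def classify_getcacert(status, content_type, body):
    """Return a short verdict string for one GetCACert HTTP reply."""
    if status != 200:
        return "http-error: status %d (wrong path, ACL, or 'ip http server' off?)" % status
    ctype = (content_type or "").split(";")[0].strip().lower()
    if ctype not in CACERT_TYPES:
        return "no-data-portion: got %r instead of a SCEP certificate type" % (ctype or "no Content-Type")
    if not body:
        return "no-data-portion: certificate content type but empty body"
    if not der_length_ok(body):
        return "bad-der: body is not one complete DER object (truncated or text?)"
    return "ok: %d bytes of %s" % (len(body), ctype)


def fetch_getcacert(base_url, ca_ident, timeout=5):
    """Live probe against a real server (not exercised by the offline samples)."""
    req = Request(build_getcacert_url(base_url, ca_ident))
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_getcacert(resp.status, resp.headers.get("Content-Type"), resp.read())
    except HTTPError as e:
        return classify_getcacert(e.code, e.headers.get("Content-Type"), e.read())


# Constructed sample replies standing in for what a router might return.
SAMPLES = {
    # a minimal well-formed DER SEQUENCE (3 content bytes), stand-in for a cert
    "good": (200, "application/x-x509-ca-cert", bytes.fromhex("3003020105")),
    # server answered the GET with an HTML page instead of a certificate
    "html": (200, "text/html", b"<html><body>Authentication required</body></html>"),
    # nothing served at that path
    "notfound": (404, "text/html", b"<html>404 Not Found</html>"),
    # right content type, but the DER object was cut off
    "truncated": (200, "application/x-x509-ca-cert", bytes.fromhex("3082010a3082")),
}


def classify_samples():
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_getcacert(*reply) for name, reply in SAMPLES.items()}


if __name__ == "__main__":
    print(build_getcacert_url("http://ip_address/cgi-bin/pkiclient.exe", "cisco"))
    for name, verdict in classify_samples().items():
        print("%-10s %s" % (name, verdict))
```

Against a live box, call fetch_getcacert("http://<router>/cgi-bin/pkiclient.exe", "<ca name>") from the same host the VPN Client runs on; a "no-data-portion" verdict means port 80 is open but the HTTP server is returning something other than a SCEP certificate payload, which is a different problem from a closed port or a clock skew.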

Date: Sun, 9 Oct 2011 08:38:34 +0200
Subject: Re: [OSL | CCIE_Security] VPN Client and CA
From: [email protected]
To: [email protected]
CC: [email protected]

Is the problem still with certificate enrollment or with connection?

Take a look at the 'sho cry pki cert' output and you'll see that you have only the CA 
certificate. This certificate will NOT be put in the ISAKMP response packet, so 
you'll not be able to connect successfully.


You must enroll an Identity certificate on the router first:

! generate the key pair the identity certificate will be issued for
crypto key generate rsa modulus 1024 label KEYS
!
! trustpoint pointing at the CA, bound to that key pair
crypto pki trustpoint LOCAL-CA
 rsakeypair KEYS
 enrollment url http://1.1.1.1
!
! fetch and accept the CA certificate
crypto pki authenticate LOCAL-CA
!
! request the router's own (identity) certificate via SCEP
crypto pki enroll LOCAL-CA

Regards,
Piotr


2011/10/9 Hussain Arsalan Ali <[email protected]>

By identity server, do you mean the CA server or ...?
The base config for a CA should be (correct me if I'm wrong): 

! set the clock first
ip domain-name cisco.com
crypto key generate rsa modulus 1024
crypto pki server cisco
 grant auto
 no shutdown
ip http server

I did this config today on rack rentals to make sure it's not an emulation issue 
and enrolled from the client and got the same error. I saw the debug message on 
the VPN Client software: "Could not find data portion of HTTP response from CEP 
server. Contact your CA administrator for further instructions."

From the VPN Client machine I can telnet to port 80 of that router easily, which 
makes it clear that connectivity is good. Time is also synced; I even tried 
moving the clock 30 minutes ahead but that also didn't help. 

Any clues?

Date: Sat, 8 Oct 2011 12:14:31 +0200
Subject: Re: [OSL | CCIE_Security] VPN Client and CA
From: [email protected]

To: [email protected]
CC: [email protected]


Hi,

It seems you don't have an Identity certificate on the router.
Also, you should use the DN as the identity.
I'm not seeing the group configuration either.

The key size on the client is 2k by default, so I don't see any problem with that.

Regards,
Piotr


2011/10/8 Hussain Arsalan Ali <[email protected]>

I have been having this issue for a few days now. Finally the certificate 
got enrolled properly, but when I dial towards that VPN server it doesn't work. 
I did some debugs on the router and found out that the cert is being rejected. 
Clock and timezone are the same on both devices, and when I click Verify on the 
VPN Client it says that the certificate is valid. The only problem I am 
thinking about is that when I created the keys on the IOS device they were 1024 in 
size, however when I requested the certificate it shows 2048. This could be a 
possible key size mismatch; other than that I can't think of any. 

Can you please let me know if you have faced a similar problem, where the IOS 
device is set for 1024 size and the client automatically gets 2048 size. 

Please check attachments. 

_______________________________________________

For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com



Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com