Hi,

I have quite the opposite experience. In most cases it works fine for me (I mean the enrollment process). Try to put the time on the client a bit further forward than it is on the server (like 5 hours). It must work fine.

Regards,
Piotr

2011/10/9 Hussain Arsalan Ali <[email protected]>

> @waleed
>
> The link I put is http://ip_address/cgi-bin/pkiclient.exe .
>
> @Piotr:
> There is no problem with the connection; at the moment I am only trying to
> enroll a certificate (not actually the ezvpn thing). Once the cert is enrolled
> properly I will move towards the EzVPN part. I only created a CA by issuing
> the commands I wrote in my last email and then used a VPN Client software to
> get a certificate from it. Note that if I use a router for enrollment it
> works perfectly. It is only a problem with the Cisco VPN Client Software 5.x
> on a Windows machine.
>
> Yesterday I tested in the office using an 1841 router and it started working
> fine when I set the clock timezone along with the proper clock etc. I wanted to
> test the whole topology and thus did a rack rental; they had a 2610XM there and
> the Client was never able to enroll the cert.
>
> I will test it more today and will update you guys. If you have any input
> on this please let me know.
>
> ------------------------------
> Date: Sun, 9 Oct 2011 08:38:34 +0200
> Subject: Re: [OSL | CCIE_Security] VPN Client and CA
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> Is the problem still with certificate enrollment or with the connection?
>
> Take a look at the 'sho cry pki cert' output and you'll see that you have only
> the CA certificate. This certificate will NOT be put in the ISAKMP response packet,
> so you'll not be able to connect successfully.
>
> You must enroll an Identity certificate on the router first:
>
> cry key gen rsa mod 1024 lab KEYS
> cry pki trustp LOCAL-CA
>  rsak KEYS
>  enrollm url http://1.1.1.1
>
> cry pki authen LOCAL-CA
> cry pki enroll LOCAL-CA
>
> Regards,
> Piotr
>
>
> 2011/10/9 Hussain Arsalan Ali <[email protected]>
>
> By identity server do you mean the CA server, or?
>
> The base config for a CA should be (correct me if I'm wrong):
>
> Set Clock
> ip domain-name cisco.com
> crypto key generate rsa 1024
> crypto pki server cisco
> grant auto
> no shut
> ip http server
>
>
> I did this config today on rack rentals to make sure it's not an emulation
> issue, enrolled from the client, and got the same error. I saw the debug
> message on the VPN client software: *Could not find data portion of HTTP
> response from CEP server. Contact your CA administrtator for further
> instructions .*
>
>
> From the VPN Client machine I can telnet to port 80 of that router easily,
> which makes clear that connectivity is good. Time is also synced; I even
> tried moving the clock 30 minutes more but that also didn't help.
>
>
> Any clues?
> ------------------------------
> Date: Sat, 8 Oct 2011 12:14:31 +0200
> Subject: Re: [OSL | CCIE_Security] VPN Client and CA
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
>
> Hi,
>
> It seems you don't have an Identity certificate on the router.
> Also, you should use DN as an identity.
> I'm not seeing the group configuration either.
>
> Key size on the client is 2k by default, so I don't see any problem with
> that.
>
> Regards,
> Piotr
>
>
> 2011/10/8 Hussain Arsalan Ali <[email protected]>
>
> I have been having this issue for a few days now. Finally the
> certificate got enrolled properly, but when I dial towards that VPN Server it
> doesn't happen. I did some debugs on the router and found out that the cert
> is being rejected. Clock and timezone are the same on both devices, and when
> I click Verify on the VPN Client it says that the certificate is valid. The
> only problem I am thinking about is that when I created the keys on the IOS
> device they were 1024 in size, however when I requested the certificate it shows
> 2048. This could be a possible key size mismatch; other than that I can't
> think of any.
>
>
> Can you please let me know if you have faced a similar problem where the IOS
> device is set for 1024 size and the Client automatically gets 2048 size.
>
> Please check attachments.
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
