This is insane. I just fired up GNS3 and configured simple things on it, and the Windows XP machine was able to get a cert from it successfully. Truly insane. Will test that ezvpn thing.

From: [email protected]
To: [email protected]
Date: Sun, 9 Oct 2011 13:14:38 +0500
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] VPN Client and CA

@waleed The link I put is http://ip_address/cgi-bin/pkiclient.exe.

@Piotr: There is no problem with the connection; at the moment I am only trying to enroll a certificate (not actually the ezvpn thing). Once the cert is enrolled properly I will move towards the EzVPN part. I only created a CA by issuing the commands I wrote in my last email and then used a VPN Client software to get a certificate from it. Note that if I use a router for enrollment it works perfectly. It is only a problem with the Cisco VPN Client Software 5.x on a Windows machine. Yesterday I tested in the office using an 1841 router and it started working fine when I set the clock timezone along with the proper clock etc. I wanted to test the whole topology, thus did a rack rental; they had a 2610XM there and the Client was never able to enroll a cert. I will test it more today and will update you guys. If you have any input on this, please let me know.

Date: Sun, 9 Oct 2011 08:38:34 +0200
Subject: Re: [OSL | CCIE_Security] VPN Client and CA
From: [email protected]
To: [email protected]
CC: [email protected]

Is the problem still with certificate enrollment or with connection? Take a look at 'sho cry pki cert' output and you'll see that you have only the CA certificate. This certificate will NOT be put in the ISAKMP response packet, so you'll not be able to connect successfully. You must enroll an Identity certificate on the router first:

cry key gen rsa mod 1024 lab KEYS
cry pki trustp LOCAL-CA
 rsak KEYS
 enrollm url http://1.1.1.1
cry pki authen LOCAL-CA
cry pki enroll LOCAL-CA

Regards,
Piotr

2011/10/9 Hussain Arsalan Ali <[email protected]>

By identity server you mean the CA server, or? The base config for a CA should be (correct me if I'm wrong):

Set clock
ip domain-name cisco.com
crypto key generate rsa 1024
crypto pki server cisco
 grant auto
 no shut
ip http server

I did this config today on rack rentals to make sure it's not an emulation issue, enrolled from the client, and got the same error. I saw the debug message on the VPN Client software:

Could not find data portion of HTTP response from CEP server. Contact your CA administrator for further instructions.

From the VPN Client machine I can telnet to port 80 of that router easily, which makes clear that connectivity is good. Time is also synced; I even tried moving the clock 30 minutes more, but that also didn't help. Any clues?

Date: Sat, 8 Oct 2011 12:14:31 +0200
Subject: Re: [OSL | CCIE_Security] VPN Client and CA
From: [email protected]
To: [email protected]
CC: [email protected]

Hi,

It seems you don't have an Identity certificate on the router. Also, you should use DN as an identity. I'm not seeing group configuration too. Key size on the client is by default 2k, so I don't see any problem with that.

Regards,
Piotr

2011/10/8 Hussain Arsalan Ali <[email protected]>

I have been having this issue for a few days now. Finally the certificate got enrolled properly, but when I dial towards that VPN Server it doesn't happen. I did some debugs on the router and found out that the cert is being rejected. Clock and timezone are the same on both devices, and when I click Verify on the VPN Client it says that the certificate is valid. The only problem I am thinking about is that when I created the keys on the IOS device they were 1024 in size; however, when I requested the certificate it shows 2048. This could be a possible key size mismatch; other than that I can't think of any. Can you please let me know if you have faced a similar problem where the IOS device is set for 1024 size and the Client automatically gets 2048 size. Please check attachments.
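A defender-side diagnostic for the enrollment error quoted in this thread, added here as an example and not taken from any of the messages: it builds the GetCACert URL that a SCEP client derives from the http://ip_address/cgi-bin/pkiclient.exe link and classifies a raw HTTP reply the way the client must before it can find a "data portion". The accepted content types follow RFC 8894; the LOCAL-CA identifier and the sample responses are assumptions.

```python
# Added example (not from the thread): stdlib-only checker for the SCEP GetCACert
# reply the Cisco VPN Client fetches from /cgi-bin/pkiclient.exe. Samples are constructed.
import urllib.parse

CA_TYPES = {"application/x-x509-ca-cert", "application/x-x509-ca-ra-cert"}  # RFC 8894 4.2

def getcacert_url(base_url, ca_ident="LOCAL-CA"):
    """Build the GetCACert URL a SCEP client derives from the enrollment URL."""
    query = urllib.parse.urlencode({"operation": "GetCACert", "message": ca_ident})
    return base_url.rstrip("/") + "/cgi-bin/pkiclient.exe?" + query

def der_object_complete(body):
    """True if body is exactly one DER SEQUENCE whose declared length matches."""
    if len(body) < 2 or body[0] != 0x30:          # 0x30 = SEQUENCE tag
        return False
    first = body[1]
    if first < 0x80:                              # short-form length
        declared, header = first, 2
    else:                                         # long form: low 7 bits = length-of-length
        n = first & 0x7F
        if n == 0 or len(body) < 2 + n: return False
        declared, header = int.from_bytes(body[2:2 + n], "big"), 2 + n
    return header + declared == len(body)

def check_getcacert_response(raw):
    """Return 'ok' or the reason a SCEP client would reject this raw HTTP response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "no header/body separator"
    lines = head.split(b"\r\n")
    status = lines[0].split(b" ")
    if len(status) < 2 or status[1] != b"200":
        return "http status not 200"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    ctype = headers.get(b"content-type", b"").split(b";")[0].decode("ascii", "replace").lower()
    if ctype not in CA_TYPES:
        return "unexpected content-type " + repr(ctype)
    if not body:
        return "empty data portion"
    if not der_object_complete(body):
        return "data portion is not a complete DER object"
    return "ok"

# Constructed samples; a minimal DER SEQUENCE stands in for a real CA certificate.
GOOD = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n\r\n\x30\x03\x02\x01\x05"
EMPTY = b"HTTP/1.1 200 OK\r\nContent-Type: application/x-x509-ca-cert\r\n\r\n"
HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>not a cert</html>"
```

Feeding a capture of the router's actual reply (for example from a packet capture of port 80) into check_getcacert_response tells you whether the server returned no body, an HTML page, or a truncated certificate, which is the distinction the VPN Client's error message hides.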
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
