Task 4.2 IPSEC VPN

Hi all,

We're having some trouble with this topic.
We get a CA certificate from the IE1, but when we try to get the identity cert., this goes wrong.
The wonderful thing is that the certificate authority on the ACS server says that it created an identity certificate for the router, but the router says otherwise:

Rack1R4(config)#crypto ca enroll IE1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.

Password:
Re-enter password:

% The fully-qualified domain name in the certificate will be: Rack1R4.internetworkexpert.com
% The subject name in the certificate will be: Rack1R4.internetworkexpert.com
% Include the router serial number in the subject name? [yes/no]: n
% Include an IP address in the subject name? [no]: n
Request certificate from CA? [yes/no]: y
% Certificate request sent to Certificate Authority
% The certificate request fingerprint will be displayed.
% The 'show crypto ca certificate' command will also show the fingerprint.

Rack1R4(config)# Fingerprint: 1CA62D8E 3C064283 FF51703E FB417469

Oct 25 10:00:15.136: %CRYPTO-6-CERTFAIL: Certificate enrollment failed.

We couldn't find any problems with ntp or access-lists blocking this.
----------------------------------------------------------------
Rack1R4#sh ntp associations detail
10.0.0.100 configured, our_master, sane, valid, stratum 4
ref ID 127.127.1.0, time CACAE872.0C30DB6D (10:03:30.047 UTC Thu Oct 25 2007)
our mode client, peer mode server, our poll intvl 64, peer poll intvl 64
root delay 0.00 msec, root disp 11.55, reach 377, sync dist 113.129
delay 94.06 msec, offset 238.8679 msec, dispersion 54.55
precision 2**18, version 3
org time CACAE89C.30AA2270 (10:04:12.190 UTC Thu Oct 25 2007)
rcv time CACAE89B.DF8B9A6B (10:04:11.873 UTC Thu Oct 25 2007)
xmt time CACAE89B.BEC1D492 (10:04:11.745 UTC Thu Oct 25 2007)
filtdelay = 126.14 94.06 106.54 98.18 108.49 98.05 107.77 108.11
filtoffset = 379.95 238.87 206.77 181.34 224.78 204.10 36.18 -3.43
filterror = 0.02 0.99 1.97 2.94 3.92 4.90 5.87 6.85

Rack1R4#sh run
Building configuration...

Current configuration : 3869 bytes
!
! Last configuration change at 10:04:09 UTC Thu Oct 25 2007
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Rack1R4
!
logging queue-limit 100
enable password cisco
!
memory-size iomem 10
ip subnet-zero
!
!
no ip domain lookup
ip domain name internetworkexpert.com
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint IE1
enrollment mode ra
enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
crl optional
!
crypto ca certificate chain IE1
certificate ca 631B87522171C18C4161C792721A4DA5
308202F0 3082029A A0030201 02021063 1B875221 71C18C41 61C79272 1A4DA530
0D06092A 864886F7 0D010105 05003081 92312D30 2B06092A 864886F7 0D010901
161E7375 70706F72 7440696E 7465726E 6574776F 726B6578 70657274 2E636F6D
310B3009 06035504 06130255 53310B30 09060355 04081302 4E56310D 300B0603
55040713 0452656E 6F312230 20060355 040A1319 496E7465 726E6574 776F726B
20457870 6572742C 20496E63 2E311430 12060355 0403130B 5343312D 57696E32
30303030 1E170D30 37303533 31313632 3733385A 170D3137 30353331 31363332
35345A30 8192312D 302B0609 2A864886 F70D0109 01161E73 7570706F 72744069
6E746572 6E657477 6F726B65 78706572 742E636F 6D310B30 09060355 04061302
5553310B 30090603 55040813 024E5631 0D300B06 03550407 13045265 6E6F3122
30200603 55040A13 19496E74 65726E65 74776F72 6B204578 70657274 2C20496E
632E3114 30120603 55040313 0B534331 2D57696E 32303030 305C300D 06092A86
4886F70D 01010105 00034B00 30480241 00B8D98F F85349F3 982B206A 1D15BFA3
613B914D 7C54B277 F17BF564 3AB8FAB9 4ABEC97C 59FC738C 31B5EF8E AE07EF79
789D5F7C 3AF1BE92 A6471FCE 14736FD4 65020301 0001A381 C93081C6 300B0603
551D0F04 04030201 C6300F06 03551D13 0101FF04 05300301 01FF301D 0603551D
0E041604 144A3EF4 0E46FD04 9E48474A A7C236AB F0DC44E6 48307506 03551D1F
046E306C 3033A031 A02F862D 68747470 3A2F2F73 63312D77 696E3230 30302F43
65727445 6E726F6C 6C2F5343 312D5769 6E323030 302E6372 6C3035A0 33A03186
2F66696C 653A2F2F 5C5C5343 312D5749 4E323030 305C4365 7274456E 726F6C6C
5C534331 2D57696E 32303030 2E63726C 30100609 2B060104 01823715 01040302
0100300D 06092A86 4886F70D 01010505 00034100 919945DE DAD1101D A846A9E7
582970B6 43801D3B DC08ED69 42056E15 9E7D6C5A 8CD43520 550822B5 2165AD20
1682B988 2DB5A8B5 E6F3B539 50169C06 15BA9311
quit
!
!
crypto isakmp policy 10
encr 3des
hash md5
!
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 150.1.4.4 255.255.255.0
!
interface Ethernet0/0
ip address 183.1.46.4 255.255.255.0
ip ospf message-digest-key 1 md5 CISCO
half-duplex
!
interface Serial0/0
no ip address
encapsulation frame-relay
frame-relay lmi-type cisco
!
interface Serial0/0.345 point-to-point
ip address 183.1.0.4 255.255.255.0
ip nat outside
ip ospf message-digest-key 45 md5 CISCO45
ip ospf network point-to-multipoint
frame-relay interface-dlci 405
!
interface Ethernet0/1
ip address 10.41.41.4 255.255.255.0
ip nat inside
half-duplex
!
interface Serial0/1
ip address 183.1.45.4 255.255.255.0
ip nat outside
ip ospf message-digest-key 45 md5 CISCO45
!
router ospf 1
router-id 150.1.4.4
log-adjacency-changes
area 0 authentication message-digest
redistribute static subnets
network 150.1.4.4 0.0.0.0 area 0
network 183.1.0.4 0.0.0.0 area 0
network 183.1.45.4 0.0.0.0 area 0
network 183.1.46.4 0.0.0.0 area 0
!
ip http server
no ip http secure-server
ip classless
ip route 10.4.4.0 255.255.255.0 Ethernet0/1
!
!
!
!
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
line vty 0 4
password cisco
login
!
ntp server 10.0.0.100
!
end
------------------------------------------------------

Please could someone help us?

Comments

  • I see you are configured for NTP, but you should compare the time on the Certificate Server with that of the router's NTP time. If the time is ahead of the Cert server, then it will not enroll (the same is true if it is out of date based on the cert lifetime). Verify the time matches up and/or set the router just behind the Cert server time and try it again.

    Regards,
    Nick
  • The dates are critical as well.