From: Richard Dumoulin (Richard.Dumoulin@vanco.fr)
Date: Fri Feb 23 2007 - 21:40:07 ART
Anthony,
A common issue is a difference in time between the routers trying to negotiate IPSec, but you can solve this by having them both point to the same NTP server.
Another issue I have encountered is with the length of the routers' hostnames, which I solved by shortening them. How long are yours?
Regards
-- Richard
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]
Sent: Saturday, February 24, 2007 12:44 AM
To: 'Anthony Bonilla'; ccielab@groupstudy.com
Subject: RE: IPSec problem using CA server
Is there a reason why the time on the two devices is so far apart?  In
general, the devices are usually within a few minutes of each other.
 
Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?"
 marvin@ipexpert.com
http://www.IPexpert.com
From: Anthony Bonilla [mailto:anthonybonilla.ccie@gmail.com] 
Sent: Friday, February 23, 2007 6:14 PM
To: Marvin Greenlee
Cc: ccielab@groupstudy.com
Subject: Re: IPSec problem using CA server
 
Marvin,
 
Yes, I searched on this error and saw that most people were able to
resolve this issue by fixing the time on the routers and the CA.  Below is a snapshot
from my two routers showing the certificate validity times and clock, and I
can't see anything wrong with it; maybe one of you will find something that
I am overlooking:
 
************************************************************
Rack1R1:
Validity Date:
   start date: 00:00:00 UTC Feb 22 2007
   end date: 23:59:59 UTC Apr 23 2007
 
Show clock ==> 06:08:29.861 UTC Fri Feb 23 2007
************************************************************
Validity Date:
    start date: 00:00:00 UTC Feb 22 2007
    end date: 23:59:59 UTC Apr 23 2007
 
Show clock ==> 23:04:43.849 UTC Fri Feb 23 2007
**************************************************************
 
Thanks for your help.
 
On 2/23/07, Marvin Greenlee <marvin@ipexpert.com> wrote: 
"...   %CRYPTO-5-IKMP_INVAL_CERT : Certificate received from [IP_address] is
bad: [chars]
Explanation   The certificate given by the remote peer either has been 
revoked or has expired (the certificate is invalid) or the signature check
on the certificate has failed (invalid signature).
Recommended Action   Contact the CA of the remote peer. The CA certificate
may be invalid.  ..." 
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_system_message_guide_chapter09186a008009e75f.html
Have you checked the time set on your devices with respect to the CA server?
Marvin Greenlee, CCIE #12237 (R&S, SP, Sec)
Senior Technical Instructor - IPexpert, Inc.
"When Will You Be an IP Expert?" 
marvin@ipexpert.com
http://www.IPexpert.com
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Anthony Bonilla
Sent: Friday, February 23, 2007 4:00 PM
To: ccielab@groupstudy.com
Subject: IPSec problem using CA server
All,
I am currently testing IPSec to work with a CA server.  I have configured
two routers (connected via a LAN connection) and have retrieved certificates
on both routers successfully but when I try to bring up the tunnel by
pinging one router from the other, I get the following message:
%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad: CA request failed
Can someone please let me know what could be a common cause? If I remove the
crypto map from the interfaces, things start to work.  BTW, I have
configured a tunnel interface using the physical LAN connection between the routers and have the crypto map applied to both the tunnel and LAN interfaces.
TIA
Tony.
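An added check, not from anyone in this thread, that parses snapshots in the shape Anthony posted (constructed copies of his two outputs are embedded) and reports two things the replies ask about: whether each router's clock falls inside its certificate's validity window, and how far apart the two router clocks are. The 5-minute skew tolerance is an assumed value, not something the thread states.

```python
import re
from datetime import datetime, timedelta

# Constructed samples in the shape of the IOS output quoted in the thread
# ("Validity Date" lines from the certificate display, plus "show clock").
RACK1R1 = """Validity Date:
   start date: 00:00:00 UTC Feb 22 2007
   end date: 23:59:59 UTC Apr 23 2007
Show clock ==> 06:08:29.861 UTC Fri Feb 23 2007"""

RACK1R2 = """Validity Date:
    start date: 00:00:00 UTC Feb 22 2007
    end date: 23:59:59 UTC Apr 23 2007
Show clock ==> 23:04:43.849 UTC Fri Feb 23 2007"""

# IOS prints "HH:MM:SS[.mmm] UTC [Www] Mon DD YYYY"; fractional seconds and the
# weekday are optional, and both are discarded here along with the zone name.
_IOS_TS = re.compile(r"(\d\d:\d\d:\d\d)(?:\.\d+)?\s+UTC\s+(?:[A-Z][a-z]{2}\s+)?"
                     r"([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})")

def parse_ios_time(text):
    """Return the first IOS timestamp found in text as a naive UTC datetime."""
    m = _IOS_TS.search(text)
    if m is None:
        raise ValueError("no IOS timestamp in: %r" % text)
    return datetime.strptime(m.group(1) + " " + m.group(2), "%H:%M:%S %b %d %Y")

def parse_snapshot(snapshot):
    """Extract (clock, not_before, not_after) from one router's snapshot."""
    out = {}
    for key, pat in (("clock", r"Show clock ==>(.*)"), ("start", r"start date:(.*)"),
                     ("end", r"end date:(.*)")):
        out[key] = parse_ios_time(re.search(pat, snapshot).group(1))
    return out["clock"], out["start"], out["end"]

def clock_in_validity_window(snapshot):
    """True if this router's own clock lies within its certificate's validity."""
    clock, not_before, not_after = parse_snapshot(snapshot)
    return not_before <= clock <= not_after

def clock_skew(snapshot_a, snapshot_b):
    """Absolute difference between the two routers' clocks."""
    return abs(parse_snapshot(snapshot_a)[0] - parse_snapshot(snapshot_b)[0])

MAX_SKEW = timedelta(minutes=5)  # assumed tolerance, not a value from the thread

def peers_consistent(snapshot_a, snapshot_b, max_skew=MAX_SKEW):
    """Both clocks inside their validity windows and within max_skew of each other."""
    return (clock_in_validity_window(snapshot_a) and clock_in_validity_window(snapshot_b)
            and clock_skew(snapshot_a, snapshot_b) <= max_skew)

if __name__ == "__main__":
    print("skew between peers:", clock_skew(RACK1R1, RACK1R2))
    print("peers consistent:", peers_consistent(RACK1R1, RACK1R2))
```

On the posted snapshots both clocks sit inside the validity window, so the per-router check passes, while the peer clocks differ by almost 17 hours, which is the skew Marvin's question and Richard's NTP advice point at.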
This archive was generated by hypermail 2.1.4 : Thu Mar 01 2007 - 07:38:48 ART