Re: IPSec problem using CA server

From: Piyoush Sharma (piyoush@gmail.com)
Date: Fri Dec 05 2008 - 16:32:25 ARST


Hi Tomi,

I have seen this error before; it crops up if your CA router is the peer for
the other router. You need to create another trustpoint on your CA router,
then authenticate this trustpoint and enroll the router with the CA. Because
you are using the CA router as a crypto peer, it has not been authenticated.
So you would need to have a trustpoint for the crypto (this would be named
differently than the trustpoint that's created as part of the IOS pki ca
server).
Good luck!!!

Let me know if this works for you.

Piyoush.

On Thu, Dec 4, 2008 at 6:31 AM, Tomi Amao <tomiground@hotmail.com> wrote:

> I have an issue and this is it. I hope to get help from anyone as soon as
> possible, thanks.
>
> I have 2 routers on a LAN and a CA also on that LAN.
> The 2 routers have authenticated the CA and then enrolled with the CA.
> The 2 routers have generated RSA keys (1024).
>
> When I create interesting traffic on the routers that matches the proxy ACL,
> the traffic never gets encrypted.
>
> ISAKMP phase 1 attributes are acceptable,
> but along the line, during the debug crypto isakmp and debug crypto ipsec, I
> get the following error message:
>
> %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad: CArequest failed
>
> I've read that time on the Cisco routers could be a problem, but that is
> properly sorted out. The 2 routers are synched up
> with proper time and they are also synched up with proper time from the CA.
>
> I really can't guess again what the problem could be. Any help would really
> be appreciated urgently.
>
> Thanks
> Tomi Amao
> CCIE#19627
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
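
The fix described in the reply above, written out as an added IOS configuration example (not part of the original thread). The CA server name `CA-SERVER`, the trustpoint name `VPN-ID` and the address `192.0.2.1` are assumptions chosen for illustration.

```cisco
! Router that both runs the IOS CA server and terminates the IPsec tunnel.
! Assumed names (not from the thread): CA-SERVER, VPN-ID, 192.0.2.1.
!
! Existing CA server. IOS auto-creates a trustpoint with the same name
! (CA-SERVER) that holds the CA's own certificate, not an identity
! certificate this router can present to an IKE peer.
crypto pki server CA-SERVER
 no shutdown
!
! Second, differently named trustpoint used for the router's IKE identity.
! It enrolls over SCEP against the CA server running on this same box,
! so "ip http server" must be enabled here.
crypto pki trustpoint VPN-ID
 enrollment url http://192.0.2.1:80
!
! Global configuration mode: fetch and accept the CA certificate,
! then request an identity certificate for this router.
crypto pki authenticate VPN-ID
crypto pki enroll VPN-ID
!
! If the CA server is not set to grant automatically, approve the pending
! request from exec mode:
!   crypto pki server CA-SERVER info requests
!   crypto pki server CA-SERVER grant <req-id>
!
! Exec-mode checks: VPN-ID should list both a CA certificate and a
! router certificate.
show crypto pki certificates VPN-ID
show crypto pki trustpoints status
```

Compare the fingerprint shown by `crypto pki authenticate` with the one printed by `show crypto pki server` before accepting it.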



This archive was generated by hypermail 2.1.4 : Thu Jan 01 2009 - 12:53:07 ARST