Hello
I am using 2 Cisco routers for an IPsec tunnel and a third Cisco router as CA server.
It seems that the routers receive the certificates from the CA router, but there is no traffic between them (fails on phase 1).
Following is the important router configuration, and I can also send debug messages:
R1:
crypto pki server cisco1
issuer-name CN=cisco1.cisco.com L=RTP C=US
cdp-url http://192.168.252.254/cisco1cdp.cisco1.crl
!
crypto pki trustpoint cisco1
revocation-check crl
rsakeypair cisco1
!
!
crypto pki certificate chain cisco1
certificate ca 01
308201A0 3082014A A0030201 02020101 300D0609 2A864886 F70D0101 04050030
26312430 22060355 0403131B 63697363 6F312E63 6973636F 2E636F6D 204C3D52
54502043 3D555330 1E170D31 33303930 38313031 3231335A 170D3136 30393037
31303132 31335A30 26312430 22060355 0403131B 63697363 6F312E63 6973636F
2E636F6D 204C3D52 54502043 3D555330 5C300D06 092A8648 86F70D01 01010500
034B0030 48024100 C4D81725 37AE4F29 868F6A6C 8DD005AC 68B5876D D4AC89FD
4CE1800C 6BB5A601 9C5AB866 6EE0338E E66BE612 49FC0A9D 562B9D9F ABBAC04C
320F6750 081BDCD7 02030100 01A36330 61300F06 03551D13 0101FF04 05300301
01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830 16801456
F091F770 16A63F89 B46900B1 3E67198B 0D548E30 1D060355 1D0E0416 041456F0
91F77016 A63F89B4 6900B13E 67198B0D 548E300D 06092A86 4886F70D 01010405
00034100 52FBD15E 39D75563 BA2EBD8B 6C2C9CD7 732A0871 F9A85E65 F2A0C6EA
490A31FE 0F92BE14 8AFD1764 509E9AE1 312A121A B3A9E92C 6A1A9904 39A482F4 CEE78650
quit
interface GigabitEthernet0/0
ip address 192.168.252.254 255.255.255.0
duplex auto
speed auto
media-type rj45
!
R3 (similar to R2):
crypto pki trustpoint cisco
enrollment retry count 5
enrollment retry period 3
enrollment url http://192.168.252.254:80
usage ike
usage ssl-server
usage ssl-client
serial-number
revocation-check crl
!
!
crypto pki certificate chain cisco
certificate ca 01
308201A0 3082014A A0030201 02020101 300D0609 2A864886 F70D0101 04050030
26312430 22060355 0403131B 63697363 6F312E63 6973636F 2E636F6D 204C3D52
54502043 3D555330 1E170D31 33303930 38313031 3231335A 170D3136 30393037
31303132 31335A30 26312430 22060355 0403131B 63697363 6F312E63 6973636F
2E636F6D 204C3D52 54502043 3D555330 5C300D06 092A8648 86F70D01 01010500
034B0030 48024100 C4D81725 37AE4F29 868F6A6C 8DD005AC 68B5876D D4AC89FD
4CE1800C 6BB5A601 9C5AB866 6EE0338E E66BE612 49FC0A9D 562B9D9F ABBAC04C
320F6750 081BDCD7 02030100 01A36330 61300F06 03551D13 0101FF04 05300301
01FF300E 0603551D 0F0101FF 04040302 0186301F 0603551D 23041830 16801456
F091F770 16A63F89 B46900B1 3E67198B 0D548E30 1D060355 1D0E0416 041456F0
91F77016 A63F89B4 6900B13E 67198B0D 548E300D 06092A86 4886F70D 01010405
00034100 52FBD15E 39D75563 BA2EBD8B 6C2C9CD7 732A0871 F9A85E65 F2A0C6EA
490A31FE 0F92BE14 8AFD1764 509E9AE1 312A121A B3A9E92C 6A1A9904 39A482F4 CEE78650
quit
!
!
archive
log config
hidekeys
!
!
crypto isakmp policy 1
hash md5
group 2
!
!
crypto ipsec transform-set ts_1 esp-des esp-md5-hmac
!
crypto map map_1 1 ipsec-isakmp
set peer 10.0.0.1
set transform-set ts_1
match address 100
!
!
!
ip ssh version 1
!
!
!
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 192.168.252.253 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface FastEthernet1/0
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
crypto map map_1
!
interface FastEthernet1/1
no ip address
duplex auto
speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
!
access-list 100 permit icmp any any
!
Attached is the setup.
I appreciate your assistance and will send any required information.
thanks
Roee