
Author CA, IPSec, Win2003, cepsetup.exe, problems
Devinator

2003-06-21, 7:34 pm

I've been on a personal mission to learn to perform both IPSec using digital certificates on Cisco routers and how to set up a standalone certificate server. I'm running Win2003 on my servers, and haven't found anything specifically about them natively supporting SCEP (Simple Certificate Enrollment Protocol), which Cisco routers need to do their enrollment. I read about cepsetup.exe that's part of the Win2000 ResKit, and installed it. It runs fine and tells me my URL. My servers are set up as workgroup servers, and though cepsetup.exe installs fine, when I try to get my routers to authenticate and enroll, I get nothing but an error. I have these questions:

1. Can I use cepsetup.exe and Certificate Services on a Workgroup server to successfully authenticate and enroll routers?
2. Anyone else ever experienced this problem?
3. Has anyone tried using Baltimore's TrustedVPN software (www.baltimore.com)?

Thanks!
sean34

2003-06-25, 7:21 pm

Devinator,

Yes, you can use SCEP on a workgroup server... I've done it myself numerous times.

So that's not your problem...

What error do you receive?

later,

Sean
Devinator

2003-06-25, 8:06 pm

Thanks Sean. The router is not acting like it sees the server at all. There seems to be no SCEP or CEP templates available... odd. I'm running 2003 with cepsetup.exe from the Win2k RK. I tried the full URL that cepsetup.exe gave me, which included all the way down to the .dll file, then I tried it with the IP instead of the host name... neither worked. The router is acting like the server isn't even there. Odd, really. I tried http://vpncerts.entrust.com/ also (they're publicly open test servers), but they didn't work. I got an error on my 3640 (IOS = 12.3.1 IP Plus/FW) when trying to authenticate to Entrust saying their cert length = 0. I could authenticate fine when using my 2611 (same IOS), but then it wouldn't enroll (bring down MY certificate). I'm kind of stuck.
sean34

2003-06-26, 1:16 am

Hmmm, interesting...

It's simple enough, but have you set the time properly on your routers? If they are not in sync with the CA servers the setup will not work.

Your enrollment statement should look like this; include the dll as well:

enrollment url http://10.0.1.10:80/certsrv/mscep/mscep.dll

Hope this helps,

Sean
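
Added example, not part of the original thread or any poster's code: a Python sketch that builds the SCEP GetCACert request for an enrollment URL in the form shown above and classifies the reply, covering a missing SCEP endpoint, a zero-length certificate body, and clock skew between client and CA. The CA identifier `test-ca`, the 300-second skew limit, and the sample response are assumptions constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlencode, urlsplit, urlunsplit

# Content types SCEP defines for a GetCACert reply (RFC 8894).
CA_CERT_TYPES = {
    "application/x-x509-ca-cert": "single CA certificate (DER)",
    "application/x-x509-ca-ra-cert": "CA + RA certificates (PKCS#7)",
}

def getcacert_url(enrollment_url, ca_ident="test-ca"):
    """Build the GetCACert request a SCEP client sends (ca_ident is hypothetical)."""
    parts = urlsplit(enrollment_url)
    query = urlencode({"operation": "GetCACert", "message": ca_ident})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))

def diagnose(status, headers, body, now, max_skew_s=300):
    """Return findings for one GetCACert HTTP response (skew limit is an assumption)."""
    if status != 200:
        return [f"HTTP {status}: no SCEP reply at this path"]
    findings = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype not in CA_CERT_TYPES:
        findings.append(f"unexpected Content-Type {ctype!r}: not a SCEP reply")
    elif not body:
        findings.append("zero-length certificate body")
    elif body[0] != 0x30:  # DER certificates and PKCS#7 both start with SEQUENCE
        findings.append("body is not DER (no SEQUENCE tag)")
    else:
        findings.append("ok: " + CA_CERT_TYPES[ctype])
    if "Date" in headers:
        skew = abs((now - parsedate_to_datetime(headers["Date"])).total_seconds())
        if skew > max_skew_s:
            findings.append(f"clock skew {int(skew)}s vs server")
    return findings

if __name__ == "__main__":
    # Constructed response: correct content type but an empty body.
    now = datetime(2003, 6, 26, 1, 16, 0, tzinfo=timezone.utc)
    hdrs = {"Content-Type": "application/x-x509-ca-ra-cert",
            "Date": "Thu, 26 Jun 2003 01:16:00 GMT"}
    print(getcacert_url("http://10.0.1.10:80/certsrv/mscep/mscep.dll"))
    print(diagnose(200, hdrs, b"", now))
```
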
Devinator

2003-06-26, 7:26 pm

Yep, using NTP for time services - checked the clocks and they're in sync. Your URL and mine are identical except for IP. I'm clueless as to the problem... it's SUPPOSED to work. :-) It can ping, but won't see the services. Configuring SCEP is a complete no-brainer, but I'm not 100% sure of its compatibility with Win2003 Certificate Services. Installing cert services is easy as cake, but it doesn't seem to be working, so I'm missing something somewhere.
Just_Curious

2003-07-10, 4:04 pm

Was seeing the same problem as you had mentioned.

Downloaded the latest resource kit tools from Microsoft's website, extracted them and ran the CEPSETUP.EXE, and now I am able to get the passphrase for enrollment.

Try the link below to download the tools.
The file's called: rktools.exe
Good luck.
http://www.microsoft.com/downloads/...&displaylang=en
Devinator

2003-07-10, 10:41 pm

I'm downloading it now. Will try it out. Many thanks!
sean34

2003-07-11, 6:03 am

Thanks for the link to the resource kit.

Regards,

Sean

Copyright 2003 - 2008 examnotes.net