Posted by Alan on May 18, 2006, 3:56 am
The CEP certificate on our CA expired and, not being able to renew it,
we were told to re-install the MSCEP program. This meant we were able to
auto-enrol certificates from the Cisco VPN client but there was a
problem actually using them. There is only one CA.
The VPN concentrators are both Cisco VPN 3000 series. The existing unit
has certificates issued prior to SCEP re-install, the new (spare) unit
has freshly cut certificates. Other than this, there are no changes or
differences to the concentrators.
Certificates issued both manually and via MSCEP will not authenticate
on the existing VPN concentrator. They are able to authenticate against
the spare concentrator. Existing certificates are able to authenticate
against the existing concentrator but not against the spare.
In each case the client shows the same error - Received un-encrypted
ISAKMP packet, but our SA is crypto active. The spare concentrator's
error log complains: "Unable to complete certificate chain, reason =
Incomplete certificate chain". Both concentrators can see the CA OK.