Easy VPN Integrated with Microsoft CA


I need to configure Cisco Easy VPN on a Cisco ISR Router. The client users will be on Nokia E Series phones and will use the Nokia VPN Client, which supports Cisco Easy VPN, but I should have a Microsoft certificate and install it on each Nokia phone.

I followed the document below, but it did not work...

I received the below error on the router:

*Dec 17 12:43:47.387: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 168.187.185.8 is bad: certificate invalid

Please advise!

Best Regards,

Paranormastic (Cryptographic Engineer) commented:
Also, make sure that the cert was valid for the name(s) that you are accessing it by.  In this case it sounds like it is trying to access by IP address, so the subject name for the cert should be the IP address.

If you need multiple name entries (e.g. IP address, hostname, FQDN, DNS alias, etc.), you can do that if you have the SAN attribute enabled on the CA; to do so, run this on the CA:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

What we do here is to use a request template for offline requests, then submit that to the CA using the CertSrv page using the IPSec (Offline) template.

Create a file called "IPSec_Request.inf"
---start - do not include this line ---
Signature = "$Windows NT$"

Subject = "CN=server1.domain.local"
; EncipherOnly = FALSE   ; this seemed to cause a problem in 2008 Server CA for some reason
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
Silent = TRUE
UseExistingKeySet = FALSE
UserProtected = FALSE


SAN = "dns=server1.domain.local&dns=server1&ipaddress="
---end - do not include this line ---

For the subject, put in the main name you want for it; anything else that you want to be valid, enter in the last line as a SAN entry, following the example as a guideline. Use the subject as the first entry in the SAN.

On the IPSec server:
certreq -new IPSec_Request.inf ServerA_IPSec_CSR.txt

Open the txt file and paste the contents into the CSR field on the certsrv page (1st option/2nd option), select the IPSec (Offline) template (or a duplicated version 2 template of the same), leave the SAN empty since it is provided in the request file.

On the server, you should be able to install it by right-clicking the cert file, choosing Install, and taking the defaults.  If it isn't working, you can try this:
Open the cert's properties - Details tab - copy the serial number - paste into Notepad - Ctrl+H to replace all spaces with nothing (remove the spaces) and copy that - open cmd - certutil -repairstore My <right-click - paste unspaced serial number here>
Only do this for the cert issued to that box, not the cert issued to the other box.
Paranormastic (Cryptographic Engineer) commented:
Run this from cmd box:
certutil -dump YOURCERT.cer
-or- view details tab of cert - select Key Usage and Enhanced Key Usage (and Certificate Template, if present)

Under Certificate Extensions, verify the following are set:
    Key Usage
        Digital Signature, Key Encipherment (a0)

    Enhanced Key Usage
        IP security IKE intermediate (

If you requested against a template, it should mention IPSec, like:
    Certificate Template Name

The template name can vary, but the Key Usage and Enhanced Key Usage must have at least these values - they can have additional ones.
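As an added example (not part of the thread), the following PowerShell script automates the checks from the two comments above on an issued .cer file: Key Usage, the IKE intermediate EKU (using its well-known OID 1.3.6.1.5.5.8.2.2), whether the subject or SAN carries the name the peer connects by (defaulting to the IP address from the router log), and validity and chain building. The script and its parameter names are my own and are not Cisco or Microsoft tooling.

```powershell
# Added example: verify an IPsec/IKE certificate against the requirements discussed above.
# Assumes a DER or PEM .cer file; -PeerAddress defaults to the address seen in the router log.
param(
    [Parameter(Mandatory = $true)][string]$CertPath,
    [string]$PeerAddress = '168.187.185.8'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$problems = @()

# 1. Key Usage must carry Digital Signature + Key Encipherment (shown as "a0" by certutil -dump)
$required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
if (-not $ku -or (($ku.KeyUsages -band $required) -ne $required)) {
    $problems += 'Key Usage lacks Digital Signature and/or Key Encipherment'
}

# 2. Enhanced Key Usage must include "IP security IKE intermediate" (well-known OID 1.3.6.1.5.5.8.2.2)
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.8.2.2' })) {
    $problems += 'Enhanced Key Usage lacks IP security IKE intermediate'
}

# 3. The name the peer connects by (here an IP address) must appear in the subject CN or the SAN
$names = @()
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn) { $names += $cn }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Format() yields e.g. "DNS Name=server1, IP Address=10.0.0.5"; keep only the values
    $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[-1].Trim() }
}
if ($names -notcontains $PeerAddress) {
    $problems += "Neither subject nor SAN names '$PeerAddress' (found: $($names -join ', '))"
}

# 4. Validity window and chain to a trusted CA; both are common reasons a peer rejects a cert
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Not valid at the current time (valid $($cert.NotBefore) to $($cert.NotAfter))"
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is a separate check; focus on trust here
if (-not $chain.Build($cert)) {
    $problems += 'Chain does not build to a trusted CA: ' + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; ')
}

if ($problems.Count -eq 0) { 'OK: certificate meets the IPsec/IKE requirements checked above' }
else { $problems | ForEach-Object { "PROBLEM: $_" }; exit 1 }
```

Run it on the machine that holds the CA's root in its trusted store, e.g. `.\Check-IpsecCert.ps1 -CertPath .\Nokia.cer`, so that the chain check reflects what a peer trusting that CA would see.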
Paranormastic (Cryptographic Engineer) commented:
Also, do you have a different IPSec cert installed on both ends, each issued to the respective host?  By this I mean:
ServerA-  cert issued to ServerA - ServerA's cert installed on both ServerA & Server B - private key only exists on ServerA
ServerB-  cert issued to ServerB - ServerB's cert installed on both ServerA & Server B - private key only exists on ServerB
(do not export private key, if that is even allowed as an option, except to make a backup copy of it stored off of the server)
KOAC (Author) commented:
Dear Paranormastic;

Hope you are doing well;

It looks like you have a lot of experience with Microsoft Certificate Server, so could you guide me step by step through what I need to do? This is the first time I have configured Microsoft CA and integrated it with a Cisco ISR Router.
I did not understand all of what you have advised.

Note: I have attached the certificate that I issued from the Microsoft CA server to the client, and the Microsoft CA server cert.
Please Change Nokia.txt to Nokia.pfx & the Private Key 123456789.
Please change Nevo-IPTV-Nevo-IPTV-1-.txt to Nevo-IPTV-Nevo-IPTV-1-.cert

Please advise.
