

Easy VPN Integrated with Microsoft CA

Posted on 2009-12-18
Medium Priority
Last Modified: 2012-05-08

I need to configure Cisco Easy VPN on a Cisco ISR Router. Client users will be on Nokia E Series phones, and they will use the Nokia VPN Client, which supports Cisco Easy VPN, but I should have a Microsoft certificate and install it on each Nokia phone.

I followed the document below but it did not work...

I received the below error on the router:

*Dec 17 12:43:47.387: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 168.187.185.8 is bad: certificate invalid

Please advise!!!

Best Regards,

Question by: KOAC

Expert Comment

ID: 26082844
Run this from cmd box:
certutil -dump YOURCERT.cer
-or- view details tab of cert - select Key Usage and Enhanced Key Usage (and Certificate Template, if present)

Under Certificate Extensions, verify the following are set:
    Key Usage
        Digital Signature, Key Encipherment (a0)

    Enhanced Key Usage
        IP security IKE intermediate (

If you requested against a template, it should mention IPSec, like:
    Certificate Template Name

The template name can vary, but the Key Usage and Enhanced Key Usage must have at least these values - they can have additional ones.

Expert Comment

ID: 26082904
Also, do you have a different IPSec cert installed on both ends, each issued to the respective host?  By this I mean:
ServerA-  cert issued to ServerA - ServerA's cert installed on both ServerA & Server B - private key only exists on ServerA
ServerB-  cert issued to ServerB - ServerB's cert installed on both ServerA & Server B - private key only exists on ServerB
(do not export private key, if that is even allowed as an option, except to make a backup copy of it stored off of the server)

Accepted Solution

Paranormastic earned 2000 total points
ID: 26083041
Also, make sure that the cert was valid for the name(s) that you are accessing it by.  In this case it sounds like it is trying to access by IP address, so the subject name for the cert should be the IP address.

If you need multiple name entries (e.g. IP address, hostname, FQDN, DNS alias, etc.) you can do that if you have the SAN attribute enabled on the CA, to do so run this on the CA:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

What we do here is to use a request template for offline requests, then submit that to the CA using the CertSrv page using the IPSec (Offline) template.

Create a file called "IPSec_Request.inf"
---start - do not include this line ---
Signature = "$Windows NT$"

Subject = "CN=server1.domain.local"
; EncipherOnly = FALSE   ; this seemed to cause a problem in 2008 Server CA for some reason
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
Silent = TRUE
UseExistingKeySet = FALSE
UserProtected = FALSE


SAN = "dns=server1.domain.local&dns=server1&ipaddress="
---end - do not include this line ---

For the subject, put in the main name you want for it, anything else that you want to be valid enter in the last line as a SAN entry, following the example as a guideline - use the subject as the first entry in the san.

On the IPSec server:
certreq -new IPSec_Request.inf ServerA_IPSec_CSR.txt

Open the txt file and paste the contents into the CSR field on the certsrv page (1st option/2nd option), select the IPSec (Offline) template (or a duplicated version 2 template of the same), leave the SAN empty since it is provided in the request file.

On the server, you should be able to install it by right-clicking the cert file - install, and take the defaults.  If it isn't working, you can try this:
Open the cert's properties - details tab - copy the serial number - paste into Notepad - Ctrl+H to replace all spaces with nothing (remove the spaces) and copy that - open cmd - certutil -repairstore My <right-click - paste unspaced serial number here>
Only do this for the cert issued to that box, not the cert issued to the other box.
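The checks described in this thread (Key Usage, the IKE intermediate EKU, and whether the IP or name the peer connects by is actually in the certificate) can be scripted. The following is an added example, not code from the thread or from Cisco/Microsoft; the certificate path and the expected names are placeholders to be replaced, and the EKU OID 1.3.6.1.5.5.8.2.2 is the standard value for "IP security IKE intermediate".

```powershell
# Added example: inspect an IPsec/IKE certificate from PowerShell using the .NET X509 classes.
# Assumptions: $CertPath and $ExpectedNames are placeholders for your own cert file and the
# IP/hostname the router or phone uses to reach the peer (the router log shows a bare IP).
param(
    [string]$CertPath = 'C:\certs\ipsec-peer.cer',                            # placeholder
    [string[]]$ExpectedNames = @('168.187.185.8', 'server1.domain.local')     # placeholder
)

$IkeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # EKU "IP security IKE intermediate"
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$problems = @()

# Key Usage must include Digital Signature + Key Encipherment (the "a0" bit mask in certutil -dump)
$ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature -bor
            [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment
if (-not $ku -or (($ku.KeyUsages -band $required) -ne $required)) {
    $problems += "Key Usage lacks Digital Signature + Key Encipherment (found: $($ku.KeyUsages))"
}

# Enhanced Key Usage must list IP security IKE intermediate (other EKUs may be present as well)
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @()
if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
if ($ekuOids -notcontains $IkeIntermediateOid) {
    $problems += "EKU lacks IP security IKE intermediate ($IkeIntermediateOid); found: $($ekuOids -join ', ')"
}

# Each name the peer connects by must be the Subject CN or appear in the SAN extension (OID 2.5.29.17)
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '' }
$subjectCn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
foreach ($name in $ExpectedNames) {
    if ($subjectCn -ne $name -and $sanText -notmatch [regex]::Escape($name)) {
        $problems += "Name '$name' is neither the Subject CN ('$subjectCn') nor a SAN entry (SAN: '$sanText')"
    }
}

# Validity window and chain to a trusted root on this machine
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))"
}
if (-not $cert.Verify()) { $problems += 'Chain does not validate to a trusted root on this machine' }

if ($problems.Count -eq 0) { Write-Output "OK: $CertPath has the KU, EKU and names needed for IKE" }
else { $problems | ForEach-Object { Write-Output "PROBLEM: $_" } }
```

Run it on the certificate exported from the CA before importing it to the phone; an empty SAN with an IP-only peer address, or a missing IKE intermediate EKU, is the kind of mismatch that shows up on the router as a "certificate invalid" rejection.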

Author Comment

ID: 26083591
Dear Paranormastic;

Hope you are doing well;

Looks like you have a lot of experience with Microsoft Certificate Server, so could you guide me step by step on what I need to do, since this is the first time I have configured Microsoft CA and integrated it with a Cisco ISR Router?
I did not understand all of what you advised.

Note: I have attached the certificate that I issued from the Microsoft CA server to the client, and the Microsoft CA server cert.
Please change Nokia.txt to Nokia.pfx; the private key password is 123456789.
Please change Nevo-IPTV-Nevo-IPTV-1-.txt to Nevo-IPTV-Nevo-IPTV-1-.cert

Please advise..

