Easy VPN Integrated with Microsoft CA

Posted on 2009-12-18
Last Modified: 2012-05-08

I need to configure Cisco Easy VPN on a Cisco ISR router. The client users will be Nokia E Series phones and they will use the Nokia VPN Client, which supports Cisco Easy VPN, but I should have a Microsoft certificate and install it on each Nokia phone.

I followed the document below but it did not work...

I received the below error on the router:

*Dec 17 12:43:47.387: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from 168.187.185.8 is bad: certificate invalid

Please advise!!!

Best Regards,

Question by:KOAC

    Expert Comment

    Run this from cmd box:
    certutil -dump YOURCERT.cer
    -or- view details tab of cert - select Key Usage and Enhanced Key Usage (and Certificate Template, if present)

    Under Certificate Extensions, verify the following are set:
        Key Usage
            Digital Signature, Key Encipherment (a0)

        Enhanced Key Usage
            IP security IKE intermediate (

    If you requested against a template, it should mention IPSec, like:
        Certificate Template Name

    The template name can vary, but the Key Usage and Enhanced Key Usage must have at least these values - they can have additional ones.
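The Key Usage / Enhanced Key Usage check described above, as an added example that is not code from this thread: a stdlib-only Python decoder for the two DER extension values that reports what certutil -dump shows as "Digital Signature, Key Encipherment (a0)" and the EKU list, and then flags what an IPsec peer certificate is missing. The OID 1.3.6.1.5.5.8.2.2 is the standard one for "IP security IKE intermediate"; the sample DER values at the bottom are constructed for the demonstration, not taken from a real certificate.

```python
"""Decode an X.509 Key Usage and Enhanced Key Usage extension value and check
they carry what an IPsec/IKE peer certificate needs: Digital Signature and
Key Encipherment (first Key Usage byte a0) plus the "IP security IKE
intermediate" EKU.  Stdlib-only DER decoding, so it runs anywhere; feed it
the raw extension values exported from a certificate to audit that cert."""

# RFC 5280 KeyUsage bit names, in bit order
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Standard OID for the "IP security IKE intermediate" EKU (name as certutil -dump prints it)
IKE_INTERMEDIATE_OID = "1.3.6.1.5.5.8.2.2"
EKU_NAMES = {
    IKE_INTERMEDIATE_OID: "IP security IKE intermediate",
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
}


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content bytes to dotted-decimal form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128, high bit set = more bytes follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_key_usage(der):
    """KeyUsage ::= BIT STRING.  Returns (hex of first usage byte, set of bit names)."""
    tag, content, _ = read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage extension value must be a BIT STRING")
    unused, bits = content[0], content[1:]
    names = set()
    for i in range(min(len(bits) * 8 - unused, len(KEY_USAGE_BITS))):
        if bits[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return bits[:1].hex(), names


def decode_eku(der):
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER.  Returns dotted OIDs."""
    tag, content, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        t, val, pos = read_tlv(content, pos)
        if t != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(val))
    return oids


def check_ipsec_cert(key_usage_der, eku_der):
    """Return the list of requirements the certificate is missing (empty list = OK)."""
    _, usages = decode_key_usage(key_usage_der)
    ekus = decode_eku(eku_der)
    missing = ["Key Usage: " + u for u in ("digitalSignature", "keyEncipherment")
               if u not in usages]
    if IKE_INTERMEDIATE_OID not in ekus:
        missing.append("Enhanced Key Usage: " + EKU_NAMES[IKE_INTERMEDIATE_OID])
    return missing


# Constructed sample extension values (DER), not taken from any real certificate
GOOD_KU = bytes.fromhex("030205a0")                       # Digital Signature, Key Encipherment (a0)
SIG_ONLY_KU = bytes.fromhex("03020780")                   # Digital Signature only (80)
IKE_EKU = bytes.fromhex("300a06082b06010505080202")       # IP security IKE intermediate
WEB_EKU = bytes.fromhex("300a06082b06010505070301")       # Server Authentication only

if __name__ == "__main__":
    for label, ku, eku in (("IPsec template cert", GOOD_KU, IKE_EKU),
                           ("web-server cert", GOOD_KU, WEB_EKU),
                           ("signature-only cert", SIG_ONLY_KU, IKE_EKU)):
        print(label, "->", check_ipsec_cert(ku, eku) or "OK")
```

The decoder only needs the extension values themselves, so the same functions can be pointed at bytes pulled out of a full certificate; the three constructed cases show the two common failure modes (a web-server template without the IKE EKU, and a signature-only Key Usage) beside a passing one.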

    Expert Comment

Also, do you have a different IPSec cert installed on both ends, each issued to the respective host?  By this I mean:
    ServerA-  cert issued to ServerA - ServerA's cert installed on both ServerA & Server B - private key only exists on ServerA
    ServerB-  cert issued to ServerB - ServerB's cert installed on both ServerA & Server B - private key only exists on ServerB
    (do not export private key, if that is even allowed as an option, except to make a backup copy of it stored off of the server)

    Accepted Solution

    Also, make sure that the cert was valid for the name(s) that you are accessing it by.  In this case it sounds like it is trying to access by IP address, so the subject name for the cert should be the IP address.

If you need multiple name entries (e.g. IP address, hostname, FQDN, DNS alias, etc.) you can do that if you have the SAN attribute enabled on the CA; to do so, run this on the CA:
    certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
    net stop certsvc
    net start certsvc

    What we do here is to use a request template for offline requests, then submit that to the CA using the CertSrv page using the IPSec (Offline) template.

Create a file called "IPSec_Request.inf"
---start - do not include this line ---
[NewRequest]
Signature = "$Windows NT$"

Subject = "CN=server1.domain.local"
; EncipherOnly = FALSE   ; this seemed to cause a problem in 2008 Server CA for some reason
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
Silent = TRUE
UseExistingKeySet = FALSE
UserProtected = FALSE

[RequestAttributes]
; SAN is passed as a request attribute; the CA only honours it with EDITF_ATTRIBUTESUBJECTALTNAME2 set
SAN = "dns=server1.domain.local&dns=server1&ipaddress="
---end - do not include this line ---

    For the subject, put in the main name you want for it, anything else that you want to be valid enter in the last line as a SAN entry, following the example as a guideline - use the subject as the first entry in the san.

    On the IPSec server:
    certreq -new IPSec_Request.inf ServerA_IPSec_CSR.txt

    Open the txt file and paste the contents into the CSR field on the certsrv page (1st option/2nd option), select the IPSec (Offline) template (or a duplicated version 2 template of the same), leave the SAN empty since it is provided in the request file.

On the server, you should be able to install it by right-clicking the cert file - Install, and taking the defaults.  If it isn't working, you can try this:
Open the cert's properties - Details tab - copy the serial number - paste into Notepad - Ctrl+H to replace all spaces with nothing (remove the spaces) and copy that - open cmd and run:
certutil -repairstore My <right-click - paste unspaced serial number here>
    Only do this for the cert issued to that box, not the cert issued to the other box.
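The name-matching point of the accepted solution (the router is reached by IP address, so that address has to be in the certificate) and the SAN request attribute format above, as an added example that is not code from this thread: a Python helper that renders the same request .inf with the subject as the first SAN entry, and a check that tells you whether a given identity (host name or IP) would be covered by the resulting certificate. The [NewRequest] and [RequestAttributes] section names are the standard certreq ones; server1.domain.local, the alias server1 and the address 192.0.2.10 are constructed values for the demonstration.

```python
"""Build the certreq request .inf for an IPsec peer certificate, with the
subject first in the SAN request attribute, and check which identities the
issued certificate would then be valid for.  A peer that authenticates you by
IP address (as in the router's "certificate invalid" log) only matches if that
address is present as an ipaddress SAN entry, so the check flags that case."""
import ipaddress

# Section names are the standard certreq ones; the key/value pairs follow the thread's file.
INF_TEMPLATE = """[NewRequest]
Signature = "$Windows NT$"
Subject = "CN={cn}"
Exportable = FALSE
KeyLength = 2048
KeySpec = 1
MachineKeySet = TRUE
PrivateKeyArchive = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
Silent = TRUE
UseExistingKeySet = FALSE
UserProtected = FALSE

[RequestAttributes]
SAN = "{san}"
"""


def build_san_attribute(subject_cn, extra_dns=(), ips=()):
    """'dns=<cn>&dns=<alias>&ipaddress=<ip>' with the subject as the first entry.
    IPs are normalised via ipaddress so a malformed one fails here, not at the CA."""
    parts = ["dns=" + subject_cn]
    parts += ["dns=" + d for d in extra_dns if d.lower() != subject_cn.lower()]
    parts += ["ipaddress=" + str(ipaddress.ip_address(ip)) for ip in ips]
    return "&".join(parts)


def build_request_inf(subject_cn, extra_dns=(), ips=()):
    """Render the .inf text to save as IPSec_Request.inf for `certreq -new`."""
    return INF_TEMPLATE.format(cn=subject_cn,
                               san=build_san_attribute(subject_cn, extra_dns, ips))


def parse_san_attribute(san):
    """'dns=a&ipaddress=1.2.3.4' -> [('dns', 'a'), ('ipaddress', '1.2.3.4')]; empty values dropped."""
    entries = []
    for part in san.split("&"):
        kind, _, value = part.partition("=")
        if value:
            entries.append((kind.strip().lower(), value.strip()))
    return entries


def cert_valid_for(identity, subject_cn, san):
    """True if `identity` (host name or IP the peer connects by) is covered by the
    subject CN or a SAN entry.  An IP identity must match an ipaddress entry."""
    try:
        ip = ipaddress.ip_address(identity)
    except ValueError:
        ip = None
    if ip is None and identity.lower() == subject_cn.lower():
        return True
    for kind, value in parse_san_attribute(san):
        if ip is not None and kind == "ipaddress" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "dns" and value.lower() == identity.lower():
            return True
    return False


if __name__ == "__main__":
    # Constructed names/addresses for illustration (192.0.2.0/24 is a documentation range)
    cn, aliases, addr = "server1.domain.local", ["server1"], "192.0.2.10"
    print(build_request_inf(cn, aliases, [addr]))
    without_ip = build_san_attribute(cn, aliases)
    with_ip = build_san_attribute(cn, aliases, [addr])
    print("peer connects by IP, SAN has no ipaddress:", cert_valid_for(addr, cn, without_ip))
    print("peer connects by IP, SAN has ipaddress:  ", cert_valid_for(addr, cn, with_ip))
```

Running it prints the rendered .inf and then False/True for the two SAN variants, which is the difference between the "certificate invalid" error and a working IKE exchange when the peer is identified by address.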

    Author Comment

Dear Paranormastic,

Hope you are doing well.

It looks like you have a lot of experience with Microsoft Certificate Server, so could you guide me step by step on what I need to do, since this is the first time I have configured a Microsoft CA and integrated it with a Cisco ISR router.
I did not understand all of what you advised.

Note: I have attached the certificate that I issued from the Microsoft CA server to the client, and the Microsoft CA server cert.
Please change Nokia.txt to Nokia.pfx; the private key is 123456789.
Please change Nevo-IPTV-Nevo-IPTV-1-.txt to Nevo-IPTV-Nevo-IPTV-1-.cert

Please advise..

