Microsoft KB Archive/305196

= Cannot Establish an L2TP/IPSec Tunnel Between a Cisco Router and a Windows 2000 Certificate Authority =

Article ID: 305196

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Service Pack 2
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q305196



SYMPTOMS
To establish an L2TP/IPSec tunnel between a Cisco Internetwork Operating System (IOS) router and a Windows 2000 Certificate Authority (CA), a certificate trust must exist between the CA and the router. To enable this trust, the router must request and install an IPSec certificate from the CA. However, when the Cisco IOS router requests to enroll an IPSec certificate from a Windows 2000 Enterprise CA, the request may fail, and the router may log the following error messages in the Cisco log:

time CRYPTO_PKI: status = 101: certificate request is rejected

time CRYPTO_PKI: All enrollment requests completed.

datetime %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority

Additionally, the Application log on the Windows 2000 server that is hosting the Certificate Authority service may log the following event:

Event Type: Warning

Event Source: CertSvc

Event Category: None

Event ID: 53

Date: date

Time: time

User: N/A

Computer: computer name

Description:

Certificate Services denied request 72 because Access is denied. 0x80070005 (WIN32: 5).

The request was for OID.1.2.840.113549.1.9.2=name.com. Additional information: Denied by Policy Module

If you use the Certutil.exe tool to parse the WIN32 error (by using the certutil -error 0x80070005 command), you may receive the following output:

0x80070005 (WIN32: 5) -- 2147942405 (-2147024891)

Error message text: Access is denied.



CAUSE
This issue can occur if the Authenticated Users group has not been granted the Enroll permission on the IPSECIntermediateOffline template. The CA's policy module checks the template's access control list when it processes the SCEP request, so a router enrolling as an authenticated principal is refused with "Access is denied" (0x80070005) when that permission is missing.



RESOLUTION
To resolve this issue, grant the Enroll permission to the Authenticated Users group on the IPSECIntermediateOffline template.
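The following script is an added example, not part of the KB article, that checks whether Authenticated Users already hold the Enroll extended right on the IPSECIntermediateOffline template and, only when run with an assumed -ApplyFix switch, grants it. It assumes a domain-joined host with Windows PowerShell, read access to the Configuration naming context, and (for the fix) write access to the template object.

```powershell
# Added example (not from the KB article): check, and optionally grant, the Enroll
# permission for Authenticated Users on the IPSECIntermediateOffline template.
# Assumes a domain-joined host with Windows PowerShell and read access to the
# Configuration naming context; -ApplyFix is an assumed switch, off by default.
param([switch]$ApplyFix)

$templateName = 'IPSECIntermediateOffline'
# Certificate-Enrollment extended right (the "Enroll" permission shown in the template UI).
$enrollRightGuid = [Guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$authenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')

# Certificate templates live in the Configuration partition, not in a domain partition.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext.Value
$template = [ADSI]"LDAP://CN=$templateName,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"

$rules = $template.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

# An Enroll grant is an Allow ACE carrying ExtendedRight with the Enroll right's GUID as its object type.
# This check looks only for an explicit Allow; a Deny ACE or a GenericAll grant is not evaluated here.
$enrollAllowed = @($rules | Where-Object {
    $_.IdentityReference.Value -eq $authenticatedUsers.Value -and
    $_.AccessControlType -eq [System.Security.Principal.AccessControlType]::Allow -and
    $_.ObjectType -eq $enrollRightGuid -and
    (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0)
})

if ($enrollAllowed.Count -gt 0) {
    Write-Output "Authenticated Users already hold Enroll on $templateName; look elsewhere for the SCEP rejection."
}
elseif ($ApplyFix) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $authenticatedUsers,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.Principal.AccessControlType]::Allow,
        $enrollRightGuid)
    $template.ObjectSecurity.AddAccessRule($rule)
    $template.CommitChanges()   # writes the updated nTSecurityDescriptor back to the template object
    Write-Output "Granted Enroll on $templateName to Authenticated Users."
}
else {
    Write-Output "Authenticated Users lack Enroll on $templateName (consistent with CertSvc event 53 / 0x80070005). Re-run with -ApplyFix to grant it."
}
```

Changes to the template ACL are read by the CA's policy module on the next enrollment request, so the router's SCEP enrollment can simply be retried after the grant.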



MORE INFORMATION
The Cisco Internetwork Operating System (IOS) uses the Simple Certificate Enrollment Protocol (SCEP), a Cisco proprietary protocol, to communicate with the CA to obtain a certificate. This is the only way to request or install a certificate on a Cisco router. Additionally, only CAs that support SCEP can be used to enroll the certificate. The Windows 2000 Server Resource Kit includes an add-on component (Cepsetup.exe) that allows Microsoft CAs to use SCEP.

The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

Additional query words: ios

Keywords: kberrmsg kbenv kbnetwork kbprb kb3rdparty KB305196

-


© Microsoft Corporation. All rights reserved.