Cannot Establish an L2TP/IPSec Tunnel Between a Cisco Router and a Windows 2000 Certificate Authority (305196)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Datacenter Server SP2
This article was previously published under Q305196
SYMPTOMS
To establish an L2TP/IPSec tunnel between a Cisco Internetwork Operating System (IOS) router and a Windows 2000 Certificate Authority (CA), a certificate trust must exist between the CA and the router. To enable this trust, the router must request and install an IPSec certificate from the CA. However, when the Cisco IOS router attempts to enroll for the IPSec certificate from a Windows 2000 Enterprise CA, the request may fail, and the router may log the following error messages in the Cisco log:
time CRYPTO_PKI: status = 101: certificate request is rejected
time CRYPTO_PKI: All enrollment requests completed.
datetime %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
Additionally, the Application log on the Windows 2000 server that is hosting the Certificate Authority service may log the following event:
Event Type: Warning
Event Source: CertSvc
Event Category: None
Event ID: 53
Date: date
Time: time
User: N/A
Computer: computer name
Description:
Certificate Services denied request 72 because Access is denied. 0x80070005 (WIN32: 5).
The request was for OID.1.2.840.113549.1.9.2=name.com.
Additional information: Denied by Policy Module
If you use the Certutil.exe tool to parse the WIN32 error (by using the certutil -error 0x80070005 command), you may receive the following output:
0x80070005 (WIN32: 5) -- 2147942405 (-2147024891)
Error message text: Access is denied.
CAUSE
This issue can occur if the Authenticated Users group has not been granted the Enroll permission on the IPSECIntermediateOffline certificate template.
RESOLUTION
To resolve this issue, grant the Enroll permission to the Authenticated Users group on the IPSECIntermediateOffline template.
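The following is an added example (not part of the original article) that shows how a defender could recognise this particular failure from its two log artifacts: it parses the CertSvc event 53 description, reproduces the unsigned/signed/WIN32 decoding that certutil -error 0x80070005 prints, and matches it against the router-side %CRYPTO-6-CERTREJECT message. The log lines and request details are constructed to mirror the messages quoted above.

```python
import re

# Constructed sample input modelled on the messages quoted in this article
# (not captured from a real router or CA).
CISCO_LOG = """\
*Mar  1 00:12:01.123: CRYPTO_PKI: status = 101: certificate request is rejected
*Mar  1 00:12:01.127: CRYPTO_PKI: All enrollment requests completed.
*Mar  1 00:12:01.131: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
"""
CERTSVC_EVENT_53 = (
    "Certificate Services denied request 72 because Access is denied. "
    "0x80070005 (WIN32: 5). "
    "The request was for OID.1.2.840.113549.1.9.2=name.com. "
    "Additional information: Denied by Policy Module"
)

FACILITY_WIN32 = 7          # HRESULT facility that wraps Win32 error codes
ERROR_ACCESS_DENIED = 5     # the "WIN32: 5" in the event text

def decode_hresult(hr):
    """Return the figures 'certutil -error <hr>' prints: unsigned and signed
    decimal, plus the wrapped Win32 code when the facility is WIN32."""
    u = hr & 0xFFFFFFFF
    s = u - (1 << 32) if u & 0x80000000 else u
    facility = (u >> 16) & 0x1FFF
    win32 = (u & 0xFFFF) if facility == FACILITY_WIN32 else None
    return {"hex": f"0x{u:08X}", "unsigned": u, "signed": s, "win32": win32}

def parse_certsvc_denial(description):
    """Pull request id, HRESULT, subject and the policy-module note out of a
    CertSvc event 53 description; None if it is not a denial event."""
    m = re.search(r"denied request (\d+) because .*?(0x[0-9A-Fa-f]{8})", description)
    if not m:
        return None
    subj = re.search(r"The request was for (\S+)\.", description)
    return {
        "request_id": int(m.group(1)),
        "hresult": decode_hresult(int(m.group(2), 16)),
        "subject": subj.group(1) if subj else None,
        "policy_module": "Denied by Policy Module" in description,
    }

def diagnose(cisco_log, certsvc_description):
    """Correlate the router-side CERTREJECT with the CA-side event 53 and name
    the cause this article describes (template Enroll permission missing)."""
    router_rejected = "%CRYPTO-6-CERTREJECT" in cisco_log
    ev = parse_certsvc_denial(certsvc_description)
    if (router_rejected and ev and ev["policy_module"]
            and ev["hresult"]["win32"] == ERROR_ACCESS_DENIED):
        return ("template-permission", ev["request_id"])
    return ("unknown", ev["request_id"] if ev else None)
```

A result of "template-permission" points at the Enroll ACL on the IPSECIntermediateOffline template rather than at the router configuration or the SCEP transport.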
MORE INFORMATION
The Cisco Internetwork Operating System (IOS) uses the Cisco-proprietary Simple Certificate Enrollment Protocol (SCEP) to communicate with the CA and obtain a certificate. This is the only way to request and install a certificate on a Cisco router. Consequently, only CAs that support SCEP can be used to enroll the certificate. The Windows 2000 Server Resource Kit includes an add-on component (Cepsetup.exe) that allows Microsoft CAs to use SCEP.
The third-party products that are discussed in this article are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.
Modification Type: Major | Last Reviewed: 12/3/2003
Keywords: kb3rdparty kbenv kberrmsg kbnetwork kbprb KB305196