remote access vpn between ios rtr and vpn client using certs

Unanswered Question
Apr 16th, 2007

I was trying to set up a remote access VPN between an IOS router (12.3) and VPN Client 4.x, using a Microsoft CA, but I was unable to connect with the VPN Client. I don't know where I'm going wrong. My router config is as follows:

version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Central_site
!
aaa new-model
!
!
aaa authentication login vpn_auth group tacacs+
aaa authentication login LOCAL local
aaa authorization network LOCAL local
aaa authorization network vpn_auth group tacacs+
aaa session-id common
ip subnet-zero
ip tcp synwait-time 5
!
!
no ip domain lookup
ip domain name cisco.com
!
ip audit notify log
ip audit po max-events 100
!
crypto ca trustpoint ca_serv
 enrollment mode ra
 enrollment url http://10.1.1.3:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number
 fqdn none
 subject-name cn=vpnclient,OU=guest_group
 rsakeypair rsakey
!
crypto ca certificate chain ca_serv
 certificate 6146C131000000000008
  30820320 308202CA A0030201 02020A61 46C13100 00000000 08300D06 092A8648
  92
  {cut for space}
  quit
 certificate ca 72E76FC6C80A07BE4E6B545DE8376B3F
  {cut for space}
  quit
!
!
crypto isakmp policy 10
 encr 3des
 group 5
crypto isakmp identity dn
!
crypto isakmp client configuration group guest_group
 dns 10.1.1.3
 pool vpnpool
 acl 100
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-MD5
!
!
crypto map vpn_map client authentication list LOCAL
crypto map vpn_map isakmp authorization list LOCAL
crypto map vpn_map client configuration address initiate
crypto map vpn_map client configuration address respond
crypto map vpn_map 10 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 encapsulation frame-relay
!
interface Serial0/0.1 point-to-point
 ip address 172.31.235.21 255.255.255.252
 frame-relay interface-dlci 100
 crypto map vpn_map
!
ip local pool vpnpool 192.168.1.100 192.168.1.200
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
dial-peer cor custom
!
end

I generated a certificate for the VPN client with OU=guest_group. Below is the output of debug crypto isakmp:

01:25:44: ISAKMP (0:1): UNITY's identity FQDN but no group info
01:25:44: ISAKMP (0:1): peer matches *none* of the profiles
01:25:44: ISAKMP (0:1): processing CERT payload. message ID = 0
01:25:44: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
01:25:44: ISAKMP (0:1): peer's pubkey isn't cached
01:25:44: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:25:44: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_R_MM5
01:25:44: ISAKMP (0:1): sending packet to 10.2.1.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
01:25:44: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
01:25:44: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_R_MM4
01:25:44: ISAKMP (0:1): received packet from 10.2.1.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
01:25:44: ISAKMP: set new node 1338741477 to CONF_XAUTH
01:25:44: ISAKMP (0:1): processing HASH payload. message ID = 1338741477
01:25:44: ISAKMP (0:1): processing NOTIFY INVALID_PAYLOAD protocol 1 spi 0, message ID = 1338741477, sa = 82F624C8
01:25:44: ISAKMP (0:1): peer does not do paranoid keepalives.
01:25:44: ISAKMP (0:1): deleting SA reason "recevied fatal informational" state (R) MM_KEY_EXCH (peer 10.2.1.3) input queue 0
01:25:44: ISAKMP (0:1): deleting node 1338741477 error FALSE reason "informational (in) state 1"

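Added example, not part of the original thread or of any Cisco tool: a small Python triage script that parses "debug crypto isakmp" output like the lines above, tracks the IKE state transitions, records the peer address, and flags the lines that explain why the SA was torn down (here: no client group could be derived for the peer, then a fatal informational). The sample log is the debug text from this post with the extraction line-wraps rejoined; the one-line interpretations in SIGNATURES are my own summaries, not text from the thread.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Sample "debug crypto isakmp" output, copied from the post above with the
# wrapped lines rejoined. "recevied" is spelled the way IOS prints it.
SAMPLE_DEBUG = """\
01:25:44: ISAKMP (0:1): UNITY's identity FQDN but no group info
01:25:44: ISAKMP (0:1): peer matches *none* of the profiles
01:25:44: ISAKMP (0:1): processing CERT payload. message ID = 0
01:25:44: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
01:25:44: ISAKMP (0:1): peer's pubkey isn't cached
01:25:44: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
01:25:44: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_R_MM5
01:25:44: ISAKMP (0:1): sending packet to 10.2.1.3 my_port 500 peer_port 500 (R) MM_KEY_EXCH
01:25:44: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
01:25:44: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_R_MM4
01:25:44: ISAKMP (0:1): received packet from 10.2.1.3 dport 500 sport 500 Global (R) MM_KEY_EXCH
01:25:44: ISAKMP: set new node 1338741477 to CONF_XAUTH
01:25:44: ISAKMP (0:1): processing HASH payload. message ID = 1338741477
01:25:44: ISAKMP (0:1): processing NOTIFY INVALID_PAYLOAD protocol 1 spi 0, message ID = 1338741477, sa = 82F624C8
01:25:44: ISAKMP (0:1): peer does not do paranoid keepalives.
01:25:44: ISAKMP (0:1): deleting SA reason "recevied fatal informational" state (R) MM_KEY_EXCH (peer 10.2.1.3) input queue 0
01:25:44: ISAKMP (0:1): deleting node 1338741477 error FALSE reason "informational (in) state 1"
"""

# "<uptime>: ISAKMP (<sa>): <message>"; the "(<sa>)" part is optional.
LINE_RE = re.compile(r"^(?P<ts>\S+): ISAKMP(?: \((?P<sa>[^)]+)\))?: (?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (?P<old>\S+) New State = (?P<new>\S+)")
PEER_RE = re.compile(r"(?:to|from) (?P<peer>\d+\.\d+\.\d+\.\d+)")

# Message fragments worth surfacing in a cert-based EzVPN failure, with a
# short reading of each (my summaries, not text from the thread).
SIGNATURES = {
    "UNITY's identity FQDN but no group info": "client presented an FQDN identity; no client group could be derived from it",
    "peer matches *none* of the profiles": "no ISAKMP profile / client configuration group matched the peer",
    "NOTIFY INVALID_PAYLOAD": "peer rejected a payload in the exchange",
    "deleting SA reason": "negotiation aborted, SA torn down",
}


@dataclass
class IsakmpSummary:
    peer: Optional[str] = None
    states: List[Tuple[str, str]] = field(default_factory=list)   # (old, new) transitions in order
    findings: List[Tuple[str, str]] = field(default_factory=list)  # (signature, meaning)
    error_input_seen: bool = False  # an IKE_PROCESS_ERROR input was logged

    @property
    def last_state(self) -> Optional[str]:
        return self.states[-1][1] if self.states else None


def summarize_isakmp(debug_text: str) -> IsakmpSummary:
    """Walk the debug lines once and collect peer, state path and failure signatures."""
    summary = IsakmpSummary()
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an ISAKMP debug line (other debugs, prompts, etc.)
        msg = m.group("msg")
        if summary.peer is None:
            pm = PEER_RE.search(msg)
            if pm:
                summary.peer = pm.group("peer")
        sm = STATE_RE.search(msg)
        if sm:
            summary.states.append((sm.group("old"), sm.group("new")))
        if "IKE_PROCESS_ERROR" in msg:
            summary.error_input_seen = True
        for sig, meaning in SIGNATURES.items():
            if sig in msg:
                summary.findings.append((sig, meaning))
    return summary


def negotiation_failed(summary: IsakmpSummary) -> bool:
    """True when the exchange hit an error input or the SA was deleted."""
    return summary.error_input_seen or any(sig == "deleting SA reason" for sig, _ in summary.findings)


def render_report(summary: IsakmpSummary) -> List[str]:
    """Human-readable lines for an operator; returned rather than printed so it can be tested."""
    lines = [f"peer: {summary.peer or 'unknown'}",
             f"state path: {' -> '.join(new for _, new in summary.states) or 'n/a'}",
             f"result: {'FAILED' if negotiation_failed(summary) else 'no failure seen'}"]
    lines += [f"  - {sig}: {meaning}" for sig, meaning in summary.findings]
    return lines


if __name__ == "__main__":
    print("\n".join(render_report(summarize_isakmp(SAMPLE_DEBUG))))
```

On the thread's own debug the report shows the main-mode exchange regressing from IKE_R_MM5 to IKE_R_MM4 after an IKE_PROCESS_ERROR input, with the two group-lookup lines logged before the certificate was even processed; that ordering is the useful clue when comparing a failing cert-based client against one that connects.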
diptanshusingh Sat, 04/21/2007 - 23:32

Hi, I resolved it. Actually I was trying on IOS 12.3, but the feature is supported from 12.4.
