01-14-2008 07:38 PM - edited 02-21-2020 10:20 AM
Hi,
I enabled Local Certificate Authority services on an ASA 5500 running V8.02. The VPN works when I use a pre-shared key to authenticate the client logon, but it doesn't work when I use a certificate.
The following are the ASA 5500 debug log, the VPN client log and the ASA 5500 config. Can someone advise me what's wrong with the config and how to get it to work with the local certificate authority on the ASA 5500? Thank you so much for your help.
Young
ASA 5500 debug log when the IPSec remote client connects to the ASA 5500 using a certificate (through the ASA 5500 local certificate authority)
113019|||Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
713903|||Group = TestRemoteVPN, IP = 99.238.155.113, Error: Unable to remove PeerTblEntry
713902|||Group = TestRemoteVPN, IP = 99.238.155.113, Removing peer from peer table failed, no match!
713050|||Group = TestRemoteVPN, IP = 99.238.155.113, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
713068|||Group = TestRemoteVPN, IP = 99.238.155.113, Received non-routine Notify message: Authentication failed (24)
713068|||Group = TestRemoteVPN, IP = 99.238.155.113, Received non-routine Notify message: Invalid signature (25)
717028|||Certificate chain was successfully validated with warning, revocation status was not checked.
717022|||Certificate was successfully validated. serial number: 02, subject name: cn=test1.
302015|99.238.155.113|ASA5500-WAN-IP-Address|Built inbound UDP connection 826 for WAN:Remote Peer IP Address/2971 to NP Identity Ifc:ASA5500 WAN IP Address/500
01-14-2008 07:46 PM
Remote Client (IPSec) log
Cisco Systems VPN Client Version 5.0.01.0600
10 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
11 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
12 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
13 Sev=Info/4 CERT/0x63600020
Could not load private key - bad password.
14 Sev=Info/4 CERT/0x63600016
Could not load private key for certificate cn=test1 from store Cisco User Certificate.
15 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
16 Sev=Info/4 CM/0x63100002
Begin connection process
17 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
18 Sev=Info/4 CM/0x63100004
Establish secure connection
19 Sev=Info/4 CERT/0x63600015
Cert (cn=test1) verification succeeded.
20 Sev=Info/4 CM/0x63100024
Attempt connection with server "ASA5500-WAN-IP-Address"
21 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with ASA5500-WAN-IP-Address.
22 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
23 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
24 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to ASA5500-WAN-IP-Address
25 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
26 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
27 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = ASA5500-WAN-IP-Address
28 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Frag)) from ASA5500-WAN-IP-Address
29 Sev=Info/5 IKE/0x63000001
Peer supports IKE fragmentation payloads
30 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
01-14-2008 07:47 PM
VPN client log, continued
31 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to ASA5500-WAN-IP-Address
32 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = ASA5500-WAN-IP-Address
33 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?)) from ASA5500-WAN-IP-Address
34 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
35 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
36 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x20000001
37 Sev=Info/4 CERT/0x6360001B
No smart card readers with cards inserted found.
38 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to ASA5500-WAN-IP-Address
39 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to ASA5500-WAN-IP-Address
40 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (FRAG) to ASA5500-WAN-IP-Address
41 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = ASA5500-WAN-IP-Address
42 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from ASA5500-WAN-IP-Address
43 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = ASA5500-WAN-IP-Address
44 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (FRAG) from ASA5500-WAN-IP-Address
45 Sev=Info/5 IKE/0x63000073
All fragments received.
46 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG, VID(dpd)) from ASA5500-WAN-IP-Address
47 Sev=Info/4 CERT/0x6360000E
Discarding ROOT CA cert sent from peer.
48 Sev=Info/5 IKE/0x63000001
Peer supports DPD
49 Sev=Warning/3 IKE/0xE300007C
Failed to verify signature
50 Sev=Warning/2 IKE/0xE300009B
Failed to authenticate peer (Navigator:904)
51 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SIGNATURE) to ASA5500-WAN-IP-Address
52 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:AUTH_FAILED) to ASA5500-WAN-IP-Address
53 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2238)
54 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=0292873115D4BD0C R_Cookie=56CC5F248EB69A07) reason = DEL_REASON_IKE_NEG_FAILED
55 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to ASA5500-WAN-IP-Address
56 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=0292873115D4BD0C R_Cookie=56CC5F248EB69A07) reason = DEL_REASON_IKE_NEG_FAILED
57 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "ASA5500-WAN-IP-Address" because of "DEL_REASON_IKE_NEG_FAILED"
58 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
59 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
60 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
61 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
62 01/14/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
63 01/14/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
64 01/14/08 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
01-14-2008 07:57 PM
ASA 5500 V8.02 Config
ASA Version 8.0(2)
!
hostname asa5500
domain-name Test.com
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address WAN-IP-Address 255.255.255.248
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.50.50 255.255.255.0
!
domain-name Test.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list TestRemoteVPN_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 10.10.40.0 255.255.255.0
ip local pool RemoteVPNIPPool 10.10.40.30-10.10.40.200 mask 255.255.255.0
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 192.168.50.0 255.255.255.0
route WAN 0.0.0.0 0.0.0.0 G/W-IP-Address 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn asa5500
 subject-name CN=asa5500
 keypair LOCAL-CA-SERVER
 no client-types
 crl configure
crypto ca server
 cdp-url http://asa5500.Test.com/+CSCOCA+/asa_ca.crl
 lifetime crl 12
 smtp from-address admin@Test.com
 smtp subject Test VPN Certificate Enrollment Invitation
 publish-crl WAN 80
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
    3082020f 30820178 ..........................
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    308201c0 30820129....................
  quit
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
threat-detection basic-threat
threat-detection statistics access-list
!
service-policy global_policy global
webvpn
 enable WAN
group-policy TestRemoteVPN internal
group-policy TestRemoteVPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TestRemoteVPN_splitTunnelAcl
 default-domain value Test.com
group-policy TestClientlessVPN internal
group-policy TestClientlessVPN attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
username testuser password rODIhpKxinqKRjIF encrypted privilege 0
username testuser attributes
 vpn-group-policy TestRemoteVPN
tunnel-group TestRemoteVPN type remote-access
tunnel-group TestRemoteVPN general-attributes
 address-pool RemoteVPNIPPool
 default-group-policy TestRemoteVPN
tunnel-group TestRemoteVPN ipsec-attributes
 trust-point ASDM_TrustPoint0
tunnel-group TestClientlessVPN type remote-access
tunnel-group TestClientlessVPN general-attributes
 authentication-server-group (WAN) LOCAL
 default-group-policy TestClientlessVPN
 strip-realm
tunnel-group TestClientlessVPN webvpn-attributes
 authentication certificate
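Editor's added example, not code from the original post or from Cisco: a small Python triage script for exactly this kind of rsa-sig Phase 1 failure. It parses the trustpoint, certificate-chain and tunnel-group sections of an ASA config like the one above, plus ASA syslog lines in the "ID|||text" layout used in the post, and lists the certificate facts worth checking before changing anything: which trust-point the tunnel-group presents, whether that trustpoint is self-enrolled or holds a CA certificate in its chain, whether two trustpoints share one keypair (the posted config uses keypair LOCAL-CA-SERVER for both the CA trustpoint and ASDM_TrustPoint0), and the IKEv1 Notify codes the client sent (24 and 25, named per RFC 2408 section 3.14.1). The function names and the sample data are constructed for the example; the sample config and syslog are excerpts of what the post shows.

```python
"""Cross-check an ASA rsa-sig remote-access config against its IKE syslog.
Added example for this thread (not from the post or Cisco). Function names
and sample data are constructed; samples excerpt the posted config/log."""
import re

# IKEv1 Notify message types, RFC 2408 section 3.14.1 (subset).
IKEV1_NOTIFY = {24: "AUTHENTICATION-FAILED", 25: "INVALID-SIGNATURE"}
EMPTY_TP = {"enrollment": None, "keypair": None, "has_ca_cert": False, "has_id_cert": False}

SAMPLE_CONFIG = """\
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn asa5500
 keypair LOCAL-CA-SERVER
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
  quit
tunnel-group TestRemoteVPN ipsec-attributes
 trust-point ASDM_TrustPoint0
"""
SAMPLE_SYSLOG = """\
713068|||Group = TestRemoteVPN, IP = 99.238.155.113, Received non-routine Notify message: Invalid signature (25)
713068|||Group = TestRemoteVPN, IP = 99.238.155.113, Received non-routine Notify message: Authentication failed (24)
"""

def parse_config(config):
    """Return ({trustpoint: facts}, {tunnel-group: trust-point}). ASA indents
    subcommands by one space, so an unindented line always opens a new section."""
    tps, tg_tp, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):                 # top-level command
            section = None
            for kind, pat in (("tp", r"crypto ca trustpoint (\S+)"),
                              ("chain", r"crypto ca certificate chain (\S+)"),
                              ("tg", r"tunnel-group (\S+) ipsec-attributes")):
                m = re.match(pat, line)
                if m:
                    section = (kind, m.group(1))
                    if kind != "tg":
                        tps.setdefault(m.group(1), dict(EMPTY_TP))
            continue
        if section is None:                         # subcommand of a section we ignore
            continue
        kind, name = section
        if kind == "tp" and line.startswith(("enrollment ", "keypair ")):
            key, value = line.split(None, 1)
            tps[name][key] = value
        elif kind == "chain" and line.startswith("certificate ca "):
            tps[name]["has_ca_cert"] = True
        elif kind == "chain" and line.startswith("certificate "):
            tps[name]["has_id_cert"] = True
        elif kind == "tg" and line.startswith("trust-point "):
            tg_tp[name] = line.split(None, 1)[1]
    return tps, tg_tp

def shared_keypairs(tps):
    """Keypairs referenced by more than one trustpoint -> sorted trustpoint names."""
    users = {}
    for name, tp in tps.items():
        if tp["keypair"]:
            users.setdefault(tp["keypair"], []).append(name)
    return {k: sorted(v) for k, v in users.items() if len(v) > 1}

def decode_notifies(syslog):
    """(code, RFC 2408 name) for each 713068 'non-routine Notify' syslog line."""
    out = []
    for line in syslog.splitlines():
        fields = line.split("|")                    # 'ID|||text' or 'ID|src|dst|text'
        m = re.search(r"Notify message: .*\((\d+)\)$", fields[-1])
        if fields[0] == "713068" and m:
            code = int(m.group(1))
            out.append((code, IKEV1_NOTIFY.get(code, "UNKNOWN")))
    return out

def review(config, syslog):
    """Plain-text findings to read before changing the config."""
    tps, tg_tp = parse_config(config)
    findings = []
    for tg, tp_name in tg_tp.items():
        tp = tps.get(tp_name, EMPTY_TP)
        findings.append(f"tunnel-group {tg} uses trust-point {tp_name}: enrollment="
                        f"{tp['enrollment']}, keypair={tp['keypair']}, CA cert in chain={tp['has_ca_cert']}")
        if tp["enrollment"] == "self":
            findings.append(f"{tp_name} is self-signed: peers must trust that exact certificate")
    for kp, names in shared_keypairs(tps).items():
        findings.append(f"keypair {kp} is used by trustpoints {', '.join(names)}")
    for code, name in decode_notifies(syslog):
        findings.append(f"peer sent IKEv1 Notify {code} ({name})")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG, SAMPLE_SYSLOG):
        print("-", finding)
```

Run as-is it reports on the posted excerpt; to check another box, feed parse_config the output of show running-config and decode_notifies the 713068 lines from the syslog buffer.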