ASA5500 VPN Invalid signature/Authentication fail w/ Certificate Authority

kennywu
Level 1

Hi,

I enabled Local Certificate Authority Services on an ASA5500 running V8.02. The VPN works when I use a pre-shared key to authenticate client logon, but it doesn't work when I use a certificate.

The following are the ASA 5500 debug log, the VPN client log and the ASA 5500 config. Can someone advise me what's wrong in the config and how to get it to work with the local certificate authority on the ASA 5500? Thank you so much for your help.

Young

ASA 5500 debug log when the IPSec remote client connects to the ASA5500 using a certificate (through the ASA5500 local certificate authority)

113019|||Group = , Username = , IP = 0.0.0.0, Session disconnected. Session Type: , Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Unknown
713903|||Group = TestRemoteVPN, IP = 99.238.155.113, Error: Unable to remove PeerTblEntry
713902|||Group = TestRemoteVPN, IP = 99.238.155.113, Removing peer from peer table failed, no match!
713050|||Group = TestRemoteVPN, IP = 99.238.155.113, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
713068|||Group = TestRemoteVPN, IP = 99.238.155.113, Received non-routine Notify message: Authentication failed (24)
713068|||Group = TestRemoteVPN, IP = 99.238.155.113, Received non-routine Notify message: Invalid signature (25)
717028|||Certificate chain was successfully validated with warning, revocation status was not checked.
717022|||Certificate was successfully validated. serial number: 02, subject name: cn=test1.
302015|99.238.155.113|ASA5500-WAN-IP-Address|Built inbound UDP connection 826 for WAN:Remote Peer IP Address/2971 to NP Identity Ifc:ASA5500 WAN IP Address/500

3 Replies

kennywu
Level 1

Remote Client (IPSec) log

Cisco Systems VPN Client Version 5.0.01.0600

10 Sev=Info/6 CERT/0x63600027
    Found a Certificate using Serial Hash.
11 Sev=Info/6 CERT/0x63600026
    Attempting to find a Certificate using Serial Hash.
12 Sev=Info/6 CERT/0x63600027
    Found a Certificate using Serial Hash.
13 Sev=Info/4 CERT/0x63600020
    Could not load private key - bad password.
14 Sev=Info/4 CERT/0x63600016
    Could not load private key for certificate cn=test1 from store Cisco User Certificate.
15 Sev=Info/6 CERT/0x63600026
    Attempting to find a Certificate using Serial Hash.
16 Sev=Info/4 CM/0x63100002
    Begin connection process
17 Sev=Info/6 CERT/0x63600027
    Found a Certificate using Serial Hash.
18 Sev=Info/4 CM/0x63100004
    Establish secure connection
19 Sev=Info/4 CERT/0x63600015
    Cert (cn=test1) verification succeeded.
20 Sev=Info/4 CM/0x63100024
    Attempt connection with server "ASA5500-WAN-IP-Address"
21 Sev=Info/6 IKE/0x6300003B
    Attempting to establish a connection with ASA5500-WAN-IP-Address.
22 Sev=Info/6 CERT/0x63600026
    Attempting to find a Certificate using Serial Hash.
23 Sev=Info/6 CERT/0x63600027
    Found a Certificate using Serial Hash.
24 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to ASA5500-WAN-IP-Address
25 Sev=Info/4 IPSEC/0x63700008
    IPSec driver successfully started
26 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
27 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = ASA5500-WAN-IP-Address
28 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (SA, VID(Frag)) from ASA5500-WAN-IP-Address
29 Sev=Info/5 IKE/0x63000001
    Peer supports IKE fragmentation payloads
30 Sev=Info/6 IKE/0x63000001
    IOS Vendor ID Contruction successful

Continue to VPN client log

31 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to ASA5500-WAN-IP-Address
32 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = ASA5500-WAN-IP-Address
33 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?)) from ASA5500-WAN-IP-Address
34 Sev=Info/5 IKE/0x63000001
    Peer is a Cisco-Unity compliant peer
35 Sev=Info/5 IKE/0x63000001
    Peer supports XAUTH
36 Sev=Info/5 IKE/0x63000082
    Received IOS Vendor ID with unknown capabilities flag 0x20000001
37 Sev=Info/4 CERT/0x6360001B
    No smart card readers with cards inserted found.
38 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to ASA5500-WAN-IP-Address
39 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (FRAG) to ASA5500-WAN-IP-Address
40 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (FRAG) to ASA5500-WAN-IP-Address
41 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = ASA5500-WAN-IP-Address
42 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (FRAG) from ASA5500-WAN-IP-Address
43 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = ASA5500-WAN-IP-Address
44 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (FRAG) from ASA5500-WAN-IP-Address
45 Sev=Info/5 IKE/0x63000073
    All fragments received.
46 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG, VID(dpd)) from ASA5500-WAN-IP-Address
47 Sev=Info/4 CERT/0x6360000E
    Discarding ROOT CA cert sent from peer.
48 Sev=Info/5 IKE/0x63000001
    Peer supports DPD
49 Sev=Warning/3 IKE/0xE300007C
    Failed to verify signature
50 Sev=Warning/2 IKE/0xE300009B
    Failed to authenticate peer (Navigator:904)
51 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:INVALID_SIGNATURE) to ASA5500-WAN-IP-Address
52 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:AUTH_FAILED) to ASA5500-WAN-IP-Address
53 Sev=Warning/2 IKE/0xE30000A7
    Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2238)
54 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=0292873115D4BD0C R_Cookie=56CC5F248EB69A07) reason = DEL_REASON_IKE_NEG_FAILED
55 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to ASA5500-WAN-IP-Address
56 Sev=Info/4 IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=0292873115D4BD0C R_Cookie=56CC5F248EB69A07) reason = DEL_REASON_IKE_NEG_FAILED
57 Sev=Info/4 CM/0x63100014
    Unable to establish Phase 1 SA with server "ASA5500-WAN-IP-Address" because of "DEL_REASON_IKE_NEG_FAILED"
58 Sev=Info/5 CM/0x63100025
    Initializing CVPNDrv
59 Sev=Info/6 CM/0x63100046
    Set tunnel established flag in registry to 0.
60 Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection
61 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
62 01/14/08 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
63 01/14/08 Sev=Info/4 IPSEC/0x63700014
    Deleted all keys
64 01/14/08 Sev=Info/4 IPSEC/0x6370000A
    IPSec driver successfully stopped

ASA 5500 V8.02 Config

ASA Version 8.0(2)
!
hostname asa5500
domain-name Test.com
!
interface Ethernet0/0
 nameif WAN
 security-level 0
 ip address WAN-IP-Address 255.255.255.248
!
interface Ethernet0/1
 nameif LAN
 security-level 100
 ip address 192.168.50.50 255.255.255.0
!
domain-name Test.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list TestRemoteVPN_splitTunnelAcl standard permit 192.168.50.0 255.255.255.0
access-list LAN_nat0_outbound extended permit ip 192.168.50.0 255.255.255.0 10.10.40.0 255.255.255.0
ip local pool RemoteVPNIPPool 10.10.40.30-10.10.40.200 mask 255.255.255.0
global (WAN) 1 interface
nat (LAN) 0 access-list LAN_nat0_outbound
nat (LAN) 1 192.168.50.0 255.255.255.0
route WAN 0.0.0.0 0.0.0.0 G/W-IP-Address 1
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map WAN_map interface WAN
crypto ca trustpoint LOCAL-CA-SERVER
 keypair LOCAL-CA-SERVER
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn asa5500
 subject-name CN=asa5500
 keypair LOCAL-CA-SERVER
 no client-types
 crl configure
crypto ca server
 cdp-url http://asa5500.Test.com/+CSCOCA+/asa_ca.crl
 lifetime crl 12
 smtp from-address admin@Test.com
 smtp subject Test VPN Certificate Enrollment Invitation
 publish-crl WAN 80
crypto ca certificate chain LOCAL-CA-SERVER
 certificate ca 01
    3082020f 30820178 ..........................
  quit
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    308201c0 30820129....................
  quit
crypto isakmp enable WAN
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
!
threat-detection basic-threat
threat-detection statistics access-list
!
service-policy global_policy global
webvpn
 enable WAN
group-policy TestRemoteVPN internal
group-policy TestRemoteVPN attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TestRemoteVPN_splitTunnelAcl
 default-domain value Test.com
group-policy TestClientlessVPN internal
group-policy TestClientlessVPN attributes
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
username testuser password rODIhpKxinqKRjIF encrypted privilege 0
username testuser attributes
 vpn-group-policy TestRemoteVPN
tunnel-group TestRemoteVPN type remote-access
tunnel-group TestRemoteVPN general-attributes
 address-pool RemoteVPNIPPool
 default-group-policy TestRemoteVPN
tunnel-group TestRemoteVPN ipsec-attributes
 trust-point ASDM_TrustPoint0
tunnel-group TestClientlessVPN type remote-access
tunnel-group TestClientlessVPN general-attributes
 authentication-server-group (WAN) LOCAL
 default-group-policy TestClientlessVPN
 strip-realm
tunnel-group TestClientlessVPN webvpn-attributes
 authentication certificate
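Added example, not part of the thread: a small Python triage script that pairs the two-line Cisco VPN client entries (header plus message) with their text, pulls out the ASA message IDs that appear in the debug output above (713068, 717022, 717028), and records which side rejected the IKE signature. The sample input is constructed from the thread's messages with documentation IP addresses substituted; the indicator lists are my own selection from the posted logs.

```python
import re

# Client entries are two lines: header "49 Sev=Warning/3 IKE/0xE300007C" (time/date may precede Sev=), then message.
CLIENT_HDR = re.compile(r"^(?P<seq>\d+)\s+(?:\S+\s+)*?Sev=(?P<sev>\w+)/(?P<lvl>\d)\s+(?P<fac>\w+)/0x(?P<code>[0-9A-Fa-f]{8})$")
# ASA syslog as pasted in the thread: "<msgid>|<src>|<dst>|<text>".
ASA_LINE = re.compile(r"^(?P<msgid>\d{6})\|(?P<src>[^|]*)\|(?P<dst>[^|]*)\|(?P<text>.*)$")
# IDs and client messages relevant to certificate authentication (selected from the thread's logs).
ASA_CERT_IDS = {"713068", "717022", "717028"}
CLIENT_FAIL = ("Could not load private key", "Failed to verify signature", "Failed to authenticate peer")

def parse_client_log(text):
    """Pair each client log header with its message line; skip stray text."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries, i = [], 0
    while i < len(lines):
        m = CLIENT_HDR.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append({**m.groupdict(), "msg": lines[i + 1]})
            i += 2
        else:
            i += 1
    return entries

def triage(client_text, asa_text):
    """Collect certificate/IKE failure indicators from both sides. ASA 713068
    'Received non-routine Notify' was sent by the client, so 'Invalid signature'
    there means the client rejected the ASA's IKE signature, not the reverse."""
    out = {"client": [], "asa": [], "verdict": []}
    for e in parse_client_log(client_text):
        if e["sev"] == "Warning" or e["msg"].startswith(CLIENT_FAIL):
            out["client"].append(f'{e["fac"]}/0x{e["code"]}: {e["msg"]}')
    for raw in asa_text.splitlines():
        m = ASA_LINE.match(raw.strip())
        if m and m["msgid"] in ASA_CERT_IDS:
            out["asa"].append(f'{m["msgid"]}: {m["text"]}')
    if any(a.startswith("713068") and "Invalid signature" in a for a in out["asa"]):
        out["verdict"].append("client rejected the ASA's IKE signature")
    if any("Could not load private key" in c for c in out["client"]):
        out["verdict"].append("client could not load its own private key")
    return out

SAMPLE_CLIENT = """13 Sev=Info/4 CERT/0x63600020
Could not load private key - bad password.
Continue to VPN client log
49 Sev=Warning/3 IKE/0xE300007C
Failed to verify signature
62 01/14/08 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
"""  # constructed sample modelled on the thread's client log
SAMPLE_ASA = """717022|||Certificate was successfully validated. serial number: 02, subject name: cn=test1.
713068|||Group = TestRemoteVPN, IP = 192.0.2.10, Received non-routine Notify message: Invalid signature (25)
302015|192.0.2.10|203.0.113.1|Built inbound UDP connection 826
"""  # constructed sample modelled on the thread's ASA log, documentation IPs
```

Run `triage(SAMPLE_CLIENT, SAMPLE_ASA)` to get the per-side findings and the verdict list; the same call works on a full client log file and an ASDM syslog export.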