Pix 8.0(3) + MS Certificate + L2TP = Problem

Jan 16th, 2008


I have a problem with VPN configuration of our PIX Firewall.

We use this configuration:

PIX 515E (3 interfaces) running the latest 8.0(3) firmware.

We are using an L2TP IPSec VPN with certificates from our Microsoft CA and using the native Windows XP client. This setup was running O.K. with the old firmware (6.x), but after upgrading our PIX to 8.0(3) the VPN clients cannot connect anymore. We tried to debug our configuration and found the following errors:

5|Jan 11 2008|09:22:46|713904|||Group = DefaultRAGroup, IP =, Peer Certificate authentication failed: General Error

3|Jan 11 2008|09:22:46|717027|||Certificate chain failed validation. Certificate chain is either invalid or not authorized.

3|Jan 11 2008|09:22:46|717009|||Certificate validation failed. Peer certificate key usage is invalid, serial number: 13780BA600000000027B, subject name: ea=[email protected],cn=Aleš Hybner,ou=UIT,o=SVAS,l=Kladno,st=Kladno,c=CR.

Can anybody help?

Thanks Jan

amritpatek Tue, 01/22/2008 - 10:25

The cert in your case may not be an acceptable one. You can configure the PIX to bypass key usage verification by configuring:

crypto ca trustpoint
The reason is that pre-8.0 code did not enforce the key usages, so it worked fine, but with 8.0 it is enforced; ignore-ipsec-keyusage reverts this back to no checking, as in the pre-8.0 codebase.
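As an added example (not code from this thread, from Cisco, or from any poster): a small decoder for the X.509 KeyUsage extension that shows what the "Peer certificate key usage is invalid" message is about, so a defender can inspect the client certificate and fix the CA template instead of turning the check off with ignore-ipsec-keyusage. The DER byte strings below are constructed samples; the acceptance rule (digitalSignature or nonRepudiation must be set when a KeyUsage extension is present) follows the RFC 4945 certificate profile for IKE and is an assumption about what the PIX 8.0 check enforces, not something stated in the thread.

```python
"""Decode an X.509 KeyUsage extension value (a DER BIT STRING) and judge
whether the certificate is usable for IKE signature authentication.

Added example for the PIX 8.0(3) L2TP/IPsec thread; the byte strings are
constructed and the acceptance rule is modelled on RFC 4945 (assumption)."""

# Bit positions defined in RFC 5280 section 4.2.1.3
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage names set in a DER-encoded BIT STRING.

    Only the short-form length (< 128 bytes) is handled, which is always the
    case for KeyUsage (the value is at most two bytes of bits)."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent DER length")
    unused = der[2]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # Bit 0 is the most significant bit of the first byte
        if body[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def usable_for_ike_signature(usages: set) -> bool:
    """RFC 4945-style rule (assumption about the PIX check): a certificate
    whose KeyUsage lacks both digitalSignature and nonRepudiation must not
    be used to authenticate an IKE peer with a signature."""
    return "digitalSignature" in usages or "nonRepudiation" in usages


def explain(der: bytes) -> str:
    """Human-readable verdict for a KeyUsage extension value."""
    usages = decode_key_usage(der)
    verdict = "OK for IKE" if usable_for_ike_signature(usages) else "REJECT"
    return f"{verdict}: {sorted(usages)}"


# Constructed samples, not real certificate data:
#   03 02 05 20 -> keyEncipherment only (typical "encryption only" template)
#   03 02 05 A0 -> digitalSignature + keyEncipherment (typical user/computer cert)
SAMPLE_ENCRYPT_ONLY = bytes.fromhex("03020520")
SAMPLE_SIGN_AND_ENCRYPT = bytes.fromhex("030205a0")

if __name__ == "__main__":
    for label, der in (("encrypt-only", SAMPLE_ENCRYPT_ONLY),
                       ("sign+encrypt", SAMPLE_SIGN_AND_ENCRYPT)):
        print(f"{label:13s} {explain(der)}")
```

Feeding the KeyUsage bytes from the failing client certificate (extracted with any certificate viewer) to decode_key_usage tells you whether the Microsoft CA template issued a signing-capable certificate; if it did not, re-issuing from a template that sets digitalSignature keeps the 8.0 validation in place rather than disabling it.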

attrib7575 Thu, 03/20/2008 - 14:20

Would you mind revealing your configuration for L2tp with Microsoft CA certificates and XP clients? I've been trying to do that to no avail.

tigurius Fri, 03/21/2008 - 01:59

No problem. I deleted the IP addresses and changed domain names. I did most of the config using the WWW interface; later I did some fine-tuning with the command line. If you need further help, just ask.

attrib7575 Fri, 03/21/2008 - 06:34

Very nice of you, thanks! Although it looks like I've done the same things. I can get a W2K client L2TP VPN to work, but not an XP one. Don't know why.

attrib7575 Fri, 03/21/2008 - 06:37

Although I do see some commands that I'm not sure of. Crypto map? Ipsec transform-set?

I'll have to look these up. Not too familiar with IOS. I thought it was just a matter of letting through 1701, ISAKMP, ESP, 4500.

tigurius Fri, 03/21/2008 - 14:02

I am a bit confused. Are you trying to make an L2TP connection to the PIX or through the PIX to another server? If you want to connect with L2TP to the PIX, these commands are necessary.

attrib7575 Mon, 03/24/2008 - 07:41

OK, sorry about the confusion. I'm trying to permit L2TP THROUGH the PIX to a Windows 2K3 server, which is a CA, using the Microsoft native client on an XP Pro SP2 machine and certificate authentication. There is a static NAT entry from the outside IP address on the PIX to the inside address of the server. I wonder if this is not part of the problem. When I run a trace of the connection attempt, the ISAKMP never gets past the negotiation stage, and the request times out. The debug commands don't show anything either.

Thanks again
