Pix 8.0(3) + MS Certificate + L2TP = Problem

tigurius
Level 1

Hello,

I have a problem with VPN configuration of our PIX Firewall.

We use this configuration:

PIX 515E (3 interfaces) running the latest 8.0(3) firmware.

We are using an L2TP IPSec VPN with certificates from our Microsoft CA and using the native Windows XP client. This setup was running O.K. with the old firmware (6.x), but after upgrading our PIX to 8.0(3) the VPN clients cannot connect anymore. We tried to debug our configuration and found the following errors:

5|Jan 11 2008|09:22:46|713904|||Group = DefaultRAGroup, IP = 85.160.26.229, Peer Certificate authentication failed: General Error

3|Jan 11 2008|09:22:46|717027|||Certificate chain failed validation. Certificate chain is either invalid or not authorized.

3|Jan 11 2008|09:22:46|717009|||Certificate validation failed. Peer certificate key usage is invalid, serial number: 13780BA600000000027B, subject name: ea=ales.hybner@svas.cz,cn=Aleš Hybner,ou=UIT,o=SVAS,l=Kladno,st=Kladno,c=CR.

Can anybody help?

Thanks, Jan
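As an added example (not part of the original post), a small Python parser for the pipe-delimited PIX syslog lines quoted above: it pulls the 717009 "key usage is invalid" events together with the tunnel group and peer IP from the 713904 line logged in the same second, so an administrator can see which certificates and clients a key-usage-enforcing firmware will reject before deciding how to fix the certificates. The sample log is copied from the post; the field layout (severity|date|time|message-id|||text) is assumed from those three lines.

```python
import re
from dataclasses import dataclass

# Sample taken from the log lines quoted in the post (severity|date|time|msgid|||text).
SAMPLE_LOG = """\
5|Jan 11 2008|09:22:46|713904|||Group = DefaultRAGroup, IP = 85.160.26.229, Peer Certificate authentication failed: General Error
3|Jan 11 2008|09:22:46|717027|||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
3|Jan 11 2008|09:22:46|717009|||Certificate validation failed. Peer certificate key usage is invalid, serial number: 13780BA600000000027B, subject name: ea=ales.hybner@svas.cz,cn=Aleš Hybner,ou=UIT,o=SVAS,l=Kladno,st=Kladno,c=CR.
"""

@dataclass
class PixEvent:
    severity: int   # PIX syslog level (3 = error, 5 = notification)
    timestamp: str
    msg_id: str     # six-digit message id, e.g. 717009
    text: str

LINE_RE = re.compile(r"^(\d)\|([^|]+)\|([^|]+)\|(\d{6})\|\|\|(.*)$")
PEER_RE = re.compile(r"Group = ([^,]+), IP = ([\d.]+)")
KEYUSAGE_RE = re.compile(r"serial number: ([0-9A-Fa-f]+), subject name: (.+?)\.?$")

def parse_line(line):
    """Split one pipe-delimited PIX line into its fields; None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev, date, time_, msg_id, text = m.groups()
    return PixEvent(int(sev), f"{date} {time_}", msg_id, text)

def triage(log_text):
    """Return one record per certificate key-usage failure (717009), joined to
    the tunnel group / peer IP carried by the 713904 event with the same timestamp."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    peers = {}
    for e in events:
        if e.msg_id == "713904":
            m = PEER_RE.search(e.text)
            if m:
                peers[e.timestamp] = {"group": m.group(1), "ip": m.group(2)}
    findings = []
    for e in events:
        m = KEYUSAGE_RE.search(e.text) if e.msg_id == "717009" else None
        if m:
            findings.append({"timestamp": e.timestamp, "serial": m.group(1).upper(),
                             "subject": m.group(2), "peer": peers.get(e.timestamp)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```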

8 Replies

amritpatek
Level 6

The cert in your case may not be an acceptable one. You can configure PIX to bypass keyusage verification by configuring:

crypto ca trustpoint

ignore-ipsec-keyusage

The reason is that pre-8.0 code did not enforce the key usages, so it worked fine, but with 8.0 it is enforced, so ignore-ipsec-keyusage reverts this back to no checking as in the pre-8.0 codebase.

Now it works, thank you very much for your help.

attrib7575
Level 1

Would you mind revealing your configuration for L2TP with Microsoft CA certificates and XP clients? I've been trying to do that to no avail.

No problem. I deleted the IP addresses and changed domain names. I did most of the config using the WWW interface; later I did some fine-tuning with the command line. If you need further help, just ask.

Very nice of you, thanks! Although it looks like I've done the same things. I can get a W2k client L2TP VPN to work, but not an XP. Don't know why.

Although I do see some commands that I'm not sure of. Crypto map? Ipsec transform-set?

I'll have to look these up. Not too familiar with IOS. I thought it was just a matter of letting through 1701, isakmp, esp, 4500.

I am a bit confused. Are you trying to make an L2TP connection to the PIX or through the PIX to another server? If you want to connect with L2TP to the PIX, these commands are necessary.

OK, sorry about the confusion. I'm trying to permit L2TP THROUGH the PIX to a Windows 2K3 server, which is a CA, using the Microsoft native client on an XP Pro SP2 machine and certificate authentication. There is a static NAT entry from the outside IP address on the PIX to the inside address of the server. I wonder if this is not part of the problem. When I run a trace of the connection attempt, the ISAKMP never gets past the negotiation stage, and the request times out. The debug commands don't show anything either.

Thanks again
