Remote VPN With Microsoft CA issue

blackhat2020
Level 1

Hi, I have a problem connecting to the ASA with the Cisco VPN Client. This is my scenario:

ASA
  inside address: 15.15.15.1
  client is connected to the inside interface (Ethernet1)

Client
  ip address: 15.15.15.2

I'm using a Microsoft CA to create certificates for the ASA and my client. I have the CA root certificate on my ASA and the ASA's certificate signed by the CA. This is my ASA configuration:

ASA:

interface Ethernet1
 nameif inside
 security-level 100
 ip address 15.15.15.1 255.255.255.0
!
interface Ethernet2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet4
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd xxx
ftp mode passive
access-list tr1 extended permit ip 15.15.15.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list tr2 extended permit ip 15.15.15.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list ping extended permit icmp any any
pager lines 24
mtu inside 1500
ip local pool vpn 17.17.17.2-17.17.17.10
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list tr1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ipsec esp-3des esp-md5-hmac
crypto dynamic-map dy 1 set transform-set ipsec
crypto map cry 1 ipsec-isakmp dynamic dy
crypto map cry interface inside
crypto ca trustpoint CA1
 revocation-check crl none
 enrollment url http://15.15.15.10:80/certsrv/mscep/mscep.dll
 subject-name CN=ASA
 keypair my.ca
 crl configure
crypto ca certificate chain CA1
 certificate xxx
 quit
 certificate xxx
 quit
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 1
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy sevan internal
username sevan password xxx encrypted privilege 15
username sevan attributes
 group-lock value DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point CA1
prompt hostname context
Cryptochecksum:xxx
: end

The user with username sevan will connect to the ASA, so I have the CA root certificate and a certificate with CN=sevan in my Cisco VPN Client. When I try to connect to the ASA nothing happens, and I get this debug message on the ASA:

3 Replies

blackhat2020
Level 1

Debug Message:

Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing ID payload
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing cert payload
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing cert request payload
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing RSA signature
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, Computing hash for ISAKMP
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing notify payload
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via OU...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, No Group found by matching OU(s) from ID payload: Unknown
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via IKE ID...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, No Group found by matching OU(s) from ID payload: Unknown
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via IP ADDR...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via default group...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Connection landed on tunnel_group DefaultRAGroup
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, peer ID type 9 received (DER_ASN1_DN)
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing ID payload
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing cert payload
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing RSA signature
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, Computing hash for ISAKMP
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing dpd vid payload
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR (13) + NONE (0) total length : 1118
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, IKE_DECODE RECEIVED Message (msgid=650d4596) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, processing hash payload
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, processing delete
Oct 18 12:13:42 [IKEv1]: Group = DefaultRAGroup, IP = 15.15.15.2, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, IKE SA MM:4bbf0716 terminating: flags 0x0105c802, refcnt 0, tuncnt 0
Oct 18 12:13:42 [IKEv1]: Group = DefaultRAGroup, IP = 15.15.15.2, Removing peer from peer table failed, no match!
Oct 18 12:13:42 [IKEv1]: Group = DefaultRAGroup, IP = 15.15.15.2, Error: Unable to remove PeerTblEntry

Hi. I found the problem myself, so I'll share it with you... There were two problems: 1 - I didn't configure OU and O in my certificates; 2 - my ISAKMP identity was address.

Here is the guide:

**1** By default, the Cisco ASA binds the client connection to a specific group using the OU value. However, you can use any DN certificate information to associate the client to a respective group.

**2** Usually, the IP address identity is used for preshared key authentication. The keyword hostname is generally used for certificate-based connections. The auto keyword automatically determines the ISAKMP identity. This is recommended if you have a combination of some IPSec tunnels using preshared keys and others using certificates for authentication.
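As an added example (not the poster's configuration and not from Cisco's documentation), here is the before/after of the two settings the answer points at, in ASA 7.x/8.x CLI syntax. It also shows the explicit DN-to-tunnel-group mapping the guide mentions instead of relying on the implicit OU lookup that failed in the debug above ("No Group found by matching OU(s)"). The map name VPN-CERT-MAP, the OU value vpnusers and the CA common name MyCorp-CA are assumed placeholders; the client certificate issued to sevan by the Microsoft CA has to carry the same OU and issuer for the rule to match.

```cisco
! --- Before (from the posted config): identity is the interface IP address.
! For RSA-SIG peers the ASA then cannot match the client on its certificate
! DN, and the connection falls through to DefaultRAGroup.
crypto isakmp identity address

! --- After: let the ASA pick the identity per authentication method
! (certificate DN/hostname for rsa-sig, address for preshared keys).
crypto isakmp identity auto

! --- Map client certificates to a tunnel group by DN attributes.
! Assumed values: OU=vpnusers in the client cert, CA CN=MyCorp-CA as issuer.
crypto ca certificate map VPN-CERT-MAP 10
 subject-name attr ou eq vpnusers
 issuer-name attr cn eq MyCorp-CA

! Enable rule-based group selection and bind the map to the group.
tunnel-group-map enable rules
tunnel-group-map VPN-CERT-MAP 10 DefaultRAGroup

! --- Caveat on the posted trustpoint: "revocation-check crl none" means a
! certificate revoked at the Microsoft CA is still accepted. Once the CA's
! CRL distribution point is reachable from the ASA, enforce the check:
crypto ca trustpoint CA1
 revocation-check crl

! --- Verify after a connection attempt:
! show crypto isakmp sa
! show vpn-sessiondb remote
```

With the map in place, a client whose certificate lacks the expected OU is no longer silently dropped into the default group; it simply fails to match, which is easier to spot in "debug crypto isakmp" output than the "Connection landed on tunnel_group DefaultRAGroup" line followed by a peer-initiated DELETE.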

Hey BH2020. I just wanted to say THANKS!! for answering your own question. I have been bashing my head in for about 1 month with cert authentication for vpnclient and sslvpn. I wish TAC documentation was remotely as clear as yours.
