10-18-2008 01:27 AM
Hi, I have a problem connecting to the ASA with the Cisco VPN Client. This is my scenario:
ASA: inside address 15.15.15.1; the client is connected to the inside interface (Ethernet1).
Client: IP address 15.15.15.2
I'm using Microsoft CA to create certificates for the ASA and my client. I have the CA root certificate on my ASA and the ASA's certificate signed by the CA. This is my ASA configuration:
interface Ethernet1
nameif inside
security-level 100
ip address 15.15.15.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
access-list tr1 extended permit ip 15.15.15.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list tr2 extended permit ip 15.15.15.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list ping extended permit icmp any any
pager lines 24
mtu inside 1500
ip local pool vpn 17.17.17.2-17.17.17.10
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list tr1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ipsec esp-3des esp-md5-hmac
crypto dynamic-map dy 1 set transform-set ipsec
crypto map cry 1 ipsec-isakmp dynamic dy
crypto map cry interface inside
crypto ca trustpoint CA1
revocation-check crl none
enrollment url http://15.15.15.10:80/certsrv/mscep/mscep.dll
subject-name CN=ASA
keypair my.ca
crl configure
crypto ca certificate chain CA1
certificate xxx
quit
certificate xxx
quit
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 1
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy sevan internal
username sevan password xxx encrypted privilege 15
username sevan attributes
group-lock value DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool vpn
tunnel-group DefaultRAGroup ipsec-attributes
trust-point CA1
prompt hostname context
Cryptochecksum:xxx
: end
The user with username sevan will connect to the ASA, so I have the CA root certificate and a certificate with CN=sevan in my Cisco VPN Client. When I try to connect to the ASA nothing happens and I get this debug message on the ASA:
10-18-2008 01:29 AM
Debug Message:
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing ID payload
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing cert payload
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing cert request payload
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing RSA signature
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, Computing hash for ISAKMP
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing notify payload
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via OU...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, No Group found by matching OU(s) from ID payload: Unknown
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via IKE ID...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, No Group found by matching OU(s) from ID payload: Unknown
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via IP ADDR...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via default group...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Connection landed on tunnel_group DefaultRAGroup
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, peer ID type 9 received (DER_ASN1_DN)
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing ID payload
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing cert payload
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing RSA signature
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, Computing hash for ISAKMP
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing dpd vid payload
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR (13) + NONE (0) total length : 1118
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, IKE_DECODE RECEIVED Message (msgid=650d4596) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, processing hash payload
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, processing delete
Oct 18 12:13:42 [IKEv1]: Group = DefaultRAGroup, IP = 15.15.15.2, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, IKE SA MM:4bbf0716 terminating: flags 0x0105c802, refcnt 0, tuncnt 0
Oct 18 12:13:42 [IKEv1]: Group = DefaultRAGroup, IP = 15.15.15.2, Removing peer from peer table failed, no match!
Oct 18 12:13:42 [IKEv1]: Group = DefaultRAGroup, IP = 15.15.15.2, Error: Unable to remove PeerTblEntry
10-21-2008 05:25 AM
Hi. I found the problem myself, so I'll share it with you... There were two problems: 1. I hadn't configured OU and O in my certificates. 2. My ISAKMP identity was address.
Here is the guide:
**1** By default, the Cisco ASA binds the client connection to a specific group using the OU value. However, you can use any DN certificate information to associate the client to a respective group.
**2** Usually, the IP address identity is used for preshared key authentication. The keyword hostname is generally used for certificate-based connections. The auto keyword automatically determines the ISAKMP identity. This is recommended if you have a combination of some IPSec tunnels using preshared keys and others using certificates for authentication.
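The lookup order visible in the debug output above (OU, then IKE ID, then peer IP, then the default group) and the two fixes from this answer can be walked through offline. The following Python script is an added illustration, not code from the thread or from Cisco: it models the group selection in simplified form (the exact ASA matching rules are an assumption), embeds a trimmed, constructed copy of the posted configuration, and flags the rsa-sig/identity-address mismatch. The built-in group DefaultL2LGroup and the constructed tunnel-group "sevan" are assumptions for the example.

```python
"""Walk through the ASA tunnel-group lookup order seen in the debug output
(OU -> IKE ID -> peer IP -> default group) for a given client certificate DN,
and flag the ISAKMP identity problem from the thread.

Added illustration: this models the behaviour described in the thread; it is
not ASA code, and the match rules are a simplification (assumption)."""
import re
from typing import List, Optional, Tuple

# Constructed, trimmed copy of the relevant lines from the posted configuration.
POSTED_CONFIG = """\
crypto isakmp identity address
crypto isakmp policy 1
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
tunnel-group DefaultRAGroup general-attributes
 address-pool vpn
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point CA1
"""

# Same fragment with the two fixes from the answer: identity no longer 'address',
# plus a named tunnel-group the certificate's OU can point at (constructed).
FIXED_CONFIG = POSTED_CONFIG.replace(
    "crypto isakmp identity address", "crypto isakmp identity auto"
) + "tunnel-group sevan type ipsec-ra\n"

# Groups present even when not shown in the config (DefaultL2LGroup is an assumption;
# DefaultRAGroup appears in the posted config and in the debug output).
BUILTIN_GROUPS = {"DefaultRAGroup", "DefaultL2LGroup"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514-style DN such as 'CN=sevan,OU=sevan,O=Example' into
    (attribute, value) pairs; a comma escaped with a backslash stays in the value."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        if attr.strip():
            pairs.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return pairs


def configured_groups(config: str) -> set:
    """Collect tunnel-group names declared in the config plus the built-in ones."""
    groups = set(BUILTIN_GROUPS)
    for m in re.finditer(r"^\s*tunnel-group (\S+) ", config, re.M):
        groups.add(m.group(1))
    return groups


def select_group(subject_dn: str, ike_id: str, peer_ip: str, config: str) -> Tuple[str, str]:
    """Return (tunnel-group, how it was found) in the order the debug shows:
    OU values from the certificate subject, then the IKE ID, then the peer IP,
    then the default remote-access group."""
    groups = configured_groups(config)
    for attr, value in parse_dn(subject_dn):
        if attr == "OU" and value in groups:
            return value, "OU"
    if ike_id in groups:
        return ike_id, "IKE ID"
    if peer_ip in groups:          # only L2L groups are named after a peer address
        return peer_ip, "IP ADDR"
    return "DefaultRAGroup", "default group"


def isakmp_identity_issue(config: str) -> Optional[str]:
    """Flag the second problem from the thread: a policy that authenticates with
    rsa-sig while the ISAKMP identity is explicitly set to 'address'."""
    uses_rsa_sig = re.search(r"^\s*authentication rsa-sig\b", config, re.M) is not None
    m = re.search(r"^\s*crypto isakmp identity (\S+)", config, re.M)
    identity = m.group(1) if m else None
    if uses_rsa_sig and identity == "address":
        return ("rsa-sig authentication with 'crypto isakmp identity address'; "
                "use 'hostname' or 'auto' for certificate-based peers")
    return None


if __name__ == "__main__":
    # The original client certificate carried only CN=sevan: no OU, so the
    # connection falls through to the default group, as the debug output shows.
    print(select_group("CN=sevan", "CN=sevan", "15.15.15.2", POSTED_CONFIG))
    # With OU=sevan in the certificate and a matching tunnel-group, the OU wins.
    print(select_group("CN=sevan,OU=sevan,O=Example", "CN=sevan", "15.15.15.2", FIXED_CONFIG))
    print(isakmp_identity_issue(POSTED_CONFIG))   # flagged
    print(isakmp_identity_issue(FIXED_CONFIG))    # None
```

Running the script shows why the debug ends on "Connection landed on tunnel_group DefaultRAGroup": with no OU in the subject, nothing earlier in the order can match. Note that an OU only selects a group if a tunnel-group of that exact name exists; an OU the ASA has never heard of still lands on the default group.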
04-07-2010 08:14 PM
Hey BH2020. I just wanted to say THANKS!! for answering your own question. I have been bashing my head in for about 1 month with cert authentication for vpnclient and sslvpn. I wish TAC documentation was remotely as clear as yours.