10-18-2008 01:27 AM
Hi, I have a problem connecting to the ASA with the Cisco VPN Client. This is my scenario:
ASA
inside address: 15.15.15.1
client is connected to the inside interface (Ethernet1)
Client
ip address: 15.15.15.2
I'm using Microsoft CA to create certificates for the ASA and my client. I have the CA root certificate and the ASA's CA-signed certificate on the ASA. This is my ASA configuration:
interface Ethernet1
nameif inside
security-level 100
ip address 15.15.15.1 255.255.255.0
!
interface Ethernet2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet4
shutdown
no nameif
no security-level
no ip address
!
passwd xxx
ftp mode passive
access-list tr1 extended permit ip 15.15.15.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list tr2 extended permit ip 15.15.15.0 255.255.255.0 17.17.17.0 255.255.255.0
access-list ping extended permit icmp any any
pager lines 24
mtu inside 1500
ip local pool vpn 17.17.17.2-17.17.17.10
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list tr1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ipsec esp-3des esp-md5-hmac
crypto dynamic-map dy 1 set transform-set ipsec
crypto map cry 1 ipsec-isakmp dynamic dy
crypto map cry interface inside
crypto ca trustpoint CA1
revocation-check crl none
enrollment url http://15.15.15.10:80/certsrv/mscep/mscep.dll
subject-name CN=ASA
keypair my.ca
crl configure
crypto ca certificate chain CA1
certificate xxx
quit
certificate xxx
quit
crypto isakmp identity address
crypto isakmp enable inside
crypto isakmp policy 1
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
!
!
group-policy sevan internal
username sevan password xxx encrypted privilege 15
username sevan attributes
group-lock value DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool vpn
tunnel-group DefaultRAGroup ipsec-attributes
trust-point CA1
prompt hostname context
Cryptochecksum:xxx
: end
The user with username sevan will connect to the ASA, so I have the CA root certificate and a certificate with CN=sevan in my Cisco VPN Client. When I try to connect to the ASA nothing happens, and I get this debug message on the ASA:
10-18-2008 01:29 AM
Debug Message:
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing ID payload
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing cert payload
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing cert request payload
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing RSA signature
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, Computing hash for ISAKMP
Oct 18 12:13:42 [IKEv1 DEBUG]: IP = 15.15.15.2, processing notify payload
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via OU...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, No Group found by matching OU(s) from ID payload: Unknown
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via IKE ID...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, No Group found by matching OU(s) from ID payload: Unknown
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via IP ADDR...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Trying to find group via default group...
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, Connection landed on tunnel_group DefaultRAGroup
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, peer ID type 9 received (DER_ASN1_DN)
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing ID payload
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing cert payload
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing RSA signature
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, Computing hash for ISAKMP
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, constructing dpd vid payload
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR (13) + NONE (0) total length : 1118
Oct 18 12:13:42 [IKEv1]: IP = 15.15.15.2, IKE_DECODE RECEIVED Message (msgid=650d4596) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, processing hash payload
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, processing delete
Oct 18 12:13:42 [IKEv1]: Group = DefaultRAGroup, IP = 15.15.15.2, Connection terminated for peer . Reason: Peer Terminate Remote Proxy N/A, Local Proxy N/A
Oct 18 12:13:42 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 15.15.15.2, IKE SA MM:4bbf0716 terminating: flags 0x0105c802, refcnt 0, tuncnt 0
Oct 18 12:13:42 [IKEv1]: Group = DefaultRAGroup, IP = 15.15.15.2, Removing peer from peer table failed, no match!
Oct 18 12:13:42 [IKEv1]: Group = DefaultRAGroup, IP = 15.15.15.2, Error: Unable to remove PeerTblEntry
10-21-2008 05:25 AM
Hi. I found the problem myself, so I'll share it with you... There were two problems: 1. I didn't configure OU and O in my certificates. 2. My ISAKMP identity was address.
Here is the guide:
**1** By default, the Cisco ASA binds the client connection to a specific group using the OU value. However, you can use any DN certificate information to associate the client to a respective group.
**2** Usually, the IP address identity is used for preshared key authentication. The keyword hostname is generally used for certificate-based connections. The auto keyword automatically determines the ISAKMP identity. This is recommended if you have a combination of some IPSec tunnels using preshared keys and others using certificates for authentication.
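As an added illustration (not code from the thread or from Cisco), the small Python model below walks the same group-selection order the debug output shows (OU from the certificate DN, then IKE ID, then peer IP, then the default group), using the poster's CN=sevan certificate as constructed sample input; the function names, the group set and the group-lock helper are assumptions of the model.

```python
import re

# Added model of the tunnel-group lookup order visible in the ASA debug:
# OU -> IKE ID -> peer IP address -> default group. Names, the group set
# and the sample DNs are constructed for illustration; this is not ASA code.

def parse_dn(dn):
    """Split a subject DN such as 'CN=sevan,OU=vpn,O=lab' into {ATTR: [values]}."""
    attrs = {}
    for part in re.split(r"\s*,\s*", dn.strip()):
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs

def select_tunnel_group(subject_dn, ike_id, peer_ip, tunnel_groups,
                        default_group="DefaultRAGroup"):
    """Return (group, method, trace) for a client presenting subject_dn.

    ike_id is the identity the client sent: an IP string when the peer uses
    'isakmp identity address', an FQDN string when it uses 'hostname'.
    """
    trace = []
    attrs = parse_dn(subject_dn)
    for ou in attrs.get("OU", []):                # 1. OU value(s) from the cert DN
        if ou in tunnel_groups:
            return ou, "OU", trace
    trace.append("No Group found by matching OU(s) from ID payload")
    if ike_id in tunnel_groups:                   # 2. IKE ID (only a hostname can match)
        return ike_id, "IKE ID", trace
    trace.append("No Group found via IKE ID")
    if peer_ip in tunnel_groups:                  # 3. peer IP named as a tunnel-group
        return peer_ip, "IP ADDR", trace
    trace.append("No Group found via IP ADDR")
    return default_group, "default group", trace  # 4. fall back to the default group

def group_lock_ok(user_lock, landed_group):
    """Mirror 'group-lock value X' under a username: the user may only land on X."""
    return user_lock is None or user_lock == landed_group

if __name__ == "__main__":
    groups = {"DefaultRAGroup", "sevan-vpn"}
    # Poster's original situation: no OU in the certificate, address identity.
    print(select_tunnel_group("CN=sevan", "15.15.15.2", "15.15.15.2", groups))
    # After adding OU=sevan-vpn (and O) to the client certificate.
    print(select_tunnel_group("CN=sevan,OU=sevan-vpn,O=lab", "15.15.15.2",
                              "15.15.15.2", groups))
```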
04-07-2010 08:14 PM
Hey BH2020. I just wanted to say THANKS!! for answering your own question. I have been bashing my head in for about 1 month with cert authentication for vpnclient and sslvpn. I wish TAC documentation was remotely as clear as yours.