04-11-2009 07:28 AM
Hi,
I have a PIX on which I have successfully configured remote VPN with pre-shared key authentication. Now, due to security concerns, I need to implement the remote VPN with certificate authentication.
I installed a Windows 2003 CA server and configured the PIX accordingly. I even got the certificate enrolled in my PIX. Now I generated a certificate for a user, and when I try to connect after importing the certificate into the VPN client, I see the following error:
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt:500
VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt:500
VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0
ISAKMP: larval sa found
Please guide me on this. I am not sure whether this is an error in my PIX configuration or in my certificate server.
04-13-2009 07:09 AM
Can you post your pix config along with the "show crypto ca cert" from it?
04-14-2009 06:04 AM
Here is my config:
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
hostname pixfirewall
domain-name example.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside aa.bb.cc.210 255.255.255.224
ip address inside x.y.z..100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool testpool x.y.z.101-x.y.z.103
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 aa.bb.cc.193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 8 set transform-set myset
crypto map mymap 8 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
vpngroup corpit address-pool testpool
vpngroup corpit dns-server x.y.z.5
vpngroup corpit split-tunnel 101
vpngroup corpit idle-time 1800
ca identity corpit x.y.z..70:/certsrv/mscep/mscep.dll
ca configure corpit ra 1 20 crloptional
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:fb499613d4493e07e34d4b6a63818c45
: end
Here is my sh cry ca cert output:
pixfirewall(config)# sh cry ca cert
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 61319878000000000005
Key Usage: Encryption
EA = ribin.jones@rm.oom
CN = IT
OU = MIS
O = RM
L = TVM
ST = KL
C = IN
Validity Date:
start date: 18:48:30 UTC Apr 10 2009
end date: 18:48:30 UTC Apr 10 2011
CA Certificate
Status: Available
Certificate Serial Number: 3187a8df8a126e924f648a37f9be703f
Key Usage: Signature
CN = corpit
DC = revenuemed
DC = net
Validity Date:
start date: 17:49:06 UTC Apr 10 2009
RA Signature Certificate
Status: Available
Certificate Serial Number: 61319607000000000004
Key Usage: Signature
EA = ribin.jones@rm.com
CN = IT
OU = MIS
O = Revenuemed
L = Trivandrum
ST = Kerala
C = IN
Validity Date:
start date: 18:48:30 UTC Apr 10 2009
end date: 18:48:30 UTC Apr 10 2011
Certificate
Status: Available
Certificate Serial Number: 6132fc9c000000000006
Key Usage: General Purpose
Subject Name:
CN = pixfirewall.example.com
UNSTRUCTURED NAME = pixfirewall.example.com
Validity Date:
start date: 18:50:02 UTC Apr 10 2009
end date: 18:50:02 UTC Apr 10 2011
Please note that I am able to get the VPN connected using the preshared key method with this config by adding the lines below:
isakmp policy 8 authentication pre-share
vpngroup corpit password ********
Thanks
04-14-2009 06:05 AM
In fact, this is my sh cry ca cert output:
pixfirewall(config)# sh cry ca cert
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 61319878000000000005
Key Usage: Encryption
EA = ribin.jones@rm.oom
CN = IT
OU = MIS
O = RM
L = TVM
ST = KL
C = IN
Validity Date:
start date: 18:48:30 UTC Apr 10 2009
end date: 18:48:30 UTC Apr 10 2011
CA Certificate
Status: Available
Certificate Serial Number: 3187a8df8a126e924f648a37f9be703f
Key Usage: Signature
CN = corpit
DC = revenuemed
DC = net
Validity Date:
start date: 17:49:06 UTC Apr 10 2009
RA Signature Certificate
Status: Available
Certificate Serial Number: 61319607000000000004
Key Usage: Signature
EA = ribin.jones@rm.com
CN = IT
OU = MIS
O = RM
L = TVM
ST = KL
C = IN
Validity Date:
start date: 18:48:30 UTC Apr 10 2009
end date: 18:48:30 UTC Apr 10 2011
Certificate
Status: Available
Certificate Serial Number: 6132fc9c000000000006
Key Usage: General Purpose
Subject Name:
CN = pixfirewall.example.com
UNSTRUCTURED NAME = pixfirewall.example.com
Validity Date:
start date: 18:50:02 UTC Apr 10 2009
end date: 18:50:02 UTC Apr 10 2011
04-14-2009 06:30 AM
Well, it looks good. On the IKE debugs it seems to find no IKE policy that matches, so it never gets to the cert authentication. I wonder if you have to use a higher level of encryption? Do you know if your PIX has 3DES enabled? Can you add another isakmp policy with 3des, md5 and rsa-sig? If not, then let's go ahead and enable isakmp and crypto ca debugging.
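The mismatch Martino describes is visible in the debug output: every transform the client proposes uses AES-CBC with MD5 or SHA and DH group 2 or 5, while the only policy on the PIX is des/md5/group 2, so each block ends in "atts are not acceptable". The helper below is an added example, not PIX code or anything posted by the people in this thread. It parses the transform blocks printed by `debug crypto isakmp` (a shortened copy of the blocks above, embedded as constructed sample input) and reports which proposals a given `isakmp policy` would accept. The exact-match rule, the treatment of the XAUTH-extended `RSA sig` variant as `rsa-sig`, the `DES-CBC`/`3DES-CBC` labels, and the alternative aes-256 policy are assumptions of the example; the thread does not confirm any of them.

```python
"""Compare Cisco VPN Client IKE phase-1 proposals with a PIX 'isakmp policy'.
Hypothetical helper (added example, not PIX or thread code): parses the transform
blocks printed by 'debug crypto isakmp' and reports which proposals a policy would
accept under exact-match semantics on encryption, hash, DH group and authentication.
Lifetime is deliberately not compared."""
import re
from dataclasses import dataclass

# Constructed sample: three of the transform blocks posted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
"""

@dataclass(frozen=True)
class Proposal:
    number: int
    encryption: str  # PIX policy keyword: des, 3des, aes, aes-192, aes-256
    hash: str        # md5 or sha
    group: int       # Diffie-Hellman group
    auth: str        # rsa-sig or pre-share
    xauth: bool      # client offered the XAUTH-extended authentication variant

def _norm_encryption(name, keylength):
    """Map the debug's cipher label plus key length onto the policy keyword.
    Assumption: DES/3DES print as DES-CBC/3DES-CBC (only AES-CBC is in the sample)."""
    if name == "AES-CBC":
        return "aes" if keylength in (None, 128) else f"aes-{keylength}"
    return {"DES-CBC": "des", "3DES-CBC": "3des"}.get(name, name.lower())

def parse_proposals(debug_text):
    """Turn each 'Checking ISAKMP transform N' block into a Proposal."""
    blocks, cur = [], None
    for line in debug_text.splitlines():
        if m := re.search(r"Checking ISAKMP transform (\d+)", line):
            cur = {"number": int(m.group(1)), "keylength": None, "xauth": False}
            blocks.append(cur)
        elif cur is None:
            continue
        elif m := re.search(r"encryption (\S+)", line):
            cur["encryption"] = m.group(1)
        elif m := re.search(r"hash (\S+)", line):
            cur["hash"] = m.group(1).lower()
        elif m := re.search(r"group (\d+)", line):
            cur["group"] = int(m.group(1))
        elif m := re.search(r"(extended )?auth (.+?)( \(init\))?$", line):
            # Assumption: the XAUTH-extended form still negotiates rsa-sig.
            cur["xauth"] = bool(m.group(1))
            cur["auth"] = {"RSA sig": "rsa-sig"}.get(m.group(2), m.group(2).lower())
        elif m := re.search(r"keylength of (\d+)", line):
            cur["keylength"] = int(m.group(1))
    return [Proposal(b["number"], _norm_encryption(b["encryption"], b["keylength"]),
                     b["hash"], b["group"], b["auth"], b["xauth"]) for b in blocks]

def policy_accepts(policy, proposal):
    """Exact match on the four attributes the debug output lists per transform."""
    return (policy["encryption"] == proposal.encryption
            and policy["hash"] == proposal.hash
            and policy["group"] == proposal.group
            and policy["authentication"] == proposal.auth)

def evaluate(debug_text, policy):
    # Map transform number -> whether the given policy would accept it.
    return {p.number: policy_accepts(policy, p) for p in parse_proposals(debug_text)}

# The policy from the first config posted: rsa-sig / des / md5 / group 2.
ORIGINAL_POLICY = {"authentication": "rsa-sig", "encryption": "des", "hash": "md5", "group": 2}
# Hypothetical alternative matching transform 7 exactly (aes-256 support is assumed).
AES_POLICY = {"authentication": "rsa-sig", "encryption": "aes-256", "hash": "sha", "group": 2}

if __name__ == "__main__":
    print("original:", evaluate(SAMPLE_DEBUG, ORIGINAL_POLICY))
    print("aes-256/sha/group 2:", evaluate(SAMPLE_DEBUG, AES_POLICY))
```

Run against the original policy, every transform comes back rejected, which is exactly what the posted debug shows; swapping in the hypothetical aes-256/sha/group 2 policy accepts transform 7 only. The useful habit here is to read the debug per attribute rather than per line: whichever attribute differs in every proposal (here the cipher) is the one to change on the gateway.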
04-14-2009 07:24 AM
Hi Martino,
Thanks for the response.
I will add another isakmp policy with 3des md5 and rsa-sig.
In fact, my testing scenario has been dismantled due to some rearrangements at my office... Will get back once I am done with the testing scenario again.
04-14-2009 09:33 AM
Hi,
I will split my post into 3 and send.
Here is my PIX config:
sh run
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
hostname pixfirewall
domain-name example.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
pager lines 24
mtu outside 1500
mtu inside 1500
ip address outside xx.yy.zz210 255.255.255.224
ip address inside 192.168.26.100 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool testpool 192.168.26.101-192.168.26.103
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 101
route outside 0.0.0.0 0.0.0.0 xx.yy.zz193 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 :00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup corpit address-pool testpool
vpngroup corpit dns-server 192.168.25.5
vpngroup corpit split-tunnel 101
vpngroup corpit idle-time 1800
ca identity corpit 192.168.26.70:/certsrv/mscep/mscep.dll
ca configure corpit ra 1 20 crloptional
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:8af7fc6de4add41af1277fec264db3ea
: end
04-14-2009 09:35 AM
Below are the debugs I receive on the PIX when I try to connect:
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500
ISAKMP: Deleting peer node for xx.yy.zz196
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACTIPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with xx.yy.zz196
ISADB: reaper checking SA 0x93b934, conn_id = 0
ISAKMP (0): SA has been authenticated
ISAKMP: Created a peer struct for xx.yy.zz196, peer port 38919
ISAKMP (0): ID payload
next-payload : 6
type : 2
protocol : 17
port : 500
length : 27
ISAKMP (0): Total payload length: 31
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from xx.yy.zz196. message ID = 11219492
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
crypto_isakmp_process_block:src:xx.yy.zz196, dest:xx.yy.zz210 spt:1944 dpt:500
ISADB: reaper checking SA 0x93b934, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for xx.yy.zz196/1944 not found - peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with xx.yy.zz196
04-14-2009 09:40 AM
Here is the output from my VPN client when I try to connect:
Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
397 22:56:28.517 04/14/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
398 22:56:28.517 04/14/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
399 22:56:28.533 04/14/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
400 22:56:28.533 04/14/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
402 22:56:28.548 04/14/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
403 22:56:28.720 04/14/09 Sev=Info/4 CM/0x63100002
Begin connection process
404 22:56:28.705 04/14/09 Sev=Info/4 CERT/0x63600015
Cert (e=ribin.jones@revenuemed.com,cn=Ribin,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.
405 22:56:28.736 04/14/09 Sev=Info/4 CM/0x63100004
Establish secure connection
406 22:56:28.736 04/14/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "xx.yy.zz210"
407 22:56:28.736 04/14/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with xx.yy.zz210.
408 22:56:28.752 04/14/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
409 22:56:28.752 04/14/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
410 22:56:28.923 04/14/09 Sev=Info/4 CERT/0x63600015
Cert (e=ribin.jones@revenuemed.com,cn=Ribin,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.
411 22:56:28.923 04/14/09 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
412 22:56:28.923 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to xx.yy.zz210
413 22:56:28.955 04/14/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
414 22:56:28.955 04/14/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
415 22:56:29.471 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
416 22:56:29.471 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA) from xx.yy.zz210
417 22:56:29.471 04/14/09 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
418 22:56:29.471 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to xx.yy.zz210
419 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
420 22:56:30.080 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from xx.yy.zz210
421 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
422 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000001
Peer supports DPD
423 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
424 22:56:30.080 04/14/09 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025
425 22:56:30.283 04/14/09 Sev=Info/6 CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.
426 22:56:31.002 04/14/09 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 128.
427 22:56:31.002 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to xx.yy.zz210
428 22:56:31.440 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
429 22:56:31.440 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from xx.yy.zz210
430 22:56:31.612 04/14/09 Sev=Info/4 CERT/0x63600015
Cert (cn=pixfirewall.example.com,1.2.840.113549.1.9.2=#13177069786669726577616c6c2e6578616d706c652e636f6d) verification succeeded.
04-14-2009 09:40 AM
431 22:56:31.612 04/14/09 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0798, Remote Port = 0x01F4
432 22:56:31.612 04/14/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
434 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
435 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
436 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to xx.yy.zz210
437 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = xx.yy.zz210
438 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.yy.zz210
439 22:56:31.627 04/14/09 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
440 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer
441 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)
442 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=86A60C1D439D66CD R_Cookie=4D67FC9D1466F792) reason = DEL_REASON_IKE_NEG_FAILED
443 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to xx.yy.zz210
444 22:56:34.910 04/14/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=86A60C1D439D66CD R_Cookie=4D67FC9D1466F792) reason = DEL_REASON_IKE_NEG_FAILED
445 22:56:34.910 04/14/09 Sev=Info/4 CM/0x6310000F
Phase 1 SA deleted before Mode Config is completed cause by "DEL_REASON_IKE_NEG_FAILED". 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
446 22:56:34.910 04/14/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
447 22:56:34.925 04/14/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
448 22:56:34.925 04/14/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
449 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
450 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
451 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
452 22:56:34.925 04/14/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I see "Negotiating Security Policies" and then it gets "Not Connected"
04-14-2009 09:46 AM
Well, we got some progress. The fact that you got that on your client means that phase 1 IKE and cert validation have passed (did this show after using 3DES?). In our case, the problem lies in the PIX not assigning an IP address to the VPN client:
440 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer
441 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)
One more question for you: your VPN client cert has the OU equal to the PIX vpngroup name, right? Can you paste a screenshot of the cert details on your client? Can you please go ahead and re-enter the line where the pool is defined on your PIX?
04-14-2009 10:21 AM
Hi,
Yes we made this progress after using 3des. Thanks for that.
Further details:
CN = corpit
DC = revenuemed
DC = net
Earlier, when I checked my certificate, I saw the OU as MIS (but the vpngroup I mentioned was corpit), so I changed the vpngroup to MIS in the PIX configuration.
Now I get the below logs in the vpn client when I try to connect.
Cisco Systems VPN Client Version 5.0.04.0300
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
92 23:50:43.367 04/14/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
93 23:50:43.383 04/14/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
94 23:50:43.383 04/14/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
95 23:50:43.383 04/14/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
96 23:50:43.399 04/14/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
97 23:50:43.399 04/14/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
98 23:50:43.571 04/14/09 Sev=Info/4 CERT/0x63600015
Cert (e=ribin.jones@revenuemed.com,cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.
99 23:50:43.586 04/14/09 Sev=Info/4 CM/0x63100002
Begin connection process
100 23:50:43.602 04/14/09 Sev=Info/4 CM/0x63100004
Establish secure connection
101 23:50:43.602 04/14/09 Sev=Info/4 CM/0x63100024
Attempt connection with server "220.227.79.210"
102 23:50:43.602 04/14/09 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 220.227.79.210.
103 23:50:43.633 04/14/09 Sev=Info/6 CERT/0x63600026
Attempting to find a Certificate using Serial Hash.
104 23:50:43.633 04/14/09 Sev=Info/6 CERT/0x63600027
Found a Certificate using Serial Hash.
105 23:50:43.821 04/14/09 Sev=Info/4 CERT/0x63600015
Cert (e=ribin.jones@revenuemed.com,cn=test2,ou=MIS,o=RevenueMed,l=Trivandrum,st=Kerala,c=IN) verification succeeded.
106 23:50:43.821 04/14/09 Sev=Info/4 IKE/0x63000001
Starting IKE Phase 1 Negotiation
107 23:50:43.821 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 220.227.79.210
108 23:50:43.836 04/14/09 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
109 23:50:43.836 04/14/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
110 23:50:44.352 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 220.227.79.210
111 23:50:44.352 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA) from 220.227.79.210
112 23:50:44.367 04/14/09 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful
113 23:50:44.367 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to 220.227.79.210
114 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 220.227.79.210
115 23:50:44.977 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from 220.227.79.210
116 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
04-14-2009 10:21 AM
117 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000001
Peer supports DPD
118 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
119 23:50:44.977 04/14/09 Sev=Info/5 IKE/0x63000082
Received IOS Vendor ID with unknown capabilities flag 0x00000025
120 23:50:45.180 04/14/09 Sev=Info/6 CERT/0x63600034
Attempting to sign the hash for Windows XP or higher.
121 23:50:45.571 04/14/09 Sev=Info/6 CERT/0x63600035
Done with the hash signing with signature length of 128.
122 23:50:45.571 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 220.227.79.210
123 23:50:46.024 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 220.227.79.210
124 23:50:46.024 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 220.227.79.210
125 23:50:46.196 04/14/09 Sev=Info/4 CERT/0x63600015
Cert (cn=pixfirewall.example.com,1.2.840.113549.1.9.2=#13177069786669726577616c6c2e6578616d706c652e636f6d) verification succeeded.
126 23:50:46.196 04/14/09 Sev=Info/4 IKE/0x63000083
IKE Port in use - Local Port = 0x0926, Remote Port = 0x01F4
127 23:50:46.196 04/14/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
128 23:50:46.196 04/14/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 1 User Authenticated IKE SA in the system
129 23:50:46.211 04/14/09 Sev=Info/5 IKE/0x6300005E
Client sending a firewall request to concentrator
130 23:50:46.211 04/14/09 Sev=Info/5 IKE/0x6300005D
Firewall Policy: Product=Cisco Systems Integrated Client Firewall, Capability= (Centralized Protection Policy).
131 23:50:46.211 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK TRANS *(HASH, ATTR) to 220.227.79.210
132 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 220.227.79.210
133 23:50:46.243 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 220.227.79.210
134 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.26.101
135 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_DNS(1): , value = 192.168.25.5
136 23:50:46.243 04/14/09 Sev=Info/4 IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no data
137 23:50:46.243 04/14/09 Sev=Info/4 IKE/0xA3000015
MODE_CFG_REPLY: Received MODECFG_UNITY_SPLIT_INCLUDE attribute with no data
138 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_PFS: , value = 0x00000000
139 23:50:46.243 04/14/09 Sev=Info/4 CM/0x63100019
Mode Config data received
140 23:50:46.258 04/14/09 Sev=Info/4 IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.26.101, GW IP = 220.227.79.210, Remote IP = 0.0.0.0
141 23:50:46.258 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 220.227.79.210
142 23:50:46.336 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 220.227.79.210
143 23:50:46.336 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from 220.227.79.210
04-14-2009 10:22 AM
144 23:50:46.336 04/14/09 Sev=Warning/3 IKE/0xA300004B
Received a NOTIFY message with an invalid protocol id (0)
145 23:50:46.383 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 220.227.79.210
146 23:50:46.383 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:STATUS_RESP_LIFETIME) from 220.227.79.210
147 23:50:46.383 04/14/09 Sev=Info/5 IKE/0x63000045
RESPONDER-LIFETIME notify has value of 86400 seconds
148 23:50:46.383 04/14/09 Sev=Info/5 IKE/0x63000047
This SA has already been alive for 3 seconds, setting expiry to 86397 seconds from now
149 23:50:46.790 04/14/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
150 23:50:51.290 04/14/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
151 23:50:51.290 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 220.227.79.210
152 23:50:56.291 04/14/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
153 23:50:56.291 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 220.227.79.210
154 23:51:01.291 04/14/09 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
155 23:51:01.291 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 220.227.79.210
156 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=ED9273A7
157 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 220.227.79.210
158 23:51:06.292 04/14/09 Sev=Info/6 IKE/0x6300003D
Sending DPD request to 220.227.79.210, our seq# = 1330055753
159 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 220.227.79.210
160 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=ED9273A7
161 23:51:06.354 04/14/09 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 220.227.79.210
162 23:51:06.354 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:DPD_ACK) from 220.227.79.210
163 23:51:06.354 04/14/09 Sev=Info/5 IKE/0x63000040
Received DPD ACK from 220.227.79.210, seq# received = 1330055753, seq# expected = 1330055753
164 23:51:15.089 04/14/09 Sev=Info/6 GUI/0x63B0000D
Disconnecting VPN connection.
165 23:51:15.089 04/14/09 Sev=Info/4 CM/0x63100009
Abort connection attempt before first Phase 2 SA is up
166 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
167 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=17E2D19E9DFAE5D4 R_Cookie=4D67FC9DEA61BF05) reason = DEL_REASON_RESET_SADB
168 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 220.227.79.210
169 23:51:15.089 04/14/09 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=17E2D19E9DFAE5D4 R_Cookie=4D67FC9DEA61BF05) reason = DEL_REASON_RESET_SADB
170 23:51:15.089 04/14/09 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
171 23:51:15.121 04/14/09 Sev=Info/6 CM/0x63100046
Set tunnel established flag in registry to 0.
172 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
173 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
174 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
175 23:51:15.543 04/14/09 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
I see QM_IDLE on the PIX for some time when I try to connect, but after some seconds I get a "Not connected" message in the client, and there is no VPN either.
04-14-2009 10:26 AM
Try setting the transform set to 3des too, to see if that changes something; also go ahead and enable debug crypto ipsec on the PIX.
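The three failure points this thread walks through each leave a distinct marker in the VPN Client log: phase 1 never establishing (no matching isakmp policy), "No private IP address was assigned by the peer" right after phase 1 (mode config, which the thread traced to the vpngroup name not matching the certificate OU), and NOTIFY:NO_PROPOSAL_CHOSEN followed by quick-mode retransmissions (phase 2 transform set). As an added example, not code from Cisco or from anyone in this thread, the helper below parses the client's two-line log records and reports which stage failed, with a hint that follows the advice given in the thread. The two sample logs are shortened, constructed copies of the client logs posted above; the stage names and hint wording are the example's own.

```python
"""Triage a Cisco VPN Client log: which IKE stage was reached and where it failed.
Hypothetical helper (added example, not Cisco or thread code). Records are the
two-line form shown in the thread: a header
'<seq> <time> <date> Sev=<Level>/<n> <MODULE>/0x<code>' then the message line."""
import re

HEADER = re.compile(
    r"^(\d+) (\d\d:\d\d:\d\d\.\d+) (\d\d/\d\d/\d\d) Sev=(\w+)/(\d) (\w+)/0x([0-9A-Fa-f]{8})$")

# Constructed samples, shortened from the two client logs posted in the thread.
SAMPLE_NO_ADDRESS = """\
432 22:56:31.612 04/14/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
438 22:56:31.627 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from xx.yy.zz210
440 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE3000023
No private IP address was assigned by the peer
441 22:56:31.627 04/14/09 Sev=Warning/2 IKE/0xE300009B
Failed to process ModeCfg Reply (NavigatorTM:175)
"""
SAMPLE_PHASE2 = """\
127 23:50:46.196 04/14/09 Sev=Info/4 CM/0x6310000E
Established Phase 1 SA. 1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
134 23:50:46.243 04/14/09 Sev=Info/5 IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.26.101
139 23:50:46.243 04/14/09 Sev=Info/4 CM/0x63100019
Mode Config data received
141 23:50:46.258 04/14/09 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to xx.yy.zz210
143 23:50:46.336 04/14/09 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK INFO *(HASH, NOTIFY:NO_PROPOSAL_CHOSEN) from xx.yy.zz210
156 23:51:06.292 04/14/09 Sev=Info/4 IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=ED9273A7
"""

# (marker key, substring that identifies it in the message line)
MARKERS = [
    ("phase1_ok", "Established Phase 1 SA"),
    ("address_assigned", "INTERNAL_IPV4_ADDRESS"),
    ("modecfg_ok", "Mode Config data received"),
    ("no_address", "No private IP address was assigned by the peer"),
    ("no_proposal_chosen", "NOTIFY:NO_PROPOSAL_CHOSEN"),
    ("phase2_timeout", "Phase-2 retransmission count exceeded"),
]

# Remediation hints, following the advice given in the thread.
HINTS = {
    "no_phase1": "Phase 1 never completed: check that an isakmp policy matches the "
                 "client's proposals (encryption, hash, group, rsa-sig) and that the certificates validate.",
    "no_address": "Phase 1 passed but no address was assigned: check the address pool "
                  "and that the vpngroup name matches the OU in the client certificate.",
    "no_proposal_chosen": "Phase 2 proposal rejected: compare the crypto ipsec "
                          "transform-set with what the client offers.",
    "phase2_timeout": "Quick mode got no acceptable reply: enable debug crypto ipsec "
                      "on the gateway and compare transform sets.",
}

def parse_records(text):
    """Pair each header line with the message line that follows it."""
    records, pending = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            pending = {"seq": int(m.group(1)), "severity": m.group(4),
                       "module": m.group(6), "code": m.group(7)}
        elif pending is not None and line.strip():
            pending["message"] = line.strip()
            records.append(pending)
            pending = None
    return records

def triage(text):
    """Report the first stage that failed, the assigned address (if any) and a hint."""
    first, assigned_ip = {}, None
    for rec in parse_records(text):
        for key, needle in MARKERS:
            if needle in rec["message"]:
                first.setdefault(key, rec["seq"])  # remember the first occurrence
        if m := re.search(r"INTERNAL_IPV4_ADDRESS.*value = (\d+\.\d+\.\d+\.\d+)", rec["message"]):
            assigned_ip = m.group(1)
    if "phase1_ok" not in first:
        stage, reason = "phase1", "no_phase1"
    elif "no_address" in first:
        stage, reason = "modecfg", "no_address"
    elif "no_proposal_chosen" in first:
        stage, reason = "phase2", "no_proposal_chosen"
    elif "phase2_timeout" in first:
        stage, reason = "phase2", "phase2_timeout"
    else:
        stage, reason = None, None
    return {"failed_stage": stage, "reason": reason, "assigned_ip": assigned_ip,
            "hint": HINTS.get(reason), "markers": first}

if __name__ == "__main__":
    for name, log in (("no-address", SAMPLE_NO_ADDRESS), ("phase2", SAMPLE_PHASE2)):
        r = triage(log)
        print(f"{name}: failed at {r['failed_stage']} ({r['reason']}): {r['hint']}")
```

The first sample triages to the mode-config stage (phase 1 up, no address), the second to phase 2 (address 192.168.26.101 assigned, then NO_PROPOSAL_CHOSEN). Checking the stages in this order matters: a quick-mode timeout also appears in a run where the real cause was the rejected proposal, so the earlier marker decides.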