Problem IPSec / SSL VPN (WebVPN) ASA5550 and Microsoft CA

Unanswered Question
May 28th, 2009

Hi,

We want to connect with the Cisco VPN Client to an ASA5550 (IOS 8.0(4)) over VPN with certificates generated by a Microsoft CA (Server 2008 Enterprise).

The ASA has its own certificate generated by the MS CA, and the client certificates are also generated by the MS CA.

(link: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml)

What is wrong?

Log from Cisco VPN Client:

Cisco Systems VPN Client Version 5.0.02.0090

Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.

Client Type(s): Windows, WinNT

Running on: 6.0.6001 Service Pack 1

23 11:49:58.219 05/25/09 Sev=Warning/3 IKE/0xE3000081

Invalid remote certificate id: ID_IPV4_ADDR: ID = 0x3DD827C3, Certificate = 0x00000000

24 11:49:58.219 05/25/09 Sev=Warning/3 IKE/0xE3000059

The peer's certificate doesn't match Phase 1 ID

25 11:49:58.219 05/25/09 Sev=Warning/2 IKE/0xE30000A7

Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2238)

Do you have any solution?

The same config on the PIX 515E and the same VPN Client works!!

An additional log from the ASA is in the attachment.

Mateusz

pradeepde Wed, 06/03/2009 - 13:30

"Error: Unable to remove PeerTblEntry" Make sure you have a license for 3DES.

Also add crypto isakmp nat-traversal 20

Make sure your ISP supports Bridging (a few don't in some countries).

Make sure you chose group auth in the VPN client and typed TunnelGroup1 in the VPN client. Also check your NAT configuration.
