Remote Access VPN authenticate with MS certificates

Unanswered Question
Sep 20th, 2009

Dear all

I would like to configure remote access vpn authenticate with certificate.

I have configured it base on a cisco configuration example.

http://www.cisco.com/application/pdf/paws/100413/asavpnclient_ca.pdf

but I have changed some settings because I would like to map the ISAKMP session based on the OU in the certificate.

and I got the following problem:

Sep 18 00:47:58 [IKEv1 DEBUG]: IP = 172.23.18.23, processing notify payload

Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device

Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Trying to find group via OU...

Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Connection landed on tunnel_group doi

Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Peer Certificate authentication failed: General Error

Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, IKE MM Responder FSM error history (struct &0xd5dc2c50) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT-->MM_BLD_MSG6, EV_CHECK_NAT_T-->MM_BLD_MSG6, EV_GROUP_LOOKUP-->MM_WAIT_MSG5, EV_PROCESS_MSG-->MM_WAIT_MSG5, EV_VALIDATE_MSG

Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, IKE SA MM:883ff569 terminating: flags 0x0105c002, refcnt 0, tuncnt 0

Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, sending delete/delete with reason message

Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, constructing blank hash payload

Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, constructing IKE delete payload

Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, constructing qm hash payload

Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, IKE_DECODE SENDING Message (msgid=82a7cfe0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Removing peer from peer table failed, no match!

Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Error: Unable to remove PeerTblEntry

Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)

Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)

Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)

Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)

Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)

I would like to know the meaning of the debug log,

Peer Certificate authentication failed: General Error

&

Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Removing peer from peer table failed, no match!

Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Error: Unable to remove PeerTblEntry

Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)

Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

I have already deployed a new CA server in VM and got the same result. any suggestions about that??

Thanks a lot

Regards,

Weng Kin

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
wengkinwong Tue, 09/22/2009 - 19:39

Hi Alex,

no debug message come out from "debug crypto ca mess & trans 200", two trustpoints i have configured.

This is my basic configuration about the remote access vpn.

ASA Version 8.0(3)

!

hostname CP-SP-VPNASA

domain-name vpn.netcraft.com.mo

names

name 172.23.249.3 netcraftca

!

interface Ethernet0/0

nameif outside

security-level 0

ip address 172.23.249.1 255.255.255.0

!

interface Ethernet0/1

nameif me

security-level 100

ip address 192.168.1.0 255.255.255.0

!

interface Ethernet0/2

nameif ep

security-level 90

ip address 192.168.2.0 255.255.255.0

!

interface Ethernet0/3

nameif af

security-level 80

ip address 192.168.3.0 255.255.255.0

!

interface Management0/0

shutdown

no nameif

no security-level

no ip address

!

ftp mode passive

clock timezone GMT 8

dns server-group DefaultDNS

domain-name vpn.netcraft.com.mo

pager lines 24

mtu outside 1500

mtu meid 1500

mtu ep 1500

mtu afis 1500

ip local pool vpnpool 10.1.1.10-10.1.1.20 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set netcraftset esp-3des esp-md5-hmac

crypto dynamic-map netcraftdynmap 10 set transform-set netcraftset

crypto map vpnmap 65535 ipsec-isakmp dynamic netcraftdynmap

crypto map vpnmap interface outside

crypto ca trustpoint ca1

enrollment terminal

crl configure

crypto ca trustpoint ca2

enrollment terminal

subject-name CN=CP-SP-VPNASA

crl configure

crypto ca certificate chain ca1

certificate ca

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp policy 65535

authentication rsa-sig

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

tunnel-group doi type remote-access

tunnel-group doi general-attributes

address-pool vpnpool

tunnel-group doi ipsec-attributes

trust-point ca2

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect netbios

inspect rsh

inspect rtsp

inspect skinny

inspect esmtp

inspect sqlnet

inspect sunrpc

inspect tftp

inspect sip

inspect xdmcp

!

service-policy global_policy global

prompt hostname context

(I deleted the CA & host identity certicate from the configuration)

I have installed the client certificate according to the procedure in document id 100413.

Any ideas??

Thanks for you reply

Regards,

Weng Kin

s.aliyarukunju Tue, 11/29/2011 - 06:21

Hi Weng,

Just would like to ask you , have you managed to sucessfully implement the remote access VPN with CA server ?

Actually i am also looking for a working solution.If you have any tutorial or other working solution , kindly let me know.

Best Regards

Shijimon

Actions

This Discussion