Remote Access VPN authenticate with MS certificates

Sep 20th, 2009

Dear all,

I would like to configure a remote access VPN that authenticates with certificates.

I have configured it based on a Cisco configuration example:

http://www.cisco.com/application/pdf/paws/100413/asavpnclient_ca.pdf

but I have changed some settings because I would like to map the ISAKMP session based on the OU in the certificate.

And I got the following problem:

Sep 18 00:47:58 [IKEv1 DEBUG]: IP = 172.23.18.23, processing notify payload
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Trying to find group via OU...
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Connection landed on tunnel_group doi
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Peer Certificate authentication failed: General Error
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, IKE MM Responder FSM error history (struct &0xd5dc2c50) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT-->MM_BLD_MSG6, EV_CHECK_NAT_T-->MM_BLD_MSG6, EV_GROUP_LOOKUP-->MM_WAIT_MSG5, EV_PROCESS_MSG-->MM_WAIT_MSG5, EV_VALIDATE_MSG
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, IKE SA MM:883ff569 terminating: flags 0x0105c002, refcnt 0, tuncnt 0
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, sending delete/delete with reason message
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, constructing blank hash payload
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, constructing IKE delete payload
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, constructing qm hash payload
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, IKE_DECODE SENDING Message (msgid=82a7cfe0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Removing peer from peer table failed, no match!
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Error: Unable to remove PeerTblEntry
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)


I would like to know the meaning of these debug messages:

Peer Certificate authentication failed: General Error

and

Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Removing peer from peer table failed, no match!
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Error: Unable to remove PeerTblEntry
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68

I have already deployed a new CA server in a VM and got the same result. Any suggestions?

Thanks a lot


Regards,

Weng Kin

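As an added, offline worked example (not from this thread or from Cisco): a small Python triage script that parses ASA IKEv1 debug lines like the ones above, reads the "FSM error history" back into chronological order, and reports which main-mode step the exchange died at. The sample log is a shortened, constructed copy of the excerpt above; the line format and the newest-first ordering of the history (MM_DONE/EV_ERROR is printed first) are assumed from that excerpt.

```python
import re

# Constructed sample, shortened from the ASA debug excerpt in the question.
SAMPLE_LOG = """\
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Trying to find group via OU...
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Connection landed on tunnel_group doi
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Peer Certificate authentication failed: General Error
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, IKE MM Responder FSM error history (struct &0xd5dc2c50) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT-->MM_BLD_MSG6, EV_CHECK_NAT_T-->MM_BLD_MSG6, EV_GROUP_LOOKUP-->MM_WAIT_MSG5, EV_PROCESS_MSG-->MM_WAIT_MSG5, EV_VALIDATE_MSG
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
"""

# One ASA IKEv1 line: timestamp, [IKEv1] or [IKEv1 DEBUG], optional Group, IP, message.
LINE_RE = re.compile(r"^\w+ +\d+ [\d:]+ \[IKEv1(?: DEBUG)?\]: (?:Group = (?P<group>\S+), )?"
                     r"IP = (?P<ip>[\d.]+), (?P<msg>.*)$")

def parse_fsm_history(msg):
    """(state, event) pairs in chronological order. The ASA prints them newest
    first, so MM_DONE/EV_ERROR is the first pair on the line and the last here."""
    tail = msg.partition("<state>, <event>: ")[2]
    return [tuple(p.split(", ")) for p in tail.split("-->")][::-1]

def triage(log):
    """Extract peer, group-lookup result, failure text and the FSM step that failed."""
    r = {"peer": None, "group": None, "lookup": None, "failure": None, "fsm": [],
         "failed_step": None, "hint": None}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        r["peer"], msg = m["ip"], m["msg"]
        if msg.startswith("Trying to find group via"):
            r["lookup"] = msg.split("via ")[1].rstrip(".")
        elif "Connection landed on tunnel_group" in msg:
            r["group"] = msg.rsplit(" ", 1)[1]
        elif "authentication failed" in msg:
            r["failure"] = msg
        elif "FSM error history" in msg:
            r["fsm"] = parse_fsm_history(msg)
            i = [e for _, e in r["fsm"]].index("EV_ERROR")
            r["failed_step"] = r["fsm"][i - 1] if i else None  # step right before EV_ERROR
    if r["failed_step"] and r["failed_step"][1] == "EV_VALIDATE_CERT":
        r["hint"] = ("group lookup already succeeded; the peer certificate itself was rejected, "
                     "so check the issuing CA chain (incl. any subordinate CA) in the trustpoints")
    return r

if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k:12} {v}")
```

On the sample above the script reports that the OU lookup landed on tunnel-group doi and that the exchange failed at EV_VALIDATE_CERT while building main-mode message 6, which separates the group-mapping question from the certificate-validation one.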
Alexandro Carra... (Cisco Employee) Mon, 09/21/2009 - 14:19

Enable 'debug crypto ca mess & trans 200' and post that output if possible. How many trustpoints do you have configured on the ASA? Do you have subordinate certs on the ID cert the PC has installed? Do you have crypto isakmp identity hostname configured?

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/c5.html#wp2190820 ?

Alex.

wengkinwong Tue, 09/22/2009 - 19:39

Hi Alex,

No debug messages come out from "debug crypto ca mess & trans 200". I have two trustpoints configured.

This is my basic configuration for the remote access VPN.


ASA Version 8.0(3)
!
hostname CP-SP-VPNASA
domain-name vpn.netcraft.com.mo
names
name 172.23.249.3 netcraftca
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.23.249.1 255.255.255.0
!
interface Ethernet0/1
 nameif me
 security-level 100
 ip address 192.168.1.0 255.255.255.0
!
interface Ethernet0/2
 nameif ep
 security-level 90
 ip address 192.168.2.0 255.255.255.0
!
interface Ethernet0/3
 nameif af
 security-level 80
 ip address 192.168.3.0 255.255.255.0
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 8
dns server-group DefaultDNS
 domain-name vpn.netcraft.com.mo
pager lines 24
mtu outside 1500
mtu meid 1500
mtu ep 1500
mtu afis 1500
ip local pool vpnpool 10.1.1.10-10.1.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set netcraftset esp-3des esp-md5-hmac
crypto dynamic-map netcraftdynmap 10 set transform-set netcraftset
crypto map vpnmap 65535 ipsec-isakmp dynamic netcraftdynmap
crypto map vpnmap interface outside
crypto ca trustpoint ca1
 enrollment terminal
 crl configure
crypto ca trustpoint ca2
 enrollment terminal
 subject-name CN=CP-SP-VPNASA
 crl configure
crypto ca certificate chain ca1
 certificate ca
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 65535
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group doi type remote-access
tunnel-group doi general-attributes
 address-pool vpnpool
tunnel-group doi ipsec-attributes
 trust-point ca2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context


(I deleted the CA and host identity certificates from the configuration.)

I have installed the client certificate according to the procedure in document ID 100413.

Any ideas?

Thanks for your reply


Regards,

Weng Kin


s.aliyarukunju Tue, 11/29/2011 - 06:21

Hi Weng,

I just wanted to ask: have you managed to successfully implement the remote access VPN with a CA server?

Actually, I am also looking for a working solution. If you have any tutorial or other working solution, kindly let me know.


Best Regards

Shijimon
