cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
12594
Views
5
Helpful
17
Replies

Cisco VPN client + Cisco router + MSW CA + certificates

Sonenberk
Level 1
Level 1

Dear sirs,
Allow me to approach you about the following problem.

I wanted to use a secure connection between Cisco VPN client
(Windows XP) and Cisco 2821 with certificate authentication.
I used Microsoft certificate authority (Windows 2003 server).
Cisco VPN client used eTokenPRO Aladdin as a certificate store.

Enrollment certificate to MSW CA and its placing into eToken ran O.K.
Cisco VPN client hasn't problem with eToken cooperation.
Enrollment certificate from Cisco2821 to MSW CA ran O.K. too.

Cisco 2821 configuration is standard. IOS version 12.4(6).

Connection attempt from Cisco VPN client to Cisco 2821 was
terminated with error messages:

ISAKMP:(1020):Unable to get router cert or routerdoes not have a cert: needed to find DN!
ISAKMP:(1020):SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
ISAKMP (1020): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : cisco-ca.firm.com
        protocol     : 17
        port         : 500
        length       : 25
ISAKMP:(1020):Total payload length: 25
ISAKMP (1020): no cert chain to send to peer
ISAKMP (1020): peer did not specify issuer and no suitable profile found
ISAKMP (1020): FSM action returned error: 2
ISAKMP:(1020):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1020):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Are there some refence where is possible to find some information about
this problem? Exists somebody who knows how figure it out these errors?
Thank you very much for your help.

Best regards
P.Sonenberk


P.S. Some more informations for people who was interested in problem above.

Cisco 2821 IP address is 10.1.1.220, client VPN IP address is 10.1.1.133.
MSW CA has IP 10.1.1.50.
Important parts of the Cisco 2821 configuration:

!
hostname cisco-ca
!
................
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
...............
ip domain name firm.com
ip host firm-cu 10.1.1.50
ip host cisco-vpn1 10.1.1.133
ip name-server 10.1.1.33
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4097309259
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4097309259
revocation-check none
rsakeypair TP-self-signed-4097309259
!
crypto pki trustpoint firm-cu
enrollment mode ra
enrollment url http://10.1.1.50:80/certsrv/mscep/mscep.dll
usage ike
serial-number none
ip-address none
password 7 005C31272503535729701A1B5E40523647
revocation-check none
!
crypto pki certificate chain TP-self-signed-4097309259
certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  .............
  FEDDCCEA 8FD14836 24CDD736 34
        quit
crypto pki certificate chain firm-cu
certificate 1150A66F000100000013
  30820509 308203F1 A0030201 02020A11 50A66F00 01000000 13300D06 092A8648
  ...............
  9E417C44 2062BFD5 F4FB9C0B AA
        quit
certificate ca 51BAC7C822D1F6A3469D1ADC32D0EB8C
  30820489 30820371 A0030201 02021051 BAC7C822 D1F6A346 9D1ADC32 D0EB8C30
  ...............
  C379F382 36E0A54E 0A6278A7 46
        quit
!
...................
crypto isakmp policy 30
encr 3des
hash md5
authentication rsa-encr
group 2
crypto isakmp identity hostname
!
crypto isakmp client configuration group Group159
key Key159Key
pool SDM_POOL_1
acl 100
!
crypto isakmp client configuration group it
domain firm.com
pool SDM_POOL_1
acl 100
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set 3DES-MD5
reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
................
!
end

cisco-ca#show crypto pki trustpoints firm-cu status
Trustpoint firm-cu:
  Issuing CA certificate configured:
    Subject Name:
     cn=firm-cu,dc=firm,dc=local
    Fingerprint MD5: 5026582F 56151047 8CF455F8 2FFAC0D6
    Fingerprint SHA1: 47B74974 7C85EA48 760516DE AAC84C5D 4427E829
  Router General Purpose certificate configured:
    Subject Name:
     hostname=cisco-ca.firm.com
    Fingerprint MD5: E78702ED 47D5D36F B732CC4C BA97A4ED
    Fingerprint SHA1: 78DEAE7E ACC12F15 1DFB4EB8 7FC00138 DC6F3B7E
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes

cisco-ca#sh crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate

Code Usage         IP-Address/VRF         Keyring          Name
C    Signing                              default          X.500 DN name:
                              cn=firm-cu
                              dc=firm
                              dc=local

C    Signing                              default          cisco-vpn1


IMPORTANT: I hasn't Cisco IOS Software: 12.4(5), 12.3(11)T08, 12.4(4.7)PI03c,
12.4(4.7)T - there is mistake in crypto modul.

1 Accepted Solution

Accepted Solutions

Hey guys, It is odd that the router is not finding the cert after the IKE matches the cert and validates it, I this certainly is not right, however I would go ahead and configure certificate mapping on this router to force the client to be matched to a specific IKE group, for that matter you will need to change your config a little bit to use iskamp profiles:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_isakp.html

View solution in original post

17 Replies 17

Yudong Wu
Level 7
Level 7

Please change isakmp policy command "authentication rsa-encr" to "authentication rsa-sig" and try it again.

Good morning,

thank you very much for your advice, time and your interest.

But I've got these raws in the cisco router configuration:

crypto isakmp policy 10

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 20

encr 3des

hash md5

group 2

!

crypto isakmp policy 30

encr 3des

hash md5

authentication rsa-encr

group 2

crypto isakmp identity hostname

!

crypto isakmp client configuration group Group159

key Key159Key

pool SDM_POOL_1

acl 100

!

crypto isakmp client configuration group it

domain firm.com

pool SDM_POOL_1

acl 100

!

crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set 3DES-MD5

reverse-route

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

The group of the policy number 20 has "authentication rsa-sig" implicit on.

I'm afraid the problem is elsewhere or I don't understand your advice.

Thank you for your cooperate, have a nice rest of this day.

P.Sonenberk

kwu2 napsal(a):

Peter Sonenberk,

>

A new message was posted in the Discussion thread "Cisco VPN client + Cisco router + MSW CA + certificates":

>

https://supportforums.cisco.com/message/3005694#3005694

>

Author : Kevin Wu

Profile : https://supportforums.cisco.com/people/kwu2

>

Message:

Well, in your first post, you did not include the other isakmp policy, I though isakmp policy 30 is the only one.

You'd better to provide the debug output for us to help.

debug crypto isa

debug crypto ipsec

debug crypto pki (there are some options follow)

Good morning,
I'm terribly sorry. Yes, there wasn't full cisco configuration in my  first question.
I'm glad you want to find a solution.

Well, I've used these debug command:

debug crypto pki messages, debug crypto pki transaction, debug crypto  isakmp,
debug crypto ipsec

And there are two devices:
Cisco 2821 IP address is 10.1.1.220, cisco-ca.firm.com.
Personal computer MSW XP client VPN IP address is 10.1.1.133,  cisco-vpn1.firm.com,
with certificate e=jarda@firm.com,cn=cisco-vpn1,ou=it,o=Firm Ltd.,l=Town,st=Discrict,c=State

List of certificates in cisco2821:

---> cisco-ca#sh crypto ca certificate
Certificate
Status: Available
Certificate Serial Number (hex): 1150A66F000100000013
Certificate Usage: General Purpose
Issuer:
   cn=firm-cu
   dc=firm
   dc=local
Subject:
   Name: cisco-ca.firm.com
   hostname=cisco-ca.firm.com
CRL Distribution Points:
   ldap:///CN=firm-cu(1),CN=server,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=firm,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
   http://server.firm.local/CertEnroll/firm-cu(1).crl
Validity Date:
   start date: 14:02:31 UTC Jan 14 2010
   end   date: 14:12:31 UTC Jan 14 2011
Associated Trustpoints: firm-cu
Storage: nvram:firm-cu#0.cer

CA Certificate
Status: Available
Certificate Serial Number (hex): 51BAC7C822D1F6A3469D1ADC32D0EB8C
Certificate Usage: Signature
Issuer:
   cn=firm-cu
   dc=firm
   dc=local
Subject:
   cn=firm-cu
   dc=firm
   dc=local
CRL Distribution Points:
   ldap:///CN=firm-cu(1),CN=server,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=firm,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
   http://server.firm.local/CertEnroll/firm-cu(1).crl
Validity Date:
   start date: 07:54:54 UTC Jan 8 2010
   end   date: 08:00:47 UTC Jan 9 2015
Associated Trustpoints: firm-cu
Storage: nvram:firm-cu#EBEBCA.cer

Router Self-Signed Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: General Purpose
Issuer:
   cn=IOS-Self-Signed-Certificate-4097309259
Subject:
   Name: IOS-Self-Signed-Certificate-4097309259
   cn=IOS-Self-Signed-Certificate-4097309259
Validity Date:
   start date: 09:25:18 UTC Jan 11 2010
   end   date: 00:00:00 UTC Jan 1 2020
Associated Trustpoints: TP-self-signed-4097309259
Storage: nvram:IOS-Self-Sig#1.cer


---> cisco-ca#sh crypto ca trustpoints status
Trustpoint TP-self-signed-4097309259:
Issuing CA certificate configured:
   Subject Name:
    cn=IOS-Self-Signed-Certificate-4097309259
   Fingerprint MD5: D9F8C55D 7F669FC8 C40814AC 502D6F87
   Fingerprint SHA1: 7D03D8E0 6489298F 33B97406 EA6655DC 81AB9351
Router General Purpose certificate configured:
   Subject Name:
    cn=IOS-Self-Signed-Certificate-4097309259
   Fingerprint MD5: D9F8C55D 7F669FC8 C40814AC 502D6F87
   Fingerprint SHA1: 7D03D8E0 6489298F 33B97406 EA6655DC 81AB9351
State:
   Keys generated ............. Yes (General Purpose, non-exportable)
   Issuing CA authenticated ....... Yes
   Certificate request(s) ..... Yes


Trustpoint firm-cu:
Issuing CA certificate configured:
   Subject Name:
    cn=firm-cu,dc=firm,dc=local
   Fingerprint MD5: 5026582F 56151047 8CF455F8 2FFAC0D6
   Fingerprint SHA1: 47B74974 7C85EA48 760516DE AAC84C5D 4427E829
Router General Purpose certificate configured:
   Subject Name:
    hostname=cisco-ca.firm.com
   Fingerprint MD5: E78702ED 47D5D36F B732CC4C BA97A4ED
   Fingerprint SHA1: 78DEAE7E ACC12F15 1DFB4EB8 7FC00138 DC6F3B7E
State:
   Keys generated ............. Yes (General Purpose, non-exportable)
   Issuing CA authenticated ....... Yes
   Certificate request(s) ..... Yes


---> cisco-ca#sh crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate

Code Usage         IP-Address/VRF         Keyring          Name
C    Signing                              default          X.500 DN name:
                             cn=firm-cu
                             dc=firm
                             dc=local

C    Signing                              default          cisco-vpn1



And here are raws of the debug log:

Jan 22 08:18:50.724: ISAKMP (0): received packet from 10.1.1.133 dport  500 sport 500 Global (N) NEW SA
Jan 22 08:18:50.724: ISAKMP: Created a peer struct for 10.1.1.133, peer  port 500
Jan 22 08:18:50.724: ISAKMP: New peer created peer = 0x47106BCC  peer_handle = 0x80000002
Jan 22 08:18:50.724: ISAKMP: Locking peer struct 0x47106BCC, refcount 1  for crypto_isakmp_process_block
Jan 22 08:18:50.724: ISAKMP:(0):Setting client config settings 471083E0
Jan 22 08:18:50.724: ISAKMP:(0):(Re)Setting client xauth list  and state
Jan 22 08:18:50.724: ISAKMP/xauth: initializing AAA request
Jan 22 08:18:50.728: ISAKMP: local port 500, remote port 500
Jan 22 08:18:50.728: ISAKMP:(0):insert sa successfully sa = 47093EF0
Jan 22 08:18:50.728: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 22 08:18:50.728: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

Jan 22 08:18:50.728: ISAKMP:(0): processing SA payload. message ID = 0
Jan 22 08:18:50.728: ISAKMP:(0): processing vendor id payload
Jan 22 08:18:50.728: ISAKMP:(0): vendor ID seems Unity/DPD but major 215  mismatch
Jan 22 08:18:50.728: ISAKMP:(0): vendor ID is XAUTH
Jan 22 08:18:50.728: ISAKMP:(0): processing vendor id payload
Jan 22 08:18:50.732: ISAKMP:(0): vendor ID is DPD
Jan 22 08:18:50.732: ISAKMP:(0): processing vendor id payload
Jan 22 08:18:50.732: ISAKMP:(0): vendor ID seems Unity/DPD but major 123  mismatch
Jan 22 08:18:50.732: ISAKMP:(0): vendor ID is NAT-T v2
Jan 22 08:18:50.732: ISAKMP:(0): processing vendor id payload
Jan 22 08:18:50.732: ISAKMP:(0): processing IKE frag vendor id payload
Jan 22 08:18:50.732: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jan 22 08:18:50.732: ISAKMP:(0): processing vendor id payload
Jan 22 08:18:50.732: ISAKMP:(0): vendor ID is Unity
Jan 22 08:18:50.732: ISAKMP:(0):No pre-shared key with 10.1.1.133!
Jan 22 08:18:50.732: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for  remote peer at 10.1.1.133 is missing
Jan 22 08:18:50.732: ISAKMP:(0): Authentication by xauth preshared
Jan 22 08:18:50.732: ISAKMP:(0):Checking ISAKMP transform 1 against  priority 1 policy
Jan 22 08:18:50.732: ISAKMP:      encryption AES-CBC
Jan 22 08:18:50.732: ISAKMP:      hash SHA
Jan 22 08:18:50.732: ISAKMP:      default group 5
Jan 22 08:18:50.732: ISAKMP:      auth XAUTHInitRSA
Jan 22 08:18:50.732: ISAKMP:      life type in seconds
Jan 22 08:18:50.732: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 22 08:18:50.732: ISAKMP:      keylength of 256
Jan 22 08:18:50.732: ISAKMP:(0):Encryption algorithm offered does not  match policy!
Jan 22 08:18:50.732: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 22 08:18:50.732: ISAKMP:(0):Checking ISAKMP transform 2 against  priority 1 policy
Jan 22 08:18:50.732: ISAKMP:      encryption AES-CBC
Jan 22 08:18:50.732: ISAKMP:      hash MD5
Jan 22 08:18:50.732: ISAKMP:      default group 5
Jan 22 08:18:50.732: ISAKMP:      auth XAUTHInitRSA
Jan 22 08:18:50.732: ISAKMP:      life type in seconds
Jan 22 08:18:50.732: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 22 08:18:50.732: ISAKMP:      keylength of 256

etc. irrelevant raws was droped

Jan 22 08:18:50.752: ISAKMP:(0):Checking ISAKMP transform 19 against  priority 3 policy
Jan 22 08:18:50.752: ISAKMP:      encryption 3DES-CBC
Jan 22 08:18:50.752: ISAKMP:      hash SHA
Jan 22 08:18:50.752: ISAKMP:      default group 5
Jan 22 08:18:50.752: ISAKMP:      auth RSA sig
Jan 22 08:18:50.752: ISAKMP:      life type in seconds
Jan 22 08:18:50.752: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 22 08:18:50.752: ISAKMP:(0):Diffie-Hellman group offered does not  match policy!
Jan 22 08:18:50.752: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 22 08:18:50.752: ISAKMP:(0):Checking ISAKMP transform 20 against  priority 3 policy
Jan 22 08:18:50.752: ISAKMP:      encryption 3DES-CBC
Jan 22 08:18:50.752: ISAKMP:      hash MD5
Jan 22 08:18:50.752: ISAKMP:      default group 5
Jan 22 08:18:50.752: ISAKMP:      auth RSA sig
Jan 22 08:18:50.752: ISAKMP:      life type in seconds
Jan 22 08:18:50.752: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 22 08:18:50.752: ISAKMP:(0):Hash algorithm offered does not match  policy!
Jan 22 08:18:50.752: ISAKMP:(0):atts are not acceptable. Next payload is 3
Jan 22 08:18:50.752: ISAKMP:(0):Checking ISAKMP transform 21 against  priority 3 policy
Jan 22 08:18:50.752: ISAKMP:      encryption 3DES-CBC
Jan 22 08:18:50.752: ISAKMP:      hash SHA
Jan 22 08:18:50.752: ISAKMP:      default group 2
Jan 22 08:18:50.752: ISAKMP:      auth XAUTHInitRSA
Jan 22 08:18:50.752: ISAKMP:      life type in seconds
Jan 22 08:18:50.752: ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
Jan 22 08:18:50.752: ISAKMP:(0):atts are acceptable. Next payload is 3
Jan 22 08:18:50.756: ISAKMP:(0):Acceptable atts:actual life: 86400
Jan 22 08:18:50.756: ISAKMP:(0):Acceptable atts:life: 0
Jan 22 08:18:50.756: ISAKMP:(0):Fill atts in sa vpi_length:4
Jan 22 08:18:50.756: ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
Jan 22 08:18:50.756: CRYPTO_PKI: Identity not specified for session 10001
Jan 22 08:18:50.756: ISAKMP:(0):Returning Actual lifetime: 86400
Jan 22 08:18:50.756: ISAKMP:(0)::Started lifetime timer: 86400.

Jan 22 08:18:50.780: ISAKMP:(0): vendor ID is NAT-T v2
Jan 22 08:18:50.780: ISAKMP:(0):Input = IKE_MESG_INTERNAL,  IKE_PROCESS_MAIN_MODE
Jan 22 08:18:50.780: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1

Jan 22 08:18:50.780: ISAKMP:(0): constructed NAT-T vendor-02 ID
Jan 22 08:18:50.780: ISAKMP:(0): sending packet to 10.1.1.133 my_port  500 peer_port 500 (R) MM_SA_SETUP
Jan 22 08:18:50.780: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jan 22 08:18:50.780: ISAKMP:(0):Input = IKE_MESG_INTERNAL,  IKE_PROCESS_COMPLETE
Jan 22 08:18:51.592: ISAKMP (1001): No NAT Found for self or peer
Jan 22 08:18:51.592: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,  IKE_PROCESS_MAIN_MODE
Jan 22 08:18:51.592: ISAKMP:(1001):Old State = IKE_R_MM3  New State =  IKE_R_MM3

Jan 22 08:18:51.592: ISAKMP (1001): constructing CERT_REQ for issuer  cn=firm-cu,dc=firm,dc=local
Jan 22 08:18:51.596: ISAKMP:(1001): sending packet to 10.1.1.133 my_port  500 peer_port 500 (R) MM_KEY_EXCH
Jan 22 08:18:51.596: ISAKMP:(1001):Sending an IKE IPv4 Packet.
Jan 22 08:18:51.596: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,  IKE_PROCESS_COMPLETE
Jan 22 08:18:51.596: ISAKMP:(1001):Old State = IKE_R_MM3  New State =  IKE_R_MM4

Jan 22 08:19:00.504: ISAKMP (1001): received packet from 10.1.1.133  dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 22 08:19:00.508: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jan 22 08:19:00.508: ISAKMP:(1001):Old State = IKE_R_MM4  New State =  IKE_R_MM5

Jan 22 08:19:00.508: ISAKMP:(1001): processing ID payload. message ID = 0
Jan 22 08:19:00.508: ISAKMP (1001): ID payload
       next-payload : 6
       type         : 9
       Dist. name   : e=jarda@firm.com,cn=cisco-vpn1,ou=it,o=Firm Ltd.,l=Town,st=Discrict,c=State
       protocol     : 17
       port         : 500
       length       : 166
Jan 22 08:19:00.508: ISAKMP:(0):: UNITY's identity group: OU = it
Jan 22 08:19:00.508: ISAKMP:(0):: peer matches *none* of the profiles
Jan 22 08:19:00.508: ISAKMP:(1001): processing CERT payload. message ID = 0
Jan 22 08:19:00.508: ISAKMP:(1001): processing a CT_X509_SIGNATURE cert
Jan 22 08:19:00.512: CRYPTO_PKI: Added x509 peer certificate - (1447) bytes
Jan 22 08:19:00.512: ISAKMP:(1001): peer's pubkey isn't cached
Jan 22 08:19:00.512: CRYPTO_PKI: validation path has 1 certs

Jan 22 08:19:00.512: CRYPTO_PKI: Found a issuer match
Jan 22 08:19:00.512: CRYPTO_PKI: Using firm-cu to validate certificate
Jan 22 08:19:00.524: CRYPTO_PKI: Certificate validated without  revocation check
Jan 22 08:19:00.524: CRYPTO_PKI: chain cert was anchored to trustpoint  firm-cu, and chain validation result was: CRYPTO_VALID_CERT_WITH_WARNING
Jan 22 08:19:00.524: CRYPTO_PKI: Validation TP is firm-cu
Jan 22 08:19:00.528: ISAKMP:(1001): OU = it
Jan 22 08:19:00.528: ISAKMP:(0):: UNITY's identity group: OU = it
Jan 22 08:19:00.528: ISAKMP:(0):: peer matches *none* of the profiles
Jan 22 08:19:00.528: ISAKMP:(1001): processing CERT_REQ payload. message  ID = 0
Jan 22 08:19:00.528: ISAKMP:(1001): peer wants a CT_X509_SIGNATURE cert
Jan 22 08:19:00.528: ISAKMP:(1001): issuer not specified in cert request
Jan 22 08:19:00.528: ISAKMP:(1001): No issuer name in cert request.
Jan 22 08:19:00.528: ISAKMP:(1001): processing SIG payload. message ID = 0
Jan 22 08:19:00.532: ISAKMP:(1001): processing NOTIFY INITIAL_CONTACT  protocol 1
       spi 0, message ID = 0, sa = 0x47093EF0
Jan 22 08:19:00.532: ISAKMP:(1001):SA authentication status:
       authenticated
Jan 22 08:19:00.532: ISAKMP:(1001):SA has been authenticated with 10.1.1.133
Jan 22 08:19:00.532: ISAKMP:(1001):SA authentication status:
       authenticated
Jan 22 08:19:00.532: ISAKMP:(1001): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.1.220 remote  10.1.1.133 remote port 500
Jan 22 08:19:00.532: ISAKMP:(1001):returning IP addr to the address pool
Jan 22 08:19:00.536: ISAKMP: Trying to insert a peer  10.1.1.220/10.1.1.133/500/,  and inserted successfully 47106BCC.
Jan 22 08:19:00.536: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,  IKE_PROCESS_MAIN_MODE
Jan 22 08:19:00.536: ISAKMP:(1001):Old State = IKE_R_MM5  New State =  IKE_R_MM5

Jan 22 08:19:00.536: IPSEC(key_engine): got a queue event with 1 KMI  message(s)
Jan 22 08:19:00.536: ISAKMP:(1001):Unable to get router cert or  routerdoes not have a cert: needed to find DN!
Jan 22 08:19:00.536: ISAKMP:(1001):SA is doing RSA signature  authentication plus XAUTH using id type ID_FQDN
Jan 22 08:19:00.536: ISAKMP (1001): ID payload
       next-payload : 6
       type         : 2
       FQDN name    : cisco-ca.firm.com
       protocol     : 17
       port         : 500
       length       : 25
Jan 22 08:19:00.536: ISAKMP:(1001):Total payload length: 25
Jan 22 08:19:00.536: ISAKMP (1001): no cert chain to send to peer
Jan 22 08:19:00.536: ISAKMP (1001): peer did not specify issuer and no  suitable profile found
Jan 22 08:19:00.536: ISAKMP (1001): FSM action returned error: 2
Jan 22 08:19:00.536: ISAKMP:(1001):Input = IKE_MESG_INTERNAL,  IKE_PROCESS_COMPLETE
Jan 22 08:19:00.536: ISAKMP:(1001):Old State = IKE_R_MM5  New State =  IKE_P1_COMPLETE

Jan 22 08:19:05.652: ISAKMP (1001): received packet from 10.1.1.133  dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 22 08:19:05.652: ISAKMP:(1001): phase 1 packet is a duplicate of a  previous packet.
Jan 22 08:19:05.652: ISAKMP:(1001): retransmitting due to retransmit phase 1
Jan 22 08:19:05.652: ISAKMP:(1001): no outgoing phase 1 packet to  retransmit. MM_KEY_EXCH
Jan 22 08:19:10.652: ISAKMP (1001): received packet from 10.1.1.133  dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 22 08:19:10.652: ISAKMP:(1001): phase 1 packet is a duplicate of a  previous packet.
Jan 22 08:19:10.652: ISAKMP:(1001): retransmitting due to retransmit phase 1
Jan 22 08:19:10.652: ISAKMP:(1001): no outgoing phase 1 packet to  retransmit. MM_KEY_EXCH
Jan 22 08:19:15.652: ISAKMP (1001): received packet from 10.1.1.133  dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 22 08:19:15.652: ISAKMP:(1001): phase 1 packet is a duplicate of a  previous packet.
Jan 22 08:19:15.652: ISAKMP:(1001): retransmitting due to retransmit phase 1
Jan 22 08:19:15.652: ISAKMP:(1001): no outgoing phase 1 packet to  retransmit. MM_KEY_EXCH
Jan 22 08:19:20.677: ISAKMP (1001): received packet from 10.1.1.133  dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 22 08:19:20.677: ISAKMP: set new node 328239023 to CONF_XAUTH
Jan 22 08:19:20.677: ISAKMP (1001): received packet from 10.1.1.133  dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 22 08:19:20.677: ISAKMP (1001): received packet from 10.1.1.133  dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 22 08:19:20.677: ISAKMP (1001): received packet from 10.1.1.133  dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 22 08:19:20.677: ISAKMP (1001): received packet from 10.1.1.133  dport 500 sport 500 Global (R) MM_KEY_EXCH
Jan 22 08:19:20.677: ISAKMP: Info Notify message requeue retry counter  exceeded sa request from 10.1.1.133 to 10.1.1.220.

Thank you very much for your time and cooperation.
Enjoy your weekend as well.
P.Sonenberk

Based on debug output, I think the problem shoult be here:

Jan 22 08:19:00.528: ISAKMP:(1001): peer wants a CT_X509_SIGNATURE cert
Jan 22 08:19:00.528: ISAKMP:(1001): issuer not specified in cert request
Jan 22 08:19:00.528: ISAKMP:(1001): No issuer name in cert request.

When client sends Cert request, it don't tell the issuer.

Are you using Cisco VPN client, if yes, please check log to see if you could find any error such as "not find root cert".

Good morning,
thank you for your advice.

I've used VPN Cisco client ver.4.6.02.0011 and WXP PC.

Yes, this raws of the log are suspicious, it's the truth:

Jan 22 08:19:00.528: ISAKMP:(1001): issuer not specified in cert request
Jan 22 08:19:00.528: ISAKMP:(1001): No issuer name in cert request.

But this ISAKM step ended with this messages:

Jan 22 08:19:00.532: ISAKMP:(1001):SA authentication status:
       authenticated
Jan 22 08:19:00.532: ISAKMP:(1001):SA has been authenticated with 10.1.1.133
Jan 22 08:19:00.532: ISAKMP:(1001):SA authentication status:
       authenticated

and I can see in Cisco router:

cisco-ca#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.220      10.1.1.133      MM_KEY_EXCH       1002 ACTIVE

IPv6 Crypto ISAKMP SA

It's suspicious too.
Bye the way here is VPN Cisco client log:

Cisco Systems VPN Client Version 4.6.02.0011
Copyright (C) 1998-2004 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3

137    11:38:18.016  01/25/10  Sev=Info/4    CERT/0x63600013
Cert (e=jarda@firm.com,cn=cisco-vpn1,ou=it,o=Firm\ Ltd.,l=Town,st=Discrit,c=State verification succeeded.
      
138    11:38:18.016  01/25/10  Sev=Info/4    CM/0x63100002
Begin connection process

139    11:38:18.031  01/25/10  Sev=Info/4    CM/0x63100004
Establish secure connection using Ethernet

140    11:38:18.031  01/25/10  Sev=Info/4    CM/0x63100024
Attempt connection with server "10.1.1.220"

141    11:38:19.031  01/25/10  Sev=Info/6    IKE/0x6300003B
Attempting to establish a connection with 10.1.1.220.

142    11:38:19.203  01/25/10  Sev=Info/4    CERT/0x63600013
Cert (e=jarda@firm.com,cn=cisco-vpn1,ou=it,o=Firm\ Ltd.,l=Town,st=Discrit,c=State verification succeeded.

143    11:38:19.203  01/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Nat-T), VID(Frag), VID(Unity)) to 10.1.1.220

144    11:38:19.234  01/25/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 10.1.1.220

145    11:38:19.234  01/25/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID(Nat-T)) from 10.1.1.220

146    11:38:19.250  01/25/10  Sev=Info/5    IKE/0x63000001
Peer supports NAT-T

147    11:38:19.250  01/25/10  Sev=Info/6    IKE/0x63000001
IOS Vendor ID Contruction successful

148    11:38:19.250  01/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to 10.1.1.220

149    11:38:20.062  01/25/10  Sev=Info/5    IKE/0x6300002F
Received ISAKMP packet: peer = 10.1.1.220

150    11:38:20.062  01/25/10  Sev=Info/4    IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity), VID(dpd), VID(?), VID(Xauth), NAT-D, NAT-D) from 10.1.1.220

151    11:38:20.062  01/25/10  Sev=Info/5    IKE/0x63000001
Peer is a Cisco-Unity compliant peer

152    11:38:20.062  01/25/10  Sev=Info/5    IKE/0x63000001
Peer supports DPD

153    11:38:20.062  01/25/10  Sev=Info/5    IKE/0x63000001
Peer supports DWR Code and DWR Text

154    11:38:20.062  01/25/10  Sev=Info/5    IKE/0x63000001
Peer supports XAUTH

155    11:38:20.453  01/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 10.1.1.220

156    11:38:25.797  01/25/10  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

157    11:38:25.797  01/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 10.1.1.220

158    11:38:30.797  01/25/10  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

159    11:38:30.797  01/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 10.1.1.220

160    11:38:35.797  01/25/10  Sev=Info/4    IKE/0x63000021
Retransmitting last packet!

161    11:38:35.797  01/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 10.1.1.220

162    11:38:40.797  01/25/10  Sev=Info/4    IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=F599D0232153B7CD R_Cookie=66AFDB474742802E) reason = DEL_REASON_PEER_NOT_RESPONDING

163    11:38:40.797  01/25/10  Sev=Info/4    IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 10.1.1.220

164    11:38:41.297  01/25/10  Sev=Info/4    IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=F599D0232153B7CD R_Cookie=66AFDB474742802E) reason = DEL_REASON_PEER_NOT_RESPONDING

165    11:38:41.297  01/25/10  Sev=Info/4    CM/0x63100014
Unable to establish Phase 1 SA with server "10.1.1.220" because of "DEL_REASON_PEER_NOT_RESPONDING"

166    11:38:41.312  01/25/10  Sev=Info/5    CM/0x63100025
Initializing CVPNDrv

167    11:38:41.312  01/25/10  Sev=Info/4    IKE/0x63000001
IKE received signal to terminate VPN connection

168    11:38:41.328  01/25/10  Sev=Info/4    IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully


And what about this messages of the cisco log:

Jan 22 08:19:00.536: ISAKMP:(1001):Unable to get router cert or  routerdoes not have a cert: needed to find DN!
Jan 22 08:19:00.536: ISAKMP:(1001):SA is doing RSA signature  authentication plus XAUTH using id type ID_FQDN
Jan 22 08:19:00.536: ISAKMP (1001): ID payload
       next-payload : 6
       type         : 2
       FQDN name    : cisco-ca.firm.com
       protocol     : 17
       port         : 500
       length       : 25
Jan 22 08:19:00.536: ISAKMP:(1001):Total payload length: 25
Jan 22 08:19:00.536: ISAKMP (1001): no cert chain to send to peer
Jan 22 08:19:00.536: ISAKMP (1001): peer did not specify issuer and no  suitable profile found

I am afraid and I think there is something wrong in cisco router configuration...............

Thank you very much for your time and cooperation.
Have a nice day.
P.Sonenberk

Client did send its cert and the router also validated it successfully.

The problem is that router did not send its cert to client since there is no issuer specified in client's cert request.

http://cdetsweb-prd.cisco.com/apps/goto?identifier=CSCsc08040You can try a vpn client with fix of bug CSCsc08040 to see if it make any difference.

Per my understanding, Cisco VPN cliend should specified the issuer in its cert request. But other vendor's client might not do that.

Addmittedly, from router point of view, the router should still send a cert to client by using its existing cert even if there is no issuer specified in client's cert request. (There was a bug about this behavior and it should be fixed in your IOS version 12.4(6)). So, regarding to the configuration, I believe that you can try to configure "isakmp profile" (you can specify trustpoint in profile, you might need to configure a map as well, sorry I don't remember exactly syntax ).

The third thing is a bug on router side.

CSCsu84414

this bug is not a exactly match but it might be related. It won't hurt to try a IOS version with the fix of this bug.

Good morning,
it seems to be a little complicated.........
Well, client certiface has information about "issuer" in.
Report of our client certificate is here:

Certificate data
Serial number    61 3c 42 d1 00 01 00 00 00 0f
Issued to    cisco-vpn1
Issued by    firm-cu
Valid from    01/12/2010
Valid to    01/12/2011
Intended purposes    Client Authentication
Private key Data:
Key Size    1024 bits
Container name    5b1caef5......
Modulus        b0 be 93 7c ............
Key specification    AT-KEYEXHCANGE

I don't know why there is this error messages in Cisco router logs:

Jan 22 08:19:00.528: ISAKMP:(1001): issuer not specified in cert request
Jan 22 08:19:00.528: ISAKMP:(1001): No issuer name in cert request.

I'm sorry, but this URL: http://cdetsweb-prd.cisco.com/apps/goto?identifier=CSCsc08040 is
unavailable - time out for connection ............

>>Addmittedly, from router point of view, the router should still send a cert to client by using its existing cert even if there is no issuer specified in client's cert request.

I agree with you, but there is this error messages in Cisco router logs:

Jan 22 08:19:00.536: ISAKMP:(1001):Unable to get router cert or  routerdoes not have a cert: needed to find DN!
Jan 22 08:19:00.536: ISAKMP:(1001):SA is doing RSA signature  authentication plus XAUTH using id type ID_FQDN
Jan 22 08:19:00.536: ISAKMP (1001): ID payload
       next-payload : 6
       type         : 2
       FQDN name    : cisco-ca.firm.com
       protocol     : 17
       port         : 500
       length       : 25
Jan 22 08:19:00.536: ISAKMP:(1001):Total payload length: 25
Jan 22 08:19:00.536: ISAKMP (1001): no cert chain to send to peer
Jan 22 08:19:00.536: ISAKMP (1001): peer did not specify issuer and no  suitable profile found

Reports of certificates in Cisco router are above.
---> cisco-ca#sh crypto ca certificate
---> cisco-ca#sh crypto ca trustpoints status
---> cisco-ca#sh crypto key pubkey-chain rsa

Fine, isakmp configuration, there could be some mistake......
Does somebody know what mistake? Does anyone have a solution to fix this problem?

Thank you for your cooperation.
Have a nice day.
P.Sonenberk

Hey guys, It is odd that the router is not finding the cert after the IKE matches the cert and validates it, I this certainly is not right, however I would go ahead and configure certificate mapping on this router to force the client to be matched to a specific IKE group, for that matter you will need to change your config a little bit to use iskamp profiles:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gt_isakp.html

Dear Mr. Martinon,

GREAT! "Certificate to ISAKMP Profile Mapping" is solution.

I added this raws to Cisco router configuration:

!
crypto pki certificate map cert_map 10
subject-name co ou=it
!

and raws

!
crypto isakmp profile certpro
  ca trust-point firm-cu
  match certificate cert_map
!

And now is authentication between Cisco VPN client and Cisco 2821 all right.
Cisco VPN client is working well.
(Note: Cisco VPN client has its certificate in eToken PRO Aladdin.)

It's a pity and a little confusing that Cisco configuration examples hasn't notice
about this problem ................

Well, there are still some strange messages in logs, but it's for some
"Cisco guru". For example:

*Feb  2 09:55:19.388: ISAKMP (1002): processing a CT_PKCS7_WRAPPED_X509 cert
*Feb  2 09:55:19.388: ../cert-c/source/certobj.c(853) : E_INPUT_DATA : invalid encoding format for input data
*Feb  2 09:55:19.388: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): BER/DER decoding of certificate has failed

*Feb  2 09:55:19.452: ISAKMP:(1002): peer wants a CT_X509_SIGNATURE cert
*Feb  2 09:55:19.452: ISAKMP:(1002): issuer not specified in cert request
*Feb  2 09:55:19.452: ISAKMP:(1002): No issuer name in cert request.
*Feb  2 09:55:19.452: CRYPTO_PKI: Trust-Point firm-cu picked up
etc.

For hardworking readers the main part of the Cisco router logs are below.

Mr. Martinon, thank you for you help and your time.
Thank you for your cooperation.
Have a nice day.
P.Sonenberk

--------------------------------------

*Feb  2 09:55:18.620: ISAKMP (1002): constructing CERT_REQ for issuer cn=firm-cu,dc=firm,dc=local
*Feb  2 09:55:18.620: ISAKMP:(1002): sending packet to 10.1.1.133 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Feb  2 09:55:18.620: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  2 09:55:18.620: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  2 09:55:18.620: ISAKMP:(1002):Old State = IKE_R_MM3  New State = IKE_R_MM4

*Feb  2 09:55:19.380: ISAKMP (1002): received packet from 10.1.1.133 dport 500 sport 500 Global (R) MM_KEY_EXCH
*Feb  2 09:55:19.384: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Feb  2 09:55:19.384: ISAKMP:(1002):Old State = IKE_R_MM4  New State = IKE_R_MM5

*Feb  2 09:55:19.384: ISAKMP:(1002): processing ID payload. message ID = 0
*Feb  2 09:55:19.384: ISAKMP (1002): ID payload
        next-payload : 6
        type         : 9
        Dist. name   : e=jarda@firm.com,cn=cisco-vpn1,ou=it,o=Firm Ltd.,l=Town,st=Discrict,c=State
        protocol     : 17
        port         : 500
        length       : 166
*Feb  2 09:55:19.384: ISAKMP:(0):: UNITY's identity group: OU = it
*Feb  2 09:55:19.384: ISAKMP:(0):: peer matches *none* of the profiles
*Feb  2 09:55:19.384: ISAKMP:(1002): processing CERT payload. message ID = 0
*Feb  2 09:55:19.388: ISAKMP (1002): processing a CT_PKCS7_WRAPPED_X509 cert
*Feb  2 09:55:19.388: ../cert-c/source/certobj.c(853) : E_INPUT_DATA : invalid encoding format for input data
*Feb  2 09:55:19.388: CRYPTO_PKI: status = 0x705(E_INPUT_DATA : invalid encoding format for input data): BER/DER decoding of certificate has failed
*Feb  2 09:55:19.396: CRYPTO_PKI: Added x509 peer certificate - (1165) bytes
*Feb  2 09:55:19.400: CRYPTO_PKI: Added x509 peer certificate - (1447) bytes
*Feb  2 09:55:19.404: ISAKMP:(1002): peer's pubkey is cached
*Feb  2 09:55:19.404: CRYPTO_PKI: validation path has 1 certs

*Feb  2 09:55:19.404: CRYPTO_PKI: Found a issuer match
*Feb  2 09:55:19.404: CRYPTO_PKI: Using firm-cu to validate certificate
*Feb  2 09:55:19.416: CRYPTO_PKI: Certificate validated without revocation check
*Feb  2 09:55:19.416: CRYPTO_PKI: chain cert was anchored to trustpoint firm-cu, and chain validation result was: CRYPTO_VALID_CERT_WITH_WARNING
*Feb  2 09:55:19.416: CRYPTO_PKI: Validation TP is firm-cu
*Feb  2 09:55:19.448: ISAKMP:(1002): OU = it
*Feb  2 09:55:19.452: ISAKMP:(0): certificate map matches certpro profile
*Feb  2 09:55:19.452: ISAKMP:(0): Trying to re-validate CERT using new profile
*Feb  2 09:55:19.452: ISAKMP:(0): Creating CERT validation list: firm-cu,
*Feb  2 09:55:19.452: ISAKMP:(0): CERT validity confirmed.
*Feb  2 09:55:19.452: ISAKMP:(1002):Profile has no keyring, aborting key search
*Feb  2 09:55:19.452: ISAKMP:(1002): processing CERT_REQ payload. message ID = 0
*Feb  2 09:55:19.452: ISAKMP:(1002): peer wants a CT_X509_SIGNATURE cert
*Feb  2 09:55:19.452: ISAKMP:(1002): issuer not specified in cert request
*Feb  2 09:55:19.452: ISAKMP:(1002): No issuer name in cert request.
*Feb  2 09:55:19.452: CRYPTO_PKI: Trust-Point firm-cu picked up
*Feb  2 09:55:19.452: CRYPTO_PKI: 1 matching trustpoints found
*Feb  2 09:55:19.452: ISAKMP: Examining profile list for trustpoint firm-cu
*Feb  2 09:55:19.452: ISAKMP: Found matching profile for firm-cu
*Feb  2 09:55:19.452: CRYPTO_PKI: Identity selected (firm-cu) for session 20004
*Feb  2 09:55:19.452:  Choosing trustpoint firm-cu as issuer
*Feb  2 09:55:19.452: CRYPTO_PKI: unlocked trustpoint firm-cu, refcount is 0
*Feb  2 09:55:19.452: CRYPTO_PKI: locked trustpoint firm-cu, refcount is 1
*Feb  2 09:55:19.452: CRYPTO_PKI: Identity bound (firm-cu) for session 10003
*Feb  2 09:55:19.452: ISAKMP (1002): sending peer cert issued by cn=firm-cu,dc=firm,dc=local
*Feb  2 09:55:19.452: ISAKMP:(1002): processing SIG payload. message ID = 0
*Feb  2 09:55:19.456: ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = 0, sa = 0x458A0FAC
*Feb  2 09:55:19.456: ISAKMP:(1002):SA authentication status:
        authenticated
*Feb  2 09:55:19.456: ISAKMP:(1002):SA has been authenticated with 10.1.1.133
*Feb  2 09:55:19.456: ISAKMP:(1002):SA authentication status:
        authenticated
*Feb  2 09:55:19.456: ISAKMP:(1002): Process initial contact,
bring down existing phase 1 and 2 SA's with local 10.1.1.220 remote 10.1.1.133 remote port 500
*Feb  2 09:55:19.456: ISAKMP:(1002):returning IP addr to the address pool
*Feb  2 09:55:19.460: ISAKMP: Trying to insert a peer 10.1.1.220/10.1.1.133/500/,  and inserted successfully 470A2A70.
*Feb  2 09:55:19.460: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Feb  2 09:55:19.460: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_R_MM5

*Feb  2 09:55:19.476: ISAKMP:(1002):SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
*Feb  2 09:55:19.476: ISAKMP (1002): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : cisco-ca.firm.com
        protocol     : 17
        port         : 500
        length       : 25
*Feb  2 09:55:19.476: ISAKMP:(1002):Total payload length: 25
*Feb  2 09:55:19.492: ISAKMP (1002): constructing CERT payload for hostname=cisco-ca.firm.com
*Feb  2 09:55:19.492: ISKAMP: growing send buffer from 1024 to 3072
*Feb  2 09:55:19.492: ISAKMP:(1002): using the firm-cu trustpoint's keypair to sign
*Feb  2 09:55:19.520: ISAKMP:(1002): sending packet to 10.1.1.133 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Feb  2 09:55:19.520: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  2 09:55:19.520: ISAKMP:(1002):Returning Actual lifetime: 86400
*Feb  2 09:55:19.520: ISAKMP: set new node 586373909 to CONF_XAUTH
*Feb  2 09:55:19.524: ISAKMP:(1002):Sending NOTIFY RESPONDER_LIFETIME protocol 1
        spi 1188832080, message ID = 586373909
*Feb  2 09:55:19.524: ISAKMP:(1002): sending packet to 10.1.1.133 my_port 500 peer_port 500 (R) MM_KEY_EXCH
*Feb  2 09:55:19.524: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  2 09:55:19.524: ISAKMP:(1002):purging node 586373909
*Feb  2 09:55:19.524: ISAKMP: Sending phase 1 responder lifetime 86400

*Feb  2 09:55:19.524: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Feb  2 09:55:19.524: ISAKMP:(1002):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

*Feb  2 09:55:19.524: ISAKMP:(1002):Need XAUTH
*Feb  2 09:55:19.524: ISAKMP: set new node 1502050166 to CONF_XAUTH
*Feb  2 09:55:19.524: ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
*Feb  2 09:55:19.524: ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
*Feb  2 09:55:19.524: ISAKMP:(1002): initiating peer config to 10.1.1.133. ID = 1502050166
*Feb  2 09:55:19.524: ISAKMP:(1002): sending packet to 10.1.1.133 my_port 500 peer_port 500 (R) CONF_XAUTH
*Feb  2 09:55:19.524: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  2 09:55:19.524: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb  2 09:55:19.524: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

*Feb  2 09:55:24.524: ISAKMP:(1002): retransmitting phase 2 CONF_XAUTH    1502050166 ...
*Feb  2 09:55:24.524: ISAKMP (1002): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Feb  2 09:55:24.524: ISAKMP (1002): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Feb  2 09:55:24.524: ISAKMP:(1002): retransmitting phase 2 1502050166 CONF_XAUTH
*Feb  2 09:55:24.524: ISAKMP:(1002): sending packet to 10.1.1.133 my_port 500 peer_port 500 (R) CONF_XAUTH
*Feb  2 09:55:24.524: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  2 09:55:35.540: ISAKMP (1002): received packet from 10.1.1.133 dport 500 sport 500 Global (R) CONF_XAUTH
*Feb  2 09:55:35.540: ISAKMP:(1002):processing transaction payload from 10.1.1.133. message ID = 1502050166
*Feb  2 09:55:35.540: ISAKMP: Config payload REPLY
*Feb  2 09:55:35.540: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
*Feb  2 09:55:35.540: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
*Feb  2 09:55:35.540: ISAKMP:(1002):deleting node 1502050166 error FALSE reason "Done with xauth request/reply exchange"
*Feb  2 09:55:35.540: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
*Feb  2 09:55:35.540: ISAKMP:(1002):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

*Feb  2 09:55:35.540: ISAKMP: set new node 924775980 to CONF_XAUTH
*Feb  2 09:55:35.540: ISAKMP:(1002): initiating peer config to 10.1.1.133. ID = 924775980
*Feb  2 09:55:35.540: ISAKMP:(1002): sending packet to 10.1.1.133 my_port 500 peer_port 500 (R) CONF_XAUTH
*Feb  2 09:55:35.540: ISAKMP:(1002):Sending an IKE IPv4 Packet.
*Feb  2 09:55:35.544: ISAKMP:(1002):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
*Feb  2 09:55:35.544: ISAKMP:(1002):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT

*Feb  2 09:55:35.544: ISAKMP (1002): received packet from 10.1.1.133 dport 500 sport 500 Global (R) CONF_XAUTH
*Feb  2 09:55:35.544: ISAKMP:(1002):processing transaction payload from 10.1.1.133. message ID = 924775980
*Feb  2 09:55:35.544: ISAKMP: Config payload ACK
*Feb  2 09:55:35.544: ISAKMP:(1002):       (blank) XAUTH ACK Processed
*Feb  2 09:55:35.544: ISAKMP:(1002):deleting node 924775980 error FALSE reason "Transaction mode done"
*Feb  2 09:55:35.544: ISAKMP:(1002):Talking to a Unity Client
*Feb  2 09:55:35.544: ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
*Feb  2 09:55:35.544: ISAKMP:(1002):Old State = IKE_XAUTH_SET_SENT  New State = IKE_P1_COMPLETE

*Feb  2 09:55:35.548: CRYPTO_PKI: unlocked trustpoint firm-cu, refcount is 0
*Feb  2 09:55:35.548: ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Feb  2 09:55:35.548: ISAKMP:(1002):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Feb  2 09:55:35.564: ISAKMP (1002): received packet from 10.1.1.133 dport 500 sport 500 Global (R) QM_IDLE
*Feb  2 09:55:35.564: ISAKMP: set new node 269007336 to QM_IDLE
*Feb  2 09:55:35.564: ISAKMP:(1002):processing transaction payload from 10.1.1.133. message ID = 269007336
*Feb  2 09:55:35.564: ISAKMP: Config payload REQUEST
*Feb  2 09:55:35.564: ISAKMP:(1002):checking request:
*Feb  2 09:55:35.564: ISAKMP:    IP4_ADDRESS
*Feb  2 09:55:35.564: ISAKMP:    IP4_NETMASK
*Feb  2 09:55:35.564: ISAKMP:    IP4_DNS
*Feb  2 09:55:35.564: ISAKMP:    IP4_NBNS

etc.

Hi Peter,

I am glad this worked for you, does this mean that your client connects fine already? Logs show something else..

Hi Ivan,

>Logs show something else..
What do you mean?

Cisco VPN client got IP address form Cisco router and connection was
opened. I can see IP address (192.168.200.1) from Cisco in WXP (PC with VPN client) route table
and I can do login to Cisco router as its user. Cisco VPN client displays "a shut lock".
By the way there is log from Cisco VPN client (main part) below.
Cisco has IP address 10.1.1.220, client has IP address 10.1.1.133.

Important raws are:

26     10:55:38.312  02/02/10  Sev=Info/4       CERT/0x63600013
Cert (1.2.840.113549.1.9.2=#1311636973636f2d63612e6d6f706f732e637a) verification succeeded.

77     10:56:02.750  02/02/10  Sev=Info/4       CM/0x6310001A
One secure connection established

Thank you very much for your cooperation.
Have a nice day.
P.Sonenberk

--------------------------------------

12     10:55:25.000  02/02/10  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D, VID(?), VID(Unity)) to 10.1.1.220
13     10:55:25.828  02/02/10  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 10.1.1.220
14     10:55:25.828  02/02/10  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Unity), VID(dpd), VID(?), VID(Xauth), NAT-D, NAT-D) from 10.1.1.220
15     10:55:25.828  02/02/10  Sev=Info/5       IKE/0x63000001
Peer is a Cisco-Unity compliant peer
16     10:55:25.828  02/02/10  Sev=Info/5       IKE/0x63000001
Peer supports DPD
17     10:55:25.828  02/02/10  Sev=Info/5       IKE/0x63000001
Peer supports DWR Code and DWR Text
18     10:55:25.828  02/02/10  Sev=Info/5       IKE/0x63000001
Peer supports XAUTH
19     10:55:38.000  02/02/10  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 10.1.1.220
20     10:55:38.000  02/02/10  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 10.1.1.220
21     10:55:38.000  02/02/10  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (Retransmission) from 10.1.1.220
22     10:55:38.000  02/02/10  Sev=Info/4       IKE/0x63000021
Retransmitting last packet!
23     10:55:38.000  02/02/10  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 10.1.1.220
24     10:55:38.187  02/02/10  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 10.1.1.220
25     10:55:38.187  02/02/10  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 10.1.1.220
26     10:55:38.312  02/02/10  Sev=Info/4       CERT/0x63600013
Cert (1.2.840.113549.1.9.2=#1311636973636f2d63612e6d6f706f732e637a) verification succeeded.
27     10:55:38.312  02/02/10  Sev=Info/4       IKE/0x63000083
IKE Port in use - Local Port =  0x01F4, Remote Port = 0x01F4
28     10:55:38.312  02/02/10  Sev=Info/5       IKE/0x63000072
Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end is NOT behind a NAT device
29     10:55:38.312  02/02/10  Sev=Info/4       CM/0x6310000E
Established Phase 1 SA.  1 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system
30     10:55:38.312  02/02/10  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 10.1.1.220

etc.

52     10:55:56.921  02/02/10  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 10.1.1.220
53     10:55:56.921  02/02/10  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK TRANS *(HASH, ATTR) from 10.1.1.220
54     10:55:56.921  02/02/10  Sev=Info/5       IKE/0x63000010
MODE_CFG_REPLY: Attribute = INTERNAL_IPV4_ADDRESS: , value = 192.168.200.1
55     10:55:56.921  02/02/10  Sev=Info/5       IKE/0xA3000017
MODE_CFG_REPLY: The received (INTERNAL_ADDRESS_EXPIRY) attribute and value (-1062680575) is not supported
56     10:55:56.921  02/02/10  Sev=Info/5       IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SAVEPWD: , value = 0x00000000
57     10:55:56.921  02/02/10  Sev=Info/5       IKE/0x6300000E
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_DEFDOMAIN: , value = firm.com
58     10:55:56.921  02/02/10  Sev=Info/5       IKE/0x6300000D
MODE_CFG_REPLY: Attribute = MODECFG_UNITY_SPLIT_INCLUDE (# of split_nets), value = 0x00000001
59     10:55:56.921  02/02/10  Sev=Info/5       IKE/0x6300000F
SPLIT_NET #1
        subnet = 192.168.201.0
        mask = 255.255.255.0
        protocol = 0
        src port = 0
        dest port=0

etc.

63     10:55:56.937  02/02/10  Sev=Info/4       IKE/0x63000056
Received a key request from Driver: Local IP = 192.168.200.1, GW IP = 10.1.1.220, Remote IP = 0.0.0.0
64     10:55:56.937  02/02/10  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(HASH, SA, NON, ID, ID) to 10.1.1.220
65     10:55:56.953  02/02/10  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 10.1.1.220

etc.

73     10:56:02.562  02/02/10  Sev=Info/4       CM/0x63100034
The Virtual Adapter was enabled:
        IP=192.168.200.1/255.255.255.0
        DNS=0.0.0.0,0.0.0.0
        WINS=0.0.0.0,0.0.0.0
        Domain=firm.com
        Split DNS Names=
74     10:56:02.562  02/02/10  Sev=Warning/2    CVPND/0xE3400013
AddRoute failed to add a route: code 87
        Destination     127.0.0.1
        Netmask 255.255.255.255
        Gateway 10.1.1.1
        Interface       10.1.1.133
75     10:56:02.562  02/02/10  Sev=Warning/3    CM/0xA3100023
Failed to add route to the dhcp server.
76     10:56:02.562  02/02/10  Sev=Info/6       CM/0x63100036
The routing table was updated for the Virtual Adapter
77     10:56:02.750  02/02/10  Sev=Info/4       CM/0x6310001A
One secure connection established
78     10:56:03.000  02/02/10  Sev=Info/4       CM/0x63100038
Address watch added for 10.1.1.133.  Current hostname: Jarda-servis, Current address(es): 192.168.200.1, 10.1.1.133.
79     10:56:03.000  02/02/10  Sev=Info/4       CM/0x63100038
Address watch added for 192.168.200.1.  Current hostname: Jarda-servis, Current address(es): 192.168.200.1, 10.1.1.133.

Oh, OK, great to hear, I was concerned by the following message:

*Feb  2 09:55:35.540: ISAKMP:(1002):deleting node 1502050166 error FALSE reason "Done with xauth request/reply exchange"

But if it is all good then glad it works now.

Please rate useful posts

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: