08-25-2010 07:47 AM
So I have a dynamic VPN working between my 5510 (static) and my 5505 (dynamic).
At the moment it is on PSK, the 5505 uses aggressive mode and all is working well.
I want to disable aggressive mode, so I have set up a Windows CA and issued certificates to the two firewalls.
I have uploaded the root CA to both firewalls and the certs on each firewall are under the same trustpoint.
How do I migrate now?
I have set up IKE policies for rsa-sig authentication.
Under IKE authentication I have set ASDM_trustpoint0
And on the 5505 spoke I have set "Static Crypto Map Entry parameters" > "CA Certificate" to ASDM_trustpoint0.
As soon as I disable aggressive mode I get the following entries on the 5505.
4 | Aug 25 2010 | 15:43:43 | IP = 62.XXX.222.42, Information Exchange processing failed |
5 | Aug 25 2010 | 15:43:51 | IP = 62.XXX.222.42, Received an un-encrypted INVALID_COOKIE notify message, dropping |
Is there any way that I can confirm that each firewall likes the other's certificate?
08-25-2010 08:04 AM
Hi,
You can enable the following debug in the CLI:
debug cry ca 128
debug cry ca transactions 128
Make sure logging is enabled on the firewall
logging enable
logging buffered debugging
Clear the logging buffer, "clear logging buffer", then try to bring up the tunnel.
Additionally, can you post the output of the following commands:
sh run crypto
sh run tunnel-group
sh run cry ca trustpoint
sh cry ca cert
Thanks,
Loren
08-25-2010 08:26 AM
5505 hub
Result of the command: "sh run crypto"
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer Mad-Sat-FW
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto map outsideDynamic_map 1 match address outsideDynamic_1_cryptomap
crypto map outsideDynamic_map 1 set peer 62.xxx.222.42
crypto map outsideDynamic_map 1 set transform-set ESP-AES-256-SHA
crypto map outsideDynamic_map 1 set trustpoint ASDM_TrustPoint0
crypto map outsideDynamic_map interface outsideDynamic
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=SH3-FW
serial-number
keypair RSA-2048
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 61be060c000000000013
3082060b 308204f3 a0030201 02020a61 be060c00 00000000 13300d06 092a8648
........
28c23ff0 fb9d7a18 6468429f bf1c49
quit
certificate ca 52b35e48df7386814b52838b6827bfc5
3082036f 30820257 a0030201 02021052 b35e48df 7386814b 52838b68 27bfc530
0d06092a 864886f7 0d010105 0500304a 31153013 060a0992 268993f2 2c640119
.....
5d0855cb 6724afa5 56da4bcf 6dc788d1 9f6478
quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable outsideDynamic
crypto isakmp policy 1
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
Result of the command: "sh run tunnel-group"
tunnel-group 172.16.60.1 type ipsec-l2l
tunnel-group 172.16.60.1 ipsec-attributes
pre-shared-key *
trust-point ASDM_TrustPoint0
tunnel-group 62.173.222.42 type ipsec-l2l
tunnel-group 62.173.222.42 ipsec-attributes
pre-shared-key *
trust-point ASDM_TrustPoint0
Result of the command: "sh run cry ca trustpoint"
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=SHADE3-FW
serial-number
keypair RSA-2048
crl configure
Result of the command: "sh cry ca cert"
Certificate
Status: Available
Certificate Serial Number: 61be060c000000000013
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=T-SVR-DC1
dc=sh-net
dc=local
Subject Name:
cn=SH3-FW
CRL Distribution Points:
[1] ldap:///CN=T-SVR-DC1,CN=T-Svr-DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sh-net,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
[2] http://t-svr-dc1.sh-net.local/CertEnroll/T-SVR-DC1.crl
Validity Date:
start date: 14:37:19 GMT/BDT Aug 25 2010
end date: 14:37:19 GMT/BDT Aug 24 2012
Associated Trustpoints: ASDM_TrustPoint0
CA Certificate
Status: Available
Certificate Serial Number: 52b35e48df7386814b52838b6827bfc5
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=T-SVR-DC1
dc=shade-net
dc=local
Subject Name:
cn=T-SVR-DC1
dc=sh-net
dc=local
Validity Date:
start date: 10:10:47 GMT/BDT Aug 25 2010
end date: 10:20:46 GMT/BDT Aug 25 2015
Associated Trustpoints: ASDM_TrustPoint0
5510
Result of the command: "sh run crypto"
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SH3-FW.sh-net.local 1 match address outsidePublic_cryptomap
crypto dynamic-map SH3-FW.sh-net.local 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_1_cryptomap_1
crypto map outside_map 2 set peer SH3-FW
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto map outsidePublic_map0 1 ipsec-isakmp dynamic SH3-FW.shade-net.local
crypto map outsidePublic_map0 interface outsidePublic
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=Mad-Sat-FW
serial-number
keypair RSA-2048
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate ca 52b35e48df7386814b52838b6827bfc5
3082036f 30820257 a0030201 02021052 b35e48df 7386814b 52838b68 27bfc530
0d06092a 864886f7 0d010105 0500304a 31153013 060a0992 268993f2 2c640119
....
f5cdf398 0dca60b2 f892e7f9 fa84f8b9 80d0a449 d9124f55 dda8a1a6 38a18ff5
5d0855cb 6724afa5 56da4bcf 6dc788d1 9f6478
quit
certificate 61ba15d4000000000012
3082060d 308204f5 a0030201 02020a61 ba15d400 00000000 12300d06 092a8648
86f70d01 01050500 304a3115 3013060a 09922689 93f22c64 01191605 6c6f6361
....
5dc3a86b be775ccb 618b05b0 1d8df5d3 cebac187 8f7fb258 42a269c6 a7b369c3
4c062daa 77430a0a 3fa47809 43fd59ca da
quit
crypto isakmp enable outside
crypto isakmp enable outsidePublic
crypto isakmp policy 1
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
Result of the command: "sh run tunnel-group"
tunnel-group 172.16.61.230 type ipsec-l2l
tunnel-group 172.16.61.230 ipsec-attributes
pre-shared-key *
tunnel-group SH3-FW.shade-net.local type ipsec-l2l
tunnel-group SH3-FW.shade-net.local ipsec-attributes
pre-shared-key *
trust-point ASDM_TrustPoint0
Result of the command: "sh run cry ca trustpoint"
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=Mad-Sat-FW
serial-number
keypair RSA-2048
crl configure
Result of the command: "sh cry ca cert"
CA Certificate
Status: Available
Certificate Serial Number: 52b35e48df7386814b52838b6827bfc5
Certificate Usage: Signature
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=T-SVR-DC1
dc=sh-net
dc=local
Subject Name:
cn=T-SVR-DC1
dc=sh-net
dc=local
Validity Date:
start date: 10:10:47 GMT/BDT Aug 25 2010
end date: 10:20:46 GMT/BDT Aug 25 2015
Associated Trustpoints: ASDM_TrustPoint0
Certificate
Status: Available
Certificate Serial Number: 61ba15d4000000000012
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Issuer Name:
cn=T-SVR-DC1
dc=sh-net
dc=local
Subject Name:
cn=Mad-Sat-FW
CRL Distribution Points:
[1] ldap:///CN=T-SVR-DC1,CN=T-Svr-DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sh-net,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
[2] http://t-svr-dc1.sh-net.local/CertEnroll/T-SVR-DC1.crl
Validity Date:
start date: 14:33:01 GMT/BDT Aug 25 2010
end date: 14:33:01 GMT/BDT Aug 24 2012
Associated Trustpoints: ASDM_TrustPoint0
Also seeing
4 | Aug 25 2010 | 16:27:50 | IP = 62.xxx.222.14, Header invalid, missing SA payload! (next payload = 132) |
on the 5510 Hub
and
5 | Aug 25 2010 | 16:30:33 | IP = 62.xxx.222.42, IKE Initiator: New Phase 1, Intf inside, IKE Peer 62.xxx.222.42 local Proxy Address 192.168.3.0, remote Proxy Address 172.16.0.0, Crypto map (outsideDynamic_map) |
on the 5505 spoke
08-25-2010 08:36 AM
I think it's a certificate error; just seen the following on my hub:
3 | Aug 25 2010 | 16:35:06 | Certificate validation failed. Peer certificate key usage is invalid, serial number: 61BE060C000000000013, subject name: cn=SH-FW. |
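The hub's log line above rejects the spoke's certificate on key usage, and the CLI output earlier in the thread shows the certificates only as hex dumps under "crypto ca certificate chain", which do not reveal the KeyUsage or ExtendedKeyUsage extensions. The following is an added example, not part of the original thread or of any Cisco tool, that decodes those two extensions from a DER certificate (or from an ASA hex dump pasted straight out of the config) using only the Python standard library, and checks them against the rule in RFC 4945, the PKI profile for IKE: if KeyUsage is present it must assert digitalSignature (or nonRepudiation), and if ExtendedKeyUsage is present it must include id-kp-ipsecIKE, ikeIntermediate or anyExtendedKeyUsage. Applying the RFC 4945 rule is an assumption on my part; the ASA's exact internal check is not documented on this page. The two sample hex blocks are constructed bare Extensions sequences, not the certificates from the thread.

```python
"""Decode X.509 KeyUsage / ExtendedKeyUsage and check them for IKE rsa-sig use.
Added example (pure standard library); the acceptance rule follows RFC 4945."""

KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]
OID_KEY_USAGE, OID_EXT_KEY_USAGE = "2.5.29.15", "2.5.29.37"
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.7.3.17": "ipsecIKE", "1.3.6.1.5.5.8.2.2": "ikeIntermediate",
             "2.5.29.37.0": "anyExtendedKeyUsage"}
# EKU values RFC 4945 (section 5.1.3.12) allows for an IKE peer certificate.
IKE_EKUS = {"1.3.6.1.5.5.7.3.17", "1.3.6.1.5.5.8.2.2", "2.5.29.37.0"}

# Constructed samples (assumed, NOT the certs from the thread), in the same
# whitespace-separated hex layout the ASA prints under "certificate ... quit".
# SAMPLE_OK: KeyUsage digitalSignature+keyEncipherment, EKU serverAuth+ipsecIKE.
SAMPLE_OK = ("302f300e 0603551d 0f0101ff 04040302 05a0301d 0603551d 25041630 "
             "1406082b 06010505 07030106 082b0601 05050703 11")
# SAMPLE_NO_IKE_EKU: same KeyUsage, but EKU serverAuth+clientAuth only.
SAMPLE_NO_IKE_EKU = SAMPLE_OK[:-2] + "02"


def asa_hex_to_der(dump: str) -> bytes:
    """Join the hex words of an ASA certificate dump into DER bytes."""
    return bytes.fromhex("".join(dump.split()))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV (single-byte tags only, which is all X.509 uses)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw: bytes) -> str:
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _extensions(der: bytes):
    """Yield (oid, DER value) per extension from a Certificate or a bare Extensions SEQUENCE."""
    _, body, _ = _read_tlv(der, 0)
    kids = _children(body)
    if not kids or kids[0][0] != 0x30:
        raise ValueError("not a DER Certificate or Extensions SEQUENCE")
    if _children(kids[0][1])[0][0] != 0x06:  # first child is tbsCertificate, not an Extension
        tbs, kids = kids[0][1], []
        for tag, val in _children(tbs):
            if tag == 0xA3:                 # [3] EXPLICIT wrapper around the Extensions SEQUENCE
                kids = _children(_children(val)[0][1])
    for _, ext in kids:
        parts = _children(ext)              # OID, optional critical BOOLEAN, OCTET STRING
        yield _decode_oid(parts[0][1]), parts[-1][1]


def describe(der: bytes) -> dict:
    """Return {'key_usage': [names] | None, 'eku': [oids] | None}."""
    info = {"key_usage": None, "eku": None}
    for oid, val in _extensions(der):
        if oid == OID_KEY_USAGE:
            _, bits, _ = _read_tlv(val, 0)  # BIT STRING: first byte is the unused-bit count
            content, nbits = bits[1:], len(bits[1:]) * 8 - bits[0]
            info["key_usage"] = [name for i, name in enumerate(KEY_USAGE_BITS)
                                 if i < nbits and (content[i // 8] >> (7 - i % 8)) & 1]
        elif oid == OID_EXT_KEY_USAGE:
            _, seq, _ = _read_tlv(val, 0)   # SEQUENCE OF OBJECT IDENTIFIER
            info["eku"] = [_decode_oid(v) for _, v in _children(seq)]
    return info


def ike_rsa_sig_ok(der: bytes):
    """Apply the RFC 4945 key-usage rule; returns (ok, reason)."""
    info = describe(der)
    ku, eku = info["key_usage"], info["eku"]
    if ku is not None and not {"digitalSignature", "nonRepudiation"} & set(ku):
        return False, f"KeyUsage {ku} lacks digitalSignature"
    if eku is not None and not IKE_EKUS & set(eku):
        return False, f"ExtendedKeyUsage {[EKU_NAMES.get(o, o) for o in eku]} has no IKE purpose"
    return True, "key usage acceptable for IKE rsa-sig"


if __name__ == "__main__":
    for label, dump in (("ok", SAMPLE_OK), ("no-ike-eku", SAMPLE_NO_IKE_EKU)):
        der = asa_hex_to_der(dump)
        print(label, describe(der), ike_rsa_sig_ok(der))
```

To run it against a real peer certificate, paste the hex lines between "certificate ..." and "quit" from the ASA config into asa_hex_to_der(), or feed the raw bytes of a DER file exported from the Windows CA. A certificate issued from a template whose EKU lists only serverAuth and clientAuth fails the check the same way the second sample does, which is worth confirming before enrolling the firewalls.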
08-26-2010 02:52 AM
It was a certificate error.
I have binned all certs and used 21-day trial certs from Thawte.
VPN is now in. Give me 21 days to find certs that work.