Dynamic VPN with Certs and aggressive mode disabled

martinbuffleo
Level 1

So I have a dynamic VPN working between my 5510 (static) and my 5505 (dynamic).

At the moment it is on PSK, the 5505 uses aggressive mode and all is working well.

I want to disable aggressive mode, so I have set up a Windows CA and issued certificates to the two firewalls.

I have uploaded the root CA to both firewalls and the certs on each firewall are under the same trustpoint.

How do I migrate now?

I have set up IKE policies for rsa-sig authentication.

Under IKE authentication I have set ASDM_trustpoint0.

And on the 5505 spoke I have set "Static Crypto map entry's parameters" > "CA Certificate" to ASDM_trustpoint0.

As soon as I disable aggressive mode I get the following entries on the 5505.

4  Aug 25 2010  15:43:43  IP = 62.XXX.222.42, Information Exchange processing failed

5  Aug 25 2010  15:43:51  IP = 62.XXX.222.42, Received an un-encrypted INVALID_COOKIE notify message, dropping

Is there any way I can confirm that each firewall likes the other's certificate?

4 Replies

Loren Kolnes
Cisco Employee

Hi,

You can enable the following debugs in the CLI:

debug cry ca 128

debug cry ca transactions 128

Make sure logging is enabled on the firewall:

logging enable

logging buffered debugging

Clear the logging buffer, "clear logging buffer", then try to bring up the tunnel.

Additionally, can you post the output of the following commands:

sh run crypto

sh run tunnel-group

sh run cry ca trustpoint

sh cry ca cert

Thanks,

Loren

5505 hub

Result of the command: "sh run crypto"

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 2 match address outside_1_cryptomap
crypto map outside_map 2 set peer Mad-Sat-FW
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto map outsideDynamic_map 1 match address outsideDynamic_1_cryptomap
crypto map outsideDynamic_map 1 set peer 62.xxx.222.42
crypto map outsideDynamic_map 1 set transform-set ESP-AES-256-SHA
crypto map outsideDynamic_map 1 set trustpoint ASDM_TrustPoint0
crypto map outsideDynamic_map interface outsideDynamic
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=SH3-FW
serial-number
keypair RSA-2048
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 61be060c000000000013
    3082060b 308204f3 a0030201 02020a61 be060c00 00000000 13300d06 092a8648
    ........
      28c23ff0 fb9d7a18 6468429f bf1c49
  quit
certificate ca 52b35e48df7386814b52838b6827bfc5
    3082036f 30820257 a0030201 02021052 b35e48df 7386814b 52838b68 27bfc530
    0d06092a 864886f7 0d010105 0500304a 31153013 060a0992 268993f2 2c640119
    .....
    5d0855cb 6724afa5 56da4bcf 6dc788d1 9f6478
  quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp enable outsideDynamic
crypto isakmp policy 1
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal


Result of the command: "sh run tunnel-group"

tunnel-group 172.16.60.1 type ipsec-l2l
tunnel-group 172.16.60.1 ipsec-attributes
pre-shared-key *
trust-point ASDM_TrustPoint0
tunnel-group 62.173.222.42 type ipsec-l2l
tunnel-group 62.173.222.42 ipsec-attributes
pre-shared-key *
trust-point ASDM_TrustPoint0


Result of the command: "sh run cry ca trustpoint"

crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=SHADE3-FW
serial-number
keypair RSA-2048
crl configure


Result of the command: "sh cry ca cert"

Certificate
  Status: Available
  Certificate Serial Number: 61be060c000000000013
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=T-SVR-DC1
    dc=sh-net
    dc=local
  Subject Name:
    cn=SH3-FW
  CRL Distribution Points:
    [1]  ldap:///CN=T-SVR-DC1,CN=T-Svr-DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sh-net,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
    [2]  http://t-svr-dc1.sh-net.local/CertEnroll/T-SVR-DC1.crl
  Validity Date:
    start date: 14:37:19 GMT/BDT Aug 25 2010
    end   date: 14:37:19 GMT/BDT Aug 24 2012
  Associated Trustpoints: ASDM_TrustPoint0

CA Certificate
  Status: Available
  Certificate Serial Number: 52b35e48df7386814b52838b6827bfc5
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=T-SVR-DC1
    dc=shade-net
    dc=local
  Subject Name:
    cn=T-SVR-DC1
    dc=sh-net
    dc=local
  Validity Date:
    start date: 10:10:47 GMT/BDT Aug 25 2010
    end   date: 10:20:46 GMT/BDT Aug 25 2015
  Associated Trustpoints: ASDM_TrustPoint0

5510

Result of the command: "sh run crypto"

crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SH3-FW.sh-net.local 1 match address outsidePublic_cryptomap
crypto dynamic-map SH3-FW.sh-net.local 1 set transform-set ESP-AES-256-SHA
crypto map outside_map 2 match address outside_1_cryptomap_1
crypto map outside_map 2 set peer SH3-FW
crypto map outside_map 2 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto map outsidePublic_map0 1 ipsec-isakmp dynamic SH3-FW.shade-net.local
crypto map outsidePublic_map0 interface outsidePublic
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=Mad-Sat-FW
serial-number
keypair RSA-2048
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate ca 52b35e48df7386814b52838b6827bfc5
    3082036f 30820257 a0030201 02021052 b35e48df 7386814b 52838b68 27bfc530
    0d06092a 864886f7 0d010105 0500304a 31153013 060a0992 268993f2 2c640119
    ....
    f5cdf398 0dca60b2 f892e7f9 fa84f8b9 80d0a449 d9124f55 dda8a1a6 38a18ff5
    5d0855cb 6724afa5 56da4bcf 6dc788d1 9f6478
  quit
certificate 61ba15d4000000000012
    3082060d 308204f5 a0030201 02020a61 ba15d400 00000000 12300d06 092a8648
    86f70d01 01050500 304a3115 3013060a 09922689 93f22c64 01191605 6c6f6361
    ....
    5dc3a86b be775ccb 618b05b0 1d8df5d3 cebac187 8f7fb258 42a269c6 a7b369c3
    4c062daa 77430a0a 3fa47809 43fd59ca da
  quit
crypto isakmp enable outside
crypto isakmp enable outsidePublic
crypto isakmp policy 1
authentication rsa-sig
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal


Result of the command: "sh run tunnel-group"

tunnel-group 172.16.61.230 type ipsec-l2l
tunnel-group 172.16.61.230 ipsec-attributes
pre-shared-key *
tunnel-group SH3-FW.shade-net.local type ipsec-l2l
tunnel-group SH3-FW.shade-net.local ipsec-attributes
pre-shared-key *
trust-point ASDM_TrustPoint0


Result of the command: "sh run cry ca trustpoint"

crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=Mad-Sat-FW
serial-number
keypair RSA-2048
crl configure


Result of the command: "sh cry ca cert"

CA Certificate
  Status: Available
  Certificate Serial Number: 52b35e48df7386814b52838b6827bfc5
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=T-SVR-DC1
    dc=sh-net
    dc=local
  Subject Name:
    cn=T-SVR-DC1
    dc=sh-net
    dc=local
  Validity Date:
    start date: 10:10:47 GMT/BDT Aug 25 2010
    end   date: 10:20:46 GMT/BDT Aug 25 2015
  Associated Trustpoints: ASDM_TrustPoint0

Certificate
  Status: Available
  Certificate Serial Number: 61ba15d4000000000012
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=T-SVR-DC1
    dc=sh-net
    dc=local
  Subject Name:
    cn=Mad-Sat-FW
  CRL Distribution Points:
    [1]  ldap:///CN=T-SVR-DC1,CN=T-Svr-DC1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sh-net,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
    [2]  http://t-svr-dc1.sh-net.local/CertEnroll/T-SVR-DC1.crl
  Validity Date:
    start date: 14:33:01 GMT/BDT Aug 25 2010
    end   date: 14:33:01 GMT/BDT Aug 24 2012
  Associated Trustpoints: ASDM_TrustPoint0

Also seeing

4  Aug 25 2010  16:27:50  IP = 62.xxx.222.14, Header invalid, missing SA payload! (next payload = 132)

on the 5510 Hub

and

5  Aug 25 2010  16:30:33  IP = 62.xxx.222.42, IKE Initiator: New Phase 1, Intf inside, IKE Peer 62.xxx.222.42 local Proxy Address 192.168.3.0, remote Proxy Address 172.16.0.0, Crypto map (outsideDynamic_map)

on the 5505 spoke


I think it's a certificate error; I have just seen the following on my hub:

3  Aug 25 2010  16:35:06  Certificate validation failed. Peer certificate key usage is invalid, serial number: 61BE060C000000000013, subject name: cn=SH-FW.

It was a certificate error.

I have binned all certs and used 21 day trial certs from Thawte.

VPN is now in. Give me 21 days to find certs that work.
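The "Peer certificate key usage is invalid" message above is the kind of failure a KeyUsage check catches before the tunnel is attempted. The following is an added example, not code from the thread or from Cisco: a small stdlib-only DER walker that decodes an X.509 KeyUsage extension and reports whether the digitalSignature bit that RFC 4945 expects for IKE signature authentication is set. The two sample extensions are hand-encoded and constructed for this example; the page does not show which key usage the poster's Windows CA template actually issued.

```python
"""Check an X.509 KeyUsage extension for IKE certificate authentication.

Added example (not from the thread). Decodes a DER-encoded KeyUsage
extension (RFC 5280 section 4.2.1.3) and checks for the digitalSignature
bit that RFC 4945 section 5.1.3.2 requires, when KeyUsage is present,
for certificates used to authenticate IKE. Sample extensions below are
constructed by hand; they are not the firewall certificates from the thread.
"""
from typing import Set, Tuple

KEY_USAGE_OID = bytes.fromhex("551d0f")  # id-ce-keyUsage, OID 2.5.29.15
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_key_usage(ext_der: bytes) -> Set[str]:
    """Decode an Extension SEQUENCE holding KeyUsage into its named bits."""
    tag, body, _ = read_tlv(ext_der, 0)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or oid != KEY_USAGE_OID:
        raise ValueError("not a KeyUsage extension")
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = read_tlv(val, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, payload = bits[0], bits[1:]
    total_bits = len(payload) * 8 - unused
    return {KEY_USAGE_BITS[i] for i in range(min(total_bits, len(KEY_USAGE_BITS)))
            if payload[i // 8] & (0x80 >> (i % 8))}


def ike_usage_ok(usage: Set[str]) -> bool:
    """RFC 4945: a present KeyUsage must include digitalSignature for IKE."""
    return "digitalSignature" in usage


# Constructed DER samples (critical=TRUE): digitalSignature+keyEncipherment, and keyEncipherment only.
GOOD_EXT = bytes.fromhex("300e 0603551d0f 0101ff 0404 0302 05a0")
BAD_EXT = bytes.fromhex("300e 0603551d0f 0101ff 0404 0302 0520")

if __name__ == "__main__":
    for name, ext in (("good", GOOD_EXT), ("bad", BAD_EXT)):
        usage = parse_key_usage(ext)
        print(name, sorted(usage), "IKE ok" if ike_usage_ok(usage) else "IKE rejects")
```

To run this against a real certificate, extract the KeyUsage extension bytes from the DER (for example with a full ASN.1 parser) and pass them to parse_key_usage; the check then tells you before bringing up the tunnel whether the peer would reject the certificate for key usage.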
