
Contivity to PIX VPN with digital certificates


Hi.


I am trying to bring up a VPN between a Nortel Networks Contivity appliance and a Cisco PIX Firewall using digital certificates rather than a pre-shared key, but the VPN does not come up. We have followed the steps for configuring a VPN with digital certificates issued by a CA, as described in the Cisco PIX manuals.

I attach the logs generated by both machines.


CISCO PIX

ISAKMP (0): Checking ISAKMP transform 1 against priority 12 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth RSA sig
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing RSA signature authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): ID of 0R1 bogota1 0 Uco10 0 U ach10U sistemas10ces1700a (type 9) doesn't match certificate with DN '0R1 bogota1 0 Uco10 0 U ach10U sistemas10ces1700a'
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): ID of 0R1 bogota1 0 Uco10 0 U ach10U sistemas10ces1700a (type 9) doesn't match certificate with DN '0R1 bogota1 0 Uco10 0 U ach10U sistemas10ces1700a'
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): ID of 0R1 bogota1 0 Uco10 0 U ach10U sistemas10ces1700a (type 9) doesn't match certificate with DN '0R1 bogota1 0 Uco10 0 U ach10U sistemas10ces1700a'
return status is IKMP_ERR_RETRANS
ISAKMP (0): deleting SA: src 200.32.81.125, dst 200.31.21.2
ISADB: reaper checking SA 0x3b13d0c, conn_id = 0
ISADB: reaper checking SA 0x3a70904, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 200.32.81.125/500 not found - peers:6
ISADB: reaper checking SA 0x3b13d0c, conn_id = 0



CONTIVITY

01/15/2004 17:53:18 0 Branch Office [01] IPSEC branch office connection initiated to rem[200.31.21.29-255.255.255.255]@[200.31.21.2] loc[200.32.81.117-255.255.255.255]
01/15/2004 17:53:18 0 Security [11] Session: IPSEC[cn=pix-conavi.conavi.com] attempting login
01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com] has no active sessions
01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com] VPN to CONAVI has no active accounts
01/15/2004 17:53:18 0 tHttpdTask [35] BoTestTunnel[200.32.81.125, 200.31.21.2] destroyed by user 'admin' @ '172.16.10.10'
01/15/2004 17:53:18 0 Security [01] Retrieving server certificate: uniqueIdentifier=75baed004e7beaa3bcaaafc2db889f24fd1f70c8, cn=16047, ou=Certificates, o=Bay Networks, c=US
01/15/2004 17:53:18 0 Security [02] Retrieved server certificate: CN=ces1700a, OU=sistemas, O=ach, ST=bogota, C=co, issued by: CN=certicamara
01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 signing data using LOCAL...
01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 data signed using LOCAL
01/15/2004 17:54:22 0 Security [13] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 No response from client - logging out
01/15/2004 17:54:22 0 tIsakmp [34] Failed Login Attempt: Username=cn=pix-conavi.conavi.com: Date/Time=01/15/2004 17:54:22
01/15/2004 17:54:22 0 ISAKMP [02] Deleting ISAKMP SA with 200.31.21.2


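The following is an added example for readers of this thread; it is not code from the original post, from Cisco, or from Nortel. It decodes what the PIX debug lines are actually showing. The "ID of 0R1 ... (type 9)" line is a DER-encoded X.501 name printed straight to the console: 0x30 0x52 0x31 is SEQUENCE, length 82, SET, and those three octets print as the characters "0R1". Type 9 is ID_DER_ASN1_DN in the IPsec DOI (RFC 2407), where 1 is ID_IPV4_ADDR and 2 is ID_FQDN. The subject DN is taken from the Contivity line "CN=ces1700a, OU=sistemas, O=ach, ST=bogota, C=co" and, encoded with PrintableString values, comes to exactly 82 bytes, which is why the PIX output starts with "0R1". The code encodes and decodes such a DN, reproduces the garbled console rendering, and classifies an ID payload against a certificate subject. The "encoding-mismatch" case (same attributes, different string tags, so a byte-for-byte compare fails while the printed text looks identical) is shown as one possible cause of the log above, not as a confirmed diagnosis of this PIX or the Contivity; the OID table and the SUBJECT list are assumptions constructed for the example.

```python
"""Decode IKE phase-1 ID types and raw DER distinguished names (added example)."""

# Identification types from the IPsec DOI, RFC 2407 section 4.6.2.1.
IKE_ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR", 6: "ID_IPV6_ADDR_SUBNET", 7: "ID_IPV4_ADDR_RANGE",
    8: "ID_IPV6_ADDR_RANGE", 9: "ID_DER_ASN1_DN", 10: "ID_DER_ASN1_GN", 11: "ID_KEY_ID",
}

# X.520 attribute types used by the subject in this thread (assumption: only these five).
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}

TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_UTF8, TAG_PRINTABLE = 0x30, 0x31, 0x06, 0x0C, 0x13

# Constructed from the Contivity "Retrieved server certificate" line, in DER (C-first) order.
SUBJECT = [("C", "co"), ("ST", "bogota"), ("O", "ach"), ("OU", "sistemas"), ("CN", "ces1700a")]


def _tlv(tag: int, body: bytes) -> bytes:
    # Short-form length only; every DN on this page is well under 128 bytes.
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, continuation bit on all but the last octet
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunks))
    return bytes(out)


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _iter_tlv(buf: bytes):
    """Yield (tag, body) for each consecutive short-form TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, length = buf[pos], buf[pos + 1]
        assert length < 128
        yield tag, buf[pos + 2:pos + 2 + length]
        pos += 2 + length


def encode_dn(rdns, string_tag=TAG_PRINTABLE) -> bytes:
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (one ATV per RDN)."""
    body = b""
    for attr, value in rdns:
        atv = _tlv(TAG_OID, _encode_oid(NAME_OIDS[attr])) + _tlv(string_tag, value.encode())
        body += _tlv(TAG_SET, _tlv(TAG_SEQUENCE, atv))
    return _tlv(TAG_SEQUENCE, body)


def decode_dn(der: bytes):
    """Return [(attr, value), ...] in DER order, independent of the string tag used."""
    (tag, body), = _iter_tlv(der)
    assert tag == TAG_SEQUENCE
    rdns = []
    for set_tag, set_body in _iter_tlv(body):
        assert set_tag == TAG_SET
        for seq_tag, atv in _iter_tlv(set_body):
            assert seq_tag == TAG_SEQUENCE
            (_, oid), (_, val) = _iter_tlv(atv)
            oid = _decode_oid(oid)
            rdns.append((OID_NAMES.get(oid, oid), val.decode()))
    return rdns


def dn_to_string(rdns) -> str:
    """CN-first presentation, the way the Contivity log prints a subject."""
    return ", ".join(f"{a}={v}" for a, v in reversed(rdns))


def printable_bytes(der: bytes) -> str:
    """What a debug printer that writes DER straight to the console shows: the tag and
    length octets are control characters, so only '0', 'R', '1', 'U' and the values survive."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else " " for b in der)


def check_ike_id(id_type: int, id_data: bytes, subject_der: bytes) -> str:
    """Classify a phase-1 ID payload against the subject of the certificate the peer sent."""
    if id_type != 9:
        return f"wrong-id-type:{IKE_ID_TYPES.get(id_type, id_type)}"
    if id_data == subject_der:
        return "match"
    if decode_dn(id_data) == decode_dn(subject_der):
        # Same attributes, different DER (e.g. UTF8String vs PrintableString tags); both
        # render identically once the non-printable tag octets are dropped.
        return "encoding-mismatch"
    return "dn-mismatch"
```

Running `printable_bytes(encode_dn(SUBJECT))` gives a string starting "0R1" with the values co, bogota, ach, sistemas and ces1700a each preceded by the "U" of their 2.5.4.x OID, i.e. the same fragments as the PIX debug; encoding the same subject with TAG_UTF8 prints identically but fails the byte-for-byte comparison, which is the kind of mismatch a printed DN cannot reveal.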
didyap Wed, 01/28/2004 - 07:44

If there is a setting for pre-shared key authentication using ID type: if the ID type is set to ID_FQDN, the Contivity will give an invalid ID error; the ID type on the PIX needs to be set to IPV4. Also, the PIX has to be configured for IKE identity negotiation instead of the hostname, which is done by default. Hope this helps.

