01-21-2004 12:46 PM
Hi.
I am trying to bring up a VPN between a Network Contivity appliance and a Cisco PIX Firewall using digital certificates rather than a preshared key, but the VPN does not come up. We have followed the steps for configuring a VPN with digital certificates generated by a CA as described in the Cisco PIX manuals.
I attach the logs generated by both machines.
CISCO PIX
ISAKMP (0): Checking ISAKMP transform 1 against priority 12 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: auth RSA sig
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing RSA signature authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): ID of 0R1
bogota1 0 Uco10
0
U
ach10U
sistemas10ces1700a (type 9) doesn't match certificate with DN '0R1
bogota1 0 Uco10
0
U
ach10U
sistemas10ces1700a'
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): ID of 0R1
bogota1 0 Uco10
0
U
ach10U
sistemas10ces1700a (type 9) doesn't match certificate with DN '0R1
bogota1 0 Uco10
0
U
ach10U
sistemas10ces1700a'
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): ID of 0R1
bogota1 0 Uco10
0
U
ach10U
sistemas10ces1700a (type 9) doesn't match certificate with DN '0R1
bogota1 0 Uco10
0
U
ach10U
sistemas10ces1700a'
return status is IKMP_ERR_RETRANS
ISAKMP (0): deleting SA: src 200.32.81.125, dst 200.31.21.2
ISADB: reaper checking SA 0x3b13d0c, conn_id = 0
ISADB: reaper checking SA 0x3a70904, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 200.32.81.125/500 not found - peers:6
ISADB: reaper checking SA 0x3b13d0c, conn_id = 0
CONTIVITY
01/15/2004 17:53:18 0 Branch Office [01] IPSEC branch office connection initiated to rem[200.31.21.29-255.255.255.255]@[200.31.21.2] loc[200.32.81.117-255.255.255.255]
01/15/2004 17:53:18 0 Security [11] Session: IPSEC[cn=pix-conavi.conavi.com] attempting login
01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com] has no active sessions
01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com] VPN to CONAVI has no active accounts
01/15/2004 17:53:18 0 tHttpdTask [35] BoTestTunnel[200.32.81.125, 200.31.21.2] destroyed by user 'admin' @ '172.16.10.10'
01/15/2004 17:53:18 0 Security [01] Retrieving server certificate: uniqueIdentifier=75baed004e7beaa3bcaaafc2db889f24fd1f70c8, cn=16047, ou=Certificates, o=Bay Networks, c=US
01/15/2004 17:53:18 0 Security [02] Retrieved server certificate: CN=ces1700a, OU=sistemas, O=ach, ST=bogota, C=co, issued by: CN=certicamara
01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 signing data using LOCAL...
01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 data signed using LOCAL
01/15/2004 17:54:22 0 Security [13] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 No response from client - logging out
01/15/2004 17:54:22 0 tIsakmp [34] Failed Login Attempt: Username=cn=pix-conavi.conavi.com: Date/Time=01/15/2004 17:54:22
01/15/2004 17:54:22 0 ISAKMP [02] Deleting ISAKMP SA with 200.31.21.2
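The two logs above tell one story from opposite ends: the PIX receives the peer's ID payload as a DER-encoded DN (ISAKMP ID type 9), decides it does not match the DN in the peer's certificate, retransmits three times and deletes the SA, while the Contivity signs its authentication message and then times out waiting for a reply. As an added example, not code from the thread or from either vendor, here is a small Python triage script that runs over constructed copies of those lines (the raw DER bytes that the PIX printed are replaced with a placeholder) and summarises where phase 1 broke. The ID type numbers come from RFC 2407 section 4.6.2.1; the finding codes are my own labels.

```python
"""Triage of a failed IKE phase 1 (main mode, RSA signatures) from PIX and
Contivity logs. Added example; the samples below are constructed from the
lines in the post, with the raw DER bytes of the DN that the PIX printed
replaced by a placeholder."""
import re

# ISAKMP identification type values from RFC 2407 section 4.6.2.1
ISAKMP_ID_TYPES = {
    1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 4: "ID_IPV4_ADDR_SUBNET",
    5: "ID_IPV6_ADDR", 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID",
}

# Constructed sample: PIX 'debug crypto isakmp' lines in the shape of the post
PIX_SAMPLE = """\
ISAKMP (0): SA is doing RSA signature authentication using id type ID_IPV4_ADDR
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): cert approved with warning
ISAKMP (0): ID of <DER bytes line 1>
<DER bytes line 2> (type 9) doesn't match certificate with DN '<DER bytes line 1>
<DER bytes line 2>'
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
ISAKMP (0): ID of <DER bytes> (type 9) doesn't match certificate with DN '<DER bytes>'
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500
ISAKMP (0): ID of <DER bytes> (type 9) doesn't match certificate with DN '<DER bytes>'
return status is IKMP_ERR_RETRANS
ISAKMP (0): deleting SA: src 200.32.81.125, dst 200.31.21.2
"""

# Constructed sample: Contivity event log lines for the same attempt
CONTIVITY_SAMPLE = """\
01/15/2004 17:53:18 0 Security [11] Session: IPSEC[cn=pix-conavi.conavi.com] attempting login
01/15/2004 17:53:18 0 Security [02] Retrieved server certificate: CN=ces1700a, OU=sistemas, O=ach, ST=bogota, C=co, issued by: CN=certicamara
01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 data signed using LOCAL
01/15/2004 17:54:22 0 Security [13] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 No response from client - logging out
01/15/2004 17:54:22 0 tIsakmp [34] Failed Login Attempt: Username=cn=pix-conavi.conavi.com: Date/Time=01/15/2004 17:54:22
"""

# The PIX prints the DN bytes raw, so the message can span lines: match with re.S
MISMATCH_RE = re.compile(
    r"ID of (.*?) \(type (\d+)\) doesn't match certificate with DN '(.*?)'", re.S)


def triage_pix(text):
    """Summarise the PIX ISAKMP debug output as a dict."""
    neg = re.search(r"using id type (\w+)", text)
    peers = re.findall(r"process_block:src:([\d.]+), dest:([\d.]+)", text)
    mismatches = MISMATCH_RE.findall(text)
    return {
        "peer": peers[0][0] if peers else None,
        "local": peers[0][1] if peers else None,
        "negotiated_id_type": neg.group(1) if neg else None,  # ID type this side sends
        "received_id_types": sorted({ISAKMP_ID_TYPES.get(int(t), "ID_TYPE_" + t)
                                     for _, t, _ in mismatches}),
        "id_mismatches": len(mismatches),
        "retransmits": text.count("IKMP_ERR_RETRANS"),
        "sa_deleted": "deleting SA" in text,
    }


def triage_contivity(text):
    """Summarise the Contivity event log for the same attempt."""
    sess = re.search(r"IPSEC\[(cn=[^\]]+)\]", text)
    cert = re.search(r"Retrieved server certificate: (.+?), issued by: (.+)", text)
    return {
        "remote_cn": sess.group(1) if sess else None,
        "local_cert_subject": cert.group(1) if cert else None,
        "signed_locally": "data signed using LOCAL" in text,
        "no_response": "No response from client" in text,
        "failed_login": "Failed Login Attempt" in text,
    }


FINDINGS = {
    "phase1-id-mismatch": "PIX rejected the peer's ID payload: it does not match the DN in the peer's certificate",
    "id-type-asymmetry": "the two sides identify themselves with different ISAKMP ID types",
    "main-mode-aborted": "PIX gave up after repeated retransmits and deleted the ISAKMP SA",
    "peer-saw-no-reply": "Contivity signed its auth message and then timed out waiting for the PIX",
}


def diagnose(pix, ctv):
    """Return the finding codes (keys of FINDINGS) that both logs support."""
    codes = []
    if pix["id_mismatches"]:
        codes.append("phase1-id-mismatch")
    if (pix["negotiated_id_type"] and pix["received_id_types"]
            and pix["negotiated_id_type"] not in pix["received_id_types"]):
        codes.append("id-type-asymmetry")
    if pix["retransmits"] >= 3 and pix["sa_deleted"]:
        codes.append("main-mode-aborted")
    if ctv["signed_locally"] and ctv["no_response"]:
        codes.append("peer-saw-no-reply")
    return codes


if __name__ == "__main__":
    p, c = triage_pix(PIX_SAMPLE), triage_contivity(CONTIVITY_SAMPLE)
    print(p)
    print(c)
    for code in diagnose(p, c):
        print(f"{code}: {FINDINGS[code]}")
```

Run against the samples it reports all four findings; the useful part for anyone with a similar pair of logs is that the Contivity side alone looks like a plain timeout, and only the PIX debug shows that the rejection happened at the ID/CERT step of main mode, which is where the ISAKMP identity setting on each side comes into play.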
01-28-2004 07:44 AM
If there is a setting for pre-shared key authentication using ID type: if the ID type is set to ID_FQDN, the Contivity will give an invalid ID error; the ID type on the PIX needs to be set to IPV4. Also, the PIX has to be configured for IKE identity negotiation instead of the hostname, which is what it does by default. Hope this helps.