I have a problem with VPN configuration of our PIX Firewall.
We use this configuration:
PIX 515E (3 interfaces) running the latest 8.0(3) firmware.
We are using an L2TP IPSec VPN with certificates from our Microsoft CA and using the native Windows XP client. This setup was running O.K. with the old firmware (6.x), but after upgrading our PIX to 8.0(3) the VPN clients cannot connect anymore. We tried to debug our configuration and found the following errors:
5|Jan 11 2008|09:22:46|713904|||Group = DefaultRAGroup, IP = 18.104.22.168, Peer Certificate authentication failed: General Error
3|Jan 11 2008|09:22:46|717027|||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
3|Jan 11 2008|09:22:46|717009|||Certificate validation failed. Peer certificate key usage is invalid, serial number: 13780BA600000000027B, subject name: firstname.lastname@example.org,cn=Aleš Hybner,ou=UIT,o=SVAS,l=Kladno,st=Kladno,c=CR.
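A small log-triage script to go with the three syslog lines above. This is an added example, not code from the thread or from Cisco; it assumes the pipe-delimited layout shown in the post (severity|date|time|message-id|...|text) and only recognises the three message IDs that appear there. Separating a key-usage rejection (717009) from the generic chain and IKE failures that follow it is what tells you whether the certificate needs to be reissued with a suitable key usage or whether the check itself is the thing to look at. The sample lines are constructed from the post, with one unrelated connection message added to show the filter.

```python
"""Triage Cisco PIX/ASA certificate-validation failures from pipe-delimited syslog lines.

Added example. The field layout (severity|date|time|msg-id|...|text) is assumed from
the lines quoted in the post; the message IDs are the ones that appear there.
"""
import re
from collections import Counter

# Message IDs quoted in the post and what each one indicates.
CERT_FAILURE_IDS = {
    "713904": "peer certificate authentication failed (IKE)",
    "717027": "certificate chain failed validation",
    "717009": "certificate validation failed (key usage)",
}

PEER_RE = re.compile(r"IP = ([0-9.]+)")
SERIAL_RE = re.compile(r"serial number:\s*([0-9A-Fa-f]+)")
SUBJECT_RE = re.compile(r"subject name:\s*(.+?)\.?$")

# Constructed sample: the three lines from the post plus one ordinary connection message.
SAMPLE_LINES = [
    "6|Jan 11 2008|09:22:45|302013|||Built inbound TCP connection 1234 for outside:18.104.22.168/1701 to inside:10.0.0.5/1701",
    "5|Jan 11 2008|09:22:46|713904|||Group = DefaultRAGroup, IP = 18.104.22.168, Peer Certificate authentication failed: General Error",
    "3|Jan 11 2008|09:22:46|717027|||Certificate chain failed validation. Certificate chain is either invalid or not authorized.",
    "3|Jan 11 2008|09:22:46|717009|||Certificate validation failed. Peer certificate key usage is invalid, serial number: 13780BA600000000027B, subject name: firstname.lastname@example.org,cn=Aleš Hybner,ou=UIT,o=SVAS,l=Kladno,st=Kladno,c=CR.",
]


def parse_line(line):
    """Split one pipe-delimited syslog line into a dict; return None if it is malformed."""
    parts = line.split("|")
    if len(parts) < 7 or not parts[0].isdigit():
        return None
    # Rejoin in case the free-text part itself contains a pipe character.
    text = "|".join(parts[6:]).strip()
    rec = {
        "severity": int(parts[0]),
        "timestamp": f"{parts[1]} {parts[2]}",
        "msg_id": parts[3],
        "text": text,
    }
    for key, rx in (("peer", PEER_RE), ("serial", SERIAL_RE), ("subject", SUBJECT_RE)):
        m = rx.search(text)
        if m:
            rec[key] = m.group(1).upper() if key == "serial" else m.group(1)
    return rec


def cert_failures(lines):
    """Return parsed records for lines whose message ID is a known certificate failure."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["msg_id"] in CERT_FAILURE_IDS:
            rec["reason"] = CERT_FAILURE_IDS[rec["msg_id"]]
            out.append(rec)
    return out


def summarize(lines):
    """Count certificate failures per message ID so key-usage rejections stand out."""
    return Counter(rec["msg_id"] for rec in cert_failures(lines))


if __name__ == "__main__":
    for rec in cert_failures(SAMPLE_LINES):
        print(rec["timestamp"], rec["msg_id"], rec["reason"],
              rec.get("peer", "-"), rec.get("serial", "-"))
    print(dict(summarize(SAMPLE_LINES)))
```

Run it against a saved syslog export instead of SAMPLE_LINES to see, per peer and per certificate serial, whether the failures are key-usage rejections or something earlier in the chain.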
The cert in your case may not be an acceptable one. You can configure PIX to bypass keyusage verification by configuring:
crypto ca trustpoint
The reason is that pre-8.0 code did not enforce the key usages so it worked fine, but with 8.0 it is enforced, so the ignore-ipsec-keyusage reverts this back to no checking as in the pre-8.0 codebase.
Ok, sorry about the confusion. I'm trying to permit L2TP THROUGH the PIX to a Windows 2K3 server, which is a CA, using the Microsoft native client on an XP Pro SP2 machine and certificate authentication. There is a static NAT entry from the outside IP address on the PIX to the inside address of the server. I wonder if this is not part of the problem. When I run a trace of the connection attempt, the ISAKMP never gets past the negotiation stage, and the request times out. The debug commands don't show anything either.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we also have defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...