Cisco Support Community
Community Member

Pix 8.0(3) + MS Certificate + L2TP = Problem

Hello,

I have a problem with VPN configuration of our PIX Firewall.

We use this configuration:

PIX 515E (3 interfaces) running the latest 8.0(3) firmware.

We are using an L2TP IPSec VPN with certificates from our Microsoft CA and using the native Windows XP client. This setup was running O.K. with the old firmware (6.x), but after upgrading our PIX to 8.0(3) the VPN clients cannot connect anymore. We tried to debug our configuration and found the following errors:

5|Jan 11 2008|09:22:46|713904|||Group = DefaultRAGroup, IP = 85.160.26.229, Peer Certificate authentication failed: General Error

3|Jan 11 2008|09:22:46|717027|||Certificate chain failed validation. Certificate chain is either invalid or not authorized.

3|Jan 11 2008|09:22:46|717009|||Certificate validation failed. Peer certificate key usage is invalid, serial number: 13780BA600000000027B, subject name: ea=ales.hybner@svas.cz,cn=Aleš Hybner,ou=UIT,o=SVAS,l=Kladno,st=Kladno,c=CR.

Can anybody help?

Thanks, Jan
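A small detector over syslog records in the form quoted above, added here as an example and not part of the original post: it parses the pipe-delimited PIX records, pairs each 713904 peer-authentication failure with the 717009 "key usage is invalid" cause logged in the same second, and pulls out the offending certificate's serial number and subject. The embedded log lines are constructed, with a documentation IP address and a placeholder serial.

```python
import re
from collections import defaultdict

# Constructed sample in the quoted form: severity|date|time|message-id|||text
# (the two empty fields between message-id and text are kept as they appear).
SAMPLE_LOG = """\
5|Jan 11 2008|09:22:46|713904|||Group = DefaultRAGroup, IP = 192.0.2.10, Peer Certificate authentication failed: General Error
3|Jan 11 2008|09:22:46|717027|||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
3|Jan 11 2008|09:22:46|717009|||Certificate validation failed. Peer certificate key usage is invalid, serial number: 0123456789ABCDEF, subject name: ea=user@example.test,cn=Example User,ou=IT,o=Example,c=XX.
"""

RECORD_RE = re.compile(r"^(?P<sev>\d)\|(?P<date>[^|]+)\|(?P<time>[^|]+)\|(?P<msgid>\d{6})\|\|\|(?P<text>.*)$")
PEER_RE = re.compile(r"Group = (?P<group>[^,]+), IP = (?P<ip>[0-9.]+)")
# The 717009 text ends with the subject DN followed by a period; strip that period.
KU_RE = re.compile(r"serial number: (?P<serial>[0-9A-Fa-f]+), subject name: (?P<subject>.+?)\.?$")

def parse_record(line):
    """Split one record into severity, date, time, message id and text; None if malformed."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec

def parse_subject(dn):
    """'ea=x,cn=y,...' -> {'ea': 'x', 'cn': 'y', ...}; assumes no commas inside values."""
    return dict(part.split("=", 1) for part in dn.split(","))

def correlate(log_text):
    """Group records by second and attach the 717009 cause to each 713904 failure."""
    by_second = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_second[(rec["date"], rec["time"])].append(rec)
    findings = []
    for key, recs in by_second.items():
        causes = [r for r in recs if r["msgid"] == "717009"]
        for f in (r for r in recs if r["msgid"] == "713904"):
            finding = {"timestamp": " ".join(key), "group": None, "ip": None, "cause": "unknown"}
            peer = PEER_RE.search(f["text"])
            if peer:
                finding.update(peer.groupdict())
            for c in causes:
                ku = KU_RE.search(c["text"])
                if ku:  # the key-usage rejection is the root cause of this failure
                    finding["cause"] = "key-usage-invalid"
                    finding["serial"] = ku["serial"].upper()
                    finding["subject"] = parse_subject(ku["subject"])
            findings.append(finding)
    return findings
```

A finding with cause `key-usage-invalid` after a firmware upgrade points at the certificate template rather than at the peer, which is the situation the replies below address.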

8 REPLIES
Silver

Re: Pix 8.0(3) + MS Certificate + L2TP = Problem

The cert in your case may not be an acceptable one. You can configure PIX to bypass keyusage verification by configuring:

crypto ca trustpoint
 ignore-ipsec-keyusage

The reason is that pre-8.0 code did not enforce the key usages, so it worked fine, but with 8.0 it is enforced, so the ignore-ipsec-keyusage command reverts this back to no checking as in the pre-8.0 codebase.

Community Member

Re: Pix 8.0(3) + MS Certificate + L2TP = Problem

Now it works, thank you very much for your help.

Community Member

Re: Pix 8.0(3) + MS Certificate + L2TP = Problem

Would you mind revealing your configuration for L2tp with Microsoft CA certificates and XP clients? I've been trying to do that to no avail.

Community Member

Re: Pix 8.0(3) + MS Certificate + L2TP = Problem

No problem. I deleted the IP addresses and changed domain names. I did most of the config using the WWW interface; later I did some fine-tuning with the command line. If you need further help, just ask.

Community Member

Re: Pix 8.0(3) + MS Certificate + L2TP = Problem

Very nice of you, thanks! Although it looks like I've done the same things. I can get a W2K client L2TP VPN to work, but not an XP one. Don't know why.

Community Member

Re: Pix 8.0(3) + MS Certificate + L2TP = Problem

Although I do see some commands that I'm not sure of. Crypto map? IPsec transform-set?

I'll have to look these up. Not too familiar with IOS. I thought it was just a matter of letting through 1701, ISAKMP, ESP, 4500.

Community Member

Re: Pix 8.0(3) + MS Certificate + L2TP = Problem

I am a bit confused. Are you trying to make an L2TP connection to the PIX or through the PIX to another server? If you want to connect with L2TP to the PIX, these commands are necessary.

Community Member

Re: Pix 8.0(3) + MS Certificate + L2TP = Problem

OK, sorry about the confusion. I'm trying to permit L2TP THROUGH the PIX to a Windows 2K3 server, which is a CA, using the Microsoft native client on an XP Pro SP2 machine and certificate authentication. There is a static NAT entry from the outside IP address on the PIX to the inside address of the server. I wonder if this is part of the problem. When I run a trace of the connection attempt, the ISAKMP never gets past the negotiation stage, and the request times out. The debug commands don't show anything either.

Thanks again
