09-12-2003 07:09 AM - edited 02-21-2020 12:46 PM
I want to connect to a PIX with a Cisco VPN Client with MS CA (CEP). Enrollment and MSCEP works fine.
All certificates are granted. ATTS are acceptable in debug mode, but the VPN Client always logs the following lines.
337 16:55:36.762 09/12/03 Sev=Info/4 CERT/0x63600014
Cert (cn=optivpn.opti.com,1.2.840.113549.1.9.2=#13106f70746976706e2e6f7074692e636f6d) verification succeeded.
338 16:55:36.772 09/12/03 Sev=Warning/3 IKE/0xE3000080
Invalid remote certificate id: ID_IPV4_ADDR: ID = 0x268114D4, Certificate = 0x00000000
339 16:55:36.772 09/12/03 Sev=Warning/3 IKE/0xE3000058
The peer's certificate doesn't match Phase 1 ID
Has that something to do with the naming conventions in the certificate (o, ou ...)? Do I use the wrong certificates?
Thanks in advance for any help.
Best regards,
Marco
09-14-2003 06:18 PM
The error you're seeing means that the ID being proposed by the client for Phase 1 is not the same ID proposed by the PIX. The PIX will either propose IP Address or Hostname (depending on what it's configured for). The ID of the cert has to be one or the other. When the cert request is done for the client the IP Address or Domain Name field must be filled in.
Try adding:
isakmp identity hostname
into the PIX config if you haven't already, or if it is in there get rid of it by doing:
isakmp identity address
Sorry to be so vague, but the client and the PIX need to propose the same type of ID, and I can't tell what it's currently configured for with the info provided.
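The point the answer makes is worth seeing as the check a peer actually performs: with rsa-sig authentication the Phase 1 ID payload (ID_IPV4_ADDR, ID_FQDN, ...) is compared against the identity fields of the certificate the peer presents, and a certificate whose signature verifies is still rejected if the proposed ID is not bound in it. The script below is an added example written for this thread, not code from Cisco or from the poster. It models that comparison and the ID a PIX proposes for each `isakmp identity` setting; which certificate fields a given implementation consults for ID_FQDN (CN, dNSName SAN, unstructuredName) is an assumption stated in the code. The sample values are the ones visible later in the thread: the PIX certificate with CN and unstructured name optivpn.opti.com and no IP address field, `isakmp identity address`, and the logged ID value 0x268114D4, which reads as 212.20.129.38 when interpreted as a little-endian 32-bit integer.

```python
"""
Model of the IKEv1 Phase 1 identity-vs-certificate check under rsa-sig.
Added example for this thread; the exact fields a real IKE stack consults
are an assumption, noted per branch below.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# IKEv1 identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3


@dataclass
class PeerCert:
    """Only the identity-bearing fields of an X.509 certificate are modelled."""
    subject_cn: str
    unstructured_name: Optional[str] = None
    email: Optional[str] = None
    san_ip: List[str] = field(default_factory=list)     # iPAddress SANs
    san_dns: List[str] = field(default_factory=list)    # dNSName SANs


# Constructed from the 'show crypto ca cer' output in the thread: CN and
# UNSTRUCTURED NAME are optivpn.opti.com, no IP address is present.
PIX_CERT = PeerCert(subject_cn="optivpn.opti.com",
                    unstructured_name="optivpn.opti.com")


def decode_logged_ipv4(value: int) -> str:
    """Dotted quad for a 32-bit ID value written the way the VPN Client log
    shows it (0x268114D4); the value is taken as a little-endian integer."""
    return str(ipaddress.IPv4Address(struct.pack("<I", value)))


def pix_phase1_id(isakmp_identity: str, outside_ip: str,
                  hostname: str, domain: str) -> Tuple[int, str]:
    """ID type and value a PIX proposes for 'isakmp identity address|hostname'."""
    if isakmp_identity == "address":
        return ID_IPV4_ADDR, outside_ip
    if isakmp_identity == "hostname":
        return ID_FQDN, f"{hostname}.{domain}"
    raise ValueError(f"unsupported isakmp identity: {isakmp_identity}")


def cert_matches_phase1_id(id_type: int, id_value: str, cert: PeerCert) -> bool:
    """True if the proposed Phase 1 ID is bound in the peer's certificate."""
    if id_type == ID_IPV4_ADDR:
        # An address identity is only bound by an iPAddress SAN; a CN that
        # happens to look like an address is free text, not an address.
        wanted = ipaddress.IPv4Address(id_value)
        return any(ipaddress.IPv4Address(a) == wanted for a in cert.san_ip)
    if id_type == ID_FQDN:
        # Assumption: an FQDN identity may match a dNSName SAN, the subject CN
        # or the unstructuredName attribute (the fields Cisco PKI enrolment fills).
        names = {n.lower() for n in cert.san_dns}
        names.add(cert.subject_cn.lower())
        if cert.unstructured_name:
            names.add(cert.unstructured_name.lower())
        return id_value.lower() in names
    if id_type == ID_USER_FQDN:
        return cert.email is not None and cert.email.lower() == id_value.lower()
    return False


def check_pix_identity(isakmp_identity: str, outside_ip: str, hostname: str,
                       domain: str, cert: PeerCert) -> Tuple[bool, str]:
    """Combine both steps: what the PIX proposes and whether its cert supports it."""
    id_type, id_value = pix_phase1_id(isakmp_identity, outside_ip, hostname, domain)
    ok = cert_matches_phase1_id(id_type, id_value, cert)
    kind = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN"}[id_type]
    verdict = "matches" if ok else "does not match"
    return ok, f"{kind} {id_value} {verdict} the certificate"


if __name__ == "__main__":
    print("logged ID 0x268114D4 ->", decode_logged_ipv4(0x268114D4))
    for setting in ("address", "hostname"):
        _, reason = check_pix_identity(setting, "212.20.129.38",
                                       "optivpn", "opti.com", PIX_CERT)
        print(f"isakmp identity {setting}: {reason}")
```

Run stand-alone, the script prints the verdict for both `isakmp identity` settings against the PIX certificate from the thread; the same functions can be pointed at a certificate that does carry an iPAddress SAN to confirm that the address identity is then accepted.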
09-15-2003 01:53 AM
Thank you very much for your quick answer.
Today I tested the two commands, but with no success.
That's why I will send you a detailed config; maybe that will help you to find my mistake.
The VPN Client - Config:
My VPN Client has two Certificates installed:
1) Root Certificate from the Microsoft CA
Common Name: opticomCA
Department: NOCDA
Company: VPN
State: Hessen
Country: DE
Email: CASRV@oc-ag.de
MD5 Thumbprint 6780B01F86A7F0236FC2848D15354FBC
SHA1 Thumbprint 21226BB72FE4014A883E862F48D15FEF5F7AC440
Key Size 512
Subject cn=opticomCA,ou=NOCDA,o=VPN,l=Darmstadt,st=Hessen,c=DE,e=CASRV@oc-ag.de
Issuer cn=opticomCA,ou=NOCDA,o=VPN,l=Darmstadt,st=Hessen,c=DE,e=CASRV@oc-ag.de
Serial Number 3DD010B24188F3BB4A193C480FC0E5FB
Not valid before Fr 12. Sep 17:43:36 2003
Not valid after Mo 12. Sep 17:51:46 2005
2) Enrollment from Cisco Client (CISCO-Store)
Common Name: 212.20.129.38
Department: VPN
Company: opticom gmbh
State: Hessen
Country: DE
Email: mmetz@opticom-gmbh.com
MD5 Thumbprint DD2EC2C77B5AB31E3ADE9A1449D563A6
SHA1 Thumbprint 07103D46CBCEAF71F96D61BB2FAC67EAB1338644
Key Size 1024
Subject cn=212.20.129.38,ou=VPN,o=opticom gmbh,st=Hessen,c=DE,e=mmetz@opticom-gmbh.com
Issuer cn=opticomCA,ou=NOCDA,o=VPN,l=Darmstadt,st=Hessen,c=DE,e=CASRV@oc-ag.de
Serial Number 1E0E8214000000000006
Not valid before Mo 15. Sep 11:20:22 2003
Not valid after Mi 15. Sep 11:30:22 2004
Here is the show crypto ca cer output from the PIX:
RA Signature Certificate
Status: Available
Certificate Serial Number: 6103fb49000000000002
Key Usage: Signature
CN = opti.com RA
OU = VPN
O = opticom
L = Darmstadt
ST = Hessen
C = DE
EA =<16> RA@oc-ag.de
Validity Date:
start date: 16:54:12 GMT/BDT Sep 12 2003
end date: 17:04:12 GMT/BDT Sep 12 2004
Certificate
Status: Available
Certificate Serial Number: 610d2088000000000004
Key Usage: General Purpose
Subject Name:
CN = optivpn.opti.com
UNSTRUCTURED NAME = optivpn.opti.com
Validity Date:
start date: 17:04:11 GMT/BDT Sep 12 2003
end date: 17:14:11 GMT/BDT Sep 12 2004
CA Certificate
Status: Available
Certificate Serial Number: 3dd010b24188f3bb4a193c480fc0e5fb
Key Usage: General Purpose
CN = opticomCA
OU = NOCDA
O = VPN
L = Darmstadt
ST = Hessen
C = DE
EA =<16> CASRV@oc-ag.de
Validity Date:
start date: 16:43:36 GMT/BDT Sep 12 2003
end date: 16:51:46 GMT/BDT Sep 12 2005
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 6103fc24000000000003
Key Usage: Encryption
CN = opti.com RA
OU = VPN
O = opticom
L = Darmstadt
ST = Hessen
C = DE
EA =<16> RA@oc-ag.de
Validity Date:
start date: 16:54:12 GMT/BDT Sep 12 2003
end date: 17:04:12 GMT/BDT Sep 12 2004
Here is my running config (OS 6.3(3)):
hostname optivpn
domain-name opti.com
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map 2000 match address outside_cryptomap_dyn_2000
crypto dynamic-map outside_dyn_map 2000 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 2020 match address outside_cryptomap_dyn_2020
crypto dynamic-map outside_dyn_map 2020 set transform-set ESP-AES-256-MD5
crypto dynamic-map outside_dyn_map 2040 match address outside_cryptomap_dyn_2040
crypto dynamic-map outside_dyn_map 2040 set transform-set ESP-3DES-MD5
crypto map inside_map interface inside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication RADIUS
crypto map outside_map interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash md5
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
isakmp policy 50 authentication rsa-sig
isakmp policy 50 encryption aes-256
isakmp policy 50 hash md5
isakmp policy 50 group 5
isakmp policy 50 lifetime 86400
isakmp policy 70 authentication rsa-sig
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
vpngroup optida address-pool ma-vpn
vpngroup optida dns-server opticom3 opticom4
vpngroup optida wins-server opticom3
vpngroup optida default-domain opti.com
vpngroup optida split-tunnel optida_splitTunnelAcl
vpngroup optida idle-time 1800
vpngroup optida password xxxxxxx
vpngroup opticomCA address-pool ma-vpn
vpngroup opticomCA dns-server opticom3 opticom3
vpngroup opticomCA default-domain opti.com
vpngroup opticomCA split-tunnel opticomCA_splitTunnelAcl
vpngroup opticomCA pfs
vpngroup opticomCA idle-time 1800
vpngroup VPN address-pool ma-vpn
vpngroup VPN default-domain opti.com
vpngroup VPN split-tunnel VPN_splitTunnelAcl
vpngroup VPN idle-time 1800
ca identity exchxonf 172.16.50.9:/certsrv/mscep/mscep.dll
ca configure exchxonf ra 1 20 crloptional
Thanks a lot in advance for your help.
Best regards,
Marco
09-15-2003 02:42 AM
Here are a few debugs while connecting to the PIX:
debug crypto isakmp
crypto_isakmp_process_block:src:217.185.70.154, dest:212.20.129.38 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0:0): vendor ID is NAT-T
ISAKMP (0): processing vendor id payload
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): SA is doing RSA signature authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:217.185.70.154, dest:212.20.129.38 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:217.185.70.154, dest:212.20.129.38 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
next-payload : 6
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:217.185.70.154, dest:212.20.129.38 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1236643255, spi size = 16
ISAKMP (0): deleting SA: src 217.185.70.154, dst 212.20.129.38
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0x12b734c, conn_id = 0
ISADB: reaper checking SA 0x121b204, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 217.185.70.154/500 not found - peers:1
ISADB: reaper checking SA 0x12b734c, conn_id = 0
IPSEC Debugging:
optivpn(config)# IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 217.185.70.154
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 217.185.70.154
Debug crypto ca:
CRYPTO_PKI: Certificate verified, chain status= 1