Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

PIX to VPN Client 4.0.1 with MS CA - Failed (PHASE 1)

I want to connect to a PIX with a Cisco VPN Client with MS CA (CEP). Enrollment and MSCEP works fine.

All certificates are granted. ATTS are acceptable in debug mode, but the VPN Client always logs then following lines.

337 16:55:36.762 09/12/03 Sev=Info/4 CERT/0x63600014

Cert (cn=optivpn.opti.com,1.2.840.113549.1.9.2=#13106f70746976706e2e6f7074692e636f6d) verification succeeded.

338 16:55:36.772 09/12/03 Sev=Warning/3 IKE/0xE3000080

Invalid remote certificate id: ID_IPV4_ADDR: ID = 0x268114D4, Certificate = 0x00000000

339 16:55:36.772 09/12/03 Sev=Warning/3 IKE/0xE3000058

The peer's certificate doesn't match Phase 1 ID

Has that something to do with the nameing conventions in the certificate (o,ou ...)? Do I use the wrong certificates ?

Thanks in advance for any help.

Best regards,

Marco

3 REPLIES
Cisco Employee

Re: PIX to VPN Client 4.0.1 with MS CA - Failed (PHASE 1)

The error you're seeing means that the ID being proposed by the client for Phase 1 is not the same ID proposed by the PIX. The PIX will either propose IP Address or Hostname (depending on what it's configured for). The ID of the cert has to be one or the other. When the cert request is done for the client the IP Address or Domain Name field must be filled in.

Try adding:

isakmp identity hostname

into the PIX config if you haven't already, or if it is in there get rid of it by doing:

isakmp identity address

Sorry to be so vague but the client and the PIX need to propose the same type of ID, and I can't tell what it's currently configured for currently with the info provided.

New Member

Re: PIX to VPN Client 4.0.1 with MS CA - Failed (PHASE 1)

Thank you very much for your quick ansewer.

Today I tested the two commands but with no success.

That's why I will send you a detail config, maybe that will help you to find my mistake.

The VPN Client - Config:

My VPN Client has two Certificates installed:

1) Root Certificate from the Microsoft CA

Common Name: opticomCA

Department: NOCDA

Company: VPN

State: Hessen

Country: DE

Email: CASRV@oc-ag.de

MD5 Thumbprint 6780B01F86A7F0236FC2848D15354FBC

SHA1 Thumbprint 21226BB72FE4014A883E862F48D15FEF5F7AC440

Key Size 512

Subject cn=opticomCA,ou=NOCDA,o=VPN,l=Darmstadt,st=Hessen,c=DE,e=CASRV@oc-ag.de

Issuer cn=opticomCA,ou=NOCDA,o=VPN,l=Darmstadt,st=Hessen,c=DE,e=CASRV@oc-ag.de

Serial Number 3DD010B24188F3BB4A193C480FC0E5FB

Not valid before Fr 12. Sep 17:43:36 2003

Not valid after Mo 12. Sep 17:51:46 2005

2) Enrollment from Cisco Client (CISCO-Store)

Common Name:212.20.129.38

Department: VPN

Company: opticom gmbh

State: Hessen

Country: DE

Email: mmetz@opticom-gmbh.com

MD5 Thumbprint DD2EC2C77B5AB31E3ADE9A1449D563A6

SHA1 Thumbprint 07103D46CBCEAF71F96D61BB2FAC67EAB1338644

Key Size 1024

Subject cn=212.20.129.38,ou=VPN,o=opticom gmbh,st=Hessen,c=DE,e=mmetz@opticom-gmbh.com

Issuer cn=opticomCA,ou=NOCDA,o=VPN,l=Darmstadt,st=Hessen,c=DE,e=CASRV@oc-ag.de

Serial Number 1E0E8214000000000006

Not valid before Mo 15. Sep 11:20:22 2003

Not valid after Mi 15. Sep 11:30:22 2004

Here the show crypto ca cer output from the pix:

RA Signature Certificate

Status: Available

Certificate Serial Number: 6103fb49000000000002

Key Usage: Signature

CN = opti.com RA

OU = VPN

O = opticom

L = Darmstadt

ST = Hessen

C = DE

EA =<16> RA@oc-ag.de

Validity Date:

start date: 16:54:12 GMT/BDT Sep 12 2003

end date: 17:04:12 GMT/BDT Sep 12 2004

Certificate

Status: Available

Certificate Serial Number: 610d2088000000000004

Key Usage: General Purpose

Subject Name:

CN = optivpn.opti.com

UNSTRUCTURED NAME = optivpn.opti.com

Validity Date:

start date: 17:04:11 GMT/BDT Sep 12 2003

end date: 17:14:11 GMT/BDT Sep 12 2004

CA Certificate

Status: Available

Certificate Serial Number: 3dd010b24188f3bb4a193c480fc0e5fb

Key Usage: General Purpose

CN = opticomCA

OU = NOCDA

O = VPN

L = Darmstadt

ST = Hessen

C = DE

EA =<16> CASRV@oc-ag.de

Validity Date:

start date: 16:43:36 GMT/BDT Sep 12 2003

end date: 16:51:46 GMT/BDT Sep 12 2005

RA KeyEncipher Certificate

Status: Available

Certificate Serial Number: 6103fc24000000000003

Key Usage: Encryption

CN = opti.com RA

OU = VPN

O = opticom

L = Darmstadt

ST = Hessen

C = DE

EA =<16> RA@oc-ag.de

Validity Date:

start date: 16:54:12 GMT/BDT Sep 12 2003

end date: 17:04:12 GMT/BDT Sep 12 2004

Here my running config (OS 6.3(3)):

hostname optivpn

domain-name opti.com

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto dynamic-map outside_dyn_map 2000 match address outside_cryptomap_dyn_2000

crypto dynamic-map outside_dyn_map 2000 set transform-set ESP-3DES-MD5

crypto dynamic-map outside_dyn_map 2020 match address outside_cryptomap_dyn_2020

crypto dynamic-map outside_dyn_map 2020 set transform-set ESP-AES-256-MD5

crypto dynamic-map outside_dyn_map 2040 match address outside_cryptomap_dyn_2040

crypto dynamic-map outside_dyn_map 2040 set transform-set ESP-3DES-MD5

crypto map inside_map interface inside

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map client configuration address initiate

crypto map outside_map client configuration address respond

crypto map outside_map client authentication RADIUS

crypto map outside_map interface outside

isakmp enable outside

isakmp identity address

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption aes-256

isakmp policy 10 hash sha

isakmp policy 10 group 5

isakmp policy 10 lifetime 86400

isakmp policy 30 authentication pre-share

isakmp policy 30 encryption 3des

isakmp policy 30 hash md5

isakmp policy 30 group 2

isakmp policy 30 lifetime 86400

isakmp policy 50 authentication rsa-sig

isakmp policy 50 encryption aes-256

isakmp policy 50 hash md5

isakmp policy 50 group 5

isakmp policy 50 lifetime 86400

isakmp policy 70 authentication rsa-sig

isakmp policy 70 encryption 3des

isakmp policy 70 hash md5

isakmp policy 70 group 2

isakmp policy 70 lifetime 86400

vpngroup optida address-pool ma-vpn

vpngroup optida dns-server opticom3 opticom4

vpngroup optida wins-server opticom3

vpngroup optida default-domain opti.com

vpngroup optida split-tunnel optida_splitTunnelAcl

vpngroup optida idle-time 1800

vpngroup optida password xxxxxxx

vpngroup opticomCA address-pool ma-vpn

vpngroup opticomCA dns-server opticom3 opticom3

vpngroup opticomCA default-domain opti.com

vpngroup opticomCA split-tunnel opticomCA_splitTunnelAcl

vpngroup opticomCA pfs

vpngroup opticomCA idle-time 1800

vpngroup VPN address-pool ma-vpn

vpngroup VPN default-domain opti.com

vpngroup VPN split-tunnel VPN_splitTunnelAcl

vpngroup VPN idle-time 1800

ca identity exchxonf 172.16.50.9:/certsrv/mscep/mscep.dll

ca configure exchxonf ra 1 20 crloptional

Thanks a lot in advance for your help.

Best regards,

Marco

New Member

Re: PIX to VPN Client 4.0.1 with MS CA - Failed (PHASE 1)

Here a few debugs while connecting to the PIX:

debug crypto isakmp

crypto_isakmp_process_block:src:217.185.70.154, dest:212.20.129.38 spt:500 dpt:5

00

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0:0): vendor ID is NAT-T

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): SA is doing RSA signature authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:217.185.70.154, dest:212.20.129.38 spt:500 dpt:5

00

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:217.185.70.154, dest:212.20.129.38 spt:500 dpt:5

00

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

ISAKMP (0): processing SIG payload. message ID = 0

ISAKMP (0): processing NOTIFY payload 24578 protocol 1

spi 0, message ID = 0

ISAKMP (0): processing notify INITIAL_CONTACT

ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload

next-payload : 6

type : 1

protocol : 17

port : 500

length : 8

ISAKMP (0): Total payload length: 12

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:217.185.70.154, dest:212.20.129.38 spt:500 dpt:5

00

ISAKMP (0): processing DELETE payload. message ID = 1236643255, spi size = 16

ISAKMP (0): deleting SA: src 217.185.70.154, dst 212.20.129.38

return status is IKMP_NO_ERR_NO_TRANS

ISADB: reaper checking SA 0x12b734c, conn_id = 0

ISADB: reaper checking SA 0x121b204, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 217.185.70.154/500 not found - peers:1

ISADB: reaper checking SA 0x12b734c, conn_id = 0

IPSEC Debugging:

optivpn(config)# IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 217.185.70.154

IPSEC(key_engine): got a queue event...

IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

IPSEC(key_engine_delete_sas): delete all SAs shared with 217.185.70.154

Debug crypto ca:

CRYPTO_PKI: Certificate verified, chain status= 1

133
Views
0
Helpful
3
Replies
CreatePlease to create content