Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN Client using CA and authenticating with PIX

I have a problem with the following setup.

1 PIX 515 with a MS Cert Server on the inside.

1 VPN client 3.5 connecting from the outside.

Enrollment for the PIX and Client work fine. IKE negotiation using certificates work between the PIX and the Client.

If I use the client 3.6, network enrollment does not work, so I have to use file based enrollment. Also the IKE negotiation fails and the debug ISAKMP displays ???? sa not acceptable.

Any ideas?

5 REPLIES
Community Member

Re: VPN Client using CA and authenticating with PIX

Adrian

We've had exactly the same problem. 3.5 client could connect using certificates, 3.6 client fails using exactly the same certificate.

It is something to do with the transform sets and policies that are defined on the PIX. We ended defining about 20 and all of a sudden it started working again. I can't remember exactly which one fixed it - I am out of the office today so I will see if I can find the config when I'm back in.

Regards, Barry

Community Member

Re: VPN Client using CA and authenticating with PIX

That would be great. I spent nearly a full day trying to do an original installation with the 3.6 client and thought my configs were wrong. Then I used the 3.5 client and it worked first time.

Community Member

Re: VPN Client using CA and authenticating with PIX

Adrian

This is the policy config that we ended up with. Unfortunately, I can't remember which policy statement eventually sorted out the problem. Sorry.

Just tested this now - and yes, 3.6 client can authenticate using a certificate (using Microsoft CA Server).

isakmp policy 6 authentication rsa-sig

isakmp policy 6 encryption des

isakmp policy 6 hash md5

isakmp policy 6 group 1

isakmp policy 6 lifetime 86400

isakmp policy 7 authentication rsa-sig

isakmp policy 7 encryption des

isakmp policy 7 hash sha

isakmp policy 7 group 1

isakmp policy 7 lifetime 86400

isakmp policy 8 authentication rsa-sig

isakmp policy 8 encryption des

isakmp policy 8 hash md5

isakmp policy 8 group 2

isakmp policy 8 lifetime 86400

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 15 authentication pre-share

isakmp policy 15 encryption des

isakmp policy 15 hash sha

isakmp policy 15 group 2

isakmp policy 15 lifetime 86400

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

Regards, Barry

Community Member

Re: VPN Client using CA and authenticating with PIX

Thanks,

It looks like the later client would not let me use DH Group2. If I set it to DH Group 1 it connects. The older client works on both.

Community Member

Re: VPN Client using CA and authenticating with PIX

I found you post to Cisco Newsgroup regarding the MS CA with PIX VPN, do u managed to deploy this solution in your environment? I have a lot of error “ISAKMP: encryption... What? 7?" on the debug when i connect from a 3.63 client. i managed to enroll a cert for my pix with standalone or entreprise MS CA. but the client still not managed to connect.

99
Views
0
Helpful
5
Replies
CreatePlease to create content