10-09-2002 03:17 AM - edited 02-21-2020 10:04 AM
I have a problem with the following setup.
1 PIX 515 with a MS Cert Server on the inside.
1 VPN client 3.5 connecting from the outside.
Enrollment for the PIX and Client work fine. IKE negotiation using certificates work between the PIX and the Client.
If I use the client 3.6, network enrollment does not work, so I have to use file based enrollment. Also the IKE negotiation fails and the debug ISAKMP displays ???? sa not acceptable.
Any ideas?
10-09-2002 03:23 AM
Adrian
We've had exactly the same problem. 3.5 client could connect using certificates, 3.6 client fails using exactly the same certificate.
It is something to do with the transform sets and policies that are defined on the PIX. We ended up defining about 20 and all of a sudden it started working again. I can't remember exactly which one fixed it - I am out of the office today so I will see if I can find the config when I'm back in.
Regards, Barry
10-09-2002 03:26 AM
That would be great. I spent nearly a full day trying to do an original installation with the 3.6 client and thought my configs were wrong. Then I used the 3.5 client and it worked first time.
10-10-2002 01:53 AM
Adrian
This is the policy config that we ended up with. Unfortunately, I can't remember which policy statement eventually sorted out the problem. Sorry.
Just tested this now - and yes, 3.6 client can authenticate using a certificate (using Microsoft CA Server).
isakmp policy 6 authentication rsa-sig
isakmp policy 6 encryption des
isakmp policy 6 hash md5
isakmp policy 6 group 1
isakmp policy 6 lifetime 86400
isakmp policy 7 authentication rsa-sig
isakmp policy 7 encryption des
isakmp policy 7 hash sha
isakmp policy 7 group 1
isakmp policy 7 lifetime 86400
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
Regards, Barry
10-15-2002 03:21 AM
Thanks,
It looks like the later client would not let me use DH Group2. If I set it to DH Group 1 it connects. The older client works on both.
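The two findings above (the PIX only accepts a client proposal if one of its isakmp policies matches on every attribute, and the 3.6 client's proposal only fitted once a matching policy existed) can be checked offline. The following is an added example, not code from the thread or from Cisco: it parses "isakmp policy N attr value" lines like the ones Barry posted (used here as constructed sample input), fills unset attributes with assumed defaults, and reports which policy, if any, would accept a given client proposal and why each other policy rejects it. Lifetime handling (a responder accepts a proposed lifetime no longer than its own) is a simplification and the attribute names are assumptions of this example.

```python
"""Added example: simulate ISAKMP (IKE phase 1) policy selection on a PIX.

The PIX tries its policies in priority order (lowest number first) and
accepts the first whose authentication, encryption, hash and DH group all
equal the peer's proposal and whose lifetime is at least the proposed one.
No acceptable policy is the 'sa not acceptable' failure from the thread.
"""
from typing import Dict, List, Optional

# Attributes that must be identical on both sides.
EXACT_ATTRS = ("authentication", "encryption", "hash", "group")

# Assumed defaults for attributes a policy line does not set
# (an assumption of this example, not taken from the thread).
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
            "hash": "sha", "group": "1", "lifetime": "86400"}

# Constructed sample input: the six policies Barry posted.
SAMPLE_CONFIG = """\
isakmp policy 6 authentication rsa-sig
isakmp policy 6 encryption des
isakmp policy 6 hash md5
isakmp policy 6 group 1
isakmp policy 6 lifetime 86400
isakmp policy 7 authentication rsa-sig
isakmp policy 7 encryption des
isakmp policy 7 hash sha
isakmp policy 7 group 1
isakmp policy 7 lifetime 86400
isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption des
isakmp policy 8 hash md5
isakmp policy 8 group 2
isakmp policy 8 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication pre-share
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 2
isakmp policy 15 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

Policy = Dict[str, str]


def parse_isakmp_policies(config: str) -> Dict[int, Policy]:
    """Parse 'isakmp policy <n> <attr> <value>' lines into per-policy dicts."""
    policies: Dict[int, Policy] = {}
    for raw in config.splitlines():
        parts = raw.split()
        if (len(parts) != 5 or parts[:2] != ["isakmp", "policy"]
                or parts[3] not in DEFAULTS):
            continue  # not a policy line, or an attribute this example does not model
        num = int(parts[2])
        policies.setdefault(num, dict(DEFAULTS))[parts[3]] = parts[4]
    return policies


def mismatches(policy: Policy, proposal: Policy) -> List[str]:
    """Attributes on which `policy` rejects `proposal`; empty list means accepted."""
    bad = [a for a in EXACT_ATTRS if policy[a] != proposal[a]]
    if int(proposal.get("lifetime", DEFAULTS["lifetime"])) > int(policy["lifetime"]):
        bad.append("lifetime")
    return bad


def match_proposal(policies: Dict[int, Policy], proposal: Policy) -> Optional[int]:
    """Number of the first (highest-priority) policy that accepts the proposal,
    or None when nothing matches (the 'sa not acceptable' case)."""
    for num in sorted(policies):
        if not mismatches(policies[num], proposal):
            return num
    return None


def explain_rejection(policies: Dict[int, Policy], proposal: Policy) -> Dict[int, List[str]]:
    """Per-policy list of rejecting attributes, to see which policy line is missing."""
    return {num: mismatches(policies[num], proposal) for num in sorted(policies)}


if __name__ == "__main__":
    pols = parse_isakmp_policies(SAMPLE_CONFIG)
    cert_group2 = {"authentication": "rsa-sig", "encryption": "des",
                   "hash": "sha", "group": "2", "lifetime": "86400"}
    print("rsa-sig/des/sha/group 2 ->", match_proposal(pols, cert_group2))
    cert_3des = dict(cert_group2, encryption="3des")
    print("rsa-sig/3des/sha/group 2 ->", match_proposal(pols, cert_3des))
    for num, why in explain_rejection(pols, cert_3des).items():
        print(f"  policy {num} rejects on {why}")
```

Running it shows a certificate proposal with DES/SHA/group 2 landing on policy 10, while the same proposal with 3DES matches nothing and every policy reports "encryption" among its reasons, which is the kind of gap that the thread's "add more policies until it works" approach was filling blindly.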
04-16-2003 06:04 AM
I found your post to the Cisco Newsgroup regarding the MS CA with PIX VPN. Did you manage to deploy this solution in your environment? I get a lot of the error "ISAKMP: encryption... What? 7?" in the debug when I connect from a 3.63 client. I managed to enroll a cert for my PIX with a standalone or enterprise MS CA, but the client still does not manage to connect.