
VPN Client w. certs

I have Cisco VPN Client 4.6 on WinXP and the server is an IOS Easy VPN server (12.4T). Everything works fine with pre-shared keys, but when I try to use certificates for IKE authentication the VPN client never connects.

In its log I always see the following error (everything before the 5th ISAKMP message snipped):

126 19:17:01.612 08/16/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 192.168.0.11

127 19:17:01.622 08/16/06 Sev=Info/4 CERT/0x63600013
Cert (cn=FA-RIGHT.lab,ou=lab,o=IG,c=ES) verification succeeded.

128 19:17:01.622 08/16/06 Sev=Warning/3 IKE/0xE3000081
Invalid remote certificate id: ID_FQDN: ID = FA-RIGHT.lab, Certificate = [NULL]

129 19:17:01.622 08/16/06 Sev=Warning/3 IKE/0xE3000058
The peer's certificate doesn't match Phase 1 ID

130 19:17:01.622 08/16/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2202)

I cannot understand what's wrong with the cert received from the server. It seems that in message #127 it is successfully verified, but in #128 the client complains about a missing FQDN. How can that be? The cert has its common name set to the FQDN.

Anyway, the same thing happens if an IP address is used as the identity...

Can anybody shed light and help?

alex

==========================

1 REPLY

Re: VPN Client w. certs

I think the issue is that the client is strict on checking the ID in the certificate to exactly match what has been offered during IKE.

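The check the reply describes, as an added example that is not from the thread or from Cisco: the client takes the identity the peer offered in the IKE ID payload and looks for that exact value in the certificate. The rules used here (ID_FQDN must appear as a SubjectAltName dNSName and ID_IPV4_ADDR as a SubjectAltName iPAddress, while a DN identity is compared against the subject) are assumptions for this illustration; the DN and addresses are taken from the log above.

```python
import ipaddress

# Subject DN taken from log entry 127; the SAN lists below are constructed.
SERVER_SUBJECT = "cn=FA-RIGHT.lab,ou=lab,o=IG,c=ES"

def parse_dn(dn):
    """Split 'cn=FA-RIGHT.lab,ou=lab,o=IG,c=ES' into {'cn': 'FA-RIGHT.lab', ...}."""
    out = {}
    for part in dn.split(","):
        key, _, val = part.partition("=")
        out[key.strip().lower()] = val.strip()
    return out

def cert_identities(id_type, san):
    """Values the certificate offers for an IKE ID type (assumed mapping).
    san is a list of (kind, value) tuples such as ('dns', 'fa-right.lab')."""
    if id_type == "ID_FQDN":
        return [v.lower() for k, v in san if k == "dns"]
    if id_type == "ID_IPV4_ADDR":
        return [str(ipaddress.ip_address(v)) for k, v in san if k == "ip"]
    return []

def id_matches_cert(id_type, id_value, subject_dn, san):
    """Strict Phase 1 check: (matched, what the certificate offered)."""
    if id_type == "ID_DER_ASN1_DN":
        # Attribute order does not matter for a DN comparison; values must.
        return parse_dn(id_value) == parse_dn(subject_dn), subject_dn
    offered = cert_identities(id_type, san)
    if not offered:
        # Mirrors log entry 128: "ID = FA-RIGHT.lab, Certificate = [NULL]" --
        # the CN alone does not satisfy an FQDN or address identity here.
        return False, "[NULL]"
    if id_type == "ID_FQDN":
        wanted = id_value.lower()
    else:
        wanted = str(ipaddress.ip_address(id_value))
    return wanted in offered, ", ".join(offered)

if __name__ == "__main__":
    # Reproduces the failing case and the two ways it would succeed.
    print(id_matches_cert("ID_FQDN", "FA-RIGHT.lab", SERVER_SUBJECT, []))
    print(id_matches_cert("ID_FQDN", "FA-RIGHT.lab", SERVER_SUBJECT,
                          [("dns", "fa-right.lab")]))
    print(id_matches_cert("ID_DER_ASN1_DN", "c=ES,o=IG,ou=lab,cn=FA-RIGHT.lab",
                          SERVER_SUBJECT, []))
```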