VPN3000 identity certificate problem off internal Microsoft CA
I have been sent a replacement VPN3000 concentrator due to an intermittent (unknown) fault and appear to have a problem with its identity certificate. We use the VPN3000 for IPSec clients using RSA certificates, IPSec LAN2LAN using pre-shared keys and WebVPN using an SSL certificate. We use Microsoft certificate services.
In order to replace the concentrator I exported the SSL Thawte certificate and the Thawte CAs to the new device, installed our organisation's CA certificate and enrolled with the CA to obtain an identity certificate. The WebVPN works fine but the VPN clients do not authenticate. I have checked through the config of both concentrators (as I am still using the old one) and there is no difference in the setup at all.
Can anyone help me?
I have attached a log from the VPN concentrator and the client when attempting to make a connection.
Re: VPN3000 identity certificate problem off internal Microsoft
Are you able to connect with the same client using a pre-shared key instead of certificates? If you are, then try to reinstall the certificate. You could also try to use IPSec over UDP on the client and check IPSec over NAT-T on the concentrator, and make sure that UDP 4500 is allowed through the device the client is connecting through.