Router to PC VPN with device authen only via RSA Sig

mmydlowski
Level 1

Problem establishing a VPN between a Cisco router and a PC-based Cisco VPN Client using version 4.6 (had problems with 4.8 & 5.0). Only trying to accomplish device authentication with digital certificates without any interest in user authentication/authorization, so I've eliminated the Xauth from IKE and login stuff from the client config.

I've got to take about half a dozen users into production asap...

I am thinking the access list may be the problem since the PC client is expecting to have encrypted communications, but the Cisco router is still doing all its checks and balances with IKE/ISAKMP to finish device authentication with one certificate on each. Error messages seem straightforward, but I'm new to the VPN configs and have tested PKI for about 6 months w/o going into production. Attached are logs with recommended debug turned on for crypto ike/ipsec/pki/etc.

2 Replies

b.hsu
Level 5

From the problem description, it sounds to me that you can in fact install the Cisco VPN client on the PC running the software, and use this to connect to a VPN end-point to carry the information. For more information on VPN configuration please click the following URL:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml#maintask1

Thank you for your response!

After further investigation, I'm more concerned about Cisco's IOS 12.4 "Certificate Server" being able to consistently build certificates. Do I need to depend upon a certain Test release like 12.4T because 12.4 isn't ready ....? It's in the 12.4 documentation as though it's ready and I couldn't find any comments in the caveats...

I have tried to build a "request for a certificate" with both the Cisco VPN Client 4.8/5.0 and Mozilla's add-on to Firefox called Key Manager, but both failed.

Just loading base64 instream directly into the IOS crypto cmd to enroll via the terminal fails regularly, besides trying to use SCEP (Cisco's simple certificate enrollment protocol).

I don't care how it gets done, because I like Cisco's architecture so much, but it's got to be reliable.

I don't mind getting involved with Cisco's testing and I believe I can replicate the errors.

Attached is an error of the IOS 12.4 failing...