help, about linux host connect to cisco router with ipsec?

I want to encrypt the connection between a Linux host and a Cisco router using X.509 certificates.

They both get their certificates from a CA server in the middle, like this:

host ------- CA --------- router
  |________________________|

Getting certificates from the CA succeeds, but they cannot establish a connection, so I turned on the debug option in 'racoon' and found this in the log:

...
2012-03-31 15:21:38: DEBUG: begin.
2012-03-31 15:21:38: DEBUG: seen nptype=5(id)
2012-03-31 15:21:38: DEBUG: seen nptype=9(sig)
2012-03-31 15:21:38: DEBUG: seen nptype=11(notify)
2012-03-31 15:21:38: DEBUG: succeed.
2012-03-31 15:21:38: [192.168.5.254] DEBUG: getrmconf_by_ph1: remote 192.168.5.254[500], identity 192.168.5.254.
2012-03-31 15:21:38: [192.168.5.254] DEBUG: configuration "anonymous" selected.
2012-03-31 15:21:38: [192.168.5.254] DEBUG: getrmconf_by_ph1: remote 192.168.5.254[500], identity 192.168.5.254.
2012-03-31 15:21:38: [192.168.5.254] DEBUG: configuration "anonymous" selected.
2012-03-31 15:21:38: DEBUG: SIGN passed:
2012-03-31 15:21:38: DEBUG:
77632995 4605a2e3 45e0f4e4 cd0e8c21 33d4484f cfc81f27 be78790f ba876dae
fb5beeaa 6e583a5f c5f67783 df88e691 70bf9f24 10348d80 e97bc4bb 2a8dfcb7
2012-03-31 15:21:38: ERROR: no peer's CERT payload found.   <---- why?

Is there some error in my configuration on the Cisco router?

no ip domain lookup
ip domain name dns.com
ip host dns.com 192.168.5.148
!
!
crypto pki trustpoint 192.168.5.148
 enrollment mode ra
 enrollment url http://192.168.5.148:80/certsrv/mscep/mscep.dll
 revocation-check crl
!
!
crypto pki certificate chain 192.168.5.148
 certificate ca 59AE4EE19D22ED96425DAE4EB95AE798
  quit
username newland privilege 15 secret 5 $1$LeJA$BKZJVPhNw/gBPQQ0YSXRJ.
archive
 log config
  hidekeys
!
!
!
!
crypto isakmp policy 1
 encr 3des
!
crypto ipsec transform-set linjia esp-3des esp-sha-hmac
 mode transport
!
crypto map linjiamap 1 ipsec-isakmp
 set peer 192.168.5.147
 set transform-set linjia
 match address 101
!
!
interface FastEthernet0/1
 ip address 192.168.5.254 255.255.255.0
 duplex auto
 speed auto
 crypto map linjiamap

Or some error in 'racoon.conf'?

path include "/etc/racoon";
path certificate "/etc/racoon/cert";

remote anonymous
{
        exchange_mode main;
        lifetime time 32 hour;
        my_identifier asn1dn;
        certificate_type x509 "example.pem" "example.key";
        proposal {
                encryption_algorithm des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 1;
        }
        proposal {
                encryption_algorithm des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 1;
        }
}

sainfo anonymous
{
        lifetime time 32 hour;
        encryption_algorithm des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

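As an added diagnostic example (not part of the original post or of racoon), the Python below parses racoon debug output like the excerpt in the question, groups the `seen nptype=` lines between `begin.` and `succeed.` into one received message each, and reports which ISAKMP payload types the peer actually sent and whether a CERT payload (type 6) was among them. The sample log is constructed from the post's lines; the payload numbering follows RFC 2408.

```python
import re
from dataclasses import dataclass, field

# ISAKMP payload type numbers from RFC 2408; racoon prints them as nptype=N(name).
CERT_PAYLOAD = 6
PAYLOAD_NAMES = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
                 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}

# Matches racoon's per-payload trace line, tolerating extra whitespace.
SEEN_RE = re.compile(r"DEBUG: seen\s+nptype=(\d+)\((\w+)\)")


@dataclass
class Message:
    """Payload types racoon reported for one received ISAKMP message."""
    timestamp: str = ""
    payloads: list = field(default_factory=list)

    @property
    def has_cert(self):
        return CERT_PAYLOAD in self.payloads


def parse_racoon_log(text):
    """Group 'seen nptype=' lines between 'DEBUG: begin.' and 'DEBUG: succeed.'."""
    messages, current = [], None
    for line in text.splitlines():
        if "DEBUG: begin." in line:
            current = Message(timestamp=line[:19])   # 'YYYY-MM-DD HH:MM:SS'
        elif "DEBUG: succeed." in line and current is not None:
            messages.append(current)
            current = None
        elif current is not None:
            m = SEEN_RE.search(line)
            if m:
                current.payloads.append(int(m.group(1)))
    return messages


def missing_cert_report(messages):
    """One line per message: payload names seen and whether a CERT payload arrived."""
    report = []
    for msg in messages:
        names = "+".join(PAYLOAD_NAMES.get(p, str(p)) for p in msg.payloads)
        status = "CERT present" if msg.has_cert else "no CERT payload"
        report.append(f"{msg.timestamp}: {names} -> {status}")
    return report


# Constructed sample mirroring the debug lines quoted in the post.
SAMPLE_LOG = """\
2012-03-31 15:21:38: DEBUG: begin.
2012-03-31 15:21:38: DEBUG: seen nptype=5(id)
2012-03-31 15:21:38: DEBUG: seen nptype=9(sig)
2012-03-31 15:21:38: DEBUG: seen nptype=11(notify)
2012-03-31 15:21:38: DEBUG: succeed.
2012-03-31 15:21:38: ERROR: no peer's CERT payload found.
"""

if __name__ == "__main__":
    for line in missing_cert_report(parse_racoon_log(SAMPLE_LOG)):
        print(line)
```

Run against a full `racoon -F -ddd` capture, the report shows whether the error is a missing CERT payload from the peer (ID+SIG without CERT, as in the post) rather than a local certificate or proposal problem.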