Cisco Support Community
Community Member

Remote VPN with certificate authentication

Hi,

I got a PIX in which I have successfully configured remote VPN with pre-shared key authentication. Now, due to security concerns, I need to implement the remote VPN with certificate authentication.

I installed a Windows 2003 CA server and configured the PIX accordingly. I even got the certificate enrolled in my PIX. Now, I generated a certificate for a user, and when I try to connect after importing the certificate to the VPN client, I see the following error:

ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 4 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 5

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 5 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 6 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt:500

VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0

ISAKMP: larval sa found

crypto_isakmp_process_block:src:xx.xx.xx.xx, dest:yy.yy.yy.yy spt:3313 dpt:500

VPN Peer:ISAKMP: Peer Info for xx.xx.xx.xx/500 not found - peers:0

ISAKMP: larval sa found

Please guide me in this. I am not sure whether this is an error in my PIX configuration or in my Certificate server.
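
The debug output in the post above lists every transform the client offered and the verdict against the priority 8 policy. As an added example (not part of the original thread), this Python script groups such lines into transforms and reports which attributes differ from a local policy. The sample lines are constructed in the same format, and `ASSUMED_POLICY` is a hypothetical policy, since the PIX configuration is not shown on the page.

```python
import re
# Constructed sample in the same format as the debug output in the post.
SAMPLE = """\
ISAKMP (0): Checking ISAKMP transform 2 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

# Hypothetical local policy (assumption: the real PIX policy is not on the page).
ASSUMED_POLICY = {"encryption": "AES-CBC", "hash": "SHA", "group": "2",
                  "auth": "auth RSA sig", "keylength": "256"}

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
FIELDS = {name: re.compile(r"ISAKMP:\s*" + pat) for name, pat in [
    ("encryption", r"encryption (.+)"), ("hash", r"hash (.+)"),
    ("group", r"default group (\d+)"), ("auth", r"((?:extended )?auth .+)"),
    ("keylength", r"keylength of (\d+)")]}

def parse_transforms(text):
    """Group debug lines into one dict per offered transform."""
    transforms = []
    for line in map(str.strip, text.splitlines()):
        if (m := HEADER.search(line)):
            transforms.append({"transform": int(m[1]), "priority": int(m[2]), "accepted": None})
        elif transforms and "atts are" in line:
            # "atts are acceptable" vs "atts are not acceptable"
            transforms[-1]["accepted"] = "not acceptable" not in line
        elif transforms:
            for name, rx in FIELDS.items():
                if (m := rx.match(line)):
                    transforms[-1][name] = m[1].strip()
    return transforms

def mismatches(transform, policy):
    """Map attribute -> (offered, expected) where the offer differs from the policy."""
    return {k: (transform.get(k), v) for k, v in policy.items() if transform.get(k) != v}

if __name__ == "__main__":
    for t in parse_transforms(SAMPLE):
        print(t["transform"], t["accepted"], mismatches(t, ASSUMED_POLICY))
```

Blank lines between debug lines, as in the output pasted above, are skipped, so the same function can be run over a saved capture of the full debug.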

2 REPLIES

Re: Remote VPN with certificate authentication

Community Member

Re: Remote VPN with certificate authentication

Hi Andrew,

Thanks for the post. In fact, I did see that documentation and proceeded, but couldn't succeed. I solved the issue the other way round.

Thanks,

Ribin
