ASA VPN Remote Access with local CA failed

cdicesare
Level 1

Hello,

I have an ASA 5505 firewall (IOS version 6.3.2) and I am trying to test VPN access with the local certificate authority (certificate) plus user password, using:

-Remote access mode with the Windows VPN Client

-Remote access mode with the Anyconnect Client

The "double authentication" works fine with the AnyConnect client.

However, it doesn't work with the Windows VPN Client if I want to use certificate and password. It works fine if I use the group authentication "HOME VPN" + PSK in the Windows VPN client.


I have searched the Cisco website and I don't find a solution.

When I start a connection with my Windows VPN client, I see the following messages when monitoring from ASDM:

6    Oct 18 2010    22:15:06                        Certificate chain was successfully validated with warning, revocation status was not checked.
6    Oct 18 2010    22:15:06                        Certificate was successfully validated. serial number: 04, subject name:  cn=oneal.
3    Oct 18 2010    22:15:06                        IP = 83.204.147.250, No Group found by matching OU(s) from ID payload:   Unknown
3    Oct 18 2010    22:15:06                        IP = 83.204.147.250, No Group found by matching OU(s) from ID payload:   Unknown
6    Oct 18 2010    22:15:06                        IP = 83.204.147.250, Automatic NAT Detection Status:     Remote end   IS   behind a NAT device     This   end   IS   behind a NAT device
6    Oct 18 2010    22:15:06        83.204.147.250    33615    interface_outside_ASA    4500    Built inbound UDP connection 437651 for outside:83.204.147.250/33615 (83.204.147.250/33615) to identity:interface_outside_ASA/4500 (interface_outside_ASA/4500)
5    Oct 18 2010    22:15:05                        Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5    Oct 18 2010    22:15:05                        Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5    Oct 18 2010    22:15:05                        Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5    Oct 18 2010    22:15:05                        Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
6    Oct 18 2010    22:15:05        83.204.147.250    9687    interface_outside_ASA    500    Built inbound UDP connection 437649 for outside:83.204.147.250/9687 (83.204.147.250/9687) to identity:interface_outside_ASA/500 (interface_outside_ASA/500)

Here is the VPN part of my ASA configuration:

access-list outside_access_in extended permit ip n-192.168.84.241-VPNSSL_Pool 255.255.255.248 any
access-list outside_access_in extended permit tcp any host interface_outside_ASA object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any host interface_outside_ASA eq ftp inactive
access-list outside_access_in remark Autorise le PC en Wifi a acceder au LAN
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host PC_Wifi host h-nat-192.168.4.201 inactive
access-list outside_access_in extended deny ip any any
access-list outside_access_in remark Autorise le PC en Wifi a acceder au LAN
access-list inside_access_in remark Acces VPN admin
access-list inside_access_in extended permit tcp 192.168.84.248 255.255.255.248 any
access-list inside_nat_static extended permit ip host h-serveur-cable host PC_Wifi
access-list test extended permit ip host h-serveur-cable host PC_Wifi
access-list inside_nat_static_1 extended permit tcp host h-serveur-cable eq www any
access-list inside_access_in_1 extended permit ip object-group G-PC-Cable-inside any
access-list inside_access_in_1 extended deny ip any any
access-list inside_nat0_outbound extended permit ip 192.168.84.0 255.255.255.0 n-192.168.84.241-VPNSSL_Pool 255.255.255.248
access-list Webports-ACL extended permit tcp any any object-group WEBPORTS
access-list outside_authentication extended permit tcp DMZ_livebox 255.255.255.0 host interface_outside_ASA
access-list outside_authentication extended permit tcp any host interface_outside_ASA eq www
access-list inside_nat_static_2 extended permit tcp host h-serveur-cable eq ftp any
access-list debug_h-cable extended permit ip host h-cable any
access-list anyconnect-filter-test extended permit ip 192.168.84.248 255.255.255.248 any


access-list Filter_WebAcl webtype deny url http://www.toto.fr log informational interval 300
access-list Allow_WebACL webtype permit url http://www.labanque.com log default
access-list Allow_WebACL webtype permit url http://*mail* log default
access-list Allow_WebACL webtype permit url http://*google* log default
access-list Allow_WebACL webtype permit url https://*google* log default
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN-Pool 192.168.84.249-192.168.84.254
ip local pool VPN-SSL-Pool 192.168.84.241-192.168.84.246 mask 255.255.255.248
ip local pool clientVPNpool 192.168.84.60-192.168.84.70 mask 255.255.255.0
ipv6 access-list inside_access_ipv6_in deny ip any any inactive
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-632.bin
no asdm history enable
arp timeout 14400
global (inside) 1 192.168.84.202 netmask 255.255.255.0
global (inside) 2 interface
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 192.168.84.0 255.255.255.0
static (inside,outside) tcp interface www access-list inside_nat_static_1
static (inside,outside) tcp interface ftp access-list inside_nat_static_2
static (inside,outside) h-nat-192.168.4.201  access-list test
access-group inside_access_in_1 in interface inside
access-group inside_access_ipv6_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record DAP_test
user-message "DAP (securite)"
webvpn
  appl-acl Filter_WebAcl
  appl-acl Allow_WebACL
  url-list value Intranet
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication match outside_authentication outside LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.0.0 255.255.0.0 outside
http 192.168.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_3DES_MD5
crypto map outside_map 20 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
crl configure
crypto ca server
cdp-url http://website./+CSCOCA+/asa_ca.crl
smtp from-address test@gmail.com
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX 
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
    XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX  
  quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
no vpn-addr-assign aaa
telnet timeout 5
ssh 192.168.0.0 255.255.0.0 inside
ssh 192.168.0.0 255.255.0.0 outside
ssh timeout 50
ssh version 2
console timeout 0
dhcpd lease 999999
!
dhcpd address h-serveur-cable-192.168.84.33 inside
dhcpd dns 80.10.246.2 80.10.246.129 interface inside
dhcpd domain home interface inside
dhcpd enable inside
!

threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server 134.214.100.6 source outside
webvpn
enable outside
csd image disk0:/securedesktop_asa-3.3.0.118-k9.pkg
svc image disk0:/anyconnect-win-2.5.0217-k9.pkg 4
svc image disk0:/anyconnect-wince-ARMv4I-2.5.0217-k9.pkg 5 regex "Windows CE"
svc enable  
port-forward Home_Port_Forwarding 3128 192.168.84.2 3128 Acces Squid
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
vpn-tunnel-protocol svc
default-domain value cisco.com
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol webvpn
webvpn
  url-list value Intranet
  customization value DfltCustomization
group-policy WebVPNPolicy-HOME internal
group-policy WebVPNPolicy-HOME attributes
banner value Politique WebVPNPolicy-home utilise
vpn-tunnel-protocol IPSec svc webvpn
address-pools value VPN-SSL-Pool
ipv6-address-pools none
webvpn
  url-list value Intranet
  filter none
  svc ask none default webvpn
  customization value VPNSSL-HOME
  url-entry enable
username test3 password XXXXXXXXXXXXXX encrypted
username test3 attributes
vpn-group-policy WebVPNPolicy-HOME
username oneal password XXXXXXXXXXXXXXX encrypted
username oneal attributes
vpn-group-policy WebVPNPolicy-HOME
username cedric password XXXXXXXXXXXXXXXXXXX encrypted privilege 0
username cedric attributes
vpn-group-policy WebVPNPolicy-HOME
service-type remote-access
webvpn
  port-forward enable Home_Port_Forwarding
  customization value VPNSSL-HOME
  sso-server none
username admin password XXXXXXXXXXXXXXXXXX encrypted privilege 15
tunnel-group DefaultL2LGroup general-attributes
default-group-policy WebVPNPolicy-HOME
tunnel-group DefaultL2LGroup ipsec-attributes
peer-id-validate nocheck
tunnel-group DefaultRAGroup general-attributes
address-pool clientVPNpool
default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
no authentication chap
authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
authorization-server-group LOCAL
tunnel-group DefaultWEBVPNGroup webvpn-attributes
customization TEST
tunnel-group HOME-VPN type remote-access
tunnel-group HOME-VPN general-attributes
address-pool VPN-SSL-Pool
authentication-server-group (inside) LOCAL
authorization-server-group LOCAL
authorization-server-group (inside) LOCAL
default-group-policy WebVPNPolicy-HOME
authorization-required
tunnel-group HOME-VPN webvpn-attributes
customization VPNSSL-HOME
authentication aaa certificate
group-url https://XXXXX.ath.cx enable
group-url https://XXXXX.ath.cx/home enable
tunnel-group HOME-VPN ipsec-attributes
pre-shared-key *****
peer-id-validate nocheck
trust-point LOCAL-CA-SERVER
tunnel-group HOME-VPN ppp-attributes
no authentication chap
no authentication ms-chap-v1
tunnel-group TunnelGroup1 type ipsec-l2l
tunnel-group TunnelGroup1 general-attributes
default-group-policy WebVPNPolicy-HOME
tunnel-group-map default-group HOME-VPN
!
class-map Webports-Class
match access-list Webports-ACL
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map type inspect http http-Policy
parameters
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect sip 
  inspect netbios
  inspect tftp
  inspect icmp
  inspect ip-options
class Webports-Class
  inspect http http-Policy
!
service-policy global_policy global
smtp-server 209.85.229.109
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
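A small parser for the ASDM syslog lines quoted in this post, added here as an illustration and not part of the thread or of any Cisco tooling: it picks out the two messages that matter for this failure (the Phase 1 attribute mismatch and the unmatched OU) and summarises what each side proposed. The sample lines are the ones pasted above; the column layout assumed is the one ASDM produced (severity, date, time, optional connection columns, message).

```python
import re
from collections import Counter

# Sample input: the ASDM syslog lines quoted in the post above, as pasted
# (severity, date, time, optional connection columns, message text).
SAMPLE_LOG = """\
6    Oct 18 2010    22:15:06                        Certificate chain was successfully validated with warning, revocation status was not checked.
6    Oct 18 2010    22:15:06                        Certificate was successfully validated. serial number: 04, subject name:  cn=oneal.
3    Oct 18 2010    22:15:06                        IP = 83.204.147.250, No Group found by matching OU(s) from ID payload:   Unknown
3    Oct 18 2010    22:15:06                        IP = 83.204.147.250, No Group found by matching OU(s) from ID payload:   Unknown
6    Oct 18 2010    22:15:06        83.204.147.250    33615    interface_outside_ASA    4500    Built inbound UDP connection 437651 for outside:83.204.147.250/33615 (83.204.147.250/33615) to identity:interface_outside_ASA/4500 (interface_outside_ASA/4500)
5    Oct 18 2010    22:15:05                        Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
5    Oct 18 2010    22:15:05                        Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2
"""

# One ASDM row: severity digit, "Mon DD YYYY", "HH:MM:SS", then everything else.
ROW_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<rest>.*\S)\s*$"
)
# IKEv1 Phase 1 proposal mismatch: which attribute class, what the peer sent, what we have.
MISMATCH_RE = re.compile(
    r"Phase 1 failure:\s+Mismatched attribute types for class (?P<cls>.+?):\s+"
    r"Rcv'd:\s+(?P<rcvd>.+?)\s+Cfg'd:\s+(?P<cfgd>.+?)\s*$"
)
# Certificate-to-tunnel-group mapping found nothing to match on.
NOGROUP_RE = re.compile(r"No Group found by matching OU\(s\) from ID payload:\s+(?P<ou>\S+)")


def parse_lines(text):
    """Return one dict per parsable row; rows that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"severity": int(m["sev"]),
                         "when": f"{m['date']} {m['time']}",
                         "msg": m["rest"]})
    return rows


def analyze(rows):
    """Count the two failure signatures that appear in the post."""
    mismatches = Counter()    # (class, received, configured) -> occurrences
    unmatched_ou = Counter()  # OU value the ASA tried to map -> occurrences
    for row in rows:
        m = MISMATCH_RE.search(row["msg"])
        if m:
            mismatches[(m["cls"], m["rcvd"], m["cfgd"])] += 1
            continue
        m = NOGROUP_RE.search(row["msg"])
        if m:
            unmatched_ou[m["ou"]] += 1
    return {"mismatches": mismatches, "unmatched_ou": unmatched_ou}


def explain(analysis):
    """Turn the counts into plain-language findings for the operator."""
    findings = []
    for (cls, rcvd, cfgd), n in sorted(analysis["mismatches"].items()):
        findings.append(
            f"{n}x Phase 1 mismatch on '{cls}': peer proposed '{rcvd}', ASA offers only '{cfgd}'. "
            f"Either add an isakmp policy that includes '{rcvd}' or change the client proposal to '{cfgd}'."
        )
    for ou, n in sorted(analysis["unmatched_ou"].items()):
        findings.append(
            f"{n}x certificate-to-tunnel-group lookup failed: OU from ID payload was '{ou}'. "
            "Without a matching OU the session can only land on the tunnel-group-map default-group."
        )
    return findings


if __name__ == "__main__":
    for finding in explain(analyze(parse_lines(SAMPLE_LOG))):
        print(finding)
```

Run it on a larger paste of the same ASDM view and the counts tell you whether the mismatch is the only Phase 1 problem or just the noisiest one.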

7 Replies

Marcin Latosiewicz
Cisco Employee

We don't officially support Local CA for the purpose of IPsec VPN termination.

I also understand that you're using ASA 8.3.2, not 6.3.2?

This is what your user sends in the certificate, it seems...

cn=oneal


where is the OU? How do you map certificate to tunnel group?

There is some "generic" DH group mismatch message there; can you maybe try to add:

crypto isakmp policy 15
authentication rsa-sig
encryption aes
hash sha
group 2

I just want to stress that it might not be supported with local CA, but if you're willing to spend the time, we can try to make it work ;-)

You already got your client to send the cert, it seems; not too bad.

Marcin

Thank you for your reply.
The IOS ASA version is 8.2(3) and the ASDM image is 6.3(2).

Exactly, oneal is a username which is defined in the ASA.

I tried to add the following commands:
crypto isakmp policy 15
authentication rsa-sig
encryption aes
hash sha
group 2

I still get the message:
"5    Oct 19 2010    21:46:17                        Phase 1 failure:  Mismatched attribute types for class Group Description:  Rcv'd: Group 5  Cfg'd: Group 2"

Where can I define an OU? Is it in the creation of the user certificate?
The mapping of certificate to tunnel group is not very clear to me. Can you give me more information on this? Do you have an example?

I have this in the ASA configuration:

tunnel-group-map default-group HOME-VPN

When creating the username oneal, must I define the OU equal to "HOME-VPN"?

Thank you in advance for your help.

I am testing with the ASA 5505 in a lab. It's not for the production environment.

Well, the OU you probably specify when defining the Local CA.

The default tunnel group is indeed a good option for you; it's a fallback if you don't find a tunnel-group by any other means.

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/t.html#wp1569434

Can you attach those debugs while the user connects:

------

deb cry isa 127

deb cry ips 127

deb cry ca m

deb cry ca t

-----

and show me the "show run tunnel-group", "show run group-policy" and "show run crypto map" at minimum?

Marcin
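To make the OU-to-tunnel-group question concrete, here is a small model of the lookup the ASA log complained about. It is an added example, not from the thread or from Cisco: it parses the certificate subject DN, tries each OU value against the configured tunnel-group names, and falls back to the default group (the role `tunnel-group-map default-group HOME-VPN` plays in the posted config). The DN strings and the set of group names are constructed for the example, and the ASA's real certificate-to-tunnel-group features (for instance `tunnel-group-map enable ou` and certificate maps) are richer than this simplified model.

```python
import re

# Constructed sample DNs: the one the post's log shows (no OU at all), plus
# two invented ones to exercise the matching and fallback paths.
SAMPLE_DNS = {
    "oneal-as-logged": "cn=oneal",
    "oneal-with-ou":   "cn=oneal,ou=HOME-VPN,o=home",
    "contractor":      "cn=bob,ou=Contractors,ou=VENDOR-VPN,o=home",
}


def parse_dn(dn):
    """Split an RFC 4514-style DN into (attribute, value) pairs.

    Commas escaped with a backslash stay inside the value; attribute names are
    lower-cased so 'OU' and 'ou' compare equal. Multi-valued RDNs (a+b) are not
    handled: this is a teaching model, not a full DN parser.
    """
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if sep:
            pairs.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return pairs


def select_tunnel_group(subject_dn, tunnel_groups, default_group=None):
    """Pick a tunnel-group for a certificate the way the log message describes.

    Each OU value is tried, in order, as a tunnel-group name. If none matches,
    the default group is used when one is configured; otherwise the lookup
    fails the way the post's syslog line does ("No Group found ...").
    Returns (group_or_None, reason).
    """
    ous = [value for attr, value in parse_dn(subject_dn) if attr == "ou"]
    for ou in ous:
        if ou in tunnel_groups:
            return ou, f"matched OU '{ou}'"
    tried = ", ".join(ous) if ous else "Unknown"
    if default_group is not None:
        return default_group, f"no OU matched ({tried}); using default-group"
    return None, f"No Group found by matching OU(s) from ID payload: {tried}"


if __name__ == "__main__":
    groups = {"HOME-VPN", "VENDOR-VPN"}
    for label, dn in SAMPLE_DNS.items():
        print(label, "->", select_tunnel_group(dn, groups, default_group="HOME-VPN"))
    # Without a default group the DN from the log cannot be placed at all:
    print("oneal, no default ->", select_tunnel_group(SAMPLE_DNS["oneal-as-logged"], groups))
```

The point the model makes is that a certificate with only `cn=oneal` carries nothing for an OU match, so the session is either placed by the default group or refused; the OU has to be put in the subject when the user certificate is issued.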

Hello Marcin

Thank you for this information. I'm going to read attentively the documentation which you provided.

You will find the debug and logs in the attached file.

Cédric

Cedric,

"Attempt to get Phase 1 ID data failed while constructing ID"

If you do "show crypto ca cert", do you see an identity certificate for trust-point LOCAL-CA-SERVER?

This is the trustpoint you have chosen to identify this ASA when it's responding.

Marcin

cdicesare
Level 1

Marcin,

Here is the result of the command "show crypto ca cert":

LCSC-FW# show crypto ca certificates
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=XXXX.ath.cx
  Subject Name:
    cn=XXXX.ath.cx
  Validity Date:
    start date: 09:18:20 CEDT Aug 3 2010
    end   date: 09:18:20 CEDT Aug 2 2013
  Associated Trustpoints: LOCAL-CA-SERVER

The cn corresponds to the hostname of my firewall + ath.cx (cn=XXXX.ath.cx).

Why does my certificate work fine for the AnyConnect connection and not for the VPN client?

Cedric,

You're missing an identity cert to send to the IPsec peer.

You'd have to somehow sign a CSR from the ASA by ASA's local CA.

I would like to stress that this is not supported and TAC/BU will not work with this setup.

Take a PC and enroll it the normal way; as username, use the hostname of the ASA itself.

DO NOT install the cert.

You should receive a pkcs12 formatted file; you need to make sure it's in base64 form.

openssl base64 -in cert.p12 -out cert.b64

When/if prompted for a password, check:

crypto ca server user-db show-otp 

You should now be able to import your cert.

crypto ca import CHANGE_NAME pkcs12

In the case of SSL, apparently only the client needs to present a certificate, which the server ASA needs to authenticate - and it can do that against its Local CA.

Marcin
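A check for exactly the gap Marcin points to: a trustpoint that holds a CA certificate but no identity certificate cannot identify the ASA to an IPsec peer, even though it is enough for authenticating client certificates in SSL. The parser below is an added example (not from the thread or from Cisco) that reads `show crypto ca certificates` output, lists trustpoints with only a CA certificate, and also flags RSA keys shorter than 2048 bits, since the posted CA is 1024-bit. The first block of the sample is the output posted above; the `EXAMPLE-TP` trustpoint is constructed to show a complete CA-plus-identity pair, and the identity block header is assumed to read `Certificate`.

```python
import re

# Sample `show crypto ca certificates` output. The first block is the one
# posted in the thread; EXAMPLE-TP is constructed to show a trustpoint that
# carries both a CA certificate and an identity certificate.
SAMPLE_OUTPUT = """\
CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (1024 bits)
  Issuer Name:
    cn=XXXX.ath.cx
  Subject Name:
    cn=XXXX.ath.cx
  Validity Date:
    start date: 09:18:20 CEDT Aug 3 2010
    end   date: 09:18:20 CEDT Aug 2 2013
  Associated Trustpoints: LOCAL-CA-SERVER

Certificate
  Status: Available
  Certificate Serial Number: 0a
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=example-ca
  Subject Name:
    cn=asa.example.test
  Associated Trustpoints: EXAMPLE-TP

CA Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=example-ca
  Subject Name:
    cn=example-ca
  Associated Trustpoints: EXAMPLE-TP
"""

HEADER_RE = re.compile(r"^(CA Certificate|Certificate)\s*$")   # unindented block start
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?):\s*(.*)$")            # "  Name: value" or "  Name:"
KEYBITS_RE = re.compile(r"RSA \((\d+) bits\)")


def parse_certificates(output):
    """Return one dict per certificate block: {'kind': ..., 'fields': {...}}.

    Fields whose value sits on the following indented line (Issuer Name,
    Subject Name) are folded into a single entry.
    """
    certs, cur, pending = [], None, None
    for line in output.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = {"kind": h.group(1), "fields": {}}
            certs.append(cur)
            pending = None
            continue
        if cur is None:
            continue
        f = FIELD_RE.match(line)
        if f:
            name, value = f.group(1), f.group(2)
            if value:
                cur["fields"][name] = value
                pending = None
            else:
                pending = name          # value expected on the next line
            continue
        if pending and line.strip():
            cur["fields"][pending] = line.strip()
            pending = None
    return certs


def trustpoint_summary(certs):
    """Map each trustpoint name to the set of certificate kinds it holds."""
    summary = {}
    for c in certs:
        for tp in c["fields"].get("Associated Trustpoints", "").split():
            summary.setdefault(tp, set()).add(c["kind"])
    return summary


def missing_identity(output):
    """Trustpoints with a CA certificate but no identity ('Certificate') block."""
    summary = trustpoint_summary(parse_certificates(output))
    return sorted(tp for tp, kinds in summary.items() if "Certificate" not in kinds)


def weak_rsa_keys(output, minimum_bits=2048):
    """(kind, subject, bits) for every certificate whose RSA key is below minimum_bits."""
    weak = []
    for c in parse_certificates(output):
        m = KEYBITS_RE.search(c["fields"].get("Public Key Type", ""))
        if m and int(m.group(1)) < minimum_bits:
            weak.append((c["kind"], c["fields"].get("Subject Name", "?"), int(m.group(1))))
    return weak


if __name__ == "__main__":
    print("trustpoints without an identity certificate:", missing_identity(SAMPLE_OUTPUT))
    print("RSA keys below 2048 bits:", weak_rsa_keys(SAMPLE_OUTPUT))
```

Against the posted output the first check returns `LOCAL-CA-SERVER`, which is the same conclusion Marcin draws by eye: the trustpoint named in `tunnel-group HOME-VPN ipsec-attributes` has nothing to present as the ASA's own identity.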
