Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Contivity to PIX VPN with digital certificates

Hi.

I am trying to raise a VPN between a Network Contivity appliance and Cisco PIX Firewall with digital certificates and not with preshared key, but the VPN does not rise. We have followed the steps for the configuration of VPN with digital certificates generated by an CA described in the manuals of Cisco PIX.

I attach the log's generated by both machines.

CISCO PIX

ISAKMP (0): Checking ISAKMP transform 1 against priority 12 policy

ISAKMP: encryption 3DES-CBC

ISAKMP: hash MD5

ISAKMP: auth RSA sig

ISAKMP: default group 2

ISAKMP (0): atts are acceptable. Next payload is 3

ISAKMP (0): SA is doing RSA signature authentication using id type ID_IPV4_ADDR

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing CERT_REQ payload. message ID = 0

ISAKMP (0): peer wants a CT_X509_SIGNATURE cert

return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): cert approved with warning

ISAKMP (0): ID of 0R1

bogota1 0 Uco10

0

U

ach10U

sistemas10ces1700a (type 9) doesn't match certificate with DN '0R1

bogota1 0 Uco10

0

U

ach10U

sistemas10ces1700a'

return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): cert approved with warning

ISAKMP (0): ID of 0R1

bogota1 0 Uco10

0

U

ach10U

sistemas10ces1700a (type 9) doesn't match certificate with DN '0R1

bogota1 0 Uco10

0

U

ach10U

sistemas10ces1700a'

return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block:src:200.32.81.125, dest:200.31.21.2 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing ID payload. message ID = 0

ISAKMP (0): processing CERT payload. message ID = 0

ISAKMP (0): processing a CT_X509_SIGNATURE cert

ISAKMP (0): cert approved with warning

ISAKMP (0): ID of 0R1

bogota1 0 Uco10

0

U

ach10U

sistemas10ces1700a (type 9) doesn't match certificate with DN '0R1

bogota1 0 Uco10

0

U

ach10U

sistemas10ces1700a'

return status is IKMP_ERR_RETRANS

ISAKMP (0): deleting SA: src 200.32.81.125, dst 200.31.21.2

ISADB: reaper checking SA 0x3b13d0c, conn_id = 0

ISADB: reaper checking SA 0x3a70904, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 200.32.81.125/500 not found - peers:6

ISADB: reaper checking SA 0x3b13d0c, conn_id = 0

CONTIVITY

01/15/2004 17:53:18 0 Branch Office [01] IPSEC branch office connection initiated to rem[200.31.21.29-255.255.255.255]@[200.31.21.2] loc[200.32.81.117-255.255.255.255]

01/15/2004 17:53:18 0 Security [11] Session: IPSEC[cn=pix-conavi.conavi.com] attempting login

01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com] has no active sessions

01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com] VPN to CONAVI has no active accounts

01/15/2004 17:53:18 0 tHttpdTask [35] BoTestTunnel[200.32.81.125, 200.31.21.2] destroyed by user 'admin' @ '172.16.10.10'

01/15/2004 17:53:18 0 Security [01] Retrieving server certificate: uniqueIdentifier=75baed004e7beaa3bcaaafc2db889f24fd1f70c8, cn=16047, ou=Certificates, o=Bay Networks, c=US

01/15/2004 17:53:18 0 Security [02] Retrieved server certificate: CN=ces1700a, OU=sistemas, O=ach, ST=bogota, C=co, issued by: CN=certicamara

01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 signing data using LOCAL...

01/15/2004 17:53:18 0 Security [01] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 data signed using LOCAL

01/15/2004 17:54:22 0 Security [13] Session: IPSEC[cn=pix-conavi.conavi.com]:117352 No response from client - logging out

01/15/2004 17:54:22 0 tIsakmp [34] Failed Login Attempt: Username=cn=pix-conavi.conavi.com: Date/Time=01/15/2004 17:54:22

01/15/2004 17:54:22 0 ISAKMP [02] Deleting ISAKMP SA with 200.31.21.2

1 REPLY
Silver

Re: Contivity to PIX VPN with digital certificates

If there is a setting for pre-shared key authentication using ID type, if the ID type is set to ID_FQDN the contivity will give an error in invalid ID, the ID type on the Pix needs to be set to IPV4. Also PIX has to be configured for IKE identity negotiation instead of the hostname which is done by default. Hope this helps.

248
Views
0
Helpful
1
Replies
CreatePlease to create content