iPad to ASA with certificate authentication, ASA local CA

ghaugsness
Level 1

Hi all,

     I have been working on trying to get an iPad using the built-in VPN client to connect to an ASA5510 running version 8.2(5). I have attached the debug from where I have gotten so far. Phase 1 is failing somewhere, but the messages aren't real clear, or at least not to me. The ASA is acting as the local CA for the certificate. I inherited the config from another guy as he couldn't get it working, and I have made some progress but still no luck in getting the tunnel to just come up. Access to resources will be next, but I'd like to just see the iPad show connected. I am wondering if the certificate the guy created for the local CA isn't fully up to snuff, since the issuer-name isn't in DNS today.

Any info is greatly appreciated, and I have read a lot of the docs I could find on the internet about this topic.

Thanks.

3 Replies

Julio Carvajal
VIP Alumni

Hello Greg,

I am not sure if this is the only problem you have but at least I can see the following on the debug:

Transform-Id: KEY_IKE
        Reserved2: 0000
        Life Type: seconds
        Life Duration (Hex): 0e 10
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Authentication Method: XAUTH_INIT_RSA_SIG
        Hash Algorithm: SHA1
        Group Description: Group 2

And the following is setup in your ASA:

crypto isakmp enable outside
crypto isakmp policy 1
authentication rsa-sig
encryption aes-256
hash sha
group 5

Please change the Diffie-Hellman group so the ISAKMP phase 1 proposal can match on both sides!

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
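The comparison Julio makes by eye above, as an added example (not code from the thread or from Cisco): it parses the transform payload printed by `debug crypto isakmp` and the `crypto isakmp policy` stanza quoted in the reply, normalises the debug labels into ASA policy keywords (the mapping tables are my assumption about how the debug names correspond to the configuration keywords), and reports which Phase 1 attributes differ. Both text samples are copies of what the reply quotes.

```python
"""Compare the IKEv1 Phase 1 proposal seen in ASA `debug crypto isakmp` output
with a `crypto isakmp policy` stanza and list the attributes that differ.
Added example: the debug excerpt and policy are copied from the reply above;
the parsers and the name-normalisation tables are my assumptions about how the
debug labels map onto ASA policy keywords."""
import re

# Transform payload as printed by the ASA debug (copied from the thread).
DEBUG_EXCERPT = """\
Transform-Id: KEY_IKE
        Reserved2: 0000
        Life Type: seconds
        Life Duration (Hex): 0e 10
        Encryption Algorithm: AES-CBC
        Key Length: 256
        Authentication Method: XAUTH_INIT_RSA_SIG
        Hash Algorithm: SHA1
        Group Description: Group 2
"""

# ASA configuration as quoted in the thread (unindented, as the reply shows it).
ASA_POLICY = """\
crypto isakmp enable outside
crypto isakmp policy 1
authentication rsa-sig
encryption aes-256
hash sha
group 5
"""

POLICY_KEYS = ("authentication", "encryption", "hash", "group", "lifetime")


def parse_debug_transform(text):
    """Turn the debug transform attributes into ASA policy vocabulary."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*?)\s*$", line)
        if m:
            attrs[m.group(1)] = m.group(2)
    proposal = {}
    enc = attrs.get("Encryption Algorithm", "")
    if enc == "AES-CBC":
        # ASA names AES by key length: aes, aes-192, aes-256 (assumed mapping).
        klen = attrs.get("Key Length", "128")
        proposal["encryption"] = "aes" if klen == "128" else "aes-" + klen
    else:
        proposal["encryption"] = {"3DES-CBC": "3des", "DES-CBC": "des"}.get(enc, enc.lower())
    proposal["hash"] = {"SHA1": "sha", "MD5": "md5"}.get(attrs.get("Hash Algorithm"), "?")
    auth = attrs.get("Authentication Method", "")
    if "RSA_SIG" in auth:
        proposal["authentication"] = "rsa-sig"
    elif "PRE_SHARED" in auth or "PSK" in auth:
        proposal["authentication"] = "pre-share"
    else:
        proposal["authentication"] = auth.lower()
    m = re.search(r"Group (\d+)", attrs.get("Group Description", ""))
    proposal["group"] = m.group(1) if m else "?"
    # Lifetime is printed as big-endian hex bytes: "0e 10" -> 0x0e10 = 3600 s.
    hexlife = attrs.get("Life Duration (Hex)")
    if hexlife:
        proposal["lifetime"] = int(hexlife.replace(" ", ""), 16)
    return proposal


def parse_asa_policies(text):
    """Collect `crypto isakmp policy N` stanzas: {N: {keyword: value}}."""
    policies, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            current = policies.setdefault(int(words[3]), {"lifetime": 86400})  # ASA default
        elif current is not None and len(words) == 2 and words[0] in POLICY_KEYS:
            current[words[0]] = int(words[1]) if words[0] == "lifetime" else words[1]
    return policies


def mismatches(proposal, policy):
    """Attributes where the peer's proposal and one policy differ.
    Lifetime is reported only when the peer asks for more than the policy
    allows, since an IKEv1 responder may accept a shorter lifetime."""
    diffs = {}
    for key in ("authentication", "encryption", "hash", "group"):
        if proposal.get(key) != policy.get(key):
            diffs[key] = (proposal.get(key), policy.get(key))
    if proposal.get("lifetime", 0) > policy.get("lifetime", 0):
        diffs["lifetime"] = (proposal["lifetime"], policy["lifetime"])
    return diffs


def first_matching_policy(proposal, policies):
    """Lowest-numbered policy with no mismatches, or None (checked in priority order)."""
    for prio in sorted(policies):
        if not mismatches(proposal, policies[prio]):
            return prio
    return None


if __name__ == "__main__":
    prop = parse_debug_transform(DEBUG_EXCERPT)
    pols = parse_asa_policies(ASA_POLICY)
    print("peer proposal:", prop)
    for prio, pol in pols.items():
        print(f"policy {prio} mismatches:", mismatches(prop, pol))
    print("matching policy:", first_matching_policy(prop, pols))
```

Run against the quoted excerpts it reports a single difference, `group: ('2', '5')`, and no matching policy. The same parser can be pointed at a longer debug capture and a full `show run crypto isakmp` to find which policy, if any, a peer's proposal lines up with before changing the configuration.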

Hi Julio,

      Thanks for taking a look, but if you look at the debug it clearly shows that the proposals are acceptable:

Feb 10 13:33:59 [IKEv1 DEBUG]: IP = 98.100.115.254, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1

I took your suggestion and changed from group 5 to group 2, and the debug then complained that it received group 5 but was configured for group 2, so I changed it back to group 5. It looks like the iPad with certificates relies on group 5 instead of group 2.

I am still trying to really figure out why phase 1 is failing.

Thanks.

Greg

Hi Greg,

It seems that you want to control, via the tunnel-group-map DefaultCertificateMap, whether the CN of the issuer-name field of the CA cert contains "hhcolorlab":

crypto ca certificate map DefaultCertificateMap 1

issuer-name attr cn co hhcolorlab

But if I check your crypto CA server definition, I can see that the CN of the issuer-name field of the CA contains "hhcolorca" and not "hhcolorlab":

crypto ca server

subject-name-default cn=hhcolorca, o=hhcolorlab c=US

Can you check if there is not a little mistake here?

Vincent
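The mismatch Vincent points out, worked through as an added example (not code from the thread or from Cisco): a small evaluator for ASA-style `crypto ca certificate map` rules applied to the issuer DN a certificate from this local CA would carry. The map rule and the CA's `subject-name-default` are the ones quoted above; the DN parser, the rule evaluator, the sample peer certificate and the two corrected rules are mine, and attribute comparison is assumed to be case-insensitive.

```python
"""Evaluate ASA-style `crypto ca certificate map` rules against the issuer and
subject DN of a peer certificate. Added example: the map rule and the CA's
subject-name-default are the ones quoted in the reply above; the DN parser,
the evaluator and the sample peer certificate are mine, and string comparison
is assumed to be case-insensitive."""
import re

# Rules as (field, attribute-or-None, operator, value). Attribute None means
# the operator is applied to the whole DN string (ASA `issuer-name co ...`).
# Sequence 1 below is the DefaultCertificateMap rule quoted in the thread.
CERT_MAP_FROM_THREAD = {
    1: [("issuer-name", "cn", "co", "hhcolorlab")],
}

# Peer certificate as the ASA local CA would issue it (constructed). The issuer
# DN is the CA's `subject-name-default cn=hhcolorca, o=hhcolorlab c=US`.
PEER_CERT = {
    "issuer-name": "cn=hhcolorca, o=hhcolorlab c=US",
    "subject-name": "cn=ipad-user, o=hhcolorlab, c=US",
}


def parse_dn(dn):
    """Split 'cn=a, o=b, c=US' into {'cn': 'a', 'o': 'b', 'c': 'US'}.
    Also splits on whitespace before 'attr=' so the missing comma in the
    quoted config does not swallow 'c=US' into the o= value."""
    parts = re.split(r"\s*,\s*|\s+(?=[A-Za-z]+=)", dn.strip())
    out = {}
    for part in parts:
        if "=" in part:
            key, val = part.split("=", 1)
            out[key.strip().lower()] = val.strip()
    return out


def rule_matches(rule, cert):
    """Apply one eq/ne/co/nc rule to the named DN field of the certificate."""
    field, attr, op, value = rule
    dn = cert.get(field, "")
    target = dn if attr is None else parse_dn(dn).get(attr.lower(), "")
    t, v = target.lower(), value.lower()   # assumed case-insensitive
    if op == "eq":
        return t == v
    if op == "ne":
        return t != v
    if op == "co":
        return v in t
    if op == "nc":
        return v not in t
    raise ValueError(f"unknown operator {op!r}")


def matching_sequence(cert_map, cert):
    """Lowest sequence whose rules ALL match, or None.
    ASA evaluates sequences in order and requires every rule in a sequence
    to match before that sequence's tunnel-group mapping applies."""
    for seq in sorted(cert_map):
        if all(rule_matches(r, cert) for r in cert_map[seq]):
            return seq
    return None


# Two ways to make the rule agree with the CA's actual issuer DN.
CORRECTED_MAP_CN = {1: [("issuer-name", "cn", "co", "hhcolorca")]}
CORRECTED_MAP_O = {1: [("issuer-name", "o", "co", "hhcolorlab")]}

if __name__ == "__main__":
    print("issuer DN parsed:", parse_dn(PEER_CERT["issuer-name"]))
    print("thread's rule matches sequence:", matching_sequence(CERT_MAP_FROM_THREAD, PEER_CERT))
    print("cn co hhcolorca matches sequence:", matching_sequence(CORRECTED_MAP_CN, PEER_CERT))
    print("o co hhcolorlab matches sequence:", matching_sequence(CORRECTED_MAP_O, PEER_CERT))
```

With the rule as configured in the thread, no sequence matches, so the DefaultCertificateMap never selects a tunnel group for a certificate issued by this CA; either corrected rule matches sequence 1. Before relying on a map rule in production, compare it against the issuer DN printed by `show crypto ca certificates` rather than against what the CA was intended to be named.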
