02-10-2012 11:33 AM
Hi all,
I have been working on trying to get an iPad using the built-in VPN client to connect to an ASA5510 version 8.2(5). I have attached the debug from where I have gotten so far. Phase 1 is failing somewhere, but the messages aren't real clear, or at least not to me. The ASA is acting as the local CA for the certificate. I inherited the config from another guy as he couldn't get it working, and I have made some progress but still no luck in getting the tunnel to just come up. Access to resources will be next, but I'd like to just see the iPad show connected. I am wondering if the certificate the guy created for the local CA isn't fully up to snuff, since the issuer-name isn't in DNS today.
Any info is greatly appreciated, and I have read a lot of the docs I could find on the internet about this topic.
Thanks.
02-10-2012 09:57 PM
Hello Greg,
I am not sure if this is the only problem you have but at least I can see the following on the debug:
Transform-Id: KEY_IKE
Reserved2: 0000
Life Type: seconds
Life Duration (Hex): 0e 10
Encryption Algorithm: AES-CBC
Key Length: 256
Authentication Method: XAUTH_INIT_RSA_SIG
Hash Algorithm: SHA1
Group Description: Group 2
And the following is setup in your ASA:
crypto isakmp enable outside
crypto isakmp policy 1
authentication rsa-sig
encryption aes-256
hash sha
group 5
Please change the Diffie-Hellman group so the ISAKMP phase (1) can match on both sides!
Regards,
Julio
02-13-2012 05:19 PM
Hi Julio,
Thanks for taking a look, but if you look at the debug it clearly shows that the proposals are acceptable.
Feb 10 13:33:59 [IKEv1 DEBUG]: IP = 98.100.115.254, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 1
I took your suggestion and changed from group 5 to group 2, and the debug then complained that it received group 5 but was configured for group 2, so I changed it back to group 5. It looks like the iPad with certificates relies on group 5 instead of group 2.
I am still trying to really figure out why phase 1 is failing.
Thanks.
Greg
02-14-2012 09:17 AM
Hi Greg,
It seems that you want to control, via the tunnel-group-map DefaultCertificateMap, whether the CN attribute of the issuer-name field of the CA cert contains "hhcolorlab":
crypto ca certificate map DefaultCertificateMap 1
issuer-name attr cn co hhcolorlab
But if I check your crypto CA server definition, I can see that the CN attribute of the issuer-name field of the CA contains "hhcolorca" and not "hhcolorlab":
crypto ca server
subject-name-default cn=hhcolorca, o=hhcolorlab, c=US
Can you check whether there is a little mistake here?
Vincent
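To make Vincent's point concrete, here is an added example (not code from this thread, and not Cisco's implementation) that models how a `crypto ca certificate map` rule such as `issuer-name attr cn co hhcolorlab` is evaluated against the DNs in a peer certificate. It assumes DN strings are comma-separated `attr=value` pairs, that `co` is a case-insensitive substring test on the named attribute, and that every rule in one map entry must match; the exact ASA matching semantics may differ in detail. The issuer DN is constructed from the `subject-name-default` of the local CA server quoted above, and the iPad subject DN is hypothetical.

```python
# Added example, not Cisco code: a small model of ASA certificate-map rule
# evaluation. Assumptions: DN strings are comma-separated 'attr=value'
# pairs, 'co' is a case-insensitive substring test on the named attribute,
# and all rules of one map entry must match (logical AND).
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed issuer DN for certificates signed by the thread's local CA,
# derived from 'subject-name-default cn=hhcolorca, o=hhcolorlab, c=US'.
ISSUER_DN = "cn=hhcolorca, o=hhcolorlab, c=US"
# Hypothetical subject DN for the iPad's identity certificate.
SUBJECT_DN = "cn=ipad-user, o=hhcolorlab, c=US"


def parse_dn(dn: str) -> dict:
    """Parse 'cn=a, o=b, c=US' into {'cn': 'a', 'o': 'b', 'c': 'US'} (keys lowercased)."""
    attrs = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().lower()] = value.strip()
    return attrs


@dataclass
class Rule:
    field: str            # 'issuer-name' or 'subject-name'
    attr: Optional[str]   # attribute such as 'cn'; None compares the whole DN string
    op: str               # 'eq', 'ne', 'co' (contains) or 'nc' (does not contain)
    value: str


def rule_matches(rule: Rule, issuer_dn: str, subject_dn: str) -> bool:
    """Evaluate one certificate-map rule against the peer certificate's DNs."""
    dn = issuer_dn if rule.field == "issuer-name" else subject_dn
    target = dn if rule.attr is None else parse_dn(dn).get(rule.attr.lower(), "")
    t, v = target.lower(), rule.value.lower()
    if rule.op == "eq":
        return t == v
    if rule.op == "ne":
        return t != v
    if rule.op == "co":
        return v in t
    if rule.op == "nc":
        return v not in t
    raise ValueError(f"unknown operator {rule.op!r}")


def map_entry_matches(rules: List[Rule], issuer_dn: str, subject_dn: str) -> bool:
    """A map entry matches only when every one of its rules matches."""
    return all(rule_matches(r, issuer_dn, subject_dn) for r in rules)


def diagnose(rules: List[Rule], issuer_dn: str, subject_dn: str) -> List[Tuple[str, str, bool]]:
    """Return (rule text, value actually compared, matched) per rule, for troubleshooting."""
    out = []
    for r in rules:
        dn = issuer_dn if r.field == "issuer-name" else subject_dn
        compared = dn if r.attr is None else parse_dn(dn).get(r.attr.lower(), "")
        text = f"{r.field} {'attr ' + r.attr + ' ' if r.attr else ''}{r.op} {r.value}"
        out.append((text, compared, rule_matches(r, issuer_dn, subject_dn)))
    return out


# The map entry as posted in the thread: looks for 'hhcolorlab' in the issuer CN.
AS_POSTED = [Rule("issuer-name", "cn", "co", "hhcolorlab")]
# Two ways to line the rule up with the CA's actual DN: match the CN as issued,
# or match 'hhcolorlab' where it really lives, in the O attribute.
FIXED_CN = [Rule("issuer-name", "cn", "co", "hhcolorca")]
FIXED_O = [Rule("issuer-name", "o", "co", "hhcolorlab")]

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("match on cn", FIXED_CN), ("match on o", FIXED_O)):
        for text, compared, ok in diagnose(rules, ISSUER_DN, SUBJECT_DN):
            print(f"{label:12} {text:40} compared={compared!r:14} match={ok}")
```

Run as a script, the `as posted` line shows the rule comparing `hhcolorlab` against the issuer CN `hhcolorca` and failing, while either corrected rule matches. The same check is worth doing against the real peer certificate's issuer (`show crypto ca certificates` on the ASA), since the map entry is evaluated against what the CA actually wrote into the cert, not against the map's own expectation.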