
New Member

ISAKMP policy using rsa-sig doesn't work on a PIX

Hello!

I've configured an IPSec VPN on my PIX (v.7.2.1) with certificate authentication. The necessary lines of the config are posted below. The VPN is initiated from the PIX side. When the PIX tries to negotiate ISAKMP options with the peer, it doesn't send the policies that use rsa-sig. Only the 'pre-shared key' policies are sent to the peer. What is the problem?

Thanks in advance.

PIX CONFIG:

===========

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map inetmap 20 match address ac-cryptomap-test
crypto map inetmap 20 set peer <ip_address>
crypto map inetmap 20 set transform-set ESP-3DES-SHA
crypto map inetmap interface outside
crypto ca trustpoint CA1
 enrollment url http://<ip_address>:80
 crl configure
  ldap-defaults <ip_address>
crypto ca certificate chain CA1
 certificate 0a
  <deleted>
  quit
 certificate ca 01
  <deleted>
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

DEBUG OUTPUT:

=============

debug cry isa 255

<This packet is sent by the PIX>

SENDING PACKET to <IP_ADDRESS>
ISAKMP Header
  Initiator COOKIE: 66 e1 e5 3c f6 17 08 66
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 148
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00
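As an added illustration (not part of the original post or of any Cisco code), the following Python decodes an ISAKMP Phase 1 Transform payload of the kind printed in the debug above and checks whether the proposal offers RSA signature authentication; the byte string is constructed to match the debug's own values (payload length 36, KEY_IKE, group 2, 3DES-CBC, SHA1, pre-shared key, lifetime 00 01 51 80 = 86400 s), and the attribute numbering follows RFC 2408/2409.

```python
import struct

# IKEv1 Phase 1 attribute classes and authentication methods (RFC 2409, Appendix A)
ATTR_CLASSES = {1: "Encryption Algorithm", 2: "Hash Algorithm", 3: "Authentication Method",
                4: "Group Description", 11: "Life Type", 12: "Life Duration"}
AUTH_METHODS = {1: "Preshared key", 2: "DSS signatures", 3: "RSA signatures",
                4: "RSA encryption", 5: "Revised RSA encryption"}
RSA_SIG = 3


def parse_transform(payload: bytes) -> dict:
    """Decode one ISAKMP Transform payload (RFC 2408 section 3.6) into its attributes."""
    if len(payload) < 8:
        raise ValueError("transform payload shorter than its 8-byte header")
    _next, _res, length, num, tid, _res2 = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError(f"payload length field {length} != {len(payload)} bytes present")
    attrs, pos = {}, 8
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated attribute header")
        type_field, second = struct.unpack("!HH", payload[pos:pos + 4])
        attr_type = type_field & 0x7FFF
        if type_field & 0x8000:          # AF bit set: basic (TV) attribute, 2-byte value
            value, pos = second, pos + 4
        else:                            # AF bit clear: TLV attribute, 'second' is the length
            if pos + 4 + second > length:
                raise ValueError("truncated variable-length attribute")
            value = int.from_bytes(payload[pos + 4:pos + 4 + second], "big")
            pos += 4 + second
        attrs[ATTR_CLASSES.get(attr_type, f"attribute {attr_type}")] = value
    return {"transform": num, "transform_id": tid, "attributes": attrs}


def offers_rsa_sig(transforms) -> bool:
    """True if any transform in the proposal offers RSA signature authentication."""
    return any(t["attributes"].get("Authentication Method") == RSA_SIG for t in transforms)


# Constructed to match the Transform payload in the debug above (length 36, KEY_IKE).
PIX_TRANSFORM = bytes.fromhex(
    "00 00 00 24 01 01 00 00"    # next=None, reserved, length 36, transform 1, KEY_IKE, reserved2
    "80 04 00 02"                # Group Description: group 2
    "80 01 00 05"                # Encryption Algorithm: 3DES-CBC
    "80 02 00 02"                # Hash Algorithm: SHA1
    "80 03 00 01"                # Authentication Method: preshared key
    "80 0b 00 01"                # Life Type: seconds
    "00 0c 00 04 00 01 51 80"    # Life Duration (TLV, 4 bytes): 0x15180 = 86400
)
# Same transform with the authentication method (byte 23) set to RSA signatures, i.e. what
# a transform carrying policy 20 would look like if the PIX actually offered it.
RSA_SIG_TRANSFORM = PIX_TRANSFORM[:23] + bytes([RSA_SIG]) + PIX_TRANSFORM[24:]
```

Running `parse_transform(PIX_TRANSFORM)` reproduces the debug's "Preshared key" and 86400-second lifetime, and `offers_rsa_sig` over the parsed transforms is the check that confirms the poster's observation that no rsa-sig transform is on the wire.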

6 REPLIES
Cisco Employee

Re: ISAKMP policy using rsa-sig doesn't work on a PIX

Hi,

Do you have "isakmp identity address" in your PIX configuration? If so, that could be the reason Phase 1 of your VPN tunnel is not coming up.

You have to configure "isakmp identity hostname" when using certificates and rsa-sig.

In your case, if you have L2L VPN tunnels or clients using pre-shared keys, then you could configure "isakmp identity auto", then try to bring up the tunnel and see if it works.

Please refer to the URL below for details on the command:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ike.htm

I hope it helps.

Regards,

Arul

New Member

Re: ISAKMP policy using rsa-sig doesn't work on a PIX

Hello Arul!

Thank you for your reply.

I've already resolved the problem. If anyone is interested, I can post the solution here.

Cisco Employee

Re: ISAKMP policy using rsa-sig doesn't work on a PIX

Hi,

Thanks for the update! Glad that your issue is resolved :-)

If you don't mind, could you please let me know what steps you took to resolve the issue?

Thanks,

Arul

New Member

Re: ISAKMP policy using rsa-sig doesn't work on a PIX

I don't know if anyone responded, but I am interested in the resolution.

Please post or repost, as I did not see it the first time, when you get a chance.

tks.

~samir

New Member

Re: ISAKMP policy using rsa-sig doesn't work on a PIX

Hello all!

This is the solution.

The following line is missing:

crypto map set trustpoint

New Member

Re: ISAKMP policy using rsa-sig doesn't work on a PIX

hi,

What command has the same function in PIX version 6.x or on an IOS router?
