ISAKMP policy using rsa-sig doesn't work on a PIX

tcherkon
Level 1

Hello!

I've configured IPSec VPN on my PIX (v.7.2.1) with certificate authentication. Sufficient lines of the config are posted below. VPN is initiated from the PIX side. When PIX tries to negotiate ISAKMP options to the peer, it doesn't send policies which use rsa-sig. Only 'pre-shared key' policies are sent to the peer. What is the problem?

Thanks in advance.

PIX CONFIG:
===========

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map inetmap 20 match address ac-cryptomap-test
crypto map inetmap 20 set peer <ip_address>
crypto map inetmap 20 set transform-set ESP-3DES-SHA
crypto map inetmap interface outside
crypto ca trustpoint CA1
 enrollment url http://<ip_address>:80
 crl configure
  ldap-defaults <ip_address>
crypto ca certificate chain CA1
 certificate 0a
  <deleted>
  quit
 certificate ca 01
  <deleted>
  quit
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400

DEBUG OUTPUT:
=============

debug cry isa 255

<This packet is sent by the PIX>

SENDING PACKET to <IP_ADDRESS>
ISAKMP Header
  Initiator COOKIE: 66 e1 e5 3c f6 17 08 66
  Responder COOKIE: 00 00 00 00 00 00 00 00
  Next Payload: Security Association
  Version: 1.0
  Exchange Type: Identity Protection (Main Mode)
  Flags: (none)
  MessageID: 00000000
  Length: 148
  Payload Security Association
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 56
    DOI: IPsec
    Situation:(SIT_IDENTITY_ONLY)
    Payload Proposal
      Next Payload: None
      Reserved: 00
      Payload Length: 44
      Proposal #: 1
      Protocol-Id: PROTO_ISAKMP
      SPI Size: 0
      # of transforms: 1
      Payload Transform
        Next Payload: None
        Reserved: 00
        Payload Length: 36
        Transform #: 1
        Transform-Id: KEY_IKE
        Reserved2: 0000
        Group Description: Group 2
        Encryption Algorithm: 3DES-CBC
        Hash Algorithm: SHA1
        Authentication Method: Preshared key
        Life Type: seconds
        Life Duration (Hex): 00 01 51 80
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
  Payload Vendor ID
    Next Payload: Vendor ID
    Reserved: 00
    Payload Length: 20
    Data (In Hex):
      7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
  Payload Vendor ID
    Next Payload: None
    Reserved: 00
    Payload Length: 24
    Data (In Hex):
      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
      c0 00 00 00

6 Replies

ajagadee
Cisco Employee

Hi,

Do you have "Isakmp Identity Address" on your Pix Configuration? If so, that could be an issue for Phase 1 of your VPN Tunnel not coming up.

You have to configure "Isakmp Identity Hostname" when using Certificates and rsa-sig.

In your case, if you have VPN L2L Tunnels or Clients using Pre-shared Keys, then you could configure "Isakmp Identity Auto" and then try to bring up the tunnel, and see if it works.

Please refer to the URL for details on the command:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ike.htm

I hope it helps.

Regards,

Arul

Hello Arul!

Thank you for your reply.

I've already resolved the problem. If anyone is interested, I can post the solution here.

Hi,

Thanks for the update! Glad that your issue is resolved :-)

If you don't mind, could you please let me know what steps you took to resolve the issue?

Thanks,

Arul

Don't know if anyone responded, but I am interested in the resolution.

Please post or repost, as I did not see it the first time, when you get a chance.

tks.

~samir

Hello all!

This is the solution.

The following line is missing:

crypto map set trustpoint
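As an added example (not part of this thread or of any Cisco tool), a small Python check that reproduces the diagnosis above offline: it reads the `isakmp policy ... authentication` lines from a PIX config, compares them with the `Authentication Method:` lines in the `debug crypto isakmp` output, and flags crypto map entries that set a peer without a `set trustpoint` line. The config and debug excerpts are constructed from the post; the peer address and the mapping of debug wording to config keywords are assumptions.

```python
import re

# Constructed excerpt of the original poster's config (peer address is a placeholder).
PIX_CONFIG = """\
crypto map inetmap 20 match address ac-cryptomap-test
crypto map inetmap 20 set peer 192.0.2.1
crypto map inetmap 20 set transform-set ESP-3DES-SHA
crypto ca trustpoint CA1
isakmp policy 20 authentication rsa-sig
isakmp policy 30 authentication pre-share
"""

# Constructed excerpt of the 'debug cry isa 255' output: a single pre-shared transform.
DEBUG_OUTPUT = """\
Payload Transform
Transform #: 1
Authentication Method: Preshared key
"""

# Assumed mapping from the debug's wording to the configuration keyword.
AUTH_NAMES = {"preshared key": "pre-share", "rsa signature": "rsa-sig"}


def configured_auth_methods(config):
    """Return {policy_number: auth_keyword} for every isakmp policy in the config."""
    pairs = re.findall(r"^isakmp policy (\d+) authentication (\S+)", config, re.M)
    return {int(num): method for num, method in pairs}


def proposed_auth_methods(debug):
    """Return the set of authentication keywords the PIX actually proposed."""
    found = re.findall(r"^Authentication Method:\s*(.+)$", debug, re.M)
    return {AUTH_NAMES.get(f.strip().lower(), f.strip().lower()) for f in found}


def crypto_map_entries_without_trustpoint(config):
    """Return (map, seq) tuples that set a peer but never 'set trustpoint'."""
    peers = set(re.findall(r"^crypto map (\S+) (\d+) set peer", config, re.M))
    trustpoints = set(re.findall(r"^crypto map (\S+) (\d+) set trustpoint", config, re.M))
    return sorted(peers - trustpoints)


def diagnose(config, debug):
    """Policies never offered on the wire, plus crypto map entries missing a trustpoint."""
    policies = configured_auth_methods(config)
    proposed = proposed_auth_methods(debug)
    not_proposed = {n: m for n, m in policies.items() if m not in proposed}
    return {"not_proposed": not_proposed,
            "maps_without_trustpoint": crypto_map_entries_without_trustpoint(config)}


if __name__ == "__main__":
    print(diagnose(PIX_CONFIG, DEBUG_OUTPUT))
```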

Hi,

What command has the same function in PIX version 6.x or on an IOS router?
