09-13-2006 01:53 AM
Hello!
I've configured IPSec VPN on my PIX (v.7.2.1) with certificate authentication. Sufficient lines of the config are posted below. VPN is initiated from the PIX side. When PIX tries to negotiate ISAKMP options to the peer, it doesn't send policies which use rsa-sig. Only 'pre-shared key' policies are sent to the peer. What is the problem?
Thanks in advance.
PIX CONFIG:
===========
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map inetmap 20 match address ac-cryptomap-test
crypto map inetmap 20 set peer <ip_address>
crypto map inetmap 20 set transform-set ESP-3DES-SHA
crypto map inetmap interface outside
crypto ca trustpoint CA1
enrollment url http://<ip_address>:80
crl configure
ldap-defaults <ip_address>
crypto ca certificate chain CA1
certificate 0a
<deleted>
quit
certificate ca 01
<deleted>
isakmp enable outside
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
DEBUG OUTPUT:
=============
debug cry isa 255
<This packet is sent by the PIX>
SENDING PACKET to <IP_ADDRESS>
ISAKMP Header
Initiator COOKIE: 66 e1 e5 3c f6 17 08 66
Responder COOKIE: 00 00 00 00 00 00 00 00
Next Payload: Security Association
Version: 1.0
Exchange Type: Identity Protection (Main Mode)
Flags: (none)
MessageID: 00000000
Length: 148
Payload Security Association
Next Payload: Vendor ID
Reserved: 00
Payload Length: 56
DOI: IPsec
Situation:(SIT_IDENTITY_ONLY)
Payload Proposal
Next Payload: None
Reserved: 00
Payload Length: 44
Proposal #: 1
Protocol-Id: PROTO_ISAKMP
SPI Size: 0
# of transforms: 1
Payload Transform
Next Payload: None
Reserved: 00
Payload Length: 36
Transform #: 1
Transform-Id: KEY_IKE
Reserved2: 0000
Group Description: Group 2
Encryption Algorithm: 3DES-CBC
Hash Algorithm: SHA1
Authentication Method: Preshared key
Life Type: seconds
Life Duration (Hex): 00 01 51 80
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
Payload Vendor ID
Next Payload: Vendor ID
Reserved: 00
Payload Length: 20
Data (In Hex):
7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
Payload Vendor ID
Next Payload: None
Reserved: 00
Payload Length: 24
Data (In Hex):
40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
c0 00 00 00
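As an added illustration (not part of the original post), the following Python decoder reads the Security Association payload of an unencrypted IKEv1 Main Mode message 1 and lists the authentication method each transform proposes, so a debug like the one above can be checked against a capture. The sample packet is constructed from the field values in the debug (3DES-CBC, SHA1, group 2, 86400 s lifetime, no vendor IDs) and is not the PIX's actual bytes.

```python
import struct

# IKEv1 transform attribute types and authentication-method values (RFC 2409, Appendix A).
ATTR_NAMES = {1: "encryption", 2: "hash", 3: "auth", 4: "group", 11: "life_type", 12: "life_duration"}
AUTH_METHODS = {1: "Preshared key", 2: "DSS signatures", 3: "RSA signatures", 4: "RSA encryption"}

def parse_transform_attrs(data):
    """Decode the TV/TLV attribute list that follows a transform payload's 8-byte header."""
    attrs, off = {}, 0
    while off < len(data):
        atype, aval = struct.unpack_from("!HH", data, off)
        if atype & 0x8000:  # TV form: the value itself sits in the second 2-byte field
            value, off = aval, off + 4
        else:               # TLV form: the second field is the length of the value that follows
            value, off = int.from_bytes(data[off + 4:off + 4 + aval], "big"), off + 4 + aval
        attrs[ATTR_NAMES.get(atype & 0x7FFF, atype & 0x7FFF)] = value
    return attrs

def auth_methods_offered(packet):
    """Walk the SA payload of an unencrypted Main Mode message 1; return each transform's auth method."""
    if packet[16] != 1:  # byte 16 of the 28-byte ISAKMP header is Next Payload; 1 = Security Association
        return []
    off = 28
    sa_end = off + struct.unpack_from("!H", packet, off + 2)[0]
    off += 12            # generic payload header (4) + DOI (4) + Situation (4)
    methods = []
    while off < sa_end:  # one proposal payload per iteration
        p_len, spi_size, n_transforms = struct.unpack_from("!H", packet, off + 2)[0], packet[off + 6], packet[off + 7]
        t_off = off + 8 + spi_size
        for _ in range(n_transforms):
            t_len = struct.unpack_from("!H", packet, t_off + 2)[0]
            attrs = parse_transform_attrs(packet[t_off + 8:t_off + t_len])
            methods.append(AUTH_METHODS.get(attrs.get("auth"), "unknown"))
            t_off += t_len
        off += p_len
    return methods

def build_main_mode_1(auth_methods):
    """Constructed sample: Main Mode message 1 with one 3DES/SHA/group-2 transform per auth method, no vendor IDs."""
    transforms = b""
    for i, auth in enumerate(auth_methods, 1):
        attrs = struct.pack("!10H", 0x8004, 2, 0x8001, 5, 0x8002, 2, 0x8003, auth, 0x800B, 1)
        attrs += struct.pack("!HH", 0x000C, 4) + bytes.fromhex("00015180")  # lifetime 86400 s as a TLV, as in the debug
        next_pl = 0 if i == len(auth_methods) else 3                         # 3 = another Transform payload follows
        transforms += struct.pack("!BBHBBH", next_pl, 0, 8 + len(attrs), i, 1, 0) + attrs  # transform id 1 = KEY_IKE
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transforms), 1, 1, 0, len(auth_methods) ) + transforms
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal     # DOI IPsec, SIT_IDENTITY_ONLY
    header = bytes.fromhex("66e1e53cf6170866") + bytes(8) + struct.pack("!BBBBII", 1, 0x10, 2, 0, 0, 28 + len(sa))
    return header + sa
```

With a single pre-share transform the constructed packet reproduces the debug's lengths (SA 56, proposal 44, transform 36); a PIX offering both policies would show two transforms, one with "RSA signatures".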
09-18-2006 08:56 PM
Hi,
Do you have "Isakmp Identity Address" in your PIX configuration? If so, that could be an issue for Phase 1 of your VPN tunnel not coming up.
You have to configure "Isakmp Identity Hostname" when using certificates and rsa-sig.
In your case, if you have L2L VPN tunnels or clients using pre-shared keys, then you could configure "Isakmp Identity Auto", try to bring up the tunnel, and see if it works.
Please refer to the URL for details on the command:
http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ike.htm
I hope it helps.
Regards,
Arul
09-18-2006 10:10 PM
Hello Arul!
Thank you for your reply.
I've already resolved the problem. If anyone is interested, I can post the solution here.
09-19-2006 06:33 AM
Hi,
Thanks for the update! Glad that your issue is resolved :-)
If you don't mind, could you please let me know what steps you took to resolve the issue?
Thanks,
Arul
11-06-2006 09:55 PM
Don't know if anyone responded, but I am interested in the resolution.
Please post or repost, as I did not see it the first time, when you get a chance.
tks.
~samir
11-09-2006 12:40 AM
Hello all!
This is the solution.
The following line is missing:
crypto map
11-09-2006 02:21 AM
hi,
What command has the same function in PIX version 6.x or on an IOS router?