Move CA from Win2K3 to Win2012R2 - how to configure ASA

Hi Guys,

I've a little problem with an ASA in combination with a Microsoft CA.

First, I will describe to you the environment we have, which works:

CERTSRV => A Windows Server 2003 server, with a CA in standalone mode, an activated NDES / SCEP service and a RADIUS / IAS service to let the ASA authenticate VPN users against the local Windows users. The CA root cert has a key length of 512 bits.

Our goal is to move the CA and the RADIUS to a Windows 2012 R2 server. Due to the restriction of the Windows 2012 CA to reject CA certs with less than 1024 bits, we cannot simply import the current CA cert pair into the new CA.

Also, we won't upgrade the CA key pair on our current Win2k3 CA, because we cannot estimate the side effects and the ASA VPNs must work.

So we came to the fabulous idea to clone the Win2k3 CERTSRV into a VM. There we generate a new key pair with 1024-bit length. Then we export this key, export the database from the live system and import both successfully into the new 2012 R2 CA. SCEP and NAP services are installed and tested successfully. We are able to create a new client cert with SCEP.

Our actual problem is that we don't know how to handle the new, upgraded CA in the ASA configuration.

I added the new CA in the CA Certificates menu:

[Screenshot: ca_certs_overview.png]

Here is the relevant part of the ASA log (debug level):

7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE SENDING Message (msgid=6b028bd2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing qm hash payload
7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing IKE delete payload
7|Feb 27 2014|11:56:58|715046|||||Group = DefaultRAGroup, IP = [CLIENT_IP], constructing blank hash payload
7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], sending delete/delete with reason message
7|Feb 27 2014|11:56:58|713906|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE SA MM:49765104 terminating:  flags 0x0105c002, refcnt 0, tuncnt 0
7|Feb 27 2014|11:56:58|715065|||||Group = DefaultRAGroup, IP = [CLIENT_IP], IKE MM Responder FSM error history (struct &0xadcda9c0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_CERT_FAIL-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_ACTIVATE_NEW_SA-->MM_BLD_MSG6, NullEvent-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT
5|Feb 27 2014|11:56:58|713904|||||Group = DefaultRAGroup, IP = [CLIENT_IP], Certificate Validation Failed
3|Feb 27 2014|11:56:58|717027|||||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|11:56:58|717029|||||Identified client certificate within certificate chain. serial number: 1F00000951EB42CE6BD7157E2E000400000951, subject name: [CERT_ATTRIBUTES].
7|Feb 27 2014|11:56:58|717025|||||Validating certificate chain containing 1 certificate(s).
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Connection landed on tunnel_group DefaultRAGroup
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via default group...
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IP ADDR...
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via IKE ID...
3|Feb 27 2014|11:56:58|713020|||||IP = [CLIENT_IP], No Group found by matching OU(s) from ID payload:  
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via OU...
4|Feb 27 2014|11:56:58|717037|||||Tunnel group search using certificate maps failed for peer certificate: serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
7|Feb 27 2014|11:56:58|717036|||||Looking for a tunnel group match based on certificate maps for peer certificate with serial number: 1F00000951EB42CE6BD7157E2E000400000951, [CERT_ATTRIBUTES]
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], Trying to find group via cert rules...
6|Feb 27 2014|11:56:58|713172|||||IP = [CLIENT_IP], Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing notify payload
7|Feb 27 2014|11:56:58|713906|||||Dump of received Signature, len 256:
7|Feb 27 2014|11:56:58|715076|||||IP = [CLIENT_IP], Computing hash for ISAKMP
7|Feb 27 2014|11:56:58|715001|||||IP = [CLIENT_IP], processing RSA signature
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert request payload
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing cert payload
7|Feb 27 2014|11:56:58|713906|||||IP = [CLIENT_IP], DER_ASN1_DN ID received, len 145
7|Feb 27 2014|11:56:58|715047|||||IP = [CLIENT_IP], processing ID payload
7|Feb 27 2014|11:56:58|713236|||||IP = [CLIENT_IP], IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + CERT_REQ (7) + SIG (9) + NOTIFY (11) + NONE (0) total length : 3111
7|Feb 27 2014|11:56:58|715063|||||IP = [CLIENT_IP], Successfully assembled an encrypted pkt from rcv'd fragments!

Do you know which is the best practice for us?

Best regards from Germany

Edit: I see, I missed some more information. Old VPN clients, with certs created on the old Win2k3 CertSrv, are working:

6|Feb 27 2014|13:27:52|717028|||||Certificate chain was successfully validated with revocation status check.
6|Feb 27 2014|13:27:52|717022|||||Certificate was successfully validated. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTRB] .
7|Feb 27 2014|13:27:52|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|13:27:52|717029|||||Identified client certificate within certificate chain. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTR].
7|Feb 27 2014|13:27:52|717025|||||Validating certificate chain containing 1 certificate(s).
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Connection landed on tunnel_group DefaultRAGroup
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via default group...
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IP ADDR...
7|Feb 27 2014|13:27:52|713906|||||IP = [CLIENT_ID], Trying to find group via IKE ID...

Here is the configuration of the trustpoints:

crypto ca trustpoint ASDM_TrustPoint0
 revocation-check crl
 enrollment url http://U.X.Y.Z:80/certsrv/mscep/mscep.dll
 fqdn xxxxx
 subject-name [CERT_ATTRB]
 keypair asa01.key
 crl configure
  no protocol ldap
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint2
 revocation-check crl none
 enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
 no client-types
 crl configure
  no protocol ldap
crypto ca trustpoint ASDM_TrustPoint3
 crl configure
crypto ca trustpoint ASDM_TrustPoint4
 revocation-check crl none
 enrollment url http://W.X.Y.Z:80/certsrv/mscep/mscep.dll
 no client-types
 crl configure
  no protocol ldap
crypto ca trustpoint ASDM_TrustPoint5
 enrollment terminal
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 2a5a90e900010000083c
    -----
  quit
 certificate ca 1e185567c7bc7e91473edd472e033d78
    ------
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate ca 10acffbf9fb6429947e0cdea136cf8eb
    -----
  quit
crypto ca certificate chain ASDM_TrustPoint2
 certificate ca 10acffbf9fb6429947e0cdea136cf8eb
    --------
  quit
crypto ca certificate chain ASDM_TrustPoint4
 certificate ca 10acffbf9fb6429947e0cdea136cf8eb
   ----------
  quit
crypto ca certificate chain ASDM_TrustPoint5
 certificate ca 3ae8ce8cf1619498418f9982315e6ad9
    ---------
  quit
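To make debug output like the above quicker to triage, here is an added Python example (my own code, not from the post or from Cisco). It groups the ASA PKI syslog messages quoted in the post (717025, 717029, 717030, 717022, 717028, 717027 and 713904) into one record per chain validation and reports which trustpoints the ASA tried and whether the chain was accepted. The sample log is constructed from the lines in the post with placeholder addresses; the field layout (severity|date|time|message-id|four empty fields|text) and the newest-first ordering are assumed from the log export shown here.

```python
"""Triage ASA IKE/PKI debug lines: one record per certificate chain validation."""
import re
import sys

# Constructed sample, modelled on the post's ASA debug export (newest line first).
# Serial numbers are the ones quoted in the post; addresses are placeholders.
SAMPLE_LOG = """\
6|Feb 27 2014|13:27:52|717028|||||Certificate chain was successfully validated with revocation status check.
6|Feb 27 2014|13:27:52|717022|||||Certificate was successfully validated. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTRB] .
7|Feb 27 2014|13:27:52|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|13:27:52|717029|||||Identified client certificate within certificate chain. serial number: 5D974DBD00010000084D, subject name: [CERT_ATTR].
7|Feb 27 2014|13:27:52|717025|||||Validating certificate chain containing 1 certificate(s).
5|Feb 27 2014|11:56:58|713904|||||Group = DefaultRAGroup, IP = [CLIENT_IP], Certificate Validation Failed
3|Feb 27 2014|11:56:58|717027|||||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint1 to validate certificate.
7|Feb 27 2014|11:56:58|717030|||||Found a suitable trustpoint ASDM_TrustPoint0 to validate certificate.
7|Feb 27 2014|11:56:58|717029|||||Identified client certificate within certificate chain. serial number: 1F00000951EB42CE6BD7157E2E000400000951, subject name: [CERT_ATTRIBUTES].
7|Feb 27 2014|11:56:58|717025|||||Validating certificate chain containing 1 certificate(s).
"""

# severity|date|time|msgid|<4 empty fields>|text  (layout assumed from the post's export)
LINE_RE = re.compile(
    r"^(?P<sev>\d)\|(?P<date>[^|]*)\|(?P<time>[^|]*)\|(?P<msgid>\d{6})\|"
    r"[^|]*\|[^|]*\|[^|]*\|[^|]*\|(?P<text>.*)$"
)
SERIAL_RE = re.compile(r"serial number:\s*([0-9A-Fa-f]+)")
TRUSTPOINT_RE = re.compile(r"trustpoint (\S+) to validate")


def parse_line(line):
    """Split one export line into its fields; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def parse_validation_attempts(log_text, newest_first=True):
    """Walk the log in chronological order and build one record per
    'Validating certificate chain' (717025) message."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()
    attempts, cur = [], None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msgid, text = rec["msgid"], rec["text"]
        if msgid == "717025":  # start of a new chain validation
            cur = {"time": rec["time"], "serial": None, "trustpoints": [], "result": "unknown"}
            attempts.append(cur)
        elif cur is None:
            continue  # PKI message before any validation started; ignore
        elif msgid == "717029":  # client cert identified, carries the serial
            m = SERIAL_RE.search(text)
            if m:
                cur["serial"] = m.group(1).upper()
        elif msgid == "717030":  # a trustpoint was selected as a candidate
            m = TRUSTPOINT_RE.search(text)
            if m:
                cur["trustpoints"].append(m.group(1))
        elif msgid in ("717022", "717028"):  # chain accepted
            cur["result"] = "validated"
        elif msgid in ("717027", "713904"):  # chain rejected
            cur["result"] = "failed"
    return attempts


def triage(attempts):
    """One human-readable finding per validation attempt."""
    findings = []
    for a in attempts:
        tried = ", ".join(sorted(set(a["trustpoints"]))) or "no trustpoint"
        if a["result"] == "failed":
            findings.append(
                f"{a['time']} serial {a['serial']}: FAILED after trying {tried}; "
                "no configured trustpoint chained this client certificate to a trusted CA "
                "certificate, so check which CA key signed it and which trustpoint holds that CA cert"
            )
        elif a["result"] == "validated":
            findings.append(f"{a['time']} serial {a['serial']}: validated via {tried}")
        else:
            findings.append(f"{a['time']} serial {a['serial']}: no outcome logged (tried {tried})")
    return findings


if __name__ == "__main__":
    # Usage: python asa_pki_triage.py [exported_log.txt]; without a file the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in triage(parse_validation_attempts(text)):
        print(line)
```

Run against the sample, the script reports the 11:56:58 attempt for the new-CA client cert as failed after trying ASDM_TrustPoint0 and ASDM_TrustPoint1, and the 13:27:52 attempt for the old-CA client cert as validated via ASDM_TrustPoint0, which is the same picture the two raw excerpts give, but per certificate rather than per line.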
