In a lab environment I am trying to set up a router-to-router VPN connection with CA authentication.
1st problem:
When enrolling with the CA (Server 2003 CA), both routers received the requested certificates, but with a log message that the certificate enrollment request was rejected, and the CA management console doesn't show any info under either "issued certificates" or "failed requests".
Here is the output:
R3(ca-trustpoint)#cry ca auth myca
Certificate has the following attributes:
Fingerprint: 7621D1D8 B8C7FA81 D08DDAE7 DBE22779
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
R3(config)#cry ca enroll myca
% The 'show crypto ca certificate' command will also show the fingerprint.
Signing Certificate Reqeust Fingerprint:
DC477448 9DB46518 587E1142 FC086987
Encryption Certificate Request Fingerprint:
25EEE021 1F4A359F 89C9D650 F04651D2
Jun 23 13:56:00.947: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
Jun 23 13:56:12.550: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
And the command "sh cry key pub rsa" on both routers shows me the requested certificate from my CA.
2nd problem (I guess the result of the first): failed phase 1 authentication:
Jun 23 15:06:12.676: ISAKMP: received ke message (1/1)
Jun 23 15:06:12.680: ISAKMP (0:0): SA request profile is (NULL)
Jun 23 15:06:12.680: ISAKMP: local port 500, remote port 500
Jun 23 15:06:12.680: ISAKMP: set new node 0 to QM_IDLE
Jun 23 15:06:12.680: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 820DF85C
Jun 23 15:06:12.684: ISAKMP (0:2): Can not start Aggressive mode, trying Main mo
Jun 23 15:06:12.684: ISAKMP: Looking for a matching key for 22.214.171.124 in defau
Jun 23 15:06:12.684: ISAKMP (0:2): No pre-shared key with 126.96.36.199!
Jun 23 15:06:12.684: ISAKMP (0:2): constructed NAT-T vendor-03 ID
Jun 23 15:06:12.684: ISAKMP (0:2): constructed NAT-T vendor-02 ID
Jun 23 15:06:12.684: ISAKMP (0:2): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Jun 23 15:06:12.688: ISAKMP (0:2): Old State = IKE_READY New State = IKE_I_MM1
Jun 23 15:06:12.688: ISAKMP (0:2): beginning Main Mode exchange
Jun 23 15:06:12.688: ISAKMP (0:2): sending packet to 188.8.131.52 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 23 15:06:12.748: ISAKMP (0:2): received packet from 184.108.40.206 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 23 15:06:12.748: ISAKMP (0:2): Notify has no hash. Rejected.
Jun 23 15:06:12.748: ISAKMP (0:2): Unknown Input: state = IKE_I_MM1, major, minor = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Jun 23 15:06:12.752: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 220.127.116.11 ..
Jun 23 15:06:15.320: ISAKMP (0:1): purging node 860992987
Jun 23 15:06:15.320: ISAKMP (0:1): purging node 1111530323...
Success rate is 0 percent (0/5)
Jun 23 15:06:25.320: ISAKMP (0:1): purging SA., sa=820DF1D8, delme=820DF1D8un al
I resolved the problem partially: there is no more enrollment reject from the CA; I had to enroll with different passwords (different accounts on the CA). But IKE phase 1 still fails, and the CA management console does not show any trace of the enrollment!!
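Added here as a triage aid, not part of the original post or of any Cisco tool: a small Python parser that turns IOS console output of the kind pasted above into structured events and summarises what matters for this case, namely how many %CRYPTO-6-CERTREJECT messages appeared, whether any ISAKMP SA ever reached IKE_P1_COMPLETE, the last state each SA was seen in, and which debug lines deserve a second look (the "No pre-shared key" and "Notify has no hash. Rejected." messages). The sample log is constructed to mirror the post's format with the peer address replaced by 192.0.2.1 from the RFC 5737 documentation range; the regexes assume the standard IOS timestamp and `%FACILITY-SEVERITY-MNEMONIC` syslog layout.

```python
import re

# Constructed sample in the format of the post's debug output (peer address
# replaced with RFC 5737 documentation space; wrapped lines already rejoined).
SAMPLE_LOG = """\
Jun 23 13:56:00.947: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
Jun 23 13:56:12.550: %CRYPTO-6-CERTREJECT: Certificate enrollment request was rejected by Certificate Authority
Jun 23 15:06:12.680: ISAKMP (0:0): SA request profile is (NULL)
Jun 23 15:06:12.684: ISAKMP (0:2): Can not start Aggressive mode, trying Main mode.
Jun 23 15:06:12.684: ISAKMP (0:2): No pre-shared key with 192.0.2.1!
Jun 23 15:06:12.688: ISAKMP (0:2): Old State = IKE_READY  New State = IKE_I_MM1
Jun 23 15:06:12.688: ISAKMP (0:2): sending packet to 192.0.2.1 my_port 500 peer_port 500 (I) MM_NO_STATE
Jun 23 15:06:12.748: ISAKMP (0:2): received packet from 192.0.2.1 dport 500 sport 500 Global (I) MM_NO_STATE
Jun 23 15:06:12.748: ISAKMP (0:2): Notify has no hash. Rejected.
Jun 23 15:06:12.752: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.0.2.1
Jun 23 15:06:15.320: ISAKMP (0:1): purging node 860992987
"""

# IOS console timestamp: "Jun 23 15:06:12.684"
TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3})"
# "%CRYPTO-6-CERTREJECT: message" style syslog lines
SYSLOG_RE = re.compile(TS + r": %(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<msg>.*)$")
# "ISAKMP (0:2): message" debug lines; the SA id in parentheses is optional
ISAKMP_RE = re.compile(TS + r": ISAKMP(?: \((?P<sa>\d+:\d+)\))?: (?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (?P<old>\S+)\s+New State = (?P<new>\S+)")
PEER_RE = re.compile(r"\b(?:with peer at|with|to|from) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Debug fragments worth flagging when phase 1 never completes.
NOTABLE = ("No pre-shared key", "Notify has no hash", "Rejected", "Can not start")


def parse_log(text):
    """Turn raw IOS console output into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SYSLOG_RE.match(line)
        if m:
            events.append({"kind": "syslog", **m.groupdict()})
            continue
        m = ISAKMP_RE.match(line)
        if m:
            ev = {"kind": "isakmp", **m.groupdict()}
            s = STATE_RE.search(ev["msg"])
            if s:  # record IKE state machine transitions per SA
                ev["old_state"], ev["new_state"] = s.group("old"), s.group("new")
            events.append(ev)
            continue
        events.append({"kind": "other", "msg": line})  # ping output etc.
    return events


def summarize(events):
    """Condense parsed events into the facts needed to triage CA + IKE trouble."""
    out = {
        "cert_rejects": 0,      # %CRYPTO-6-CERTREJECT count
        "ike_failures": 0,      # %CRYPTO-6-IKMP_MODE_FAILURE count
        "peers": set(),         # peer addresses seen in the log
        "last_state": {},       # SA id -> last IKE state reached
        "notable": [],          # ISAKMP messages matching NOTABLE
        "phase1_complete": False,
    }
    for ev in events:
        if ev["kind"] == "syslog":
            if ev["mnem"] == "CERTREJECT":
                out["cert_rejects"] += 1
            elif ev["mnem"] == "IKMP_MODE_FAILURE":
                out["ike_failures"] += 1
        elif ev["kind"] == "isakmp":
            if ev.get("sa") and "new_state" in ev:
                out["last_state"][ev["sa"]] = ev["new_state"]
                if ev["new_state"] == "IKE_P1_COMPLETE":
                    out["phase1_complete"] = True
            if any(k in ev["msg"] for k in NOTABLE):
                out["notable"].append(ev["msg"])
        p = PEER_RE.search(ev.get("msg", ""))
        if p:
            out["peers"].add(p.group("ip"))
    return out


if __name__ == "__main__":
    s = summarize(parse_log(SAMPLE_LOG))
    print(f"CA rejections: {s['cert_rejects']}, IKE mode failures: {s['ike_failures']}")
    print(f"phase 1 complete: {s['phase1_complete']}, last state per SA: {s['last_state']}")
    for msg in s["notable"]:
        print("  look at:", msg)
```

Run it against a `terminal monitor` / `debug crypto isakmp` capture saved to a file by reading that file into `parse_log` instead of `SAMPLE_LOG`; a summary that shows CERTREJECT messages together with an SA that never leaves IKE_I_MM1 tells you the enrollment and the phase 1 problem should be looked at separately rather than assuming the second follows from the first.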