Cisco Support Community
Community Member

VPN error when using Microsoft digital certificates.

Hi,

I tried implementing a site-to-site VPN between a Cisco Router and a Cisco ASA using Microsoft digital certificates. After performing the following configurations, I was not able to ping the other site's LAN. I enabled debug and got the following output. I successfully enrolled the digital certificates.

Cisco ASA config:

access-list 100 extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list 100
static (inside,outside) 1.1.1.10 10.1.1.10 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 1.1.1.2 1
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 1 match address 100
crypto map mymap 1 set peer 2.2.2.2
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
crypto ca trustpoint winca
 enrollment url http://10.1.1.10:80/certsrv/mscep/mscep.dll
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 trust-point winca

On router:

crypto ca trustpoint winca
 enrollment mode ra
 enrollment url http://1.1.1.10:80/certsrv/mscep/mscep.dll
!
crypto isakmp policy 19
 encr 3des
 group 2
 authentication rsa-sig
crypto isakmp key cisco address 1.1.1.1
crypto map mymap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set myset
 match address 100
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!

-----------------------------------

Debug output on ASA

CorpASA# Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Removing peer from peer table failed, no match!

Nov 15 02:12:49 [IKEv1]: Group = 2.2.2.2, IP = 2.2.2.2, Error: Unable to remove PeerTblEntry

CorpASA#

CorpASA#

CorpASA# Nov 15 02:13:06 [IKEv1]: Removing peer from peer table failed, no match!

Nov 15 02:13:06 [IKEv1]: Error: Unable to remove PeerTblEntry

Nov 15 02:13:11 [IKEv1]: Removing peer from peer table failed, no match!

Nov 15 02:13:11 [IKEv1]: Error: Unable to remove PeerTblEntry

Debug output on router:

R2#ping 10.1.1.10 source 192.168.1.1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.1.10, timeout is 2 seconds:

Packet sent with a source address of 192.168.1.1

Nov 15 02:21:01.067: %SYS-5-CONFIG_I: Configured from console by console

Nov 15 02:21:02.651: ISAKMP: received ke message (1/1)

Nov 15 02:21:02.655: ISAKMP (0:0): SA request profile is (NULL)

Nov 15 02:21:02.655: ISAKMP: local port 500, remote port 500

Nov 15 02:21:02.655: ISAKMP: set new node 0 to QM_IDLE

Nov 15 02:21:02.655: ISAKMP: insert sa successfully sa = 64597C20

Nov 15 02:21:02.655: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.

Nov 15 02:21:02.659: ISAKMP: Looking for a matching key for 1.1.1.1 in default : success

Nov 15 02:21:02.659: ISAKMP (0:1): found peer pre-shared key matching 1.1.1.1

Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-07 ID

Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-03 ID

Nov 15 02:21:02.659: ISAKMP (0:1): constructed NAT-T vendor-02 ID

Nov 15 02:21:02.659: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM

Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1

Nov 15 02:21:02.663: ISAKMP (0:1): beginning Main Mode exchange

Nov 15 02:21:02.663: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE

Nov 15 02:21:02.703: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE

Nov 15 02:21:02.707: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2

Nov 15 02:21:02.707: ISAKMP (0:1): processing SA payload. message ID = 0

Nov 15 02:21:02.707: ISAKMP (0:1): processing vendor id payload

Nov 15 02:21:02.707: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch

Nov 15 02:21:02.711: ISAKMP : Scanning profiles for xauth ...

Nov 15 02:21:02.711: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 19 policy

Nov 15 02:21:02.711: ISAKMP:      encryption 3DES-CBC

Nov 15 02:21:02.711: ISAKMP:      hash SHA

Nov 15 02:21:02.711: ISAKMP:      default group 2

Nov 15 02:21:02.711: ISAKMP:      auth RSA sig

Nov 15 02:21:02.711: ISAKMP:      life type in seconds

Nov 15 02:21:02.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80

Nov 15 02:21:02.715: ISAKMP (0:1): atts are acceptable. Next payload is 0

Nov 15 02:21:02.771: ISAKMP (0:1): processing vendor id payload

Nov 15 02:21:02.771: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch

Nov 15 02:21:02.775: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Nov 15 02:21:02.775: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM2

Nov 15 02:21:02.783: ISAKMP (0:1): constructing CERT_REQ for issuer cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com

Nov 15 02:21:02.783: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP

Nov 15 02:21:02.783: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3

Nov 15 02:21:02.903: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP

Nov 15 02:21:02.907: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4

Nov 15 02:21:02.907: ISAKMP (0:1): processing KE payload. message ID = 0

Nov 15 02:21:02.979: ISAKMP (0:1): processing NONCE payload. message ID = 0

Nov 15 02:21:02.987: ISAKMP (0:1): SKEYID state generated

Nov 15 02:21:02.991: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0

Nov 15 02:21:02.991: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert

Nov 15 02:21:02.995: ISAKMP (0:1): peer want cert issued by cn=md902j-n5dros99,dc=md902j,dc=ca,dc=com

Nov 15 02:21:02.995: ISAKMP (0:1): Choosing trustpoint winca as issuer

Nov 15 02:21:02.995: ISAKMP (0:1): processing vendor id payload

Nov 15 02:21:02.995: ISAKMP (0:1): vendor ID is Unity

Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload

Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID seems Unity/DPD but major 11 mismatch

Nov 15 02:21:02.999: ISAKMP (0:1): vendor ID is XAUTH

Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload

Nov 15 02:21:02.999: ISAKMP (0:1): speaking to another IOS box!

Nov 15 02:21:02.999: ISAKMP (0:1): processing vendor id payload

Nov 15 02:21:03.003: ISAKMP (0:1): vendor ID seems Unity/DPD but hash mismatch

Nov 15 02:21:03.003: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE

Nov 15 02:21:03.003: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM4

Nov 15 02:21:03.007: ISAKMP (0:1): Send initial contact

Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!

Nov 15 02:21:03.067: ISAKMP (1): Using FQDN as My ID

Nov 15 02:21:03.067: ISAKMP (0:1): SA is doing RSA signature authentication using id type ID_FQDN

Nov 15 02:21:03.067: ISAKMP (0:1): ID payload

        next-payload : 6

        type         : 2

        FQDN name    : R2.cisco.com

        protocol     : 17

        port         : 500

        length       : 20

Nov 15 02:21:03.067: ISAKMP (1): Total payload length: 20

Nov 15 02:21:03.095: ISAKMP (0:1): constructing CERT payload for hostname=R2.cisco.com

Nov 15 02:21:03.095: ISKAMP: growing send buffer from 1024 to 3072

Nov 15 02:21:03.095: ISAKMP (0:1): using the winca trustpoint's keypair to sign

Nov 15 02:21:03.215: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

Nov 15 02:21:03.219: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE

Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5

Nov 15 02:21:03.375: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH

Nov 15 02:21:03.375: ISAKMP: set new node -1205710646 to QM_IDLE

Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH

Nov 15 02:21:03.379: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH

Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH

Nov 15 02:21:03.383: ISAKMP (0:1): received packet from 1.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH

Nov 15 02:21:03.383: ISAKMP: Info Notify message requeue retry counter exceeded sa request from 1.1.1.1 to 2.2.2.2...

Success rate is 0 percent (0/5)

R2#

Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...

Nov 15 02:21:13.219: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1

Nov 15 02:21:13.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH

Nov 15 02:21:13.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

R2#

Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...

Nov 15 02:21:23.219: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1

Nov 15 02:21:23.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH

Nov 15 02:21:23.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

R2#

Nov 15 02:21:32.651: ISAKMP: received ke message (1/1)

Nov 15 02:21:32.651: ISAKMP: set new node 0 to QM_IDLE

Nov 15 02:21:32.651: ISAKMP (0:1): SA is still budding. Attached new ipsec request to it. (local 2.2.2.2, remote 1.1.1.1)

Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...

Nov 15 02:21:33.219: ISAKMP (0:1): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1

Nov 15 02:21:33.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH

Nov 15 02:21:33.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

R2#

Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...

Nov 15 02:21:43.219: ISAKMP (0:1): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1

Nov 15 02:21:43.219: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH

Nov 15 02:21:43.219: ISAKMP (0:1): sending packet to 1.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH

Please assist me in sorting out this issue; I need to implement this on my live network.

Thanks a lot in advance.

Regards,

Mohan.D

396 Views, 0 Helpful, 0 Replies
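The router trace above tells the whole story of phase 1 if it is read in order: the ISAKMP proposal is accepted (MM2), CERT_REQs are exchanged (MM3/MM4), the router notices its certificate carries no IP address and switches its IKE identity to ID_FQDN R2.cisco.com, signs with the winca keypair and sends MM5 (MM_KEY_EXCH), and then retransmits MM5 five times because the ASA never answers with MM6. An initiator stuck retransmitting MM_KEY_EXCH after MM5 means the responder did not complete authentication of the initiator's identity and certificate. The script below is an added example, not code from the original post or from Cisco; it parses `debug crypto isakmp` output of this shape, extracts the state transitions, retransmit counter, identity warnings and ID payload, decodes the SA lifetime attribute (`0x0 0x1 0x51 0x80` is 86400 seconds), checks the ID payload length against the RFC 2407 encoding (8-byte header plus the FQDN), and prints a diagnosis. The embedded trace is a constructed excerpt modelled on the post; the diagnosis strings are this example's own general interpretation of the states, not a Cisco message.

```python
"""Summarise an IOS `debug crypto isakmp` trace for an IKEv1 Main Mode initiator.

Added example for this thread (not Cisco code). The sample trace below is a
constructed excerpt modelled on the router debug in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 2407 section 4.6.2.1 identification types (subset).
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
            9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}
# Generic payload header (4) + ID type (1) + protocol (1) + port (2).
ID_HEADER_LEN = 8

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
RETRANS_RE = re.compile(r"attempt (\d+) of (\d+): retransmit phase (\d)")
LIFE_RE = re.compile(r"life duration \(VPI\) of\s+((?:0x[0-9a-fA-F]+\s*)+)")
ID_FIELD_RE = re.compile(r"^\s+(next-payload|type|FQDN name|protocol|port|length)\s*:\s*(.+?)\s*$")
WARN_MARKERS = ("not in Cert", "Using FQDN as My ID",
                "Removing peer from peer table failed", "retry counter exceeded")

SAMPLE_DEBUG = """\
Nov 15 02:21:02.663: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
Nov 15 02:21:02.707: ISAKMP (0:1): Old State = IKE_I_MM1  New State = IKE_I_MM2
Nov 15 02:21:02.711: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Nov 15 02:21:02.787: ISAKMP (0:1): Old State = IKE_I_MM2  New State = IKE_I_MM3
Nov 15 02:21:02.907: ISAKMP (0:1): Old State = IKE_I_MM3  New State = IKE_I_MM4
Nov 15 02:21:03.067: ISAKMP (1): My ID configured as IPv4 Addr,but Addr not in Cert!
Nov 15 02:21:03.067: ISAKMP (1): Using FQDN as My ID
Nov 15 02:21:03.067: ISAKMP (0:1): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : R2.cisco.com
        protocol     : 17
        port         : 500
        length       : 20
Nov 15 02:21:03.219: ISAKMP (0:1): Old State = IKE_I_MM4  New State = IKE_I_MM5
Nov 15 02:21:13.219: ISAKMP (0:1): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Nov 15 02:21:23.219: ISAKMP (0:1): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
"""


@dataclass
class Report:
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    retransmits: int = 0                      # highest "attempt N" seen
    max_retransmits: Optional[int] = None     # the "of M" part
    lifetime_seconds: Optional[int] = None
    id_payload: Dict[str, str] = field(default_factory=dict)
    warnings: List[str] = field(default_factory=list)

    @property
    def last_state(self) -> Optional[str]:
        return self.transitions[-1][1] if self.transitions else None


def decode_life_duration(hex_words: str) -> int:
    """'0x0 0x1 0x51 0x80' -> 86400: the bytes are a big-endian integer of seconds."""
    return int.from_bytes(bytes(int(w, 16) for w in hex_words.split()), "big")


def analyze(text: str) -> Report:
    r = Report()
    in_id = False
    for line in text.splitlines():
        if in_id:                              # indented field lines under "ID payload"
            m = ID_FIELD_RE.match(line)
            if m:
                r.id_payload[m.group(1)] = m.group(2)
                continue
            in_id = False                      # first non-field line ends the block
        if line.rstrip().endswith("ID payload"):
            in_id = True
            continue
        if m := STATE_RE.search(line):
            r.transitions.append((m.group(1), m.group(2)))
        elif m := RETRANS_RE.search(line):
            r.retransmits = max(r.retransmits, int(m.group(1)))
            r.max_retransmits = int(m.group(2))
        elif m := LIFE_RE.search(line):
            r.lifetime_seconds = decode_life_duration(m.group(1))
        if any(marker in line for marker in WARN_MARKERS):
            r.warnings.append(line.split(": ", 1)[-1])
    return r


def id_payload_length_ok(r: Report) -> bool:
    """The ID payload length must equal header + identification data."""
    name = r.id_payload.get("FQDN name", "")
    return int(r.id_payload.get("length", -1)) == ID_HEADER_LEN + len(name)


def diagnose(r: Report) -> List[str]:
    notes = []
    if "type" in r.id_payload:
        t = int(r.id_payload["type"])
        notes.append(f"our IKE ID is {ID_TYPES.get(t, t)} {r.id_payload.get('FQDN name', '')}")
    if r.last_state == "IKE_I_MM5" and r.retransmits:
        notes.append("sent MM5 (ID + CERT + SIG) and got no MM6: the responder did not "
                     "accept our identity/certificate; check its certificate validation, "
                     "CRL setting and how it maps this ID to a peer/tunnel-group")
    elif r.last_state and r.last_state != "IKE_I_MM6":
        notes.append(f"phase 1 stalled in {r.last_state}")
    return notes


if __name__ == "__main__":
    rep = analyze(SAMPLE_DEBUG)
    print("states:", " -> ".join(s for _, s in rep.transitions))
    print(f"retransmits: {rep.retransmits}/{rep.max_retransmits}, lifetime: {rep.lifetime_seconds}s")
    print("warnings:", *rep.warnings, sep="\n  ")
    print("diagnosis:", *diagnose(rep), sep="\n  ")
```

Feed it the full trace from a terminal capture (`python3 isakmp_trace.py < debug.txt` after swapping `SAMPLE_DEBUG` for `sys.stdin.read()`) and compare the last state with the ASA side: here the ASA only logs "Removing peer from peer table failed", which is the cleanup after a failed phase 1, so the decisive evidence is on the responder and needs `debug crypto isakmp` / `debug crypto ca` there.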