[VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates

Benkirane Youssef youssef.benkirane at mystream.fr
Wed Feb 25 05:31:03 EST 2004


Yes, I think so.

I installed the PIX's own certificate using the following steps:

ca identity devernoisca 192.168.20.1:/certsrv/mscep/mscep.dll
ca configure devernoisca ra 20 5 crloptional
ca authenticate devernoisca (to authenticate the authority)
ca enroll devernoisca (to get the PIX's own certificate)

Did you see the file (sh_ca_certificate)?


-----Original Message-----
From: Andrew Prince [mailto:Andrew.Prince at TrinitySecurity.com]
Sent: Wednesday 25 February 2004 11:20
To: 'Benkirane Youssef'
Subject: RE: [VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates

1) Has the PIX got its own cert?

2) The PIX needs to authenticate the CA by obtaining the CA's self-signed certificate, which contains the CA's public key. Because the CA signs its own certificate, the CA's public key should be authenticated.

 

  _____  

From: Benkirane Youssef [mailto:youssef.benkirane at mystream.fr] 
Sent: 25 February 2004 10:15
To: Andrew.Prince at TrinitySecurity.com
Subject: RE : [VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates

Yes,

In fact, I use a Windows 2000 Server certificate authority, with MSCEP enrollment.

To help you, here are the logs of the PIX (Pix_Logs.txt) during a connection attempt using a certificate.

Also a show ca certificate and a screen copy of the Cisco client certificate that I'm using to connect to the PIX.

 

Thanks for your help

 

 

-----Original Message-----
From: Andrew Prince [mailto:Andrew.Prince at TrinitySecurity.com]
Sent: Wednesday 25 February 2004 10:29
To: 'Benkirane Youssef'
Subject: RE: [VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates

 

Ah - you didn't say that!!  Have you configured the PIX to use the same
Certificate Authority that the client certificate came from??

 

  _____  

From: Benkirane Youssef [mailto:youssef.benkirane at mystream.fr] 
Sent: 25 February 2004 09:12
To: Andrew.Prince at TrinitySecurity.com
Subject: RE : [VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates

Hi,

 

I don't think that is the problem, because a VPN connection with preshared keys works!

 

Youssef

 

-----Original Message-----
From: Andrew Prince [mailto:Andrew.Prince at TrinitySecurity.com]
Sent: Tuesday 24 February 2004 20:18
To: 'Benkirane Youssef'
Subject: RE: [VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates

 

Youssef,

 

Ignore last mail - did not see the attachment. The reason why it doesn't work is that you have an access-list on the inbound traffic on the outside interface; you are only allowing www (tcp port 80) into the PIX. You will have to allow UDP 500 (ISAKMP) and IPsec (protocol 50).

 

HTH,

Andy

 

  _____  

From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com
[mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On
Behalf Of Benkirane Youssef
Sent: 24 February 2004 14:07
To: vpn at lists.shmoo.com
Subject: [VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates

Hi,

I have a Cisco PIX 515. The WAN interface is connected behind an Internet link.

When I try to connect with a Cisco VPN client 3.6.3 to the PIX using a certificate, the ISAKMP authentication blocks.

The IPSEC log viewer shows that the message SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77 has no response from the PIX.

Does someone have a diagnosis for this problem?

Thank you in advance

Youssef

These are the whole logs of the VPN client.

1      11:58:33.134  02/24/04  Sev=Info/6           DIALER/0x63300002
Initiating connection.

2      11:58:33.134  02/24/04  Sev=Info/4           CM/0x63100002
Begin connection process

3      11:58:33.144  02/24/04  Sev=Info/4           CM/0x63100004
Establish secure connection using Ethernet

4      11:58:33.144  02/24/04  Sev=Info/4           CM/0x63100026
Attempt connection with server "217.128.150.77"

5      11:58:33.144  02/24/04  Sev=Info/6           IKE/0x6300003B
Attempting to establish a connection with 217.128.150.77.

6      11:58:33.204  02/24/04  Sev=Info/4           IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID, VID, VID, VID, VID) to 217.128.150.77

7      11:58:34.035  02/24/04  Sev=Info/4           IPSEC/0x63700014
Deleted all keys

8      11:58:38.241  02/24/04  Sev=Info/4           IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77

9      11:58:43.248  02/24/04  Sev=Info/4           IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77

10     11:58:48.256  02/24/04  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77

11     11:58:48.306  02/24/04  Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = 217.128.150.77

12     11:58:48.306  02/24/04  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID, VID) from 217.128.150.77

13     11:58:48.316  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = 7D9419A65310CA6F2C179D9215529D56

14     11:58:48.316  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = 90CB80913EBB696E086381B5EC427B1F

15     11:58:48.316  02/24/04  Sev=Info/5          IKE/0x63000001
Peer supports NAT-T

16     11:58:48.316  02/24/04  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D) to 217.128.150.77

17     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x6300002F
Received ISAKMP packet: peer = 217.128.150.77

18     11:58:48.416  02/24/04  Sev=Info/4          IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID, VID, VID, VID, NAT-D, NAT-D) from 217.128.150.77

19     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = 09002689DFD6B712

20     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000001
Peer supports XAUTH

21     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100

22     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000001
Peer supports DPD

23     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100

24     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000001
Peer is a Cisco-Unity compliant peer

25     11:58:48.416  02/24/04  Sev=Info/5          IKE/0x63000059
Vendor ID payload = B11B2FEEE3184CADFA563C07828BFA2F

26     11:58:48.506  02/24/04  Sev=Info/4          IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77

27     11:58:53.513  02/24/04  Sev=Warning/2   IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding

28     11:58:53.513  02/24/04  Sev=Info/4          CM/0x63100014
Unable to establish Phase 1 SA with server "217.128.150.77" because of "DEL_REASON_PEER_NOT_RESPONDING"

29     11:58:53.513  02/24/04  Sev=Info/5          CM/0x63100029
Initializing CVPNDrv

30     11:58:53.563  02/24/04  Sev=Warning/3   DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).

31     11:58:54.575  02/24/04  Sev=Info/4          IPSEC/0x63700014
Deleted all keys

Attachments (scrubbed by the list archive):
- Pix_Logs.txt: http://lists.shmoo.com/pipermail/vpn/attachments/20040225/61996cd8/attachment.txt
- client_certificate.jpg (image/jpeg, 53737 bytes): http://lists.shmoo.com/pipermail/vpn/attachments/20040225/61996cd8/attachment.jpg
- Sh ca certificate.txt: http://lists.shmoo.com/pipermail/vpn/attachments/20040225/61996cd8/attachment-0001.txt