[VPN] A problem in a Cisco VPN client connection to a Cisco Pix using X509 certificates
Benkirane Youssef
youssef.benkirane at mystream.fr
Wed Feb 25 05:31:03 EST 2004
Yes, I think so.
I installed the PIX's own certificate using the following steps:
ca identity devernoisca 192.168.20.1:/certsrv/mscep/mscep.dll
ca configure devernoisca ra 20 5 crloptional
ca authenticate devernoisca (to authenticate the authority)
ca enroll devernoisca (to get the PIX's own certificate)
Did you see the file (sh_ca_certificate)?
-----Original Message-----
From: Andrew Prince [mailto:Andrew.Prince at TrinitySecurity.com]
Sent: Wednesday 25 February 2004 11:20
To: 'Benkirane Youssef'
Subject: RE: [VPN] A problem in a Cisco VPN client connection to a Cisco
Pix using X509 certificates
1) Has the PIX got its own cert?
2) The PIX needs to authenticate the CA by obtaining the CA's self-signed
certificate, which contains the CA's public key. Because the CA signs its own
certificate, the CA's public key should be authenticated.
_____
From: Benkirane Youssef [mailto:youssef.benkirane at mystream.fr]
Sent: 25 February 2004 10:15
To: Andrew.Prince at TrinitySecurity.com
Subject: RE: [VPN] A problem in a Cisco VPN client connection to a Cisco
Pix using X509 certificates
Yes,
in fact, I use a Windows 2000 Server certificate authority, with MSCEP
enrollment.
To help you, here are the logs of the PIX (Pix_Logs.txt) during a connection
attempt using the certificate.
Also a show ca certificate and a screen copy of the Cisco client certificate
that I'm using to connect to the PIX.
Thanks for your help
-----Original Message-----
From: Andrew Prince [mailto:Andrew.Prince at TrinitySecurity.com]
Sent: Wednesday 25 February 2004 10:29
To: 'Benkirane Youssef'
Subject: RE: [VPN] A problem in a Cisco VPN client connection to a Cisco
Pix using X509 certificates
Ah - you didn't say that!! Have you configured the PIX to use the same
Certificate Authority that the client certificate came from??
_____
From: Benkirane Youssef [mailto:youssef.benkirane at mystream.fr]
Sent: 25 February 2004 09:12
To: Andrew.Prince at TrinitySecurity.com
Subject: RE: [VPN] A problem in a Cisco VPN client connection to a Cisco
Pix using X509 certificates
Hi,
I don't think that is the problem, because a VPN connection with preshared
keys works!
Youssef
-----Original Message-----
From: Andrew Prince [mailto:Andrew.Prince at TrinitySecurity.com]
Sent: Tuesday 24 February 2004 20:18
To: 'Benkirane Youssef'
Subject: RE: [VPN] A problem in a Cisco VPN client connection to a Cisco
Pix using X509 certificates
Youssef,
Ignore last mail - did not see the attachment. The reason why it doesn't
work is that you have an access-list on the inbound traffic on the outside
interface; you are only allowing www (TCP port 80) into the PIX. You will
have to allow UDP 500 (ISAKMP) and IPsec (protocol 50).
HTH,
Andy
_____
From: vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com
[mailto:vpn-bounces+andrew.prince=trinitysecurity.com at lists.shmoo.com] On
Behalf Of Benkirane Youssef
Sent: 24 February 2004 14:07
To: vpn at lists.shmoo.com
Subject: [VPN] A problem in a Cisco VPN client connection to a Cisco
Pix using X509 certificates
Hi,
I have a Cisco PIX 515. The WAN interface is connected behind an Internet
link.
When I try to connect with a Cisco VPN client 3.6.3 to the PIX using a
certificate, the ISAKMP authentication blocks.
The IPSec log viewer shows that the message SENDING >>> ISAKMP OAK MM *(ID,
CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77 gets
no response from the PIX.
Does someone have a diagnosis for this problem?
Thank you in advance
Youssef
These are the complete logs of the VPN client.
1 11:58:33.134 02/24/04 Sev=Info/6 DIALER/0x63300002
Initiating connection.
2 11:58:33.134 02/24/04 Sev=Info/4 CM/0x63100002
Begin connection process
3 11:58:33.144 02/24/04 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
4 11:58:33.144 02/24/04 Sev=Info/4 CM/0x63100026
Attempt connection with server "217.128.150.77"
5 11:58:33.144 02/24/04 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 217.128.150.77.
6 11:58:33.204 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID, VID, VID, VID, VID) to 217.128.150.77
7 11:58:34.035 02/24/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
8 11:58:38.241 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
9 11:58:43.248 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
10 11:58:48.256 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
11 11:58:48.306 02/24/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 217.128.150.77
12 11:58:48.306 02/24/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID, VID) from 217.128.150.77
13 11:58:48.316 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 7D9419A65310CA6F2C179D9215529D56
14 11:58:48.316 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 90CB80913EBB696E086381B5EC427B1F
15 11:58:48.316 02/24/04 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 11:58:48.316 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D) to 217.128.150.77
17 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 217.128.150.77
18 11:58:48.416 02/24/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID, VID, VID, VID, NAT-D, NAT-D) from 217.128.150.77
19 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 09002689DFD6B712
20 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
21 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = AFCAD71368A1F1C96B8696FC77570100
22 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000001
Peer supports DPD
23 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = 12F5F28C457168A9702D9FE274CC0100
24 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
25 11:58:48.416 02/24/04 Sev=Info/5 IKE/0x63000059
Vendor ID payload = B11B2FEEE3184CADFA563C07828BFA2F
26 11:58:48.506 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77
27 11:58:53.513 02/24/04 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
28 11:58:53.513 02/24/04 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "217.128.150.77" because of "DEL_REASON_PEER_NOT_RESPONDING"
29 11:58:53.513 02/24/04 Sev=Info/5 CM/0x63100029
Initializing CVPNDrv
30 11:58:53.563 02/24/04 Sev=Warning/3 DIALER/0xE3300008
GI VPNStart callback failed "CM_PEER_NOT_RESPONDING" (16h).
31 11:58:54.575 02/24/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
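A small classifier for the kind of trace Youssef posted, added here as an example; it is not code from the thread or from Cisco. It parses the VPN Client's IPSec Log Viewer lines (numbered header line, then one or more message lines, re-joining lines the mail wrapped) and reports the last main-mode message the client sent without an answer. The step numbering MM1..MM6 follows the IKE main-mode exchange; the diagnosis texts are the example's own. The sample input is a shortened copy of the log above.

```python
"""Locate the main-mode step at which a Cisco VPN Client IKE negotiation stalled.
Added example for this thread, not code from the original post or from Cisco. It
reads the IPSec Log Viewer format shown above and maps each ISAKMP OAK MM message
to its main-mode step MM1..MM6 from its direction and payloads."""
import re
from collections import namedtuple
from typing import Iterator, List, Optional, Tuple

# "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<Level>/<n> <COMPONENT>/0x<code>"
HEADER = re.compile(r"^\s*(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\S+\s+"
                    r"Sev=\w+/\d\s+\w+/0x[0-9A-Fa-f]+\s*$")
# Main-mode message; "*(" marks a message protected by the ISAKMP SA (MM5/MM6).
MM_LINE = re.compile(r"^(?P<dir>SENDING >>>|RECEIVING <<<) ISAKMP OAK MM "
                     r"\*?\((?P<payloads>[^)]*)\) (?:to|from) \S+$")

# step is MM1..MM6, or None for a retransmission
MMEvent = namedtuple("MMEvent", "seq time sent payloads step")

def mm_step(sent: bool, payloads: Tuple[str, ...]) -> Optional[int]:
    """Main mode is three request/response pairs: SA (MM1/MM2), KE+nonce
    (MM3/MM4), ID+auth (MM5/MM6); the initiator sends the odd-numbered one."""
    for payload, base in (("SA", 1), ("KE", 3), ("ID", 5)):
        if payload in payloads:
            return base if sent else base + 1
    return None

def records(log_text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (seq, time, message), re-joining message lines the mail wrapped."""
    cur = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if cur:
                yield cur[0], cur[1], " ".join(cur[2])
            cur = [int(m["seq"]), m["time"], []]
        elif cur is not None and line.strip():
            cur[2].append(line.strip())
    if cur:
        yield cur[0], cur[1], " ".join(cur[2])

DIAG = {
    1: "MM1 unanswered: UDP 500 never reached the peer (access-list or upstream "
       "filter), or ISAKMP is not enabled on that peer interface.",
    3: "MM3 unanswered: proposal accepted, then the peer stopped at the DH/nonce exchange.",
    5: "MM5 unanswered: the peer received our ID, CERT and SIG and dropped the exchange. "
       "That is the responder's authentication step, so look at the PIX side (certificate "
       "chain and trust point, validity dates, ID matching, signature check) with "
       "'debug crypto isakmp' rather than at the access-list.",
}

def diagnose(last_sent: Optional[int], answered: bool) -> str:
    if last_sent is None:
        return "no main-mode message was sent."
    if answered:
        return f"MM{last_sent} was answered; the failure is after main mode."
    return DIAG.get(last_sent, f"MM{last_sent} unanswered.")

def analyse(log_text: str) -> dict:
    events: List[MMEvent] = []
    features, retransmits, last_sent, answered, timed_out = [], 0, None, True, False
    for seq, time, msg in records(log_text):
        m = MM_LINE.match(msg)
        if m:
            sent = m["dir"].startswith("SENDING")
            payloads = tuple(p.strip() for p in m["payloads"].split(","))
            retx = payloads == ("Retransmission",)
            step = None if retx else mm_step(sent, payloads)
            events.append(MMEvent(seq, time, sent, payloads, step))
            if retx:
                retransmits += 1
            elif sent:
                last_sent, answered = step, False   # waiting for the peer's reply
            else:
                answered = True
        elif msg.startswith("Peer supports "):
            features.append(msg[len("Peer supports "):])
        elif "peer is not responding" in msg:
            timed_out = True
    return {"events": events, "peer_features": features, "retransmits": retransmits,
            "last_sent_step": last_sent, "answered": answered, "timed_out": timed_out,
            "diagnosis": diagnose(last_sent, answered)}

# Shortened copy of the client log posted above, used here as sample input.
SAMPLE_LOG = """\
6 11:58:33.204 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID, VID, VID, VID, VID) to 217.128.150.77
8 11:58:38.241 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 217.128.150.77
12 11:58:48.306 02/24/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA, VID, VID) from 217.128.150.77
15 11:58:48.316 02/24/04 Sev=Info/5 IKE/0x63000001
Peer supports NAT-T
16 11:58:48.316 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, NAT-D, NAT-D) to 217.128.150.77
18 11:58:48.416 02/24/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID, VID, VID, VID, NAT-D,
NAT-D) from 217.128.150.77
26 11:58:48.506 02/24/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG,
NOTIFY:STATUS_INITIAL_CONTACT) to 217.128.150.77
27 11:58:53.513 02/24/04 Sev=Warning/2 IKE/0xE300007C
Exceeded 3 IKE SA negotiation retransmits... peer is not responding
"""
```

On the trace above it reports MM5 unanswered: the PIX answered MM1 and MM3, so UDP 500 is reaching it and the proposal and DH exchange went through, and it went silent only after receiving the client's ID, CERT and SIG, which is the point where the responder validates the certificate and matches the identity.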
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.shmoo.com/pipermail/vpn/attachments/20040225/61996cd8/attachment.htm
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Pix_Logs.txt
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20040225/61996cd8/attachment.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: client_certificate.jpg
Type: image/jpeg
Size: 53737 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/vpn/attachments/20040225/61996cd8/attachment.jpg
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Sh ca certificate.txt
Url: http://lists.shmoo.com/pipermail/vpn/attachments/20040225/61996cd8/attachment-0001.txt
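Andrew's access-list point and Youssef's CA enrollment steps are both things that can be checked mechanically in a PIX 6.x configuration. The following is an added example, not code from the thread or from Cisco: it reads a configuration as text and reports what a certificate-authenticated IKE peer on the outside interface still lacks. The command forms it recognises (access-list, access-group, isakmp enable, isakmp policy ... authentication rsa-sig, isakmp nat-traversal, sysopt connection permit-ipsec, ca identity) are PIX 6.x syntax as I know it; both sample configurations are constructed with documentation addresses, not taken from the attachments.

```python
"""Check a PIX 6.x configuration for what a certificate-authenticated IKE
client needs on the outside interface.  Added example for this thread, not
code from the original post or from Cisco; the command forms are PIX 6.x
syntax as the checker understands it, and the sample configs are constructed."""
from typing import Dict, List, Optional, Set

def parse(cfg: str) -> List[List[str]]:
    """Tokenise a config, dropping blank and comment lines."""
    return [ln.split() for ln in cfg.splitlines() if ln.strip() and not ln.startswith("!")]

def acl_permits(lines: List[List[str]], acl: str, protos: Set[str], dst_ip: Optional[str],
                ports: Optional[Set[str]] = None) -> bool:
    """True if <acl> has a permit entry for one of <protos> to <dst_ip> (or 'any'),
    optionally restricted to 'eq <port>'.  Source may be 'any', 'host X' or 'net mask'."""
    for w in lines:
        if w[:3] != ["access-list", acl, "permit"] or w[3] not in protos:
            continue
        rest = w[4:]
        rest = rest[1:] if rest[:1] == ["any"] else rest[2:]      # skip the source
        if rest[:1] == ["any"]:
            tail = rest[1:]
        elif rest[:2] == ["host", dst_ip]:
            tail = rest[2:]
        else:
            continue
        if ports is None or (tail[:1] == ["eq"] and tail[1:2] and tail[1] in ports):
            return True
    return False

def check_pix_vpn_config(cfg: str, iface: str = "outside") -> Dict[str, object]:
    lines = parse(cfg)
    ip = next((w[3] for w in lines if w[:3] == ["ip", "address", iface] and len(w) > 3), None)
    acl = next((w[1] for w in lines if w[:1] == ["access-group"] and w[2:3] == ["in"]
                and w[-2:] == ["interface", iface]), None)
    nat_t = any(w[:2] == ["isakmp", "nat-traversal"] for w in lines)
    result: Dict[str, object] = {
        "isakmp_enabled": any(w == ["isakmp", "enable", iface] for w in lines),
        "rsa_sig_policy": any(w[:2] == ["isakmp", "policy"]
                              and w[3:5] == ["authentication", "rsa-sig"] for w in lines),
        "ca_identity": any(w[:2] == ["ca", "identity"] for w in lines),
        "ipsec_bypass": any(w == ["sysopt", "connection", "permit-ipsec"] for w in lines),
    }
    missing = [k for k, ok in result.items() if not ok and k != "ipsec_bypass"]
    # Without the sysopt bypass, the inbound list on the outside interface must admit
    # ISAKMP (UDP 500), ESP (IP protocol 50) and, when NAT-T is on, UDP 4500.
    if not result["ipsec_bypass"] and acl is not None:
        need = {"udp/500": ({"udp"}, {"isakmp", "500"}), "esp": ({"esp", "50"}, None)}
        if nat_t:
            need["udp/4500"] = ({"udp"}, {"4500"})
        for name, (protos, ports) in need.items():
            if not acl_permits(lines, acl, protos, ip, ports):
                missing.append(name)
    result["missing"] = missing
    return result

# Constructed sample: the situation Andrew described, an inbound list admitting only www.
WEAK = """\
ip address outside 192.0.2.10 255.255.255.0
access-list acl_out permit tcp any host 192.0.2.10 eq www
access-group acl_out in interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
ca identity myca 192.0.2.20:/certsrv/mscep/mscep.dll
"""
# Constructed sample: the same list with ISAKMP and ESP admitted to the outside address.
FIXED = WEAK + """\
access-list acl_out permit udp any host 192.0.2.10 eq isakmp
access-list acl_out permit esp any host 192.0.2.10
"""
```

The checker treats `sysopt connection permit-ipsec` as an alternative to the explicit entries, because that sysopt lets IPsec-related traffic bypass the interface access-list on PIX 6.x; if neither is present, the findings list names exactly the entries Andrew asked for.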