VPN client & PIX with Windows 2003 CA & RADIUS

Hi all.

I have configured the PIX with rsa-sig (isakmp policy 10 authentication rsa-sig) and RADIUS authentication.

On the computer I have the VPN client and a certificate from the Windows 2003 CA in the LAN. All works fine. The computer has access to the network, RADIUS authentication works, the CA recognizes the computer's certificates. It works beautifully, but only from some Internet Service Providers. Bad providers don't use a firewall or other filters. All traffic can go out from them.

On the same PIX I have also configured access without a certificate (isakmp policy 20 authentication pre-share). On my laptop I have configured two VPN connections:

- One with authentication by certificate
- The other with group authentication and a pre-shared password

From the good ISP both connections work. From the bad ISP only pre-share authentication works.

Why doesn't the second connection work? Does ISAKMP with rsa-sig use other protocols? Maybe my configuration is bad? Have you ever had a working configuration like mine on a PIX 501?

Here is my config:

interface ethernet0 10baset
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix02
domain-name abc.com
clock timezone WAT 1
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 120 permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0
icmp permit any unreachable outside
icmp permit any echo outside
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute retry 4
ip address inside 10.0.0.3 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnpool 10.0.10.10-10.0.10.100
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 120
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route inside 10.0.1.0 255.255.255.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
ntp server 217.153.69.35 source outside
ntp server 150.254.183.15 source outside
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication RADIUS
crypto map mymap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpncert address-pool vpnpool
vpngroup vpncert dns-server 10.0.0.5
vpngroup vpncert default-domain abc.local
vpngroup vpncert idle-time 1800
vpngroup office address-pool vpnpool
vpngroup office dns-server 10.0.0.5
vpngroup office default-domain abc.local
vpngroup office idle-time 1800
vpngroup office password ********
ca identity kobe 10.0.0.5:/certsrv/mscep/mscep.dll
ca configure kobe ra 1 20 crloptional

Here is the debug information from the PIX during connection from the bad and the good ISP (debug crypto isakmp). I can't see any errors. The debug lists are almost the same up to the point where I wrote "Difference".

Debug when I connect from the bad ISP and can't connect:

OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
CRYPTO_PKI: Certificate verified, chain status= 1
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): deleting SA: src 217.153.76.73, dst 213.54.22.29
ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
ISADB: reaper checking SA 0xb337dc, conn_id = 0 DELETE IT!
VPN Peer: ISAKMP: Peer ip:217.153.76.73/1094 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:217.153.76.73/1094 Total VPN peers:0
ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
 next-payload : 6
 type : 2
 protocol : 17
 port : 0
 length : 17
ISAKMP (0): Total payload length: 21
return status is IKMP_NO_ERROR
ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:217.153.76.73/1094 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:217.153.76.73/1094 Ref cnt incremented to:1 Total VPN Peers:1
ISAKMP: peer is a remote access client
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 217.153.76.73. ID = 743827829 (0x2c55e975)
crypto_isakmp_process_block:src:217.153.76.73, dest:213.54.22.29 spt:1094 dpt:4500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...

Difference

crypto_isakmp_process_block:src:217.153.76.73, dest:213.54.22.29 spt:1094 dpt:4500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...nod
crypto_isakmp_process_block:src:217.153.76.73, dest:213.54.22.29 spt:1094 dpt:4500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request.. debug
crypto_isakmp_process_block:src:217.153.76.73, dest:213.54.22.29 spt:1094 dpt:4500
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payloadc
ISAKMP (0): retransmitting Config Mode Request...rypto isakmp
.........
.........
(the last lines keep repeating)

Debug when I connect from the GOOD ISP and the VPN works:

ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT match MINE hash
ISAKMP (0:0): Detected NAT-D payload
ISAKMP (0:0): NAT does not match HIS hash
hash received: 2e 1a dd 1c 23 22 ac 8a ca 13 cc 76 3f 82 4c 4a
his nat hash : 89 d8 47 19 64 e8 66 7e 83 77 d3 3f a2 b2 c9 21
ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0:0): constructed HIS NAT-D
ISAKMP (0:0): constructed MINE NAT-D
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500 dpt:4500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
CRYPTO_PKI: Certificate verified, chain status= 1
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1 spi 0, message ID = 0
ISAKMP (0): processing notify INITIAL_CONTACT
ISAKMP (0): deleting SA: src 83.6.70.175, dst 213.54.22.29
ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
ISADB: reaper checking SA 0xb337dc, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:83.6.70.175/4500 Ref cnt decremented to:0 Total VPN Peers:2
VPN Peer: ISAKMP: Deleted peer: ip:83.6.70.175/4500 Total VPN peers:1
ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
ISADB: reaper checking SA 0xb34a1c, conn_id = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
 next-payload : 6
 type : 2
 protocol : 17
 port : 0
 length : 17
ISAKMP (0): Total payload length: 21
return status is IKMP_NO_ERROR
ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
ISADB: reaper checking SA 0xb34a1c, conn_id = 0
ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
ISAKMP (0): sending NOTIFY message 24576 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:83.6.70.175/4500 Total VPN Peers:2
VPN Peer: ISAKMP: Peer ip:83.6.70.175/4500 Ref cnt incremented to:1 Total VPN Peers:2
ISAKMP: peer is a remote access client
ISAKMP/xauth: request attribute XAUTH_TYPE
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
ISAKMP (0:0): initiating peer config to 83.6.70.175. ID = 1361769944 (0x512af5d8)
crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500 dpt:4500
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP: resending last response
ISAKMP (0): retransmitting Config Mode Request...

Difference

18: xauth authentication in progress for user: , session id: 761973038
crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500 dpt:4500
19: Received response: user_test, session id 761973038
ISAKMP_TRANSACTION exchange
20: Making authentication request for host 10.0.0.5, user user_test, session id: 761973038
ISAKMP (0:0): processing transaction payload from 83.6.70.175. message ID = 11351564
21: Processing challenge for user user_test, session id: 761973038, challenge: Password:
ISAKMP: Config payload CFG_REPLY
22: Received xauth challenge: Password: , session id: 761973038
return status is IKMP_ERR_NO_RETRANS
23: Received response: , session id 761973038
ISAKMP (0:0): initiating peer config to 83.6.70.175. ID = 316302082 (0x12da6302)
24: Making authentication request for host 10.0.0.5, user user_test, session id: 761973038
25: xauth authentication complete for user: user_test, session id: 761973038

crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500 dpt:4500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 83.6.70.175. message ID = 11351564
ISAKMP: Config payload CFG_ACK
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500 dpt:4500
ISAKMP_TRANSACTION exchange
ISAKMP (0:0): processing transaction payload from 83.6.70.175. message ID = 11351564
ISAKMP: Config payload CFG_REQUEST
ISAKMP (0:0): checking request:
ISAKMP: attribute IP4_ADDRESS (1)
ISAKMP: attribute IP4_NETMASK (2)
ISAKMP: attribute IP4_DNS (3)
ISAKMP: attribute IP4_NBNS (4)
ISAKMP: attribute ADDRESS_EXPIRY (5)
Unsupported Attr: 5
ISAKMP: attribute UNKNOWN (28672)
Unsupported Attr: 28672
ISAKMP: attribute UNKNOWN (28673)
Unsupported Attr: 28673
ISAKMP: attribute ALT_DEF_DOMAIN (28674)
ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
ISAKMP: attribute ALT_PFS (28679)
ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
ISAKMP: attribute APPLICATION_VERSION (7)
ISAKMP: attribute UNKNOWN (28680)
Unsupported Attr: 28680
ISAKMP: attribute UNKNOWN (28682)
Unsupported Attr: 28682
ISAKMP (0:0): responding to peer config from 83.6.70.175. ID = 2821681736
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500 dpt:4500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 2639747525
..............
..............
Connection succeeds

In both connections the certificate is accepted; debug crypto ca displays CRYPTO_PKI: Certificate verified, chain status= 1

Help me please!

achilles_mj
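When two `debug crypto isakmp` dumps look "almost the same", the first thing a practitioner wants is the exact stage at which the failing one stops. The script below is an added example for this thread, not Cisco code and not the poster's own: it folds the debug lines into a small per-session summary (certificate verified, phase 1 authenticated, XAUTH started/completed, quick mode reached, plus counters for duplicate phase-1 packets, config-mode retransmits and malformed payloads) and names the stage where the negotiation stalled. The two sample transcripts are short excerpts re-typed from the post's own dumps, one event per line; the diagnosis strings are this example's reading of the log, not something the PIX reports. Applied to the post's logs it shows that on the bad ISP the peer certificate is verified and phase 1 is authenticated, yet the peer keeps re-sending its last main-mode packet and never answers the config-mode request, while on the good ISP XAUTH and quick mode follow immediately. Why the PIX's last main-mode reply would be lost on one path and not another (the large certificate-bearing datagram being fragmented and the fragments filtered is one hypothesis, not something the post proves) is left as an assumption the script deliberately does not assert; it also reports the peer's UDP port, since a port other than 500/4500 (1094 in the bad-ISP log) shows a NAT device rewriting it.

```python
"""Locate where an IKEv1 (ISAKMP) remote-access negotiation stalls in
Cisco PIX `debug crypto isakmp` output.

Added example for the thread above (not Cisco's code, not the poster's).
Sample transcripts are excerpts re-typed from the post's debug dumps;
the diagnosis strings are this example's reading of the log."""
import re
from dataclasses import dataclass


@dataclass
class IkeSummary:
    peer: str = ""                       # remote "ip/port" as the PIX prints it
    cert_verified: bool = False          # CRYPTO_PKI accepted the peer certificate
    phase1_authenticated: bool = False   # "SA has been authenticated"
    duplicate_phase1_packets: int = 0    # peer re-sent its last main-mode packet
    config_request_retransmits: int = 0  # PIX re-sent its config-mode (XAUTH) request
    malformed_payloads: int = 0          # "malformed payload" / "reserved not zero"
    xauth_started: bool = False
    xauth_complete: bool = False
    quick_mode_reached: bool = False     # phase 2 (OAK_QM) began


# Field name -> pattern.  Boolean fields are set once; counters are incremented.
EVENTS = [
    ("peer", re.compile(r"Added new peer: ip:(\S+)")),
    ("cert_verified", re.compile(r"Certificate verified, chain status= 1")),
    ("phase1_authenticated", re.compile(r"SA has been authenticated")),
    ("duplicate_phase1_packets", re.compile(r"phase 1 packet is a duplicate")),
    ("config_request_retransmits", re.compile(r"retransmitting Config Mode Request")),
    ("malformed_payloads", re.compile(r"malformed payload|reserved not zero on payload")),
    ("xauth_started", re.compile(r"xauth authentication in progress")),
    ("xauth_complete", re.compile(r"xauth authentication complete")),
    ("quick_mode_reached", re.compile(r"OAK_QM exchange")),
]


def summarize(lines):
    """Fold a sequence of debug lines into an IkeSummary."""
    s = IkeSummary()
    for line in lines:
        for name, rx in EVENTS:
            m = rx.search(line)
            if not m:
                continue
            if name == "peer":
                s.peer = m.group(1)
            elif isinstance(getattr(s, name), bool):
                setattr(s, name, True)
            else:
                setattr(s, name, getattr(s, name) + 1)
    return s


def peer_port(s):
    """UDP source port of the peer (0 if none logged); anything other than
    500/4500 means a NAT device between client and PIX rewrote the port."""
    return int(s.peer.rsplit("/", 1)[1]) if "/" in s.peer else 0


def diagnose(s):
    """Name the stage at which the negotiation stopped (this example's reading)."""
    if s.quick_mode_reached:
        return "ok: phase 1 and XAUTH done, phase 2 (quick mode) reached"
    if not s.cert_verified:
        return "failed: peer certificate was not verified"
    if not s.phase1_authenticated:
        return "failed: phase 1 never authenticated"
    if s.xauth_started:
        return "stalled during XAUTH: user/password exchange not completed"
    if s.duplicate_phase1_packets >= 2 and s.config_request_retransmits >= 2:
        return ("stalled after phase 1: peer keeps re-sending its last main-mode "
                "packet and never answers the config-mode request, so the PIX's "
                "final main-mode reply is apparently not reaching or not being "
                "accepted by the peer; look at the path, not at the CA")
    return "stalled after phase 1 for an unrecognised reason"


# Constructed excerpts, re-typed from the post's two debug dumps.
BAD_ISP = """\
CRYPTO_PKI: Certificate verified, chain status= 1
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): SA has been authenticated
VPN Peer: ISAKMP: Added new peer: ip:217.153.76.73/1094 Total VPN Peers:1
ISAKMP (0:0): initiating peer config to 217.153.76.73. ID = 743827829 (0x2c55e975)
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
ISAKMP (0): retransmitting Config Mode Request...
"""

GOOD_ISP = """\
CRYPTO_PKI: Certificate verified, chain status= 1
ISAKMP (0): SA has been authenticated
VPN Peer: ISAKMP: Added new peer: ip:83.6.70.175/4500 Total VPN Peers:2
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP (0): retransmitting Config Mode Request...
18: xauth authentication in progress for user: , session id: 761973038
25: xauth authentication complete for user: user_test, session id: 761973038
ISAKMP: Config payload CFG_ACK
OAK_QM exchange
"""


def report(name, text):
    s = summarize(text.splitlines())
    return f"{name}: peer {s.peer or '?'} (port {peer_port(s)}): {diagnose(s)}"


if __name__ == "__main__":
    print(report("bad ISP", BAD_ISP))
    print(report("good ISP", GOOD_ISP))
```

Feed it a full dump with `summarize(open("isakmp.log").read().splitlines())`; the counters matter more than the booleans, because a single duplicate phase-1 packet (the good-ISP log has one too) is normal retransmission, whereas a run of them with no XAUTH progress is the stall signature.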
