Problem with IOS VPN using certificates

I'm trying to set up a Client VPN to a Cisco 2611 router (c2600-ik9o3s3-mz.123-1a.bin) using certificates handed out by a Windows 2003 CA and stored on an Aladdin eToken USB security token. Cisco has an example for almost the exact same thing at

formatting link
which uses a PIX firewall as opposed to the router, but uses a Windows CA and the same token.

Cisco also has

formatting link
which uses an IOS router and a non-MS CA. I combined the two examples and configured my router as follows (non-VPN sections removed):

crypto ca trustpoint certtest
 enrollment mode ra
 enrollment url http://:80/certsrv/mscep/mscep.dll
 usage ike
 serial-number none
 ip-address none
 password 7
 crl query ldap://
 auto-enroll
!
crypto ca certificate chain certtest
 certificate 14CFD91000000000000A
  3082054C 30820434 A0030201 02020A14 CFD91000 00000000 0A300D06
  092A8648
  2ED2252E CCA9FFB5 0B261C3E 2BD68E26
  quit
 certificate ca 4E0471BDF475BB9E4E685D2354AA8B01
  30820482 3082036A A0030201 0202104E 0471BDF4 75BB9E4E 685D2354 AA8B0130
  F9F5689D C898
  quit
!
!
crypto isakmp policy 10
 encr 3des
 group 2
crypto isakmp identity hostname
!
crypto isakmp client configuration group ADSvpn
 dns 192.168.7.1 192.168.7.3
 domain domain.com
 pool vpnpool
 acl 180
!
!
crypto ipsec transform-set VPNset esp-3des esp-sha-hmac
!
crypto dynamic-map vpnclient 10
 set transform-set VPNset
!
!
!
crypto map vpn client authentication list ClientAuth
crypto map vpn isakmp authorization list ClientAuth
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic vpnclient
*snip*

When I try to connect using the client, the connection never completes. I ran a few debugs on the router and got this:

4w3d: ISAKMP (0:0): received packet from dport 500 sport 500 Global (N) NEW SA
4w3d: ISAKMP: Created a peer struct for , peer port 500
4w3d: ISAKMP: Locking peer struct 0x82EE36B0, IKE refcount 1 for crypto_ikmp_config_initialize_sa
4w3d: ISAKMP (0:0): Setting client config settings 826ABBBC
4w3d: ISAKMP (0:0): (Re)Setting client xauth list and state
4w3d: ISAKMP: local port 500, remote port 500
4w3d: ISAKMP: insert sa successfully sa = 826EA44C
4w3d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
4w3d: ISAKMP (0:1): Old State = IKE_READY New State = IKE_R_MM1

4w3d: ISAKMP (0:1): processing SA payload. message ID = 0
4w3d: ISAKMP (0:1): processing vendor id payload
4w3d: ISAKMP (0:1): vendor ID seems Unity/DPD but major 215 mismatch
4w3d: ISAKMP (0:1): vendor ID is XAUTH
4w3d: ISAKMP (0:1): processing vendor id payload
4w3d: ISAKMP (0:1): vendor ID is DPD
4w3d: ISAKMP (0:1): processing vendor id payload
4w3d: ISAKMP (0:1): vendor ID seems Unity/DPD but major 123 mismatch
4w3d: ISAKMP (0:1): vendor ID is NAT-T v2
4w3d: ISAKMP (0:1): processing vendor id payload
4w3d: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch
4w3d: ISAKMP (0:1): processing vendor id payload
4w3d: ISAKMP (0:1): vendor ID is Unity
4w3d: ISAKMP (0:1) Authentication by xauth preshared
4w3d: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy
4w3d: ISAKMP:      encryption AES-CBC
4w3d: ISAKMP:      hash SHA
4w3d: ISAKMP:      default group 5
4w3d: ISAKMP:      auth XAUTHInitRSA
4w3d: ISAKMP:      life type in seconds
4w3d: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4w3d: ISAKMP:      keylength of 256
*snip*
4w3d: ISAKMP (0:1): Checking ISAKMP transform 21 against priority 10 policy
4w3d: ISAKMP:      encryption 3DES-CBC
4w3d: ISAKMP:      hash SHA
4w3d: ISAKMP:      default group 2
4w3d: ISAKMP:      auth XAUTHInitRSA
4w3d: ISAKMP:      life type in seconds
4w3d: ISAKMP:      life duration (VPI) of 0x0 0x20 0xC4 0x9B
4w3d: ISAKMP (0:1): atts are acceptable. Next payload is 3
4w3d: ISAKMP (0:1): vendor ID is NAT-T v2
4w3d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
4w3d: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_R_MM1

4w3d: ISAKMP (0:1): constructed NAT-T vendor-02 ID
4w3d: ISAKMP (0:1): sending packet to my_port 500 peer_port 500 (R) MM_SA_SETUP
4w3d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
4w3d: ISAKMP (0:1): Old State = IKE_R_MM1 New State = IKE_R_MM2

4w3d: ISAKMP (0:1): received packet from dport 500 sport 500 Global (R) MM_SA_SETUP
4w3d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
4w3d: ISAKMP (0:1): Old State = IKE_R_MM2 New State = IKE_R_MM3

4w3d: ISAKMP (0:1): processing KE payload. message ID = 0
4w3d: ISAKMP (0:1): processing NONCE payload. message ID = 0
4w3d: ISAKMP (0:1): SKEYID state generated
4w3d: ISAKMP:received payload type 17
4w3d: ISAKMP (0:1): Detected NAT-D payload
4w3d: ISAKMP (0:1): NAT match MINE hash
4w3d: ISAKMP:received payload type 17
4w3d: ISAKMP (0:1): Detected NAT-D payload
4w3d: ISAKMP (0:1): NAT match HIS hash
4w3d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
4w3d: ISAKMP (0:1): Old State = IKE_R_MM3 New State = IKE_R_MM3

4w3d: CRYPTO_PKI: GetCertByIssuerSerialDigest: handle=829AA814, digest= 1D 52 E0 89 24 6E 96 53 E3 C9 64 38 2E 1D A7 03
4w3d: ISAKMP (0:1): constructed HIS NAT-D
4w3d: ISAKMP (0:1): constructed MINE NAT-D
4w3d: ISAKMP (0:1): sending packet to my_port 500 peer_port 500 (R) MM_KEY_EXCH
4w3d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
4w3d: ISAKMP (0:1): Old State = IKE_R_MM3 New State = IKE_R_MM4
4w3d: ISAKMP (0:1): received packet from dport 500 sport 500 Global (R) MM_KEY_EXCH
4w3d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
4w3d: ISAKMP (0:1): Old State = IKE_R_MM4 New State = IKE_R_MM5

4w3d: ISAKMP (0:1): processing ID payload. message ID = 0
4w3d: ISAKMP (0:1): UNITY's identity group: OU = ADSvpn
4w3d: ISAKMP (0:1): peer matches *none* of the profiles
4w3d: ISAKMP (0:1): processing CERT payload. message ID = 0
4w3d: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
4w3d: ISAKMP (0:1): peer's pubkey is cached
4w3d: ISAKMP (0:1): OU = ADSvpn
4w3d: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
4w3d: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
4w3d: ISAKMP (0:1): peer want cert issued by
4w3d: ISAKMP (0:1): issuer name is not a trusted root.
4w3d: ISAKMP (0:1): processing SIG payload. message ID = 0
4w3d: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1 spi 0, message ID = 0, sa = 826EA44C
4w3d: ISAKMP (0:1): Process initial contact, bring down existing phase 1 and 2 SA's with local remote remote port 500
4w3d: ISAKMP (0:1): returning IP addr to the address pool
4w3d: ISAKMP (0:1): SA has been authenticated with
4w3d: ISAKMP: Trying to insert a peer //500/, and inserted successfully.
4w3d: ISAKMP (0:1): UNITY's identity group: OU = ADSvpn
4w3d: ISAKMP (0:1): peer matches *none* of the profiles
4w3d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
4w3d: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_R_MM5

4w3d: IPSEC(key_engine): got a queue event...
4w3d: CRYPTO_PKI: GetCertByIssuerSerialDigest: handle=829AA814, digest= 1D 52 E0 89 24 6E 96 53 E3 C9 64 38 2E 1D A7 03
4w3d: ISAKMP (0:1): SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
4w3d: ISAKMP (1): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : ADS-2611.domain.com
        protocol     : 17
        port         : 500
        length       : 25
4w3d: ISAKMP (1): Total payload length: 29
4w3d: ISAKMP (0:1): no valid cert found to return
4w3d: ISAKMP: set new node -1577452429 to CONF_XAUTH
4w3d: ISAKMP (0:1): sending packet to my_port 500 peer_port 500 (R) MM_KEY_EXCH
4w3d: ISAKMP (0:1): purging node -1577452429
4w3d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
4w3d: ISAKMP (0:1): Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE

4w3d: ISAKMP (0:1): received packet from dport 500 sport 500 Global (R) MM_KEY_EXCH
4w3d: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
4w3d: ISAKMP (0:1): retransmitting due to retransmit phase 1
4w3d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
4w3d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
4w3d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
4w3d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
4w3d: ISAKMP (0:1): sending packet to my_port 500 peer_port 500 (R) MM_KEY_EXCH
4w3d: ISAKMP (0:1): received packet from dport 500 sport 500 Global (R) MM_KEY_EXCH
4w3d: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
4w3d: ISAKMP (0:1): retransmitting due to retransmit phase 1
4w3d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
4w3d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH...
4w3d: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
4w3d: ISAKMP (0:1): retransmitting phase 1 MM_KEY_EXCH
4w3d: ISAKMP (0:1): sending packet to my_port 500 peer_port 500 (R) MM_KEY_EXCH
4w3d: ISAKMP (0:1): received packet from dport 500 sport 500 Global (R) MM_KEY_EXCH
4w3d: ISAKMP (0:1): phase 1 packet is a duplicate of a previous packet.
4w3d: ISAKMP (0:1): retransmission skipped for phase 1 (time since last transmission 881)
4w3d: ISAKMP (0:1): received packet from dport 500 sport 500 Global (R) MM_KEY_EXCH
4w3d: ISAKMP: set new node 355653219 to CONF_XAUTH
4w3d: ISAKMP (0:1): processing HASH payload. message ID = 355653219
4w3d: ISAKMP:received payload type 15
4w3d: ISAKMP (0:1): processing DELETE_WITH_REASON payload, message ID = 355653219, reason: DELETE_BY_USER_COMMAND
4w3d: ISAKMP (0:1): peer does not do paranoid keepalives.

4w3d: ISAKMP (0:1): deleting SA reason "P1 delete notify (in)" state (R) MM_KEY_EXCH (peer ) input queue 0
4w3d: ISAKMP (0:1): deleting node 355653219 error FALSE reason "informational (in) state 1"
4w3d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_DELETE
4w3d: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE

4w3d: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
4w3d: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

4w3d: ISAKMP (0:1): deleting SA reason "" state (R) MM_KEY_EXCH (peer ) input queue 0
4w3d: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
4w3d: ISAKMP (0:1): Old State = IKE_DEST_SA New State = IKE_DEST_SA

The interesting part to me is:

4w3d: ISAKMP (0:1): processing ID payload. message ID = 0
4w3d: ISAKMP (0:1): UNITY's identity group: OU = ADSvpn
4w3d: ISAKMP (0:1): peer matches *none* of the profiles
4w3d: ISAKMP (0:1): processing CERT payload. message ID = 0
4w3d: ISAKMP (0:1): processing a CT_X509_SIGNATURE cert
4w3d: ISAKMP (0:1): peer's pubkey is cached
4w3d: ISAKMP (0:1): OU = ADSvpn
4w3d: ISAKMP (0:1): processing CERT_REQ payload. message ID = 0
4w3d: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
4w3d: ISAKMP (0:1): peer want cert issued by
4w3d: ISAKMP (0:1): issuer name is not a trusted root.
4w3d: ISAKMP (0:1): processing SIG payload. message ID = 0

It looks to me like the router is accepting the client's cert, but the client is requesting an invalid one back (4w3d: ISAKMP (0:1): peer want cert issued by ). As far as I know, there's supposed to be a name at the end of this line.

Any ideas?

Any help you could provide would be greatly appreciated.

Thanks, Rich Williams

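An added example, not from the thread or from Cisco, that scans ISAKMP debug output like the excerpt above and correlates the certificate-exchange symptoms per SA: the group taken from the client cert's OU, the profile match, the issuer DN in the client's CERT_REQ, the trusted-root verdict and whether the router found a certificate to return. The sample lines are constructed after the post's output, with the blank issuer kept as it appears in the thread; the symptom names and the verdict text are my own.

```python
import re

# Constructed excerpt modelled on the debug output in the post above; the field
# that appears blank in the thread ("issued by" with no DN) is kept blank here.
SAMPLE_DEBUG = """\
4w3d: ISAKMP (0:1): UNITY's identity group: OU = ADSvpn
4w3d: ISAKMP (0:1): peer matches *none* of the profiles
4w3d: ISAKMP (0:1): peer wants a CT_X509_SIGNATURE cert
4w3d: ISAKMP (0:1): peer want cert issued by
4w3d: ISAKMP (0:1): issuer name is not a trusted root.
4w3d: ISAKMP (0:1): no valid cert found to return
4w3d: ISAKMP (0:1): processing DELETE_WITH_REASON payload, message ID = 355653219, reason: DELETE_BY_USER_COMMAND
"""

# "<uptime>: ISAKMP (<sa>): <message>"; lines without an SA id (transform dumps etc.) are skipped
LINE_RE = re.compile(r"^\S+: ISAKMP \((?P<sa>\d+:\d+)\): (?P<msg>.*)$")

# Symptom name -> regex over the message text; a named group captures the detail
SYMPTOMS = {
    "identity_group":    r"UNITY's identity group: OU = (?P<group>\S+)",    # group from the client cert OU
    "no_profile":        r"peer matches \*none\* of the profiles",           # no ISAKMP profile matched
    "cert_req_issuer":   r"peer want cert issued by\s*(?P<issuer>.*)$",     # issuer DN from the client's CERT_REQ
    "untrusted_issuer":  r"issuer name is not a trusted root",              # that DN matches no trustpoint CA
    "no_cert_to_return": r"no valid cert found to return",                  # router sent no cert of its own
    "peer_deleted":      r"DELETE_WITH_REASON .* reason: (?P<reason>\S+)",  # client tore the SA down
}

def analyse_isakmp_debug(text):
    """Return {sa_id: {symptom: detail}}; detail is the captured group or True."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        per_sa = findings.setdefault(m.group("sa"), {})
        for name, pattern in SYMPTOMS.items():
            hit = re.search(pattern, m.group("msg"))
            if hit:
                per_sa[name] = next(iter(hit.groupdict().values()), True)
    return findings

def diagnose(per_sa):
    """One-line verdict for a single SA's findings."""
    if per_sa.get("untrusted_issuer") and per_sa.get("no_cert_to_return"):
        issuer = per_sa.get("cert_req_issuer") or "<empty>"
        return ("responder found no certificate for the issuer the client requested "
                f"(requested issuer: {issuer}); compare the trustpoint CA cert with the client's CERT_REQ")
    if per_sa.get("no_profile"):
        return "peer identity matched no ISAKMP profile"
    return "no certificate-authentication symptom found"
```

Feed it the raw output of `debug crypto isakmp` and it reports, per SA, which of these markers were seen and what the client asked for.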


Rich,

Are you using LDAP ?

Cheers,

Mike


Michael,

No, I don't. But the behavior was identical even if I set the CRL to optional. I just pasted an old config.

Rich


Rich,

Try changing the line "crypto isakmp client configuration group ADSvpn" to "crypto isakmp client configuration group certtest".

formatting link
Cheers,

Mike

