OKAY, to finish the discussion, here is the debug from the L2L IPSec
IOS<-->ASA with PKI; the debug was taken on the ASA.
The first one is with the default identity setting on IOS, i.e. "cry isak
identity address", and with "peer-id-validate required" (the default) on the
ASA.
In this case Phase 1 fails on the identity check:

---------------------------
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713236: IP = 5.5.5.5, IKE_DECODE
RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) +
SIG (9) + NONE (0) total length : 757
Oct 07 2009 17:42:08 ASA1 : %ASA-7-715047: IP = 5.5.5.5, processing ID payload
Oct 07 2009 17:42:08 ASA1 : %ASA-7-714011: IP = 5.5.5.5, ID_IPV4_ADDR
ID received
5.5.5.5
Oct 07 2009 17:42:08 ASA1 : %ASA-7-715047: IP = 5.5.5.5, processing cert payload
Oct 07 2009 17:42:08 ASA1 : %ASA-7-715001: IP = 5.5.5.5, processing
RSA signature
Oct 07 2009 17:42:08 ASA1 : %ASA-7-715076: IP = 5.5.5.5, Computing
hash for ISAKMP
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: Dump of received Signature, len 128:
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: IP = 5.5.5.5, Trying to find group via OU...
Oct 07 2009 17:42:08 ASA1 : %ASA-3-713020: IP = 5.5.5.5, No Group
found by matching OU(s) from ID payload:   Unknown
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: IP = 5.5.5.5, Trying to
find group via IKE ID...
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: IP = 5.5.5.5, Connection
landed on tunnel_group 5.5.5.5
Oct 07 2009 17:42:08 ASA1 : %ASA-7-717025: Validating certificate
chain containing 1 certificate(s).
Oct 07 2009 17:42:08 ASA1 : %ASA-7-717029: Identified client
certificate within certificate chain. serial number: 02, subject name:
ipaddress=5.5.5.5+hostname=R5_alexLAB.seclab.ig,cn=R5 ou\=ALEXSECLAB
o\=IG.
Oct 07 2009 17:42:08 ASA1 : %ASA-7-717030: Found a suitable trustpoint
CA to validate certificate.
Oct 07 2009 17:42:08 ASA1 : %ASA-6-717022: Certificate was
successfully validated. serial number: 02, subject name:
ipaddress=5.5.5.5+hostname=R5_alexLAB.seclab.ig,cn=R5 ou\=ALEXSECLAB
o\=IG.
Oct 07 2009 17:42:08 ASA1 : %ASA-6-717028: Certificate chain was
successfully validated with warning, revocation status was not
checked.
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: Group = 5.5.5.5, IP =
5.5.5.5, peer ID type 1 received (IPV4_ADDR)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: Group = 5.5.5.5, IP =
5.5.5.5, Unable to compare IKE ID against peer cert Subject Alt Name
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Oct 07 2009 17:42:08 ASA1 : %ASA-7-715065: Group = 5.5.5.5, IP =
5.5.5.5, IKE MM Initiator FSM error history (struct &0xd7043188)
<state>, <event>:  MM_DONE, EV_ERROR-->MM_I_DONE_H,
EV_COMPARE_IDS-->MM_I_DONE_H, EV_CERT_OK-->MM_I_DONE_H,
NullEvent-->MM_I_DONE_H, EV_VALIDATE_CERT-->MM_I_DONE_H,
EV_TEST_CERT-->MM_I_DONE_H, EV_CHECK_NAT_T-->MM_I_DONE_H,
EV_GROUP_LOOKUP
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: Group = 5.5.5.5, IP =
5.5.5.5, IKE SA MM:be6e43b3 terminating:  flags 0x0100c022, refcnt 0,
tuncnt 0
-------------------------------


To work around that the identity on IOS has been set to:
                    cry isak identity DN

Now the MM succeeds:
-------------------------
<snip>
Oct 07 2009 18:31:37 ASA1 : %ASA-6-717022: Certificate was
successfully validated. serial number: 02, subject name:
ipaddress=5.5.5.5+hostname=R5_alexLAB.seclab.ig,cn=R5 ou\=ALEXSECLAB
o\=IG.
Oct 07 2009 18:31:37 ASA1 : %ASA-6-717028: Certificate chain was
successfully validated with warning, revocation status was not
checked.
<<<<<<<<<<<<<<<<<<<<<<<<<<
Oct 07 2009 18:31:37 ASA1 : %ASA-7-713906: Group = 5.5.5.5, IP =
5.5.5.5, peer ID type 9 received (DER_ASN1_DN)
<<<<<<<<<<<<<<<<<<<<<<<<<<
Oct 07 2009 18:31:37 ASA1 : %ASA-6-113009: AAA retrieved default group
policy (DfltGrpPolicy) for user = 5.5.5.5
Oct 07 2009 18:31:37 ASA1 : %ASA-7-713906: Group = 5.5.5.5, IP =
5.5.5.5, Oakley begin quick mode
Oct 07 2009 18:31:37 ASA1 : %ASA-7-714002: Group = 5.5.5.5, IP =
5.5.5.5, IKE Initiator starting QM: msg id = f06b90d2
Oct 07 2009 18:31:37 ASA1 : %ASA-5-713119: Group = 5.5.5.5, IP =
5.5.5.5, PHASE 1 COMPLETED

----------------------------------------------

I plan to test setting peer-id-validate on ASA to cert or to nocheck
to see the difference; I'll report the findings to the group.

Thank you all for your input.

=======================================

2009/10/7 Tyson Scott <[email protected]>:
> I am sorry I guess I misunderstood the question.
>
> The "cert" option or "req" options are almost synonymous.
>
> The difference is the flexibility of cert.  "req" means it has to match a
> certificate during the Phase 1 negotiation in the X.509 Certificate
> Exchange.
>
> The cert option will use certificates if the X.509 exchange occurs during
> phase 1 negotiation but if it doesn't occur it will revert back to using
> pre-shared keys.
>
> Here are the best two lines that I could find on it.
>
> http://books.google.com/books?id=wn51t2Jv24wC&pg=PT430&lpg=PT430&dq=%22peer-id-validate%22&source=bl&ots=I3-TtCsX4G&sig=QA-zoB6z_QHJW5m--DwUndq0Mxg&hl=en&ei=gL7MSo6wGoOmsgPq4O2XAQ&sa=X&oi=book_result&ct=result&resnum=8#v=onepage&q=%22peer-id-validate%22&f=false
>
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto:  [email protected]
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
> and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
> Security Lab, CCIE Service Provider Lab , CCIE Voice Lab and CCIE Storage
> Lab Certifications.
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Wednesday, October 07, 2009 11:28 AM
> To: [email protected]; Tyson Scott
> Subject: Re: [OSL | CCIE_Security] peer-id-validate
>
> Thank you, Tyson; but this is not what I was asking about.
> The algorithm of MM with certs on ASA is:
>        - try to match the OU field to a tunnel-group name;
>        - if no such TG is found, try to find a TG whose name matches
> the peer address;
>        - if again not found, ASA gives up.
>
> The check I was asking about is done after the TG is found.
> And the question was: what does the "cert" option mean?
> ---------------------------------
>
> 2009/10/7 Tyson Scott <[email protected]>:
>> When you configure certificates for an IPSec tunnel you will find that by
>> default it also sends the OU.  If this is the same OU as the ASA no
>> additional configuration is required.  If the OU is different then you need
>> to specify the OUs that you will accept.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S and Security
>> Technical Instructor - IPexpert, Inc.
>>
>> -----Original Message-----
>> From: [email protected]
>> [mailto:[email protected]] On Behalf Of
>> [email protected]
>> Sent: Wednesday, October 07, 2009 5:33 AM
>> To: [email protected]
>> Subject: [OSL | CCIE_Security] peer-id-validate
>>
>> Hello group,
>>
>> when doing IPsec with PKI to ASA, there's an option on ASA to check
>> whether the peer-id sent in the identity payload of the 5th packet of the MM
>> exchange is identical to the DN (subject) of the peer cert:
>>    tunnel-group <name> ipsec-attributes
>>           peer-id-validate req|nocheck|cert
>>
>> while the first two options are clear (just -- check or do not check),
>> the "cert" option is somewhat obscure.
>> the command lookup at cisco says: "cert - if supported by cert".
>> what does that mean?
>> I believe each cert must have a DN field (cn, ou, etc)...
>> Or not?
>> Understanding that is important because ASA is set to require
>> the check by default, and, on the other hand, IOS sends its IP address
>> as its ID by default, so the MM will not succeed without tweaking that.
>>
>> thank you.
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>>
>
>
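A small triage helper, added here and not part of the thread or of any Cisco tooling, that parses ASA IKE debug like the two captures above: it re-joins mailer-wrapped records, reports which identity type the peer sent, whether the certificate validated and whether the Subject Alt Name comparison failed. The sample records are constructed, abridged from the captures in the thread.

```python
import re

# ASA syslog records start with a timestamp; the thread's captures were
# line-wrapped by the mailer, so continuation lines are re-joined first.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2} ")
ID_TYPE = re.compile(r"peer ID type \d+ received \((\w+)\)")
TUNNEL_GROUP = re.compile(r"Connection landed on tunnel_group (\S+)")
FLAGS = {  # message IDs and phrases taken from the thread's own debug
    "ou_lookup_failed": "No Group found by matching OU",
    "cert_validated": "%ASA-6-717022",
    "id_compare_failed": "Unable to compare IKE ID against peer cert",
    "phase1_complete": "PHASE 1 COMPLETED",
}
def join_records(text):
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line)
        elif records and line.strip():  # wrapped continuation
            records[-1] += " " + line.strip()
    return records
def analyze_ike_debug(text):
    """Identity-check facts from an ASA IKE main-mode debug, plus a verdict:
    phase1-ok, id-mismatch:<ID type the peer sent>, or incomplete."""
    r = {"id_type": None, "tunnel_group": None, **{k: False for k in FLAGS}}
    for rec in join_records(text):
        for key, pat in (("id_type", ID_TYPE), ("tunnel_group", TUNNEL_GROUP)):
            if r[key] is None and (m := pat.search(rec)):
                r[key] = m.group(1)
        for key, needle in FLAGS.items():
            r[key] = r[key] or needle in rec
    r["verdict"] = ("phase1-ok" if r["phase1_complete"] else
                    "id-mismatch:%s" % r["id_type"] if r["id_compare_failed"]
                    else "incomplete")
    return r

# Constructed samples, abridged from the two captures in the thread.
FAIL_DEBUG = """\
Oct 07 2009 17:42:08 ASA1 : %ASA-3-713020: IP = 5.5.5.5, No Group found by matching OU(s) from ID payload:   Unknown
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: IP = 5.5.5.5, Connection
landed on tunnel_group 5.5.5.5
Oct 07 2009 17:42:08 ASA1 : %ASA-6-717022: Certificate was successfully validated. serial number: 02
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: Group = 5.5.5.5, IP = 5.5.5.5, peer ID type 1 received (IPV4_ADDR)
Oct 07 2009 17:42:08 ASA1 : %ASA-7-713906: Group = 5.5.5.5, IP = 5.5.5.5, Unable to compare IKE ID against peer cert Subject Alt Name
"""
OK_DEBUG = """\
Oct 07 2009 18:31:37 ASA1 : %ASA-7-713906: Group = 5.5.5.5, IP = 5.5.5.5, peer ID type 9 received (DER_ASN1_DN)
Oct 07 2009 18:31:37 ASA1 : %ASA-5-713119: Group = 5.5.5.5, IP = 5.5.5.5, PHASE 1 COMPLETED
"""
```

Run `analyze_ike_debug` over a full `debug crypto isakmp` capture: a validated certificate together with `id-mismatch:IPV4_ADDR` is exactly the symptom the thread worked around by switching the IOS identity to DN.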