That's right. R1 must have the cert signed by R2 CA.

Regards,
Piotr
2011/10/10 waleed <[email protected]>

> Oct 10 10:20:28.343: ISAKMP:(1005): peer wants cert issued by cn=R2 CA Server,l=London,st=MI
> Oct 10 10:20:28.343: ISAKMP:(1005): issuer name is not a trusted root.
>
> I think the problem is here. You must authenticate with the CA server R2 and enroll a certificate for your router too:
>
> crypto ca trustpoint R2
>  enrollment url http://{R2 IP address}
> crypto ca authenticate R2
> crypto ca enroll R2
>
> Regards
>
> ------------------------------
> Date: Mon, 10 Oct 2011 12:48:16 +0530
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: [OSL | CCIE_Security] Site to site VPN using CA
>
> Hi,
>
> I changed the static route as suggested by Piotr. Still packets are not encrypting and decrypting. Below is the output:
>
> R3#ping 1.1.1.1 source lo3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
> Packet sent with a source address of 3.3.3.3
>
> Oct 10 10:20:27.299: IPSEC(sa_request): ,
>   (key eng. msg.) OUTBOUND local= 20.1.1.1, remote= 10.1.1.1,
>     local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
>     lifedur= 3600s and 4608000kb,
>     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
> Oct 10 10:20:27.307: ISAKMP:(0): SA request profile is (NULL)
> Oct 10 10:20:27.307: ISAKMP: Created a peer struct for 10.1.1.1, peer port 500
> Oct 10 10:20:27.307: ISAKMP: New peer created peer = 0x66161B68 peer_handle = 0x80000006
> Oct 10 10:20:27.307: ISAKMP: Locking peer struct 0x66161B68, refcount 1 for isakmp_initiator
> Oct 10 10:20:27.311: ISAKMP: local port 500, remote port 500
> Oct 10 10:20:27.311: ISAKMP: set new node 0 to QM_IDLE
> Oct 10 10:20:27.311: insert sa successfully sa = 66BDF730
> Oct 10 10:20:27.311: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
> Oct 10 10:20:27.315: ISAKMP:(0):No pre-shared key with 10.1.1.1!
> Oct 10 10:20:27.315: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
> Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-07 ID
> Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-03 ID
> Oct 10 10:20:27.319: ISAKMP:(0): constructed NAT-T vendor-02 ID
> Oct 10 10:20:27.319: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> Oct 10 10:20:27.323: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
>
> Oct 10 10:20:27.323: ISAKMP:(0): beginning Main Mode exchange
> Oct 10 10:20:27.323: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
> Oct 10 10:20:27.327: ISAKMP:(0):Sending an IKE IPv4 Packet.
> Oct 10 10:20:27.695: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
> Oct 10 10:20:27.699: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Oct 10 10:20:27.699: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
>
> Oct 10 10:20:27.707: ISAKMP:(0): processing SA payload. message ID = 0
> Oct 10 10:20:27.707: ISAKMP:(0): processing vendor id payload
> Oct 10 10:20:27.707: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
> Oct 10 10:20:27.707: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
> Oct 10 10:20:27.711: ISAKMP : Scanning profiles for xauth ...
> Oct 10 10:20:27.711: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
> Oct 10 10:20:27.711: ISAKMP: encryption AES-CBC
> Oct 10 10:20:27.711: ISAKMP: keylength of 128
> Oct 10 10:20:27.711: ISAKMP: hash SHA
> Oct 10 10:20:27.715: ISAKMP: default group 2
> Oct 10 10:20:27.715: ISAKMP: auth RSA sig
> Oct 10 10:20:27.715: ISAKMP: life type in seconds
> Oct 10 10:20:27.715: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> Oct 10 10:20:27.719: ISAKMP:(0):atts are acceptable. Next payload is 0
> Oct 10 10:20:27.719: ISAKMP:(0):Acceptable atts:actual life: 0
> Oct 10 10:20:27.719: ISAKMP:(0):Acceptable atts:life: 0
> Oct 10 10:20:27.719: ISAKMP:(0):Fill atts in sa vpi_length:4
> Oct 10 10:20:27.723: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
> Oct 10 10:20:27.723: ISAKMP:(0):Returning Actual lifetime: 86400
> Oct 10 10:20:27.723: ISAKMP:(0)::Started lifetime timer: 86400.
>
> Oct 10 10:20:27.723: ISAKMP:(0): processing vendor id payload
> Oct 10 10:20:27.723: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
> Oct 10 10:20:27.727: ISAKMP (0:0): vendor ID is NAT-T RFC 3947
> Oct 10 10:20:27.727: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> Oct 10 10:20:27.727: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
>
> Oct 10 10:20:27.739: ISAKMP (0:0): constructing CERT_REQ for issuer cn=R2 CA Server,l=London,st=MI
> Oct 10 10:20:27.743: ISAKMP:(0): sending packet to 10.1.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
> Oct 10 10:20:27.743: ISAKMP:(0):Sending an IKE IPv4 Packet.
> Oct 10 10:20:27.747: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> Oct 10 10:20:27.747: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
>
> Oct 10 10:20:28.239: ISAKMP (0:0): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
> Oct 10 10:20:28.243: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Oct 10 10:20:28.243: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
>
> Oct 10 10:20:28.247: ISAKMP:(0): processing KE payload. message ID = 0
> Oct 10 10:20:28.335: ISAKMP:(0): processing NONCE payload. message ID = 0
> Oct 10 10:20:28.339: ISAKMP:(1005): processing CERT_REQ payload. message ID = 0
> Oct 10 10:20:28.339: ISAKMP:(1005): peer wants a CT_X509_SIGNATURE cert
> Oct 10 10:20:28.343: ISAKMP:(1005): peer wants cert issued by cn=R2 CA Server,l=London,st=MI
> Oct 10 10:20:28.343: ISAKMP:(1005): issuer name is not a trusted root.
> Oct 10 10:20:28.347: ISAKMP:(1005): processing vendor id payload
> Oct 10 10:20:28.347: ISAKMP:(1005): vendor ID is Unity
> Oct 10 10:20:28.347: ISAKMP:(1005): processing vendor id payload
> Oct 10 10:20:28.347: ISAKMP:(1005): vendor ID is DPD
> Oct 10 10:20:28.351: ISAKMP:(1005): processing vendor id payload
> Oct 10 10:20:28.351: ISAKMP:(1005): speaking to another IOS box!
> Oct 10 10:20:28.351: ISAKMP:received payload type 20
> Oct 10 10:20:28.351: ISAKMP:received payload type 20
> Oct 10 10:20:28.355: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
> Oct 10 10:20:28.355: ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM4
>
> Oct 10 10:20:28.415: ISAKMP:(1005):Send initial contact
> Oct 10 10:20:28.415: ISAKMP:(1005):Unable to get router cert or routerdoes not have a cert: needed to find DN!
> Oct 10 10:20:28.415: ISAKMP(0:1005): Unable to get our DN from cert, using my FQDN as identity
> Oct 10 10:20:28.419: ISAKMP:(1005):SA is doing RSA signature authentication using id type ID_FQDN
> Oct 10 10:20:28.419: ISAKMP (0:1005): ID payload
>         next-payload : 6
>         type         : 2
>         FQDN name    : R3
>         protocol     : 17
>         port         : 500
>         length       : 10
> Oct 10 10:20:28.423: ISAKMP:(1005):Total payload length: 10
> Oct 10 10:20:28.423: ISAKMP:(1005): no valid cert found to return
> Oct 10 10:20:28.423: ISAKMP: set new node 645628590 to QM_IDLE
> Oct 10 10:20:28.427: ISAKMP:(1005):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
>         spi 0, message ID = 645628590
> Oct 10 10:20:28.431: ISAKMP:(1005): sending packet to 10.1.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
> Oct 10 10:20:28.431: ISAKMP:(1005):Sending an IKE IPv4 Packet.
> Oct 10 10:20:28.431: ISAKMP:(1005):purging node 645628590
> Oct 10 10:20:28.435: ISAKMP (0:1005): FSM action returned error: 2
> Oct 10 10:20:28.435: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
> Oct 10 10:20:28.435: ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM5
> ..
> Success rate is 0 percent (0/5)
> R3#
> Oct 10 10:20:37.744: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:20:38.136: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:20:38.136: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:20:38.136: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:20:38.140: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:20:48.148: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:20:48.148: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:20:48.148: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:20:48.152: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:20:57.300: IPSEC(key_engine): request timer fired: count = 1,
>   (identity) local= 20.1.1.1, remote= 10.1.1.1,
>     local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)
> Oct 10 10:20:57.304: IPSEC(sa_request): ,
>   (key eng. msg.) OUTBOUND local= 20.1.1.1, remote= 10.1.1.1,
>     local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1),
>     protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
>     lifedur= 3600s and 4608000kb,
>     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
> Oct 10 10:20:57.308: ISAKMP: set new node 0 to QM_IDLE
> Oct 10 10:20:57.312: ISAKMP:(1005):SA is still budding. Attached new ipsec request to it. (local 20.1.1.1, remote 10.1.1.1)
> Oct 10 10:20:57.312: ISAKMP: Error while processing SA request: Failed to initialize SA
> Oct 10 10:20:57.312: ISAKMP: Error while processing KMI message 0, error 2.
> Oct 10 10:20:58.152: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:20:58.156: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:20:58.156: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:20:58.156: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:21:08.153: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:21:08.157: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:21:08.157: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:21:08.157: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:21:18.138: ISAKMP (0:1005): received packet from 10.1.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
> Oct 10 10:21:18.138: ISAKMP:(1005): phase 1 packet is a duplicate of a previous packet.
> Oct 10 10:21:18.138: ISAKMP:(1005): retransmitting due to retransmit phase 1
> Oct 10 10:21:18.142: ISAKMP:(1005): no outgoing phase 1 packet to retransmit. MM_KEY_EXCH
> Oct 10 10:21:27.302: IPSEC(key_engine): request timer fired: count = 2,
>   (identity) local= 20.1.1.1, remote= 10.1.1.1,
>     local_proxy= 3.3.3.3/255.255.255.255/0/0 (type=1),
>     remote_proxy= 1.1.1.1/255.255.255.255/0/0 (type=1)
> Oct 10 10:21:42.315: ISAKMP: quick mode timer expired.
> Oct 10 10:21:42.315: ISAKMP:(1005):src 20.1.1.1 dst 10.1.1.1, SA is not authenticated
> Oct 10 10:21:42.315: ISAKMP:(1005):peer does not do paranoid keepalives.
>
> Oct 10 10:21:42.319: ISAKMP:(1005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 10.1.1.1)
> Oct 10 10:21:42.323: ISAKMP:(1005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 10.1.1.1)
> Oct 10 10:21:42.323: ISAKMP: Unlocking peer struct 0x66161B68 for isadb_mark_sa_deleted(), count 0
> Oct 10 10:21:42.327: ISAKMP: Deleting peer node by peer_reap for 10.1.1.1: 66161B68
> Oct 10 10:21:42.327: ISAKMP:(1005):deleting node -723389659 error FALSE reason "IKE deleted"
> Oct 10 10:21:42.327: ISAKMP:(1005):deleting node 467977890 error FALSE reason "IKE deleted"
> Oct 10 10:21:42.331: ISAKMP:(1005):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> Oct 10 10:21:42.331: ISAKMP:(1005):Old State = IKE_I_MM5 New State = IKE_DEST_SA
>
> Oct 10 10:21:42.335: IPSEC(key_engine): got a queue event with 1 KMI message(s)^Z
> R3#un all
>
>
> On Mon, Oct 10, 2011 at 1:12 AM, Piotr Matusiak <[email protected]> wrote:
>
> Hi,
>
> You have wrong static routes configured on R1 and R3. IP address 1.1.1.1 is local on R1; there should be a static route configured for 3.3.3.3. Same on R3.
>
> Regards,
> Piotr
>
>
> 2011/10/9 parvez ahmad <[email protected]>
>
> Hi All,
>
> Network Diagram:
>
> lo1-----R1(10.1.1.1)--------(10.1.1.2)R2(20.1.1.2)-----------(20.1.1.1)R3---lo3
>
> loop2 for NTP Server
>
> I am creating a site-to-site tunnel between R1 and R3 using a CA, but it is not working.
>
> loop1 and loop3 are the interesting traffic on their respective routers. R1 and R3 are authenticated and enrolled with the CA server lo2.
>
> -----------------------------------------------------------------------
> R1 config
> -----------------------------------------------------------------------
>
> crypto pki trustpoint R3
>  enrollment url http://2.2.2.2:80
>  subject-name CN = R3.cisco.com
>  revocation-check crl
>  rsakeypair R3.cisco.com
>
> crypto pki certificate chain R3
>  certificate ca 01
>   30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>
>   quit
>
> crypto isakmp policy 10
>  encr aes
>  group 2
> crypto isakmp identity dn
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> !
> crypto map MAP 10 ipsec-isakmp
>  set peer 20.1.1.1
>  set transform-set TSET
>  match address ACS
> !
> ip ssh version 1
> !
> interface Loopback1
>  ip address 1.1.1.1 255.255.255.0
> !
> interface FastEthernet0/0
>  ip address 10.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map MAP
>
> router eigrp 1
>  network 10.0.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 1.1.1.0 255.255.255.0 10.1.1.2
> !
> ip http server
> no ip http secure-server
> !
> ip access-list extended ACS
>  permit ip host 1.1.1.1 host 3.3.3.3
>
> ntp authentication-key 1 md5 13061E010803 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179880
> ntp server 2.2.2.2
> -----------------------------------------------------------------------
> R2 Config
> -----------------------------------------------------------------------
>
> crypto pki server R2
>  database level complete
>  database archive pem password 7 060506324F41584B56
>  issuer-name CN = R2 CA Server,L = London,ST = MI
>  cdp-url http://2.2.2.2/cgi-bin/pkiclient.exe?operation=GetCRL
>  database url flash:
> !
> crypto pki trustpoint R2
>  revocation-check crl
>  rsakeypair R2.cisco.com
>
> !
> crypto pki certificate chain R2
>  certificate ca 01
>   30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>
>   quit
>
> interface FastEthernet0/0
>  ip address 10.1.1.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 20.1.1.2 255.255.255.0
>  duplex auto
>  speed auto
> !
> router eigrp 1
>  network 2.0.0.0
>  network 10.0.0.0
>  network 20.0.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> !
> ip http server
> no ip http secure-server
>
> ntp authentication-key 1 md5 14141B180F0B 7
> ntp authenticate
> ntp trusted-key 1
> ntp source Loopback0
> ntp master 2
>
> -----------------------------------------------------------------------
> R3 Config
> -----------------------------------------------------------------------
>
> crypto pki trustpoint R3
>  enrollment url http://2.2.2.2:80
>  subject-name CN = R3.cisco.com
>  revocation-check crl
>  rsakeypair R3.cisco.com
>
> crypto pki certificate chain R3
>  certificate ca 01
>   30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
>
>   4B201CC6 E7
>   quit
>
> crypto isakmp policy 10
>  encr aes
>  group 2
> crypto isakmp identity dn
> !
> crypto ipsec transform-set TSET esp-aes esp-sha-hmac
> !
> crypto map MAP 10 ipsec-isakmp
>  set peer 10.1.1.1
>  set transform-set TSET
>  match address ACS
>
> interface Loopback3
>  ip address 3.3.3.3 255.255.255.0
> !
> interface FastEthernet0/0
>  no ip address
>  shutdown
>  duplex auto
>  speed auto
> !
> interface FastEthernet0/1
>  ip address 20.1.1.1 255.255.255.0
>  duplex auto
>  speed auto
>  crypto map MAP
> !
> router eigrp 1
>  network 20.0.0.0
>  no auto-summary
> !
> ip forward-protocol nd
> ip route 3.3.3.0 255.255.255.0 20.1.1.2
> !
> ip http server
> no ip http secure-server
> !
> ip access-list extended ACS
>  permit ip host 3.3.3.3 host 1.1.1.1
>
> ntp authentication-key 1 md5 00071A150754 7
> ntp authenticate
> ntp trusted-key 1
> ntp clock-period 17179821
> ntp server 2.2.2.2
> !
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
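The R3 debug quoted in this thread can be triaged mechanically rather than read line by line. The Python script below is an added example, not part of the thread and not Cisco tooling: the sample lines are a constructed, trimmed copy of the R3 debug above, and the failure markers, the DN normalisation and the verdict wording are this example's own. It collects the main-mode state transitions, the issuer DN the peer asks for in its CERT_REQ, and the certificate-side errors (untrusted issuer, no router cert, CERTIFICATE_UNAVAILABLE), then compares the requested issuer against the `issuer-name` of the CA the router is meant to use (taken here from the `crypto pki server R2` config). That comparison separates "the peer trusts a different CA" from "the right CA, but this trustpoint was never authenticated and enrolled", which is the case the thread ends up in; `crypto pki authenticate` and `crypto pki enroll` are the current IOS spelling of the `crypto ca` commands suggested above.

```python
"""Triage Cisco IOS 'debug crypto isakmp' output for IKEv1 main-mode
certificate failures. Added example: the sample is constructed from the R3
debug in the thread; markers, DN handling and verdicts are this script's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed copy of the R3 debug lines quoted in the thread.
SAMPLE_DEBUG = """\
Oct 10 10:20:27.323: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Oct 10 10:20:27.699: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Oct 10 10:20:27.715: ISAKMP: auth RSA sig
Oct 10 10:20:27.747: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Oct 10 10:20:28.243: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Oct 10 10:20:28.343: ISAKMP:(1005): peer wants cert issued by cn=R2 CA Server,l=London,st=MI
Oct 10 10:20:28.343: ISAKMP:(1005): issuer name is not a trusted root.
Oct 10 10:20:28.415: ISAKMP:(1005):Unable to get router cert or routerdoes not have a cert: needed to find DN!
Oct 10 10:20:28.423: ISAKMP:(1005): no valid cert found to return
Oct 10 10:20:28.427: ISAKMP:(1005):Sending NOTIFY CERTIFICATE_UNAVAILABLE protocol 1
Oct 10 10:20:28.435: ISAKMP:(1005):Old State = IKE_I_MM4 New State = IKE_I_MM5
Oct 10 10:21:42.319: ISAKMP:(1005):deleting SA reason "QM_TIMER expired" state (I) MM_KEY_EXCH (peer 10.1.1.1)
"""

STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
ISSUER_RE = re.compile(r"peer wants cert issued by (.+?)\s*$")
REASON_RE = re.compile(r'deleting SA reason "([^"]+)".*?\(peer ([\d.]+)\)')

# Debug substrings that mark a certificate-side failure, with what each means
# for the local router (the one producing the debug).
CERT_FAILURES = [
    ("issuer name is not a trusted root",
     "the CA the peer asks for is not an authenticated trustpoint here"),
    ("Unable to get router cert",
     "no router certificate is enrolled under the trustpoint"),
    ("no valid cert found to return",
     "nothing to send in the MM5 CERT payload"),
    ("CERTIFICATE_UNAVAILABLE",
     "router notified the peer that it has no certificate"),
]


@dataclass
class IkeTriage:
    states: List[str] = field(default_factory=list)   # New State values, in order
    requested_issuer: Optional[str] = None            # DN from the peer's CERT_REQ
    failures: List[str] = field(default_factory=list)
    deleted_reason: Optional[str] = None
    peer: Optional[str] = None


def normalize_dn(dn: str) -> str:
    """Canonicalise an X.500 DN so the debug form 'cn=R2 CA Server,l=London,st=MI'
    and the IOS config form 'CN = R2 CA Server,L = London,ST = MI' compare equal:
    attribute types lower-cased, whitespace around '=' and ',' dropped."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(rdns)


def triage(debug_text: str) -> IkeTriage:
    """Walk the debug line by line and collect the facts the verdict needs."""
    t = IkeTriage()
    for line in debug_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            t.states.append(m.group(2))
        m = ISSUER_RE.search(line)
        if m:
            t.requested_issuer = normalize_dn(m.group(1))
        for marker, meaning in CERT_FAILURES:
            if marker in line and meaning not in t.failures:
                t.failures.append(meaning)
        m = REASON_RE.search(line)
        if m:
            t.deleted_reason, t.peer = m.group(1), m.group(2)
    return t


def diagnose(t: IkeTriage, local_ca_issuer: Optional[str] = None) -> str:
    """One-line verdict. local_ca_issuer is the issuer-name of the CA this router
    is supposed to enroll with (from the trustpoint or pki server config); it
    separates 'wrong CA' from 'enrollment never completed'."""
    last = t.states[-1] if t.states else "unknown"
    if not t.failures:
        return f"no certificate failure observed (last state {last})"
    parts = [f"phase 1 with {t.peer or 'peer'} stalled at {last}: " + "; ".join(t.failures)]
    if t.requested_issuer:
        if local_ca_issuer and normalize_dn(local_ca_issuer) == t.requested_issuer:
            parts.append(f"peer wants {t.requested_issuer}, which is the intended CA, "
                         "so run crypto pki authenticate and crypto pki enroll against it")
        else:
            parts.append(f"peer wants {t.requested_issuer}, which is not the configured CA")
    if t.deleted_reason:
        parts.append(f"SA deleted ({t.deleted_reason})")
    return ". ".join(parts)


if __name__ == "__main__":
    result = triage(SAMPLE_DEBUG)
    print(diagnose(result, local_ca_issuer="CN = R2 CA Server,L = London,ST = MI"))
```

Feed it a saved `debug crypto isakmp` capture and the `issuer-name` from the CA's configuration; on the thread's debug it reports the phase 1 SA stuck at IKE_I_MM5 with all four certificate markers present and the requested issuer matching the intended CA, so the fix is on the enrollment side rather than a mismatch of CAs.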
