Hi Ben,
It seems R5 doesn’t use it’s Identity Certificate. Wher’s CA? Did you enroll a
certificate for it? If CA is on R5 you must create a trustpoint and enroll a
certificate from it (even tho the CA is local).
Regards,
Piotr
From: Ben Shaw
Sent: Saturday, June 23, 2012 11:27 AM
To: [email protected]
Subject: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1
Q2.3
Hi All
I am doing Lab 1 from Yusuf's book but cannot get the VPN to negotiate in
question 2.3 with certificates. I originally got it to work fine with PSK but
after changing the configuration to RSA I get a failure which to me seems to be
an issue on the router side as I get the following debugs when I initiate the
VPN from the router (R5)
R5#ping 10.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5
Jun 23 09:13:20.092: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Jun 23 09:13:20.116: ISAKMP:(0): SA request profile is (NULL)
Jun 23 09:13:20.116: ISAKMP: Created a peer struct for 192.168.9.10, peer port
500
Jun 23 09:13:20.120: ISAKMP: New peer created peer = 0x673AFE78 peer_handle =
0x80000012
Jun 23 09:13:20.124: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for
isakmp_initiator
Jun 23 09:13:20.124: ISAKMP: local port 500, remote port 500
Jun 23 09:13:20.128: ISAKMP: set new node 0 to QM_IDLE
Jun 23 09:13:20.132: insert sa successfully sa = 67EEFFC8
Jun 23 09:13:20.132: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 23 09:13:20.136: ISAKMP:(0):No pre-shared key with 192.168.9.10!
Jun 23 09:13:20.140: ISAKMP:(0): No Cert or pre-shared address key.
Jun 23 09:13:20.144: ISAKMP:(0): construct_initial_message: Can not start Main
mode
Jun 23 09:13:20.144: ISAKMP: Unlocking peer struct 0x673AFE78 for
isadb_unlock_peer_delete_sa(), count 0
Jun 23 09:13:20.148: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10:
673AFE78
Jun 23 09:13:20.152: ISAKMP:(0):purging SA., sa=67EEFFC8, delme=67EEFFC8
Jun 23 09:13:20.156: ISAKMP:(0):p.urging node -1032077271
Jun 23 09:13:20.156: ISAKMP: Error while processing SA request: Failed to
initialize SA
Jun 23 09:13:20.160: ISAKMP: Error while processing KMI message 0, error 2.
Jun 23 09:13:20.168: IPSEC(key_engine): got a queue event with 1 KMI
message(s)....
Success rate is 0 percent (0/5)
R5#
When I try to intiate the VPN from the ASA side I get the following debugs on
the router
R5#
Jun 23 09:14:07.167: ISAKMP (0:0): received packet from 192.168.9.10 dport 500
sport 500 Global (N) NEW SA
Jun 23 09:14:07.171: ISAKMP: Created a peer struct for 192.168.9.10, peer port
500
Jun 23 09:14:07.175: ISAKMP: New peer created peer = 0x673AFE78 peer_handle =
0x80000014
Jun 23 09:14:07.179: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for
crypto_isakmp_process_block
Jun 23 09:14:07.179: ISAKMP: local port 500, remote port 500
Jun 23 09:14:07.183: insert sa successfully sa = 67EEFFC8
Jun 23 09:14:07.187: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 23 09:14:07.191: ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
Jun 23 09:14:07.211: ISAKMP:(0): processing SA payload. message ID = 0
Jun 23 09:14:07.215: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.219: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
mismatch
Jun 23 09:14:07.219: ISAKMP:(0): vendor ID is NAT-T v2
Jun 23 09:14:07.223: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.227: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
mismatch
Jun 23 09:14:07.227: ISAKMP:(0): vendor ID is NAT-T v3
Jun 23 09:14:07.231: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.235: ISAKMP:(0): processing IKE frag vendor id payload
Jun 23 09:14:07.235: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 23 09:14:07.239: ISAKMP : Scanning profiles for xauth ... isakmpprof1
Jun 23 09:14:07.243: ISAKMP:(0):Checking ISAKMP transform 1 against priority 11
policy
Jun 23 09:14:07.243: ISAKMP: default group 5
Jun 23 09:14:07.247: ISAKMP: encryption AES-CBC
Jun 23 09:14:07.247: ISAKMP: keylength of 128
Jun 23 09:14:07.247: ISAKMP: hash SHA
Jun 23 09:14:07.251: ISAKMP: auth RSA sig
Jun 23 09:14:07.251: ISAKMP: life type in seconds
Jun 23 09:14:07.255: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jun 23 09:14:07.259: ISAKMP:(0):RSA signature authentication offered but does
not match policy!
Jun 23 09:14:07.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 23 09:14:07.263: ISAKMP:(0):Checking ISAKMP transform 1 against priority
65535 policy
Jun 23 09:14:07.267: ISAKMP: default group 5
Jun 23 09:14:07.267: ISAKMP: encryption AES-CBC
Jun 23 09:14:07.271: ISAKMP: keylength of 128
Jun 23 09:14:07.271: ISAKMP: hash SHA
Jun 23 09:14:07.275: ISAKMP: auth RSA sig
Jun 23 09:14:07.275: ISAKMP: life type in seconds
Jun 23 09:14:07.275: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Jun 23 09:14:07.279: ISAKMP:(0):Encryption algorithm offered does not match
policy!
Jun 23 09:14:07.279: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 23 09:14:07.279: ISAKMP:(0):no offers accepted!
Jun 23 09:14:07.279: ISAKMP:(0): phase 1 SA policy not acceptable! (local
192.168.55.5 remote 192.168.9.10)
Jun 23 09:14:07.279: ISAKMP (0:0): incrementing error counter on sa, attempt 1
of 5: construct_fail_ag_init
Jun 23 09:14:07.279: ISAKMP:(0): sending packet to 192.168.9.10 my_port 500
peer_port 500 (R) MM_NO_STATE
Jun 23 09:14:07.279: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 23 09:14:07.283: ISAKMP:(0):peer does not do paranoid keepalives.
Jun 23 09:14:07.287: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal
not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
Jun 23 09:14:07.291: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.291: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
mismatch
Jun 23 09:14:07.295: ISAKMP:(0): vendor ID is NAT-T v2
Jun 23 09:14:07.299: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
mismatch
Jun 23 09:14:07.303: ISAKMP:(0): vendor ID is NAT-T v3
Jun 23 09:14:07.303: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.307: ISAKMP:(0): processing IKE frag vendor id payload
Jun 23 09:14:07.311: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 23 09:14:07.311: ISAKMP (0:0): FSM action returned error: 2
Jun 23 09:14:07.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 23 09:14:07.319: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
Jun 23 09:14:07.343: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal
not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
Jun 23 09:14:07.343: ISAKMP: Unlocking peer struct 0x673AFE78 for
isadb_mark_sa_deleted(), count 0
Jun 23 09:14:07.343: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10:
673AFE78
Jun 23 09:14:07.343: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 23 09:14:07.347: ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_DEST_SA
Jun 23 09:14:07.351: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 23 09:14:07.359: ISAKMP:(0):deleting SA reason "No reason" state (R)
MM_NO_STATE (peer 192.168.9.10)
Jun 23 09:14:07.359: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jun 23 09:14:07.359: ISAKMP:(0):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jun 23 09:14:15.092: ISAKMP (0:0): received packet from 192.168.9.10 dport 500
sport 500 Global (R) MM_NO_STATE
R5#
R5#
Now it is obviously a Phase 1 issue as the router complains about policies not
matching and also that there is no PSK or Cert defined. I am not using ISAKMP
profiles yet though I know this needs to be added for the certificate map
requirement in the question, I just want to ge this part working first. Below
is the relevant configuration from each device. Any idea why the router doesn't
seem to be using the locally configured CA and ID Certificate in Phase 1 when
negotiating? The ISAKMP policies match.
------------------
ASA2 Config
------------------
ASA Version 8.0(4)23
!
hostname ASA2
domain-name cisco.com
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.10.10 255.255.255.0
authentication key eigrp 10 <removed> key-id 1
authentication mode eigrp 10 md5
!
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
nameif outside
security-level 0
ip address 192.168.9.10 255.255.255.0
ospf authentication-key password
ospf authentication message-digest
!
access-list crypto1 extended permit ip host 10.8.8.8 host 10.5.5.5
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cryptomap1 10 match address crypto1
crypto map cryptomap1 10 set peer 192.168.55.5
crypto map cryptomap1 10 set transform-set aes-sha
crypto map cryptomap1 10 set trustpoint myCA
crypto map cryptomap1 interface outside
!
crypto ca trustpoint myCA
enrollment url http://10.1.1.1:80
fqdn ASA2.cisco.com
subject-name cn=ASA2
ip-address 192.168.9.10
keypair myCA-KEYS
crl configure
!
crypto ca certificate chain myCA
certificate ca 01
3082020b 30820174 a0030201 02020101 300d0609 2a864886 f70d0101 05050030
quit
certificate 05
30820245 308201ae a0030201 02020105 300d0609 2a864886 f70d0101 05050030
quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication rsa-sig
encryption aes
hash sha
group 5
lifetime 86400
!
tunnel-group 192.168.55.5 type ipsec-l2l
tunnel-group 192.168.55.5 ipsec-attributes
trust-point myCA
------------------
R5 Config
------------------
hostname R5
!
crypto pki trustpoint myCA
enrollment url http://10.1.1.1:80
fqdn R5.cisco.com
ip-address 10.5.5.5
subject-name cn=R5
revocation-check none
rsakeypair myCA-KEYS
!
crypto pki certificate map certmap1 10
issuer-name co myca
subject-name co asa2
!
crypto pki certificate chain myCA
certificate 06
3082021F 30820188 A0030201 02020106 300D0609 2A864886 F70D0101 05050030
quit
certificate ca 01
3082020B 30820174 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
quit
!
crypto isakmp policy 11
encr aes
group 5
crypto isakmp identity dn
crypto isakmp profile isakmpprof1
self-identity fqdn
ca trust-point myCA
match certificate certmap1
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map cryptomap1 local-address Loopback6
crypto map cryptomap1 10 ipsec-isakmp
set peer 192.168.9.10
set transform-set aes-sha
match address crypto1
!
interface Loopback0
ip address 10.5.5.5 255.255.255.0
!
interface Loopback6
ip address 192.168.55.5 255.255.255.0
!
interface Serial0/0
ip address 192.168.35.5 255.255.255.0
ip nat outside
ip virtual-reassembly
zone-member security REMOTE
encapsulation ppp
ip ospf network point-to-point
no fair-queue
clock rate 2000000
crypto map cryptomap1
!
interface Serial0/1
ip address 192.168.65.5 255.255.255.0
zone-member security CENTRAL
encapsulation frame-relay
ip ospf network point-to-point
clock rate 2000000
frame-relay map ip 192.168.65.6 65 broadcast
frame-relay intf-type dce
crypto map cryptomap1
!
ip access-list extended crypto1
permit ip host 10.5.5.5 host 10.8.8.8
--------------------------------------------------------------------------------
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
