Hi Piotr,
Thanks for the assistance. Yes, that is what it seems to me also. It says
it can't find a PSK or RSA cert, but the R5 router is already enrolled with a CA, as
shown below; it doesn't seem to be using it, though.
R5#show crypto ca certificates
Certificate
Status: Available
Certificate Serial Number: 0x6
Certificate Usage: General Purpose
Issuer:
cn=myCA.cisco.com
Subject:
Name: R5.cisco.com
IP Address: 10.5.5.5
ipaddress=10.5.5.5+hostname=R5.cisco.com
cn=R5
Validity Date:
start date: 17:22:04 UTC Jun 20 2012
end date: 06:46:42 UTC Jun 20 2013
Associated Trustpoints: myCA
Storage: nvram:myCAciscocom#6.cer
CA Certificate
Status: Available
Certificate Serial Number: 0x1
Certificate Usage: Signature
Issuer:
cn=myCA.cisco.com
Subject:
cn=myCA.cisco.com
Validity Date:
start date: 06:46:42 UTC Jun 20 2012
end date: 06:46:42 UTC Jun 20 2013
Associated Trustpoints: myCA
Storage: nvram:myCAciscocom#1CA.cer
I was looking at trying to specify the CA name in the configuration via an
ISAKMP profile, but I believe that setting a trustpoint in an ISAKMP profile
is only applied based on the match statements in the profile for IPsec
connections inbound to the router, not inbound and outbound.
Is there a way to specify which CA to use for outbound L2L IPsec tunnels
that you are aware of? This may enable me to force the router to use the ID
cert it has under the "myCA" trustpoint.
Thanks
Ben
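As an added example (not code from the thread, Cisco, or the lab book), here is a small Python parser for the IOS `debug crypto isakmp` output quoted below. It pulls out the initiator-side errors ("No pre-shared key", "No Cert") and, for the responder side, which local policy priority rejected the peer's proposal, which offered attribute caused the rejection, and the offered attributes themselves (decoding the VPI lifetime bytes to seconds). The sample lines are copied from the debugs in the thread with the quoting stripped.

```python
import re
from dataclasses import dataclass, field

# Patterns for the IOS 'debug crypto isakmp' lines quoted in this thread.
_INIT_FAIL = re.compile(r"ISAKMP:\(\d+\):\s*(No pre-shared key with \S+!|No Cert or pre-shared address key\.)")
_POLICY = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
_ATTR = re.compile(r"ISAKMP:\s+(encryption|hash|auth|default group|life duration \(VPI\) of)\s+(.+)$")
_REJECT = re.compile(r"ISAKMP:\(\d+\):(.+?) offered (?:but )?does not match policy!")
_ATTR_NAMES = {"default group": "group", "life duration (VPI) of": "lifetime"}

def vpi_seconds(vpi):
    """Decode the variable-length lifetime bytes, e.g. '0x0 0x1 0x51 0x80' -> 86400."""
    return int.from_bytes(bytes(int(b, 16) for b in vpi.split()), "big")

@dataclass
class Phase1Report:
    initiator_errors: list = field(default_factory=list)  # why the router could not build MM1 at all
    rejects: dict = field(default_factory=dict)  # local policy priority -> (offered attrs, reason)

def parse_isakmp_debug(lines):
    """Walk the debug in order; attribute lines belong to the policy currently being checked."""
    rep, prio, attrs = Phase1Report(), None, {}
    for line in lines:
        if m := _INIT_FAIL.search(line):
            rep.initiator_errors.append(m.group(1))
        elif m := _POLICY.search(line):
            prio, attrs = int(m.group(2)), {}
        elif (m := _ATTR.search(line)) and prio is not None:
            name, value = _ATTR_NAMES.get(m.group(1), m.group(1)), m.group(2).strip()
            attrs[name] = vpi_seconds(value) if name == "lifetime" else value
        elif (m := _REJECT.search(line)) and prio is not None:
            rep.rejects[prio] = (dict(attrs), m.group(1).strip())
            prio = None
    return rep

# Constructed sample: lines from the thread's debugs, minus the '> ' quoting.
SAMPLE = [
    "Jun 23 09:13:20.136: ISAKMP:(0):No pre-shared key with 192.168.9.10!",
    "Jun 23 09:13:20.140: ISAKMP:(0): No Cert or pre-shared address key.",
    "Jun 23 09:14:07.243: ISAKMP:(0):Checking ISAKMP transform 1 against priority 11 policy",
    "Jun 23 09:14:07.243: ISAKMP:      default group 5",
    "Jun 23 09:14:07.247: ISAKMP:      encryption AES-CBC",
    "Jun 23 09:14:07.251: ISAKMP:      auth RSA sig",
    "Jun 23 09:14:07.255: ISAKMP:      life duration (VPI) of 0x0 0x1 0x51 0x80",
    "Jun 23 09:14:07.259: ISAKMP:(0):RSA signature authentication offered but does not match policy!",
    "Jun 23 09:14:07.263: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy",
    "Jun 23 09:14:07.267: ISAKMP:      encryption AES-CBC",
    "Jun 23 09:14:07.279: ISAKMP:(0):Encryption algorithm offered does not match policy!",
]
```

Running `parse_isakmp_debug(SAMPLE)` gives both initiator errors and shows policy 11 rejecting the peer's RSA-sig proposal (lifetime 86400 s) and the default policy 65535 rejecting AES, so the responder side never reached certificate exchange.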
On Sat, Jun 23, 2012 at 9:37 PM, Piotr Matusiak <[email protected]> wrote:
> Hi Ben,
>
> It seems R5 doesn't use its Identity Certificate. Where's the CA? Did you
> enroll a certificate for it? If the CA is on R5 you must create a trustpoint
> and enroll a certificate from it (even though the CA is local).
>
> Regards,
> Piotr
>
> *From:* Ben Shaw <[email protected]>
> *Sent:* Saturday, June 23, 2012 11:27 AM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] IOS to ASA IPsec with Certificates -
> YusufLab 1 Q2.3
>
> Hi All
>
> I am doing Lab 1 from Yusuf's book but cannot get the VPN to negotiate in
> question 2.3 with certificates. I originally got it to work fine with PSK,
> but after changing the configuration to RSA I get a failure which to me
> seems to be an issue on the router side, as I get the following debugs when
> I initiate the VPN from the router (R5):
>
>
> R5#ping 10.8.8.8 source loopback 0
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
> Packet sent with a source address of 10.5.5.5
>
>
> Jun 23 09:13:20.092: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
> local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
> remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
> protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
> lifedur= 3600s and 4608000kb,
> spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
> Jun 23 09:13:20.116: ISAKMP:(0): SA request profile is (NULL)
> Jun 23 09:13:20.116: ISAKMP: Created a peer struct for 192.168.9.10, peer
> port 500
> Jun 23 09:13:20.120: ISAKMP: New peer created peer = 0x673AFE78
> peer_handle = 0x80000012
> Jun 23 09:13:20.124: ISAKMP: Locking peer struct 0x673AFE78, refcount 1
> for isakmp_initiator
> Jun 23 09:13:20.124: ISAKMP: local port 500, remote port 500
> Jun 23 09:13:20.128: ISAKMP: set new node 0 to QM_IDLE
> Jun 23 09:13:20.132: insert sa successfully sa = 67EEFFC8
> Jun 23 09:13:20.132: ISAKMP:(0):Can not start Aggressive mode, trying Main
> mode.
> Jun 23 09:13:20.136: ISAKMP:(0):No pre-shared key with 192.168.9.10!
> Jun 23 09:13:20.140: ISAKMP:(0): No Cert or pre-shared address key.
> Jun 23 09:13:20.144: ISAKMP:(0): construct_initial_message: Can not start
> Main mode
> Jun 23 09:13:20.144: ISAKMP: Unlocking peer struct 0x673AFE78 for
> isadb_unlock_peer_delete_sa(), count 0
> Jun 23 09:13:20.148: ISAKMP: Deleting peer node by peer_reap for
> 192.168.9.10: 673AFE78
> Jun 23 09:13:20.152: ISAKMP:(0):purging SA., sa=67EEFFC8, delme=67EEFFC8
> Jun 23 09:13:20.156: ISAKMP:(0):p.urging node -1032077271
> Jun 23 09:13:20.156: ISAKMP: Error while processing SA request: Failed to
> initialize SA
> Jun 23 09:13:20.160: ISAKMP: Error while processing KMI message 0, error 2.
> Jun 23 09:13:20.168: IPSEC(key_engine): got a queue event with 1 KMI
> message(s)....
> Success rate is 0 percent (0/5)
> R5#
>
>
> When I try to initiate the VPN from the ASA side I get the following debugs
> on the router:
>
>
> R5#
> Jun 23 09:14:07.167: ISAKMP (0:0): received packet from 192.168.9.10 dport
> 500 sport 500 Global (N) NEW SA
> Jun 23 09:14:07.171: ISAKMP: Created a peer struct for 192.168.9.10, peer
> port 500
> Jun 23 09:14:07.175: ISAKMP: New peer created peer = 0x673AFE78
> peer_handle = 0x80000014
> Jun 23 09:14:07.179: ISAKMP: Locking peer struct 0x673AFE78, refcount 1
> for crypto_isakmp_process_block
> Jun 23 09:14:07.179: ISAKMP: local port 500, remote port 500
> Jun 23 09:14:07.183: insert sa successfully sa = 67EEFFC8
> Jun 23 09:14:07.187: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
> Jun 23 09:14:07.191: ISAKMP:(0):Old State = IKE_READY New State =
> IKE_R_MM1
> Jun 23 09:14:07.211: ISAKMP:(0): processing SA payload. message ID = 0
> Jun 23 09:14:07.215: ISAKMP:(0): processing vendor id payload
> Jun 23 09:14:07.219: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
> mismatch
> Jun 23 09:14:07.219: ISAKMP:(0): vendor ID is NAT-T v2
> Jun 23 09:14:07.223: ISAKMP:(0): processing vendor id payload
> Jun 23 09:14:07.227: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
> mismatch
> Jun 23 09:14:07.227: ISAKMP:(0): vendor ID is NAT-T v3
> Jun 23 09:14:07.231: ISAKMP:(0): processing vendor id payload
> Jun 23 09:14:07.235: ISAKMP:(0): processing IKE frag vendor id payload
> Jun 23 09:14:07.235: ISAKMP:(0):Support for IKE Fragmentation not enabled
> Jun 23 09:14:07.239: ISAKMP : Scanning profiles for xauth ... isakmpprof1
> Jun 23 09:14:07.243: ISAKMP:(0):Checking ISAKMP transform 1 against
> priority 11 policy
> Jun 23 09:14:07.243: ISAKMP: default group 5
> Jun 23 09:14:07.247: ISAKMP: encryption AES-CBC
> Jun 23 09:14:07.247: ISAKMP: keylength of 128
> Jun 23 09:14:07.247: ISAKMP: hash SHA
> Jun 23 09:14:07.251: ISAKMP: auth RSA sig
> Jun 23 09:14:07.251: ISAKMP: life type in seconds
> Jun 23 09:14:07.255: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> Jun 23 09:14:07.259: ISAKMP:(0):RSA signature authentication offered but
> does not match policy!
> Jun 23 09:14:07.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
> Jun 23 09:14:07.263: ISAKMP:(0):Checking ISAKMP transform 1 against
> priority 65535 policy
> Jun 23 09:14:07.267: ISAKMP: default group 5
> Jun 23 09:14:07.267: ISAKMP: encryption AES-CBC
> Jun 23 09:14:07.271: ISAKMP: keylength of 128
> Jun 23 09:14:07.271: ISAKMP: hash SHA
> Jun 23 09:14:07.275: ISAKMP: auth RSA sig
> Jun 23 09:14:07.275: ISAKMP: life type in seconds
> Jun 23 09:14:07.275: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
> Jun 23 09:14:07.279: ISAKMP:(0):Encryption algorithm offered does not
> match policy!
> Jun 23 09:14:07.279: ISAKMP:(0):atts are not acceptable. Next payload is 0
> Jun 23 09:14:07.279: ISAKMP:(0):no offers accepted!
> Jun 23 09:14:07.279: ISAKMP:(0): phase 1 SA policy not acceptable! (local
> 192.168.55.5 remote 192.168.9.10)
> Jun 23 09:14:07.279: ISAKMP (0:0): incrementing error counter on sa,
> attempt 1 of 5: construct_fail_ag_init
> Jun 23 09:14:07.279: ISAKMP:(0): sending packet to 192.168.9.10 my_port
> 500 peer_port 500 (R) MM_NO_STATE
> Jun 23 09:14:07.279: ISAKMP:(0):Sending an IKE IPv4 Packet.
> Jun 23 09:14:07.283: ISAKMP:(0):peer does not do paranoid keepalives.
> Jun 23 09:14:07.287: ISAKMP:(0):deleting SA reason "Phase1 SA policy
> proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
> Jun 23 09:14:07.291: ISAKMP:(0): processing vendor id payload
> Jun 23 09:14:07.291: ISAKMP:(0): vendor ID seems Unity/DPD but major 123
> mismatch
> Jun 23 09:14:07.295: ISAKMP:(0): vendor ID is NAT-T v2
> Jun 23 09:14:07.299: ISAKMP:(0): processing vendor id payload
> Jun 23 09:14:07.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 157
> mismatch
> Jun 23 09:14:07.303: ISAKMP:(0): vendor ID is NAT-T v3
> Jun 23 09:14:07.303: ISAKMP:(0): processing vendor id payload
> Jun 23 09:14:07.307: ISAKMP:(0): processing IKE frag vendor id payload
> Jun 23 09:14:07.311: ISAKMP:(0):Support for IKE Fragmentation not enabled
> Jun 23 09:14:07.311: ISAKMP (0:0): FSM action returned error: 2
> Jun 23 09:14:07.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> IKE_PROCESS_MAIN_MODE
> Jun 23 09:14:07.319: ISAKMP:(0):Old State = IKE_R_MM1 New State =
> IKE_R_MM1
> Jun 23 09:14:07.343: ISAKMP:(0):deleting SA reason "Phase1 SA policy
> proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
> Jun 23 09:14:07.343: ISAKMP: Unlocking peer struct 0x673AFE78 for
> isadb_mark_sa_deleted(), count 0
> Jun 23 09:14:07.343: ISAKMP: Deleting peer node by peer_reap for
> 192.168.9.10: 673AFE78
> Jun 23 09:14:07.343: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
> Jun 23 09:14:07.347: ISAKMP:(0):Old State = IKE_R_MM1 New State =
> IKE_DEST_SA
> Jun 23 09:14:07.351: IPSEC(key_engine): got a queue event with 1 KMI
> message(s)
> Jun 23 09:14:07.359: ISAKMP:(0):deleting SA reason "No reason" state (R)
> MM_NO_STATE (peer 192.168.9.10)
> Jun 23 09:14:07.359: ISAKMP:(0):Input = IKE_MESG_INTERNAL,
> IKE_PROCESS_ERROR
> Jun 23 09:14:07.359: ISAKMP:(0):Old State = IKE_DEST_SA New State =
> IKE_DEST_SA
> Jun 23 09:14:15.092: ISAKMP (0:0): received packet from 192.168.9.10 dport
> 500 sport 500 Global (R) MM_NO_STATE
> R5#
> R5#
>
>
> Now it is obviously a Phase 1 issue, as the router complains about policies
> not matching and also that there is no PSK or cert defined. I am not using
> ISAKMP profiles yet, though I know this needs to be added for the
> certificate map requirement in the question; I just want to get this part
> working first. Below is the relevant configuration from each device. Any
> idea why the router doesn't seem to be using the locally configured CA and
> ID certificate in Phase 1 when negotiating? The ISAKMP policies match.
>
>
> ------------------
> ASA2 Config
> ------------------
>
> ASA Version 8.0(4)23
> !
> hostname ASA2
> domain-name cisco.com
> !
> interface Ethernet0/1
> nameif inside
> security-level 100
> ip address 192.168.10.10 255.255.255.0
> authentication key eigrp 10 <removed> key-id 1
> authentication mode eigrp 10 md5
> !
> interface Redundant1
> member-interface Ethernet0/0
> member-interface Ethernet0/2
> nameif outside
> security-level 0
> ip address 192.168.9.10 255.255.255.0
> ospf authentication-key password
> ospf authentication message-digest
> !
> access-list crypto1 extended permit ip host 10.8.8.8 host 10.5.5.5
> !
> crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> crypto map cryptomap1 10 match address crypto1
> crypto map cryptomap1 10 set peer 192.168.55.5
> crypto map cryptomap1 10 set transform-set aes-sha
> crypto map cryptomap1 10 set trustpoint myCA
> crypto map cryptomap1 interface outside
> !
> crypto ca trustpoint myCA
> enrollment url http://10.1.1.1:80
> fqdn ASA2.cisco.com
> subject-name cn=ASA2
> ip-address 192.168.9.10
> keypair myCA-KEYS
> crl configure
> !
> crypto ca certificate chain myCA
> certificate ca 01
> 3082020b 30820174 a0030201 02020101 300d0609 2a864886 f70d0101 05050030
> quit
> certificate 05
> 30820245 308201ae a0030201 02020105 300d0609 2a864886 f70d0101 05050030
> quit
> crypto isakmp enable outside
> crypto isakmp policy 5
> authentication rsa-sig
> encryption aes
> hash sha
> group 5
> lifetime 86400
> !
> tunnel-group 192.168.55.5 type ipsec-l2l
> tunnel-group 192.168.55.5 ipsec-attributes
> trust-point myCA
>
>
>
> ------------------
> R5 Config
> ------------------
>
> hostname R5
> !
> crypto pki trustpoint myCA
> enrollment url http://10.1.1.1:80
> fqdn R5.cisco.com
> ip-address 10.5.5.5
> subject-name cn=R5
> revocation-check none
> rsakeypair myCA-KEYS
> !
> crypto pki certificate map certmap1 10
> issuer-name co myca
> subject-name co asa2
> !
> crypto pki certificate chain myCA
> certificate 06
> 3082021F 30820188 A0030201 02020106 300D0609 2A864886 F70D0101 05050030
> quit
> certificate ca 01
> 3082020B 30820174 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
> quit
> !
> crypto isakmp policy 11
> encr aes
> group 5
> crypto isakmp identity dn
> crypto isakmp profile isakmpprof1
> self-identity fqdn
> ca trust-point myCA
> match certificate certmap1
> !
> crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
> !
> crypto map cryptomap1 local-address Loopback6
> crypto map cryptomap1 10 ipsec-isakmp
> set peer 192.168.9.10
> set transform-set aes-sha
> match address crypto1
> !
> interface Loopback0
> ip address 10.5.5.5 255.255.255.0
> !
> interface Loopback6
> ip address 192.168.55.5 255.255.255.0
> !
> interface Serial0/0
> ip address 192.168.35.5 255.255.255.0
> ip nat outside
> ip virtual-reassembly
> zone-member security REMOTE
> encapsulation ppp
> ip ospf network point-to-point
> no fair-queue
> clock rate 2000000
> crypto map cryptomap1
> !
> interface Serial0/1
> ip address 192.168.65.5 255.255.255.0
> zone-member security CENTRAL
> encapsulation frame-relay
> ip ospf network point-to-point
> clock rate 2000000
> frame-relay map ip 192.168.65.6 65 broadcast
> frame-relay intf-type dce
> crypto map cryptomap1
> !
> ip access-list extended crypto1
> permit ip host 10.5.5.5 host 10.8.8.8
>
> ------------------------------
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
>