Shouldn't it try to use its available trustpoints? The problem is that it does not see it.

Another thing: if we have the CA as a tunnel endpoint, what is the right procedure? What I normally do is to create a different trustpoint and request a certificate for itself.

Mike.

From: [email protected]
To: [email protected]
Date: Sat, 23 Jun 2012 20:48:37 +0200
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3





Where's the CA? Is it on the same router?
To force the router to use a particular certificate you must assign an ISAKMP profile to the crypto map.
 
Regards,
Piotr
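Piotr's recommendation in configuration form. This is an added example, not configuration from the thread: it reuses the names from Ben's R5 config (profile isakmpprof1, trustpoint myCA, crypto map cryptomap1, peer 192.168.9.10) and adds only the `set isakmp-profile` line that binds the profile to the crypto map entry. When R5 initiates, the profile named on the crypto map entry is the one whose `ca trust-point` is consulted; without that binding the debug reports `SA request profile is (NULL)`. The show-command expectations in the comments describe what IOS normally displays and are stated as assumptions, not output captured from this lab.

```cisco
! Added example (not from the thread): bind the ISAKMP profile to the
! crypto map entry on R5 so the profile's trustpoint is used when R5
! is the initiator, not only when it responds and matches the peer's cert.
crypto isakmp profile isakmpprof1
 self-identity fqdn
 ca trust-point myCA
 match certificate certmap1
!
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.168.9.10
 set isakmp-profile isakmpprof1
 set transform-set aes-sha
 match address crypto1
!
! Verification after the change (assumed display, IOS show commands):
!   show crypto map              - entry 10 should now list isakmpprof1
!   show crypto isakmp profile   - trustpoint myCA should appear under the profile
!   debug crypto isakmp          - the profile name should replace "(NULL)"
!                                  in the "SA request profile is" line
```

Keep `set peer` and the profile's `ca trust-point` pointing at the same trustpoint on both ends; the ASA side already pins myCA with `set trustpoint` on the crypto map and `trust-point` under the tunnel-group, so this is the IOS-side equivalent.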
 


 

From: Ben Shaw
Sent: Saturday, June 23, 2012 4:23 PM
To: Piotr Matusiak
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Hi Piotr,

Thanks for the assistance. Yes, that is what it seems to me also. It says it can't find a PSK or RSA cert, but the R5 router is already enrolled with a CA as shown below; it doesn't seem to be using it, though.

R5#show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x6
  Certificate Usage: General Purpose
  Issuer:
    cn=myCA.cisco.com
  Subject:
    Name: R5.cisco.com
    IP Address: 10.5.5.5
    ipaddress=10.5.5.5+hostname=R5.cisco.com
    cn=R5
  Validity Date:
    start date: 17:22:04 UTC Jun 20 2012
    end   date: 06:46:42 UTC Jun 20 2013
  Associated Trustpoints: myCA
  Storage: nvram:myCAciscocom#6.cer

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=myCA.cisco.com
  Subject:
    cn=myCA.cisco.com
  Validity Date:
    start date: 06:46:42 UTC Jun 20 2012
    end   date: 06:46:42 UTC Jun 20 2013
  Associated Trustpoints: myCA
  Storage: nvram:myCAciscocom#1CA.cer

I was looking at trying to specify the CA name in the configuration via an ISAKMP profile, but I believe that setting a trustpoint in an ISAKMP profile is only applied based on the match statements in the profile for IPsec connections inbound to the router, not inbound and outbound.

Is there a way to specify what CA to use for outbound L2L IPsec tunnels that you are aware of? This may enable me to force the router to use the ID cert it has under the "myCA" trustpoint.

Thanks
Ben



On Sat, Jun 23, 2012 at 9:37 PM, Piotr Matusiak <[email protected]> wrote:


  
  
  
  Hi Ben,
   
  It seems R5 doesn't use its identity certificate. Where's the CA? Did you 
  enroll a certificate for it? If the CA is on R5 you must create a trustpoint and 
  enroll a certificate from it (even though the CA is local).
   
  Regards,
  Piotr
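The self-enrollment procedure Piotr describes here (and that Mike says he follows when the CA is itself a tunnel endpoint), as an added example that is not configuration from the thread. It assumes the IOS CA is the router reachable at 10.1.1.1, which is the enrollment URL both devices in the thread use; the CA server name myCA comes from the thread, while the router hostname CA-R, the trustpoint name myCA-id, the key pair name and the lifetimes are assumptions. The point it shows: the IOS CA server creates a trustpoint of its own name holding only the CA certificate, so a second trustpoint that enrolls against the router's own HTTP enrollment interface is what gives the router an identity certificate usable for IKE.

```cisco
! Added example (not from the thread): a router that is both the CA and
! an IPsec endpoint. Addresses/names other than myCA and 10.1.1.1 are assumed.
hostname CA-R
!
ip http server
!
crypto pki server myCA
 database level minimum
 database url nvram:
 issuer-name cn=myCA.cisco.com
 grant auto
 lifetime ca-certificate 365
 lifetime certificate 365
 no shutdown
! "no shutdown" creates trustpoint myCA holding only the CA certificate;
! it cannot supply an identity certificate for IKE.
!
! Separate trustpoint that enrolls against this same router over HTTP.
crypto pki trustpoint myCA-id
 enrollment url http://10.1.1.1:80
 fqdn CA-R.cisco.com
 subject-name cn=CA-R
 revocation-check none
 rsakeypair myCA-id-KEYS
!
! Exec-mode steps (run once, in this order):
!   crypto pki authenticate myCA-id
!   crypto pki enroll myCA-id
!
! IKE then uses the identity trustpoint, not the CA's own trustpoint.
crypto isakmp profile isakmpprof-ca
 self-identity fqdn
 ca trust-point myCA-id
 match certificate certmap1
```

After enrolling, `show crypto pki certificates myCA-id` should list both a Certificate (the router's identity) and a CA Certificate, mirroring the two entries Ben's `show crypto ca certificates` output shows for R5.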
  
  
   
  
From: Ben Shaw
Sent: Saturday, June 23, 2012 11:27 AM
To: [email protected]
Subject: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 1 Q2.3

Hi All,

I am doing Lab 1 from Yusuf's book but cannot get the VPN to negotiate in question 2.3 with certificates. I originally got it to work fine with PSK, but after changing the configuration to RSA I get a failure which to me seems to be an issue on the router side, as I get the following debugs when I initiate the VPN from the router (R5):


R5#ping 10.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5

Jun 23 09:13:20.092: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
    local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Jun 23 09:13:20.116: ISAKMP:(0): SA request profile is (NULL)
Jun 23 09:13:20.116: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
Jun 23 09:13:20.120: ISAKMP: New peer created peer = 0x673AFE78 peer_handle = 0x80000012
Jun 23 09:13:20.124: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for isakmp_initiator
Jun 23 09:13:20.124: ISAKMP: local port 500, remote port 500
Jun 23 09:13:20.128: ISAKMP: set new node 0 to QM_IDLE
Jun 23 09:13:20.132: insert sa successfully sa = 67EEFFC8
Jun 23 09:13:20.132: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 23 09:13:20.136: ISAKMP:(0):No pre-shared key with 192.168.9.10!
Jun 23 09:13:20.140: ISAKMP:(0): No Cert or pre-shared address key.
Jun 23 09:13:20.144: ISAKMP:(0): construct_initial_message: Can not start Main mode
Jun 23 09:13:20.144: ISAKMP: Unlocking peer struct 0x673AFE78 for isadb_unlock_peer_delete_sa(), count 0
Jun 23 09:13:20.148: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10: 673AFE78
Jun 23 09:13:20.152: ISAKMP:(0):purging SA., sa=67EEFFC8, delme=67EEFFC8
Jun 23 09:13:20.156: ISAKMP:(0):purging node -1032077271
Jun 23 09:13:20.156: ISAKMP: Error while processing SA request: Failed to initialize SA
Jun 23 09:13:20.160: ISAKMP: Error while processing KMI message 0, error 2.
Jun 23 09:13:20.168: IPSEC(key_engine): got a queue event with 1 KMI message(s)....
Success rate is 0 percent (0/5)
R5#


When I try to initiate the VPN from the ASA side I get the following debugs on the router:


R5#
Jun 23 09:14:07.167: ISAKMP (0:0): received packet from 192.168.9.10 dport 500 sport 500 Global (N) NEW SA
Jun 23 09:14:07.171: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
Jun 23 09:14:07.175: ISAKMP: New peer created peer = 0x673AFE78 peer_handle = 0x80000014
Jun 23 09:14:07.179: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for crypto_isakmp_process_block
Jun 23 09:14:07.179: ISAKMP: local port 500, remote port 500
Jun 23 09:14:07.183: insert sa successfully sa = 67EEFFC8
Jun 23 09:14:07.187: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 23 09:14:07.191: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
Jun 23 09:14:07.211: ISAKMP:(0): processing SA payload. message ID = 0
Jun 23 09:14:07.215: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.219: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jun 23 09:14:07.219: ISAKMP:(0): vendor ID is NAT-T v2
Jun 23 09:14:07.223: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.227: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jun 23 09:14:07.227: ISAKMP:(0): vendor ID is NAT-T v3
Jun 23 09:14:07.231: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.235: ISAKMP:(0): processing IKE frag vendor id payload
Jun 23 09:14:07.235: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 23 09:14:07.239: ISAKMP : Scanning profiles for xauth ... isakmpprof1
Jun 23 09:14:07.243: ISAKMP:(0):Checking ISAKMP transform 1 against priority 11 policy
Jun 23 09:14:07.243: ISAKMP:      default group 5
Jun 23 09:14:07.247: ISAKMP:      encryption AES-CBC
Jun 23 09:14:07.247: ISAKMP:      keylength of 128
Jun 23 09:14:07.247: ISAKMP:      hash SHA
Jun 23 09:14:07.251: ISAKMP:      auth RSA sig
Jun 23 09:14:07.251: ISAKMP:      life type in seconds
Jun 23 09:14:07.255: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jun 23 09:14:07.259: ISAKMP:(0):RSA signature authentication offered but does not match policy!
Jun 23 09:14:07.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 23 09:14:07.263: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jun 23 09:14:07.267: ISAKMP:      default group 5
Jun 23 09:14:07.267: ISAKMP:      encryption AES-CBC
Jun 23 09:14:07.271: ISAKMP:      keylength of 128
Jun 23 09:14:07.271: ISAKMP:      hash SHA
Jun 23 09:14:07.275: ISAKMP:      auth RSA sig
Jun 23 09:14:07.275: ISAKMP:      life type in seconds
Jun 23 09:14:07.275: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jun 23 09:14:07.279: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 23 09:14:07.279: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 23 09:14:07.279: ISAKMP:(0):no offers accepted!
Jun 23 09:14:07.279: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.168.55.5 remote 192.168.9.10)
Jun 23 09:14:07.279: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jun 23 09:14:07.279: ISAKMP:(0): sending packet to 192.168.9.10 my_port 500 peer_port 500 (R) MM_NO_STATE
Jun 23 09:14:07.279: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 23 09:14:07.283: ISAKMP:(0):peer does not do paranoid keepalives.
Jun 23 09:14:07.287: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
Jun 23 09:14:07.291: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.291: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jun 23 09:14:07.295: ISAKMP:(0): vendor ID is NAT-T v2
Jun 23 09:14:07.299: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jun 23 09:14:07.303: ISAKMP:(0): vendor ID is NAT-T v3
Jun 23 09:14:07.303: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.307: ISAKMP:(0): processing IKE frag vendor id payload
Jun 23 09:14:07.311: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 23 09:14:07.311: ISAKMP (0:0): FSM action returned error: 2
Jun 23 09:14:07.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 23 09:14:07.319: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
Jun 23 09:14:07.343: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
Jun 23 09:14:07.343: ISAKMP: Unlocking peer struct 0x673AFE78 for isadb_mark_sa_deleted(), count 0
Jun 23 09:14:07.343: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10: 673AFE78
Jun 23 09:14:07.343: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 23 09:14:07.347: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
Jun 23 09:14:07.351: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 23 09:14:07.359: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 192.168.9.10)
Jun 23 09:14:07.359: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jun 23 09:14:07.359: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
Jun 23 09:14:15.092: ISAKMP (0:0): received packet from 192.168.9.10 dport 500 sport 500 Global (R) MM_NO_STATE
R5#
R5#


Now it is obviously a Phase 1 issue, as the router complains about policies not matching and also that there is no PSK or cert defined. I am not using ISAKMP profiles yet, though I know this needs to be added for the certificate map requirement in the question; I just want to get this part working first. Below is the relevant configuration from each device. Any idea why the router doesn't seem to be using the locally configured CA and ID certificate in Phase 1 when negotiating? The ISAKMP policies match.


------------------
ASA2 Config
------------------

ASA Version 8.0(4)23
!
hostname ASA2
domain-name cisco.com
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.10 255.255.255.0
 authentication key eigrp 10 <removed> key-id 1
 authentication mode eigrp 10 md5
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 192.168.9.10 255.255.255.0
 ospf authentication-key password
 ospf authentication message-digest
!
access-list crypto1 extended permit ip host 10.8.8.8 host 10.5.5.5
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cryptomap1 10 match address crypto1
crypto map cryptomap1 10 set peer 192.168.55.5
crypto map cryptomap1 10 set transform-set aes-sha
crypto map cryptomap1 10 set trustpoint myCA
crypto map cryptomap1 interface outside
!
crypto ca trustpoint myCA
 enrollment url http://10.1.1.1:80
 fqdn ASA2.cisco.com
 subject-name cn=ASA2
 ip-address 192.168.9.10
 keypair myCA-KEYS
 crl configure
!
crypto ca certificate chain myCA
 certificate ca 01
    3082020b 30820174 a0030201 02020101 300d0609 2a864886 f70d0101 05050030
  quit
 certificate 05
    30820245 308201ae a0030201 02020105 300d0609 2a864886 f70d0101 05050030
  quit
crypto isakmp enable outside
crypto isakmp policy 5
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 192.168.55.5 type ipsec-l2l
tunnel-group 192.168.55.5 ipsec-attributes
 trust-point myCA



------------------
R5 Config
------------------

hostname R5
!
crypto pki trustpoint myCA
 enrollment url http://10.1.1.1:80
 fqdn R5.cisco.com
 ip-address 10.5.5.5
 subject-name cn=R5
 revocation-check none
 rsakeypair myCA-KEYS
!
crypto pki certificate map certmap1 10
 issuer-name co myca
 subject-name co asa2
!
crypto pki certificate chain myCA
 certificate 06
  3082021F 30820188 A0030201 02020106 300D0609 2A864886 F70D0101 05050030
        quit
 certificate ca 01
  3082020B 30820174 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
        quit
!
crypto isakmp policy 11
 encr aes
 group 5
crypto isakmp identity dn
crypto isakmp profile isakmpprof1
   self-identity fqdn
   ca trust-point myCA
   match certificate certmap1
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map cryptomap1 local-address Loopback6
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.168.9.10
 set transform-set aes-sha
 match address crypto1
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
!
interface Loopback6
 ip address 192.168.55.5 255.255.255.0
!
interface Serial0/0
 ip address 192.168.35.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security REMOTE
 encapsulation ppp
 ip ospf network point-to-point
 no fair-queue
 clock rate 2000000
 crypto map cryptomap1
!
interface Serial0/1
 ip address 192.168.65.5 255.255.255.0
 zone-member security CENTRAL
 encapsulation frame-relay
 ip ospf network point-to-point
 clock rate 2000000
 frame-relay map ip 192.168.65.6 65 broadcast
 frame-relay intf-type dce
 crypto map cryptomap1
!
ip access-list extended crypto1
 permit ip host 10.5.5.5 host 10.8.8.8


  
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

 
