You’re correct, Mike. That’s why I asked if R5 is the CA or not. If so, then you 
must have two trustpoints configured, and I see only one in the command output.

Regards,
Piotr


From: Mike Rojas 
Sent: Saturday, June 23, 2012 8:58 PM
To: [email protected] ; [email protected] 
Cc: [email protected] 
Subject: RE: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - 
YusufLab 1 Q2.3

Shouldn't it try to use its available trustpoints? The problem is that it does 
not see it. 

Another thing: if we have the CA as a tunnel endpoint, what is the right 
procedure? What I normally do is to create a different trustpoint and request a 
certificate for itself... 

Mike.



--------------------------------------------------------------------------------
From: [email protected]
To: [email protected]
Date: Sat, 23 Jun 2012 20:48:37 +0200
CC: [email protected]
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - 
YusufLab 1 Q2.3


Where’s the CA? Is it on the same router?
To force the router to use a particular certificate you must assign an ISAKMP 
profile to the crypto map.

Regards,
Piotr


From: Ben Shaw 
Sent: Saturday, June 23, 2012 4:23 PM
To: Piotr Matusiak 
Cc: [email protected] 
Subject: Re: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - 
YusufLab 1 Q2.3

Hi Piotr

thanks for the assistance. Yes, that is what it seems to me also. It says it 
can't find a PSK or RSA cert, but the R5 router is already enrolled with a CA as 
shown below; it doesn't seem to be using it though. 

R5#show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 0x6
  Certificate Usage: General Purpose
  Issuer:
    cn=myCA.cisco.com
  Subject:
    Name: R5.cisco.com
    IP Address: 10.5.5.5
    ipaddress=10.5.5.5+hostname=R5.cisco.com
    cn=R5
  Validity Date:
    start date: 17:22:04 UTC Jun 20 2012
    end   date: 06:46:42 UTC Jun 20 2013
  Associated Trustpoints: myCA
  Storage: nvram:myCAciscocom#6.cer

CA Certificate
  Status: Available
  Certificate Serial Number: 0x1
  Certificate Usage: Signature
  Issuer:
    cn=myCA.cisco.com
  Subject:
    cn=myCA.cisco.com
  Validity Date:
    start date: 06:46:42 UTC Jun 20 2012
    end   date: 06:46:42 UTC Jun 20 2013
  Associated Trustpoints: myCA
  Storage: nvram:myCAciscocom#1CA.cer

I was looking at trying to specify the CA name in the configuration via an 
ISAKMP profile, but I believe that setting a trustpoint in an ISAKMP profile is 
only applied based on the match statements in the profile for IPsec 
connections inbound to the router, not both inbound and outbound.

Is there a way to specify what CA to use for outbound L2L IPsec tunnels that 
you are aware of? This may enable me to force the router to use the ID cert it 
has under the "myCA" trustpoint.

Thanks
Ben



On Sat, Jun 23, 2012 at 9:37 PM, Piotr Matusiak <[email protected]> wrote:

  Hi Ben,

  It seems R5 doesn’t use its identity certificate. Where’s the CA? Did you enroll 
a certificate for it? If the CA is on R5 you must create a trustpoint and enroll a 
certificate from it (even though the CA is local).

  Regards,
  Piotr

  From: Ben Shaw 
  Sent: Saturday, June 23, 2012 11:27 AM
  To: [email protected] 
  Subject: [OSL | CCIE_Security] IOS to ASA IPsec with Certificates - YusufLab 
1 Q2.3

  Hi All

  I am doing Lab 1 from Yusuf's book but cannot get the VPN to negotiate in 
question 2.3 with certificates. I originally got it to work fine with PSK, but 
after changing the configuration to RSA I get a failure which to me seems to be 
an issue on the router side, as I get the following debugs when I initiate the 
VPN from the router (R5):


  R5#ping 10.8.8.8 source loopback 0
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
  Packet sent with a source address of 10.5.5.5


  Jun 23 09:13:20.092: IPSEC(sa_request): ,
    (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
      local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
      remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
      protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
      lifedur= 3600s and 4608000kb,
      spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
  Jun 23 09:13:20.116: ISAKMP:(0): SA request profile is (NULL)
  Jun 23 09:13:20.116: ISAKMP: Created a peer struct for 192.168.9.10, peer 
port 500
  Jun 23 09:13:20.120: ISAKMP: New peer created peer = 0x673AFE78 peer_handle = 
0x80000012
  Jun 23 09:13:20.124: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for 
isakmp_initiator
  Jun 23 09:13:20.124: ISAKMP: local port 500, remote port 500
  Jun 23 09:13:20.128: ISAKMP: set new node 0 to QM_IDLE
  Jun 23 09:13:20.132: insert sa successfully sa = 67EEFFC8
  Jun 23 09:13:20.132: ISAKMP:(0):Can not start Aggressive mode, trying Main 
mode.
  Jun 23 09:13:20.136: ISAKMP:(0):No pre-shared key with 192.168.9.10!
  Jun 23 09:13:20.140: ISAKMP:(0): No Cert or pre-shared address key.
  Jun 23 09:13:20.144: ISAKMP:(0): construct_initial_message: Can not start 
Main mode
  Jun 23 09:13:20.144: ISAKMP: Unlocking peer struct 0x673AFE78 for 
isadb_unlock_peer_delete_sa(), count 0
  Jun 23 09:13:20.148: ISAKMP: Deleting peer node by peer_reap for 
192.168.9.10: 673AFE78
  Jun 23 09:13:20.152: ISAKMP:(0):purging SA., sa=67EEFFC8, delme=67EEFFC8
  Jun 23 09:13:20.156: ISAKMP:(0):p.urging node -1032077271
  Jun 23 09:13:20.156: ISAKMP: Error while processing SA request: Failed to 
initialize SA
  Jun 23 09:13:20.160: ISAKMP: Error while processing KMI message 0, error 2.
  Jun 23 09:13:20.168: IPSEC(key_engine): got a queue event with 1 KMI 
message(s)....
  Success rate is 0 percent (0/5)
  R5#


  When I try to initiate the VPN from the ASA side I get the following debugs on 
the router:


  R5#
  Jun 23 09:14:07.167: ISAKMP (0:0): received packet from 192.168.9.10 dport 
500 sport 500 Global (N) NEW SA
  Jun 23 09:14:07.171: ISAKMP: Created a peer struct for 192.168.9.10, peer 
port 500
  Jun 23 09:14:07.175: ISAKMP: New peer created peer = 0x673AFE78 peer_handle = 
0x80000014
  Jun 23 09:14:07.179: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for 
crypto_isakmp_process_block
  Jun 23 09:14:07.179: ISAKMP: local port 500, remote port 500
  Jun 23 09:14:07.183: insert sa successfully sa = 67EEFFC8
  Jun 23 09:14:07.187: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
  Jun 23 09:14:07.191: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
  Jun 23 09:14:07.211: ISAKMP:(0): processing SA payload. message ID = 0
  Jun 23 09:14:07.215: ISAKMP:(0): processing vendor id payload
  Jun 23 09:14:07.219: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 
mismatch
  Jun 23 09:14:07.219: ISAKMP:(0): vendor ID is NAT-T v2
  Jun 23 09:14:07.223: ISAKMP:(0): processing vendor id payload
  Jun 23 09:14:07.227: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 
mismatch
  Jun 23 09:14:07.227: ISAKMP:(0): vendor ID is NAT-T v3
  Jun 23 09:14:07.231: ISAKMP:(0): processing vendor id payload
  Jun 23 09:14:07.235: ISAKMP:(0): processing IKE frag vendor id payload
  Jun 23 09:14:07.235: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Jun 23 09:14:07.239: ISAKMP : Scanning profiles for xauth ... isakmpprof1
  Jun 23 09:14:07.243: ISAKMP:(0):Checking ISAKMP transform 1 against priority 
11 policy
  Jun 23 09:14:07.243: ISAKMP:      default group 5
  Jun 23 09:14:07.247: ISAKMP:      encryption AES-CBC
  Jun 23 09:14:07.247: ISAKMP:      keylength of 128
  Jun 23 09:14:07.247: ISAKMP:      hash SHA
  Jun 23 09:14:07.251: ISAKMP:      auth RSA sig
  Jun 23 09:14:07.251: ISAKMP:      life type in seconds
  Jun 23 09:14:07.255: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Jun 23 09:14:07.259: ISAKMP:(0):RSA signature authentication offered but does 
not match policy!
  Jun 23 09:14:07.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
  Jun 23 09:14:07.263: ISAKMP:(0):Checking ISAKMP transform 1 against priority 
65535 policy
  Jun 23 09:14:07.267: ISAKMP:      default group 5
  Jun 23 09:14:07.267: ISAKMP:      encryption AES-CBC
  Jun 23 09:14:07.271: ISAKMP:      keylength of 128
  Jun 23 09:14:07.271: ISAKMP:      hash SHA
  Jun 23 09:14:07.275: ISAKMP:      auth RSA sig
  Jun 23 09:14:07.275: ISAKMP:      life type in seconds
  Jun 23 09:14:07.275: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
  Jun 23 09:14:07.279: ISAKMP:(0):Encryption algorithm offered does not match 
policy!
  Jun 23 09:14:07.279: ISAKMP:(0):atts are not acceptable. Next payload is 0
  Jun 23 09:14:07.279: ISAKMP:(0):no offers accepted!
  Jun 23 09:14:07.279: ISAKMP:(0): phase 1 SA policy not acceptable! (local 
192.168.55.5 remote 192.168.9.10)
  Jun 23 09:14:07.279: ISAKMP (0:0): incrementing error counter on sa, attempt 
1 of 5: construct_fail_ag_init
  Jun 23 09:14:07.279: ISAKMP:(0): sending packet to 192.168.9.10 my_port 500 
peer_port 500 (R) MM_NO_STATE
  Jun 23 09:14:07.279: ISAKMP:(0):Sending an IKE IPv4 Packet.
  Jun 23 09:14:07.283: ISAKMP:(0):peer does not do paranoid keepalives.
  Jun 23 09:14:07.287: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal 
not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
  Jun 23 09:14:07.291: ISAKMP:(0): processing vendor id payload
  Jun 23 09:14:07.291: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 
mismatch
  Jun 23 09:14:07.295: ISAKMP:(0): vendor ID is NAT-T v2
  Jun 23 09:14:07.299: ISAKMP:(0): processing vendor id payload
  Jun 23 09:14:07.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 
mismatch
  Jun 23 09:14:07.303: ISAKMP:(0): vendor ID is NAT-T v3
  Jun 23 09:14:07.303: ISAKMP:(0): processing vendor id payload
  Jun 23 09:14:07.307: ISAKMP:(0): processing IKE frag vendor id payload
  Jun 23 09:14:07.311: ISAKMP:(0):Support for IKE Fragmentation not enabled
  Jun 23 09:14:07.311: ISAKMP (0:0): FSM action returned error: 2
  Jun 23 09:14:07.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL, 
IKE_PROCESS_MAIN_MODE
  Jun 23 09:14:07.319: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
  Jun 23 09:14:07.343: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal 
not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
  Jun 23 09:14:07.343: ISAKMP: Unlocking peer struct 0x673AFE78 for 
isadb_mark_sa_deleted(), count 0
  Jun 23 09:14:07.343: ISAKMP: Deleting peer node by peer_reap for 
192.168.9.10: 673AFE78
  Jun 23 09:14:07.343: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
  Jun 23 09:14:07.347: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
  Jun 23 09:14:07.351: IPSEC(key_engine): got a queue event with 1 KMI 
message(s)
  Jun 23 09:14:07.359: ISAKMP:(0):deleting SA reason "No reason" state (R) 
MM_NO_STATE (peer 192.168.9.10)
  Jun 23 09:14:07.359: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
  Jun 23 09:14:07.359: ISAKMP:(0):Old State = IKE_DEST_SA  New State = 
IKE_DEST_SA
  Jun 23 09:14:15.092: ISAKMP (0:0): received packet from 192.168.9.10 dport 
500 sport 500 Global (R) MM_NO_STATE
  R5#
  R5#


  Now it is obviously a Phase 1 issue, as the router complains about policies 
not matching and also that there is no PSK or cert defined. I am not using 
ISAKMP profiles yet, though I know this needs to be added for the certificate 
map requirement in the question; I just want to get this part working first. 
Below is the relevant configuration from each device. Any idea why the router 
doesn't seem to be using the locally configured CA and ID certificate in Phase 
1 when negotiating? The ISAKMP policies match.


  ------------------
  ASA2 Config
  ------------------

  ASA Version 8.0(4)23
  !
  hostname ASA2
  domain-name cisco.com
  !
  interface Ethernet0/1
  nameif inside
  security-level 100
  ip address 192.168.10.10 255.255.255.0
  authentication key eigrp 10 <removed> key-id 1
  authentication mode eigrp 10 md5
  !
  interface Redundant1
  member-interface Ethernet0/0
  member-interface Ethernet0/2
  nameif outside
  security-level 0
  ip address 192.168.9.10 255.255.255.0
  ospf authentication-key password
  ospf authentication message-digest
  !
  access-list crypto1 extended permit ip host 10.8.8.8 host 10.5.5.5
  !
  crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map cryptomap1 10 match address crypto1
  crypto map cryptomap1 10 set peer 192.168.55.5
  crypto map cryptomap1 10 set transform-set aes-sha
  crypto map cryptomap1 10 set trustpoint myCA
  crypto map cryptomap1 interface outside
  !
  crypto ca trustpoint myCA
  enrollment url http://10.1.1.1:80
  fqdn ASA2.cisco.com
  subject-name cn=ASA2
  ip-address 192.168.9.10
  keypair myCA-KEYS
  crl configure
  !
  crypto ca certificate chain myCA
  certificate ca 01
      3082020b 30820174 a0030201 02020101 300d0609 2a864886 f70d0101 05050030
    quit
  certificate 05
      30820245 308201ae a0030201 02020105 300d0609 2a864886 f70d0101 05050030
    quit
  crypto isakmp enable outside
  crypto isakmp policy 5
  authentication rsa-sig
  encryption aes
  hash sha
  group 5
  lifetime 86400
  !
  tunnel-group 192.168.55.5 type ipsec-l2l
  tunnel-group 192.168.55.5 ipsec-attributes
  trust-point myCA



  ------------------
  R5 Config
  ------------------

  hostname R5
  !
  crypto pki trustpoint myCA
  enrollment url http://10.1.1.1:80
  fqdn R5.cisco.com
  ip-address 10.5.5.5
  subject-name cn=R5
  revocation-check none
  rsakeypair myCA-KEYS
  !
  crypto pki certificate map certmap1 10
  issuer-name co myca
  subject-name co asa2
  !
  crypto pki certificate chain myCA
  certificate 06
    3082021F 30820188 A0030201 02020106 300D0609 2A864886 F70D0101 05050030
          quit
  certificate ca 01
    3082020B 30820174 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
          quit
  !
  crypto isakmp policy 11
  encr aes
  group 5
  crypto isakmp identity dn
  crypto isakmp profile isakmpprof1
     self-identity fqdn
     ca trust-point myCA
     match certificate certmap1
  !
  crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
  !
  crypto map cryptomap1 local-address Loopback6
  crypto map cryptomap1 10 ipsec-isakmp
  set peer 192.168.9.10
  set transform-set aes-sha
  match address crypto1
  !
  interface Loopback0
  ip address 10.5.5.5 255.255.255.0
  !
  interface Loopback6
  ip address 192.168.55.5 255.255.255.0
  !
  interface Serial0/0
  ip address 192.168.35.5 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  zone-member security REMOTE
  encapsulation ppp
  ip ospf network point-to-point
  no fair-queue
  clock rate 2000000
  crypto map cryptomap1
  !
  interface Serial0/1
  ip address 192.168.65.5 255.255.255.0
  zone-member security CENTRAL
  encapsulation frame-relay
  ip ospf network point-to-point
  clock rate 2000000
  frame-relay map ip 192.168.65.6 65 broadcast
  frame-relay intf-type dce
  crypto map cryptomap1
  !
  ip access-list extended crypto1
  permit ip host 10.5.5.5 host 10.8.8.8



------------------------------------------------------------------------------
  _______________________________________________
  For more information regarding industry leading CCIE Lab training, please 
visit www.ipexpert.com

  Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com 
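The two fixes discussed in this thread, written out as an added IOS configuration example for R5. This is not from the thread, the book, or the lab answer key. It reuses the names already in Ben's config (trustpoint myCA, profile isakmpprof1, crypto map cryptomap1, certificate map certmap1, peer 192.168.9.10). The second part applies only if R5 is itself the CA; its server name `LAB-CA` and the self-addressed enrollment URL on 10.5.5.5 are assumptions, and `crypto pki authenticate` / `crypto pki enroll` are privileged-exec commands, shown as comments.

```cisco
! ===== Part 1: bind the ISAKMP profile to the crypto map entry =====
! Piotr's point: the initiator debug shows "SA request profile is (NULL)",
! so the trustpoint named inside isakmpprof1 is never consulted when R5
! starts the tunnel. 'set isakmp-profile' on the crypto map entry makes the
! router use that profile (and its 'ca trust-point') as initiator as well.
crypto isakmp profile isakmpprof1
 self-identity fqdn
 ca trust-point myCA
 match certificate certmap1
!
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.168.9.10
 set transform-set aes-sha
 set isakmp-profile isakmpprof1
 match address crypto1
!
! Checks after the change:
!   show crypto isakmp profile          -> isakmpprof1 lists trustpoint myCA
!   show crypto map                     -> entry 10 shows "ISAKMP Profile: isakmpprof1"
!   debug crypto isakmp                 -> "SA request profile is isakmpprof1" instead of (NULL)
!
! ===== Part 2: only if R5 is the CA (Piotr's "two trustpoints" remark) =====
! The IOS CA server owns a trustpoint carrying the CA certificate (same name as
! the server). R5's own identity certificate must come from a SEPARATE trustpoint
! that enrolls against that server over HTTP, exactly as a remote client would.
! Server name LAB-CA and the 10.5.5.5 enrollment URL are assumptions.
ip http server
!
crypto pki server LAB-CA
 issuer-name cn=myCA.cisco.com
 grant auto
 no shutdown
!
crypto pki trustpoint myCA
 enrollment url http://10.5.5.5:80
 fqdn R5.cisco.com
 ip-address 10.5.5.5
 subject-name cn=R5
 revocation-check none
 rsakeypair myCA-KEYS
!
! Privileged-exec steps, run once:
!   crypto pki authenticate myCA      (imports the CA certificate into myCA)
!   crypto pki enroll myCA            (requests R5's identity certificate)
! Expected result:
!   show crypto pki trustpoints       -> both LAB-CA and myCA listed
!   show crypto ca certificates       -> an identity certificate under myCA,
!                                        plus the CA certificate under both
```

Part 1 is the change to try first, since the debug in the thread shows the router never selected a profile for the outbound request. Part 2 is unrelated to that debug unless R5 really is the CA; `grant auto` is convenient in a lab but means anyone who can reach the HTTP server gets a certificate, so it should not be left on in anything beyond a lab.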

