Velocity Reviews - Computer Hardware Reviews

VPN Client to PIX 515 - using certificates doesn't work

Peter
08-24-2004
I'm having some issues getting a VPN tunnel established between the
Cisco VPN Client (4.0) and a PIX 515E (6.3) using digital
certificates.

The connection works fine when authenticated using a pre-shared key.

I'm using an internal Microsoft CA (Enterprise Root), with the SCEP
dll installed, running on Windows 2000 Server SP4.

I've included portions of the PIX Config and the VPN Client's log file
below. Has anyone encountered these errors before? Or does anyone have
any suggestions as to what I'm doing wrong (apart from using an MS CA)?

Thanks in advance for your help,

Peter

ca identity VPNCA 10.1.1.7:/CERTSRV/mscep/mscep.dll
ca configure VPNCA ra 2 20

isakmp policy 8 authentication rsa-sig
isakmp policy 8 encryption 3des
isakmp policy 8 hash sha
isakmp policy 8 group 1
isakmp policy 8 lifetime 86400

crypto dynamic-map DYNO-RA-VPN 30 set transform-set strong
crypto map VPN 80 ipsec-isakmp dynamic DYNO-RA-VPN

vpngroup RSAVPN address-pool RA-VPN-POOL
vpngroup RSAVPN dns-server 10.1.1.2
vpngroup RSAVPN wins-server 10.1.1.3
vpngroup RSAVPN default-domain dns.name
vpngroup RSAVPN split-tunnel vpn-acl
vpngroup RSAVPN idle-time 1800


Cisco Systems VPN Client Version 4.0.3 (D)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1 16:22:08.307 08/24/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

2 16:22:08.307 08/24/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message
id: 0x00000000)

3 16:22:13.575 08/24/04 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 212.xxx.xxx.xxx. Inbound
connections are not allowed.

(212.xxx.xxx.xxx is the PIX's outside address).
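The three warnings above are easier to work with once the client log is turned into structured records. The following Python example is added here and is not from the thread or from Cisco: the sample log is constructed in the shape of the one Peter pasted (the headend address 203.0.113.1 is a documentation-range stand-in for his masked 212.x.x.x), and the triage hints only restate the log text and the advice given in the replies below (client firewall feature, NAT-T on udp/4500).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the Cisco VPN Client 4.x log format. 203.0.113.1 is a
# TEST-NET placeholder standing in for the headend (PIX outside) address.
SAMPLE_LOG = """\
Cisco Systems VPN Client Version 4.0.3 (D)
Client Type(s): Windows, WinNT

1 16:22:08.307 08/24/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

2 16:22:08.307 08/24/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message
id: 0x00000000)

3 16:22:13.575 08/24/04 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 203.0.113.1. Inbound
connections are not allowed.
"""

# Event header: "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<name>/<n> <module>/<hexcode>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d{3})\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]{8})$"
)
# The client's own firewall rejecting a packet from a given source address.
INBOUND_RE = re.compile(
    r"Attempted incoming connection from (?P<src>\d{1,3}(?:\.\d{1,3}){3})\. "
    r"Inbound connections are not allowed\."
)

# Triage hints, keyed by IKE code; wording comes from the log text and the
# replies in this thread, not from Cisco documentation.
HINTS = {
    "0xE3000099": "IKE notify payload with an invalid SPI size",
    "0xA3000058": "IKE message the client could not parse, or no negotiation active for that message id",
    "0xA3000062": ("the client itself refused a packet from the headend: check whether the "
                   "client firewall feature is on, and whether NAT-T (udp/4500) is enabled on "
                   "the PIX and allowed at the headend"),
}


@dataclass
class Event:
    seq: int
    timestamp: str      # "mm/dd/yy hh:mm:ss.mmm"
    severity: str
    level: int
    module: str
    code: str
    message: str        # wrapped message lines joined with single spaces


def parse_vpn_client_log(text: str) -> List[Event]:
    """Group each header line with its wrapped message lines into an Event.
    Banner lines before the first header (version, client type) are skipped."""
    events: List[Event] = []
    header: Optional[dict] = None
    body: List[str] = []

    def flush() -> None:
        if header is not None:
            events.append(Event(
                seq=int(header["seq"]),
                timestamp=f'{header["date"]} {header["time"]}',
                severity=header["sev"],
                level=int(header["level"]),
                module=header["module"],
                code=header["code"],
                message=" ".join(body),
            ))

    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            flush()
            header, body = m.groupdict(), []
        elif line and header is not None:
            body.append(line)
    flush()
    return events


def blocked_inbound_sources(events: List[Event]) -> List[str]:
    """Source addresses the client firewall reported as refused (code 0xA3000062)."""
    out = []
    for e in events:
        m = INBOUND_RE.search(e.message)
        if m:
            out.append(m.group("src"))
    return out


def triage(events: List[Event]):
    """(seq, code, hint) for every Warning-level event."""
    return [(e.seq, e.code, HINTS.get(e.code, "no hint for this code"))
            for e in events if e.severity == "Warning"]


if __name__ == "__main__":
    evs = parse_vpn_client_log(SAMPLE_LOG)
    for seq, code, hint in triage(evs):
        print(f"#{seq} {code}: {hint}")
    print("refused inbound from:", blocked_inbound_sources(evs))
```

Run it against a real client log by replacing SAMPLE_LOG with the file contents; a non-empty result from blocked_inbound_sources containing the PIX outside address is the condition Martin's reply below is about.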
 
CISCORUBS
08-25-2004
Pete;

You are in for a headache and heartache. MS-SCEP does NOT work well
with PIX. Do a Google search and you will see.

You are better off using pre-shared keys.

I would NOT use the PIX for remote access; I MIGHT use it for LAN to
LAN VPN.

For remote access the VPN 3000 series is unsurpassed with much more
options ( IPSec/UDP and IPSec/TCP ).

VPN support on a PIX is a pain in the ass.



 
Martin Bilgrav
08-25-2004

"CISCORUBS" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) m...
> Pete;
>
> You are in for headache and heartache. MS-SCEP does NOT work well
> with PIX. Do a google search and you will see.
>
> You are better off using pre-shared keys.
>
> I would NOT use the PIX for remote access; I MIGHT use it for LAN to
> LAN VPN.
>
> For remote access the VPN 3000 series is unsurpassed with much more
> options ( IPSec/UDP and IPSec/TCP ).
>
> VPN support on a PIX is a pain in the ass.
>



Nonsense.

Looks like your client software denies the inbound traffic. Is the firewall
feature turned on? Try disabling it.
Also try the PIX command isakmp nat-t, which will turn on NAT Traversal for
your device on udp/4500.
Allow this port on the headend as well.

HTH
Martin Bilgrav



 
Peter
08-25-2004
"Martin Bilgrav" <(E-Mail Removed)> wrote in message news:<LQXWc.40783$(E-Mail Removed) k>...
> "CISCORUBS" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed) m...
> > Pete;
> >
> > You are in for a headache and heartache. MS-SCEP does NOT work well
> > with PIX. Do a Google search and you will see.
> >
> > VPN support on a PIX is a pain in the ass.
>
> Nonsense.
>
> Looks like your client software denies the inbound traffic. Is the firewall
> feature turned on? Try disabling it.
> Also try the PIX command isakmp nat-t, which will turn on NAT Traversal for
> your device on udp/4500.
> Allow this port on the headend as well.


I have done this, and the error messages are the same.

I'm not convinced that the PIX has enrolled correctly with the CA.

Two questions:

1) What are the _exact_ commands needed on the PIX to configure an MS
CA? When I enter the identity as "10.1.1.1:certsrv/mscep/mscep.dll" as
the manual advises, the PIX will not enroll.

When I enter the identity as "10.1.1.1://certsrv/mscep/mscep.dll" the PIX
sends an enrollment request, and reports "CRYPTO_PKI: status = 102:
certificate request pending", but that is the last output generated.

2) What _exactly_ needs to be done on the client? Must you import the
CA's certificate? (If so, how?) What type of certificate should you
request from the CA (Client Auth, IPSec, etc.)? Must the key length
on the client and the PIX match?
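Peter's first question, which form of the `ca identity` script path actually reaches mscep.dll, can be checked from any host on the LAN before touching the PIX again: SCEP exposes a GetCACert operation that the PIX itself calls first during enrollment, and the Content-Type of the reply tells you whether the URL is a working SCEP endpoint and whether it answers as a CA alone or as a CA fronted by an RA. The Python example below is added here and is not from the thread or from Cisco. It derives the URL from a PIX 6.x `ca identity` line (the two spellings Peter tried and the one in his config), builds the GetCACert request with the content types defined in RFC 8894 section 4.2.1, and classifies the answer. Treating `ca configure <name> ra ...` as "the PIX expects a CA+RA chain back" is an assumption made here for triage purposes; the network probe is optional and only runs with `--probe`.

```python
import re
import sys
import urllib.request
from typing import Tuple
from urllib.parse import urlencode

# PIX 6.x form: "ca identity <nickname> <ca_ip>[:<script_path>]"
CA_IDENTITY_RE = re.compile(
    r"^ca identity\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})(?::(\S+))?\s*$"
)

# Content types a SCEP server returns for GetCACert (RFC 8894, section 4.2.1).
CA_ONLY = "application/x-x509-ca-cert"       # a single CA certificate
CA_AND_RA = "application/x-x509-ca-ra-cert"  # degenerate PKCS#7 holding CA + RA certs


def parse_ca_identity(line: str) -> Tuple[str, str]:
    """Return (nickname, base_url). Leading slashes in the script path are
    collapsed, so '10.1.1.7:/CERTSRV/...', '10.1.1.1://certsrv/...' and
    '10.1.1.1:certsrv/...' all yield a well-formed http URL."""
    m = CA_IDENTITY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PIX 'ca identity' line: {line!r}")
    nickname, host, script = m.group(1), m.group(2), m.group(3) or ""
    path = "/" + script.lstrip("/")
    return nickname, f"http://{host}{path}"


def getcacert_url(base_url: str, nickname: str) -> str:
    """GetCACert request; 'message' carries the CA identifier (RFC 8894 4.2.1)."""
    query = urlencode({"operation": "GetCACert", "message": nickname})
    return f"{base_url}?{query}"


def classify_getcacert(content_type: str, pix_ra_mode: bool) -> str:
    """Compare what the server returned with what the PIX was configured for.
    pix_ra_mode=True corresponds to 'ca configure <name> ra ...' (assumption:
    the PIX then expects the CA+RA chain in the GetCACert reply)."""
    ct = content_type.split(";")[0].strip().lower()
    if ct == CA_AND_RA:
        return ("ok: CA+RA chain returned" if pix_ra_mode
                else "mismatch: server answers through an RA but PIX is not in 'ra' mode")
    if ct == CA_ONLY:
        return ("mismatch: bare CA cert returned but PIX is configured for an RA" if pix_ra_mode
                else "ok: CA certificate returned")
    return (f"not a SCEP response ({ct or 'no content type'}); "
            "check the script path and that mscep.dll is being reached")


def probe(base_url: str, nickname: str, pix_ra_mode: bool = True, timeout: float = 5.0) -> str:
    """Live check (needs network access to the CA): fetch GetCACert and classify it."""
    url = getcacert_url(base_url, nickname)
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return classify_getcacert(resp.headers.get("Content-Type", ""), pix_ra_mode)


if __name__ == "__main__":
    # Usage: python scep_check.py "ca identity VPNCA 10.1.1.7:/CERTSRV/mscep/mscep.dll" [--probe]
    args = [a for a in sys.argv[1:] if a != "--probe"]
    line = args[0] if args else "ca identity VPNCA 10.1.1.7:/CERTSRV/mscep/mscep.dll"
    nick, base = parse_ca_identity(line)
    print("GetCACert URL:", getcacert_url(base, nick))
    if "--probe" in sys.argv:
        print(probe(base, nick))
```

A text/html reply (an IIS error page, for instance) means the PIX was never talking to mscep.dll at that path, which is the case to rule out before looking at the "certificate request pending" status.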
 
CISCORUBS
08-26-2004
VPN support on the PIX IS a pain in the ASS. A PIX is one of the best
out of the box FIREWALLS.

I have done hub and spoke VPN in a multitude of different arrangements
using PIX, IOS and the VPN 3000.

MSCEP works well on all EXCEPT the PIX.

Hint:

Make sure your PIX domain name is correct and that it is pointing to a
DNS server. Make sure the DNS server can resolve the PIX FQDN.

Bigger hint:
Use DMVPN with IOS and let the PIX be a firewall.

It is NOT nonsense. The PIX and MSCEP issue is documented. Go to CCO
and google and search.

Martin Bilgrav
08-26-2004

"Peter" <(E-Mail Removed)> wrote in message
>
> 1) What are the _exact_ commands needed on the PIX to configure an MS
> CA? When I enter the identity as "10.1.1.1:certsrv/mscep/mscep.dll" as
> the manual advises, the PIX will not enroll.
>
> When I enter the identity as "10.1.1.1://certsrv/mscep/mscep.dll" the PIX
> sends an enrollment request, and reports "CRYPTO_PKI: status = 102:
> certificate request pending", but that is the last output generated.
>
> 2) What _exactly_ needs to be done on the client? Must you import the
> CA's certificate? (If so, how?) What type of certificate should you
> request from the CA (Client Auth, IPSec, etc.)? Must the key length
> on the client and the PIX match?


http://www.cisco.com/en/US/tech/tk58...80094e69.shtml


HTH
Martin


 
Martin Bilgrav
08-26-2004

http://www.cisco.com/en/US/tech/tk58...80094e69.shtml


and this one:

http://www.mail-archive.com/cisco@gr.../msg81459.html



 
Tim Levy
08-29-2004

> I'm having some issues getting a VPN tunnel established between the
> Cisco VPN Client (4.0) and a PIX 515E (6.3) using digital
> certificates.
>
> The connection works fine when authenticated using a pre-shared key.

I have previously got this to work against the MS CA.

Search this group for a post entitled 'Re: PIX 506E VPN with certificates'
made on 1 July 2004.

Tim Levy
London


 