in house CA access from remote IPSEC peer problem

Discussion in 'Cisco' started by Bob Smith, Jan 4, 2004.

  1. Bob Smith (Guest)

    I have been playing around with CA server scenarios utilizing Cisco
    doc examples. One that is causing me problems is where the CA server
    is in-house behind a PIX.

    http://www.cisco.com/en/US/products...ducts_user_guide_chapter09186a0080089924.html

    The PIX is IPSEC peered with remote Cisco router. Both are
    configured to utilize the CA server for isakmp authentication. The
    router is configured to get the CA's public key via unencrypted
    communication. A static translation and conduit ( or access-list ) on
    the PIX allows the router to gain access to the CA. But my router
    fails to acquire the CA server public key ( crypto ca authenticate
    myca ). The PIX is receiving these requests, but from the log it is
    tagging them as non-IPSEC and I believe dropping them ( Windows 2003
    is my CA server on inside segment and Network Monitor does not see any
    packets from router ( HTTP, LDAP etc. )). It appears that the PIX only
    accepts encrypted packets from the IPSEC peers ip address. What am I
    missing? Out of curiosity I took the isakmp/crypto coding off the
    outside interface and disabled sysopt connection permit-ipsec on the
    PIX. This then allowed the router to acquire the CA public key. Can
    someone enlighten me?
    Bob Smith, Jan 4, 2004
    #1

  2. Masud Reza (Guest)

    (Bob Smith) wrote in message news:<>...
    > I have been playing around with CA server scenarios utilizing Cisco
    > doc examples. One that is causing me problems is where the CA server
    > is in-house behind a PIX.
    > But my router
    > fails to acquire the CA server public key ( crypto ca authenticate
    > myca ). The PIX is receiving these requests, but from the log it is
    > tagging them as non-IPSEC and I believe dropping them ( Windows 2003
    > is my CA server on inside segment and Network Monitor does not see any
    > packets from router ( HTTP, LDAP etc. )). It appears that the PIX only
    > accepts encrypted packets from the IPSEC peers ip address. What am I
    > missing? Out of curiosity I took the isakmp/crypto coding off the
    > outside interface and disabled sysopt connection permit-ipsec on the
    > PIX. This then allowed the router to acquire the CA public key. Can
    > someone enlighten me?



    Hi Bob:

    The first thing you have to understand if you are using a CA is that
    the certificate distribution itself is an un-encrypted process. Before
    you can talk with a CA server, you need to authenticate it using the
    command that you mentioned (crypto ca authenticate ...). In response,
    the CA server does not send you its public key. It sends you its
    fingerprint. The fingerprint of the CA server is an MD5 of its root
    certificate. When you receive this, you have to get the same
    fingerprint from another source (via telephone or web or whatever) to
    complete the authentication process.

    After you have authenticated the CA Server, you can enroll with the CA
    server for the identity certificates of the VPN Peers (the PIX and
    cisco routers in your case). The enrollment job is a one-time process
    which is carried out WITHOUT encryption. Nowadays, most of the devices
    support the Simple Certificate Enrollment Protocol (SCEP) which is an
    http-based transaction-oriented protocol. You can read more about SCEP
    at http://www.cisco.com/warp/public/cc/pd/sqsw/tech/scep_wp.htm

    In your specific case, the CA server is present on the PIX inside
    interface. You must define a static and have a conduit/access-list
    permitting access from the outside (SCEP is http-based) so that the
    IPSec peers can complete the enrollment process and, before that,
    also get the fingerprint from the server.

    Also, please do keep in mind that when the IPSec peers have the ROOT
    certificate of the CA *AND* their identity certificates, there is no
    need to involve the CA now (I'm assuming that you are using
    stand-alone CAs) for the purpose of authentication. However, depending
    on your configuration, you might want to check the validity of the
    certificate against the CRL, the URL of which is located in the
    certificate of the ROOT CA.

    In your case, your CA server is present on the inside of the PIX. You
    want to create a VPN between *THIS* pix and a router on the outside.
    When you configured your PIX, you gave it the IP address of the router
    as its peer. You configured a crypto access-list to tell the PIX that
    traffic between the router and the PIX is to be encrypted.

    Now what's happening is that when you configure your router and try to
    authenticate and enroll for the certificates, the crypto access-list
    on the PIX silently drops all packets from the router because it
    thinks that these packets should be encrypted (and they are not).

    To fix the problem, make sure that BEFORE your VPN is initiated and
    IKE Phase I is carried out, the two devices *ARE* able to access the
    CA and get their certificates.

    In production, you might not want to keep your CA online (!) or you
    might want to put it on a DMZ using a layered model.

    Hope this helps.

    Masud
    Masud Reza, Jan 4, 2004
    #2
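The security-relevant step in the answer above is the out-of-band fingerprint check: because `crypto ca authenticate` fetches the root certificate over plain HTTP (SCEP GetCACert), the comparison against a fingerprint obtained through a second channel is the only thing that stops someone on the path from handing the router a substitute root. The following is an added example, not code from the thread or from Cisco, showing that check done carefully: the certificate bytes are a constructed stand-in (not a real X.509 certificate), the IOS-style grouping of the digest into blocks of eight hex digits is reproduced so a value read back over the phone can be compared directly, separators are normalised, and the comparison is constant-time. MD5 is used because that is what the thread's devices print; the function also accepts `sha256` for platforms that show stronger fingerprints.

```python
"""Out-of-band check of a CA fingerprint fetched over cleartext SCEP.

Added example for the thread above; not the forum poster's or Cisco's
code.  The certificate below is a constructed stand-in: the fingerprint
is a hash over the raw DER bytes, so no X.509 parsing is needed here.
"""
import hashlib
import hmac
import re

# Constructed stand-in for the DER-encoded root certificate that the
# router receives from the CA's GetCACert response (assumption: any
# byte string will do, since only its digest matters for the check).
FAKE_CA_DER = b"\x30\x82\x01\x00" + b"example-root-ca-cert-bytes" * 8


def fingerprint(der: bytes, algorithm: str = "md5") -> str:
    """Upper-case hex fingerprint of a DER certificate.

    The devices in the thread print an MD5 over the root certificate;
    pass algorithm="sha256" where the platform shows a SHA-256 value.
    """
    return hashlib.new(algorithm, der).hexdigest().upper()


def cisco_format(hexdigest: str) -> str:
    """Group the digest in blocks of 8 hex digits, the way IOS prints
    'Fingerprint: XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX'."""
    return " ".join(hexdigest[i:i + 8] for i in range(0, len(hexdigest), 8))


def normalize(fp: str) -> str:
    """Strip the spaces, colons and dashes people add when they read a
    fingerprint over the phone or paste it from a web page."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def authenticate_ca(der: bytes, out_of_band_fp: str,
                    algorithm: str = "md5") -> bool:
    """Return True only if the retrieved certificate's fingerprint equals
    the value obtained through a second channel.

    GetCACert is an unauthenticated HTTP transfer, so this comparison is
    what actually authenticates the CA.  Lengths are checked first so a
    truncated value never matches, and the digests are compared in
    constant time.
    """
    expected = normalize(out_of_band_fp)
    computed = fingerprint(der, algorithm)
    if len(expected) != len(computed):
        return False
    return hmac.compare_digest(expected, computed)


if __name__ == "__main__":
    # What the router would show, and what the administrator must
    # confirm against the value obtained out of band before accepting.
    print("Fingerprint:", cisco_format(fingerprint(FAKE_CA_DER)))
    print("SHA-256:    ", cisco_format(fingerprint(FAKE_CA_DER, "sha256")))
    print("accept:", authenticate_ca(FAKE_CA_DER,
                                     cisco_format(fingerprint(FAKE_CA_DER))))
```

Note that MD5 is accepted here only because the platforms in the thread print nothing else; a collision-resistant digest is preferable wherever the device offers one, and the same `authenticate_ca` call handles it by passing `algorithm="sha256"`.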

  3. Bob Smith (Guest)

    Thanks for the feedback and clarifications.

    > Now what's happening is that when you configure your router and try to
    > authenticate and enroll for the certificates, the crypto access-list
    > on the PIX silently drops all packets from the router because it
    > thinks that these packets should be encrypted (and they are not).


    Which is what I observed. I was confused by the Cisco example.

    > To fix the problem, make sure that BEFORE your VPN is initiated and
    > IKE Phase I is carried out, the two devices *ARE* able to access the
    > CA and get their certificates.


    Now it makes sense. I am just toying with this in a lab trying
    different scenarios. I do not have much experience with CA servers.
    Can you suggest any good reference material for learning about
    certificate authorities? Now, all I have are Cisco docs and Windows
    2003 help files.
    Bob Smith, Jan 5, 2004
    #3
  4. Masud Reza (Guest)

    (Bob Smith) wrote in message news:<>...

    > Now it makes sense. I am just toying with this in a lab trying
    > different scenarios. I do not have much experience with CA servers.
    > Can you suggest any good reference material for learning about
    > certificate authorities? Now, all I have are Cisco docs and Windows
    > 2003 help files.


    I've found these two RSA Press titles good.

    PKI: Implementing & Managing E-Security
    Andrew Nash, William Duane, Celia Joseph & Derek Brink

    Digital Signatures
    Mohan Atreya, Benjamin Hammond, Stephen Paine, Paul Starrett, &
    Stephen Wu

    Network Security by Radia Perlman et al. also has good chapters on CA
    Servers and certificates in general.

    Masud
    Masud Reza, Jan 5, 2004
    #4
