PIX 515E, VPN Client 4.6, Windows 2003 CA

Discussion in 'Cisco' started by sdunn96, Oct 30, 2008.

  1. sdunn96

    sdunn96

    Joined:
    Oct 30, 2008
    Messages:
    34
    Ok, I have read a few posts in here about how to configure Remote Access using 515E, VPN Client 4.6 and Windows 2003 as a CA.

    I am having a lot of problems, and it has been kicking my butt for the past week.
    I was able to get it to work using Pre shared keys.

    Another weird problem is that when I do the commands to get a certificate from the CA, I lose the ability to open up PDM via a web browser.
    I have a telnet session running at the same time doing a debug of Crypto stuff, and it returns:
    CRYPTO_CA: certificate not found
    Now if I go in and clear out all the CA information, the PIX will build its own certificate and I can access the PIX via PDM, but I have no certificates installed.

    My PIX config is the following:
    pix(config)# ca generate rsa key 1024 // this one works and returns what I see is correct info.

    pix(config)# ca identity myca 10.10.x.x:/certsrv/mscep/mscep.dll //this one also seems to work properly when executed, no errors.

    pix(config)# ca configure myca ra 1 5 crloptional //again, also seems to work

    pix(config)# ca authenticate myca //well this one executes, but from what I read I should be getting information returned to me (fingerprint), but I get nothing, just goes back to prompt.

    At this point I can issue the "show ca certificate" command and it returns
    CA Certificate
    Status: Available
    Certificate Serial Number: 09a085d2a8d6dea74cde3a94313c3d57
    Key Usage: Signature
    CN = fserver3
    OID.0.9.2342.19200300.100.1.25 =<16> webd2ms2
    OID.0.9.2342.19200300.100.1.25 =<16> com
    Validity Date:
    start date: 14:30:47 EST Oct 29 2008
    end date: 14:39:31 EST Oct 29 2018

    RA Signature Certificate
    Status: Available
    Certificate Serial Number: 300f4c78000000000002
    Key Usage: Signature
    EA =<16> seth@d2ms.com
    CN = Administrator
    OU = VPNCERT
    O = D2MS
    L = Chesapeake
    ST = Virginia
    C = US
    Validity Date:
    start date: 14:37:35 EST Oct 29 2008
    RA KeyEncipher Certificate
    Status: Available
    Certificate Serial Number: 300f4def000000000003
    Key Usage: Encryption
    EA =<16> seth@d2ms.com
    CN = Administrator
    OU = VPNCERT
    O = D2MS
    L = Chesapeake
    ST = Virginia
    C = US
    Validity Date:
    start date: 14:37:35 EST Oct 29 2008
    end date: 15:37:35 EDT Oct 29 2010

    So it would seem I have a Certificate......not sure what to make of it, but ok.

    Then I go and do the enrollment command
    pix(config)# ca enroll myca "challenge password obtained from CA"

    Now from that command, I appear to receive correct information.....looking at a document on Cisco's website seems to confirm it.



    Now for the CA Server...I have installed Certificate Authority as well as the SCEP add-on.
    Looking at issued Certificates, it seems that a certificate does get issued to the PIX, and the request came from the pix.....so communication there seems fine.

    On my PC using VPN Client I have done two things
    1) I have used the built-in Enrollment option and using the //website/certsrv/mscep/mscep.dll along with his password.
    That certificate also gets issued, I can look and see it there. It is issued as an IPSec (Offline Certificate).

    2) I have also installed a certificate manually by going to my CA and requesting an IPSec (Offline Certificate), receiving it and installing it on my PC.

    So then both certs show up in the VPN Client Certificates list.
    I have made sure to use the "VPN Group Name" as the Department......

    So now for my Certificate Connection I can set it up to use either.
    If I use the one received by Cisco's enrollment, it asks for a Password, so I go to my CA website and put one in and then send it on. Does not connect.

    If I use the one that I requested from the website, it does not ask for a Password.....but it still does not connect.

    I look at the log window, but nothing shows up...
    I have seen at times
    -- Invalid PKI
    -- Malformed Payload

    Also looking at the debug info on the PIX, I see similar things.
    -- retransmitting phase 1
    -- malformed payload
    sdunn96, Oct 30, 2008
    #1

  2. sdunn96

    Here is a screen capture of the telnet session:

    sh ca certificate
    Certificate
    Status: Available
    Certificate Serial Number: 128f2fb8000000000008
    Key Usage: General Purpose
    Subject Name:
    CN = mypix.mydomain.com
    UNSTRUCTURED NAME = mypix.mydomain.com
    Validity Date:
    start date: 06:14:01 EST Oct 30 2008
    end date: 07:14:01 EDT Oct 30 2010

    RA Signature Certificate
    Status: Available
    Certificate Serial Number: 300f4c78000000000002
    Key Usage: Signature
    EA =<16> sethemail.com
    CN = Administrator
    OU = VPNCERT
    O = D2MS
    L = Chesapeake
    ST = Virginia
    C = US
    Validity Date:
    start date: 14:37:35 EST Oct 29 2008
    <--- More --->
    CRYPTO_PKI: Name: CN = mypix.mydomain.com, UNSTRUCTURED NAME = mypix.mydomain.com
    CRYPTO_PKI: Name: EA =<16> sethemail.comCN = Administrator, OU = VPNCERT, O = D2MS, L = Chesapeake, ST = Virginia,

    C = US

    end date: 15:37:35 EDT Oct 29 2010

    CA Certificate
    Status: Available
    Certificate Serial Number: 09a085d2a8d6dea74cde3a94313c3d57
    Key Usage: Signature
    CN = myca
    OID.0.9.2342.19200300.100.1.25 =<16> webd2ms2
    OID.0.9.2342.19200300.100.1.25 =<16> com
    Validity Date:
    start date: 14:30:47 EST Oct 29 2008
    end date: 14:39:31 EST Oct 29 2018

    RA KeyEncipher Certificate
    Status: Available
    Certificate Serial Number: 300f4def000000000003
    Key Usage: Encryption
    EA =<16> sethemail.com
    CN = Administrator
    OU = VPNCERT
    O = D2MS
    L = Chesapeake
    ST = Virginia
    C = US
    <--- More --->
    CRYPTO_PKI: Name: CN = myca, OID.0.9.2342.19200300.100.1.25 =<16> webd2ms2, OID.0.9.2342.19200300.100.1.25 =<16> com
    CRYPTO_PKI: Name: EA =<16> sethemail.com, CN = Administrator, OU = VPNCERT, O = D2MS, L = Chesapeake, ST = Virginia,

    C = US

    Validity Date:
    start date: 14:37:35 EST Oct 29 2008
    end date: 15:37:35 EDT Oct 29 2010


    gbpix(config)#
    ISADB: reaper checking SA 0x12a22fc, conn_id = 0
    ISADB: reaper checking SA 0xe97df4, conn_id = 0

    gbpix#
    crypto_isakmp_process_block:src:68.230.xx.xx, dest:xx.xx.xx.xx spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 5
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    crypto_isakmp_process_block:src:68.230.xx.xx, dest:xx.xx.xx.xx spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match MINE hash
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: 1a 8d cb 81 70 a5 34 dc df b8 67 0 13 b2 7e 61 c8 35 d5 48
    his nat hash : 99 fb fc 6e f3 aa cd 56 b b 46 e9 7d 45 ab 28 8c 80 d7 32
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a Unity client

    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    sdunn96, Oct 30, 2008
    #2

  3. sdunn96

    gbpix#
    ISAKMP (0): retransmitting phase 1 (0)...
    crypto_isakmp_process_block:src:68.230.xx.xx, dest:xx.xx.xx.xx spt:4500 dpt:4500
    ISAKMP: reserved not zero on payload 8!
    ISAKMP: malformed payload
    ISAKMP (0): retransmitting phase 1 (1)...

    gbpix#
    ISAKMP (0): deleting SA: src 68.230.xx.xx, dst xx.xx.xx.xx
    crypto_isakmp_process_block:src:68.230.xx.xx, dest:xx.xx.xx.xx spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 5
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 5 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 6 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 2
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    crypto_isakmp_process_block:src:68.230.xx.xx, dest:xx.xx.xx.xx spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match MINE hash
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: 87 20 a4 77 24 c9 65 f7 95 96 7 e7 d1 b5 3a f3 c2 8 72 36
    his nat hash : d5 54 b5 ab 2d 24 d 46 50 fc 1b 38 23 1d 7a b9 4 84 b3 4f
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a Unity client
    sdunn96, Oct 30, 2008
    #3
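    The transform checks and the NAT-D / "malformed payload" lines in the debug output above (posts #2 and #3) can be summarised mechanically instead of read by eye. This is an added diagnostic helper, not code from the thread or from Cisco; SAMPLE_DEBUG is a constructed excerpt of the pasted output, and EXAMPLE_POLICY is a hypothetical candidate policy, not the poster's actual isakmp policy 10.

```python
import re

# Constructed excerpt of the PIX "debug crypto isakmp" output pasted in posts #2 and #3.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0:0): NAT does not match HIS hash
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
"""

# Hypothetical candidate policy (NOT the poster's config): aes-256 / sha / group 2 / rsa-sig.
EXAMPLE_POLICY = {"encryption": "AES-CBC", "hash": "SHA", "group": 2, "keylength": 256, "auth": "RSA sig"}
TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTRS = {"encryption ": ("encryption", str), "hash ": ("hash", str),
         "default group ": ("group", int), "keylength of ": ("keylength", int)}

def parse_transforms(debug_text):
    """One dict per transform the client offered, with the PIX's accept/reject verdict."""
    transforms, cur = [], None
    for line in (l.strip() for l in debug_text.splitlines()):
        m = TRANSFORM_RE.search(line)
        if m:
            cur = {"transform": int(m.group(1)), "policy": int(m.group(2)), "accepted": None}
            transforms.append(cur)
        elif cur is not None and ": " in line:
            body = line.split(": ", 1)[1]
            for prefix, (key, conv) in ATTRS.items():
                if body.startswith(prefix):
                    cur[key] = conv(body[len(prefix):])
            if body.startswith(("auth ", "extended auth ")):
                cur["auth"] = body  # keep the xauth marker; the Unity client offers both forms
            elif body.startswith("life duration (VPI) of "):
                # lifetime is logged as big-endian bytes: 0x0 0x20 0xc4 0x9b -> 2147483 seconds
                octets = bytes(int(h, 16) for h in body.split("of ", 1)[1].split())
                cur["lifetime_s"] = int.from_bytes(octets, "big")
            elif "atts are" in body:
                cur["accepted"] = "not acceptable" not in body
    return transforms

def explain_mismatch(transform, policy):
    """Attributes on which an offered transform differs from the candidate policy."""
    diffs = [k for k in ("encryption", "hash", "group", "keylength")
             if k in policy and transform.get(k) != policy[k]]
    if "auth" in policy and policy["auth"] not in transform.get("auth", ""):
        diffs.append("auth")
    return diffs

def find_findings(debug_text):
    """Phase 1 symptoms worth acting on: NAT-D mismatch, reserved bits set, malformed payloads."""
    findings = []
    for line in (l.strip() for l in debug_text.splitlines()):
        if "NAT does not match HIS hash" in line:
            findings.append("peer-behind-nat")  # NAT-T will move IKE to UDP/4500, as seen in post #3
        elif line.startswith("ISAKMP: reserved not zero on payload"):
            findings.append("reserved-bits-set:payload-" + line.rsplit(" ", 1)[1].rstrip("!"))
        elif "malformed payload" in line:
            findings.append("malformed-payload")
    return findings
```

    Run `parse_transforms` and `explain_mismatch` against each candidate policy on the PIX to see which attribute is rejecting every offered transform, rather than guessing from the nine near-identical blocks.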
  4. sdunn96

    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    ISADB: reaper checking SA 0x12a22fc, conn_id = 0
    ISADB: reaper checking SA 0x1290bec, conn_id = 0
    ISADB: reaper checking SA 0x12a2a84, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:68.230.xx.xx/500 Ref cnt decremented to:2 Total VPN Peers:2
    ISADB: reaper checking SA 0x12a22fc, conn_id = 0
    ISADB: reaper checking SA 0x1290bec, conn_id = 0
    ISADB: reaper checking SA 0xe97df4, conn_id = 0
    ISAKMP (0): retransmitting phase 1 (0)...
    crypto_isakmp_process_block:src:68.230.xx.xx, dest:xx.xx.xx.xx spt:4500 dpt:4500
    ISAKMP: reserved not zero on payload 8!
    ISAKMP: malformed payload
    ISAKMP (0): retransmitting phase 1 (1)...

    gbpix#
    ISAKMP (0): deleting SA: src 68.230.xx.xx, dst xx.xx.xx.xx
    ISADB: reaper checking SA 0x12a22fc, conn_id = 0
    ISADB: reaper checking SA 0x1290bec, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:68.230.xx.xx/500 Ref cnt decremented to:1 Total VPN
    Peers:2
    ISADB: reaper checking SA 0x12a22fc, conn_id = 0
    ISADB: reaper checking SA 0xe97df4, conn_id = 0

    ---------********************---------
    New CA requests
    ---------********************---------

    enable
    Password: ********

    gbpix# conf t

    gbpix(config)# ca generate rsa special                       sh

    my  ca mypubkey rsa
    % Key pair was generated at: 07:05:30 EST Oct 30 2008
    Key name: mypix.mydomain.com
    Usage: General Purpose Key
    Key Data:

    gbpix(config)# ca zeroize rsa

    gbpix(config)# ca zeroize rsash ca mypubkey rsa

    gbpix(config)# ca generate ra sa specialkey 1024
    For <key_modulus_size> >= 1024, key generation could
    take up to several minutes. Please wait.
    Keypair generation process begin.
    .Success.
    Keypair generation process begin.
    Success.


    gbpix(config)#
    Insert Selfsigned Certificate:

    gbpix(config)# shca generate rsa specialkey 1024sh ca mypubkey rsa

    
    % Key pair was generated at: 07:26:33 EST Oct 30 2008
    Key name: mypix.mydomain.com
    Usage: Encryption Key
    Key Data:
    % Key pair was generated at: 07:26:31 EST Oct 30 2008
    Key name: mypix.mydomain.com
    Usage: Signature Key
    Key Data:

    gbpix(config)# ca identity myca 10.10.x.x:/certsrv/mscep/mscep.dll

    gbpix(config)# ca configure myca ra 1 5 crloptional

    gbpix(config)# ca authn enticate myca
    sdunn96, Oct 30, 2008
    #4
  5. sdunn96

    CI thread sleeps!
    Crypto CA thread wakes up!
    CRYPTO_PKI: http connection opened
    CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

    CRYPTO_PKI: WARNING: A certificate chain could not be constructed while selecting certificate status

    gbpix(config)#
    CRYPTO_PKI: Name: EA =<16> , CN = Administrator, OU = VPNCERT, O = D2MS, L = Chesapeake, ST = Virginia,

    C = US
    CRYPTO_PKI: Name: EA =<16> , CN = Administrator, OU = VPNCERT, O = D2MS, L = Chesapeake, ST = Virginia,

    C = US
    CRYPTO_PKI: transaction GetCACert completed
    CRYPTO_PKI: Name: EA =<16> CN = Administrator, OU = VPNCERT, O = D2MS, L = Chesapeake, ST = Virginia,

    C = US
    CRYPTO_PKI: Name: EA =<16> CN = Administrator, OU = VPNCERT, O = D2MS, L = Chesapeake, ST = Virginia,

    C = US
    Crypto CA thread sleeps!
    CI thread wakes up!
    ISADB: reaper checking SA 0x12a22fc, conn_id = 0
    ISADB: reaper checking SA 0xe97df4, conn_id = 0

    gbpix(config)# sh ca certificate
    CA Certificate
    Status: Available
    Certificate Serial Number: 09a085d2a8d6dea74cde3a94313c3d57
    Key Usage: Signature
    CN = myca
    OID.0.9.2342.19200300.100.1.25 =<16> webd2ms2
    OID.0.9.2342.19200300.100.1.25 =<16> com
    Validity Date:
    start date: 14:30:47 EST Oct 29 2008
    end date: 14:39:31 EST Oct 29 2018

    RA Signature Certificate
    Status: Available
    Certificate Serial Number: 300f4c78000000000002
    Key Usage: Signature
    EA =<16>
    CN = Administrator
    OU = VPNCERT
    O = D2MS
    L = Chesapeake
    ST = Virginia
    C = US
    Validity Date:
    start date: 14:37:35 EST Oct 29 2008
    <--- More --->
    CRYPTO_PKI: Name: CN = myca, OID.0.9.2342.19200300.100.1.25 =<16> webd2ms2, OID.0.9.2342.19200300.100.1.25 =<16> com
    CRYPTO_PKI: Name: EA =<16> CN = Administrator, OU = VPNCERT, O = D2MS, L = Chesapeake, ST = Virginia,

    C = US

    end date: 15:37:35 EDT Oct 29 2010

    RA KeyEncipher Certificate
    Status: Available
    Certificate Serial Number: 300f4def000000000003
    Key Usage: Encryption
    EA =<16>
    CN = Administrator
    OU = VPNCERT
    O = D2MS
    L = Chesapeake
    ST = Virginia
    C = US
    Validity Date:
    start date: 14:37:35 EST Oct 29 2008
    end date: 15:37:35 EDT Oct 29 2010
    sdunn96, Oct 30, 2008
    #5
  6. sdunn96

    Sorry for all the long posts,
    Just trying to give as much info.....cause this thing is starting to **** me off.
    sdunn96, Oct 30, 2008
    #6
  7. sdunn96

    Well I think I fixed the problem.
    At least for internal IPSec connection to the PIX.
    Now I need to see if it works for external connection.


    I was using a Windows 2003 Enterprise CA, I saw something last night that said to just use a standard stand-alone CA, so I did one on another Windows 2003 Server I have.

    I enrolled the pix with him, as stated by the typical ca commands.

    Then I pulled 3 certs and placed them on my test system.

    Cert 1) was an IPSec issued cert from stand-alone CA. I included the VPN Group Name, as pointed out by Cisco documentation. He goes in the current user Personal Store. It is placed there when you tell the CA to install him.

    Cert 2) The CA Chain cert. I went to the CA website and pulled down his chain, as BASE 64. This is the certificate chain. I placed him in the Local Computer Trusted Root Cert. Authority store.

    Cert 3) I pulled down the SSL Cert that the PIX issues when you start up PDM. I put him in the Current User/Trusted Root Cert. Authority Store. This one I am not sure is necessary or not.....but hey I did it.


    Then in the Cisco VPN Client I imported the Chain Cert and the PIX SSL Cert....the IPSec cert should already be listed.
    So when all is said and done, you should see 3 certs, a CA Cert, a Microsoft Cert, and an RA Cert.

    For the connection, I tell it to use the IPSec Microsoft Cert.

    Doing that it connected....and encrypted the tunnel using AES 256, as I had set it up on the PIX to do.


    So now I just need to get the outside working.
    Man this thing was kicking my butt.
    sdunn96, Oct 31, 2008
    #7
