VPN Client <> PIX 515 with certificates (long!)

Discussion in 'Cisco' started by Patrick M. Hausen, Aug 16, 2004.

  1. Hello!

    I'm fighting with this setup for quite some time now and
    have somewhat exhaustively (so it seems) read everything
    I found with Google or on the Cisco website.

    I've set up a Microsoft CA with SCEP for certificate management.
    This wasn't trivial but I finally succeeded, at least the
    PIX output looks OK. I manually created a cert for the client
    using an email address for the identity (the general case in this
    installation will be mobile users, so email addresses are the only
    thing known to be unique, hostnames are probably not).
    I used the same CA, of course. I imported this cert, the CA cert
    and the firewall's certificate into the VPN client.

    When trying to connect, the client eventually times out,
    while the PIX complains about an unknown error. I've left
    the entire IPSec and IKE configuration on the PIX intact,
    including an additional gateway-gateway link with a preshared
    secret. Since the security should not depend on this, I didn't
    delete the certificate contents or anything else besides keys,
    the preshared secret and the external IP addresses involved.
    (Though they are trivial to find out for a determined attacker
    given the hostname and the other information - again, security
    of a firewall must not depend on the address being secret ;-)


    Any hints on what's going wrong here?

    TIA,
    Patrick

    PIX Config
    ----------

    PIX Version 6.3(4)

    hostname eokfw01
    domain-name ekiba.org

    access-list outside_cryptomap_dyn_10 permit ip any 172.20.150.0 255.255.255.0
    access-list outside_cryptomap_20 permit ip 172.20.0.0 255.255.0.0 1.2.3.56 255.255.255.0

    ip address outside 1.2.3.50 255.255.255.248
    ip address inside 172.20.0.90 255.255.0.0

    ip verify reverse-path interface outside
    ip verify reverse-path interface inside

    ip local pool VPN-Clients 172.20.150.0-172.20.150.255

    sysopt connection permit-ipsec

    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

    crypto dynamic-map outside_dyn_map_1 10 match address outside_cryptomap_dyn_10
    crypto dynamic-map outside_dyn_map_1 10 set pfs group5
    crypto dynamic-map outside_dyn_map_1 10 set transform-set ESP-AES-256-MD5

    crypto map outside_map 20 ipsec-isakmp
    crypto map outside_map 20 match address outside_cryptomap_20
    crypto map outside_map 20 set pfs group2
    crypto map outside_map 20 set peer 1.2.3.56
    crypto map outside_map 20 set transform-set ESP-3DES-MD5

    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1

    crypto map outside_map client configuration address initiate
    crypto map outside_map client configuration address respond
    crypto map outside_map interface outside

    isakmp enable outside

    isakmp key ********** address 1.2.3.56 netmask 255.255.255.255 no-xauth no-config-mode

    isakmp identity address

    isakmp policy 10 authentication rsa-sig
    isakmp policy 10 encryption aes-256
    isakmp policy 10 hash md5
    isakmp policy 10 group 5
    isakmp policy 10 lifetime 86400

    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    vpngroup VPN-Clients address-pool VPN-Clients
    vpngroup VPN-Clients dns-server 172.20.0.26 172.20.0.27
    vpngroup VPN-Clients default-domain ekiba.org
    vpngroup VPN-Clients idle-time 1800

    ca identity eok 172.20.0.25:/certsrv/mscep/mscep.dll
    ca configure eok ra 1 3
    ca subject-name eok ou=Evangelischer Oberkirchenrat IT,o=Evangelische Landeskirche in Baden,c=DE


    CA Config
    ---------

    eokfw01# show ca ident
    ca identity eok 172.20.0.25:/certsrv/mscep/mscep.dll

    eokfw01# show ca conf
    ca configure eok ra 1 3

    eokfw01# show ca subject
    Organization Unit(ou): Evangelischer Oberkirchenrat IT
    Organiztion(o): Evangelische Landeskirche in Baden
    Country(c): DE

    eokfw01# show ca cert
    RA Signature Certificate
    Status: Available
    Certificate Serial Number: 612a1dfb000000000002
    Key Usage: Signature
    CN = EOK RA
    OU = Evangelischer Oberkirchenrat IT
    O = Evangelische Landeskirche in Baden
    L = Karlsruhe
    C = DE
    EA =<16>
    Validity Date:
    start date: 10:00:23 CEDT Aug 3 2004
    end date: 10:10:23 CEDT Aug 3 2005

    CA Certificate
    Status: Available
    Certificate Serial Number: 5e4b7696fe66d980466cf9bf9c8e4288
    Key Usage: General Purpose
    CN = EOK
    OU = Evangelischer Oberkirchenrat IT
    O = Evangelische Landeskirche in Baden
    L = Karlsruhe
    C = DE
    EA =<16>
    Validity Date:
    start date: 09:54:25 CEDT Aug 3 2004
    end date: 10:01:16 CEDT Aug 3 2009

    RA KeyEncipher Certificate
    Status: Available
    Certificate Serial Number: 612a1f82000000000003
    Key Usage: Encryption
    CN = EOK RA
    OU = Evangelischer Oberkirchenrat IT
    O = Evangelische Landeskirche in Baden
    L = Karlsruhe
    C = DE
    EA =<16>
    Validity Date:
    start date: 10:00:24 CEDT Aug 3 2004
    end date: 10:10:24 CEDT Aug 3 2005

    Certificate
    Status: Available
    Certificate Serial Number: 6164a3fa000000000005
    Key Usage: General Purpose
    Subject Name:
    CN = eokfw01.ekiba.org
    OU = Evangelischer Oberkirchenrat IT
    O = Evangelische Landeskirche in Baden
    C = DE
    UNSTRUCTURED NAME = eokfw01.ekiba.org
    UNSTRUCTURED IP = 1.2.3.50
    Validity Date:
    start date: 11:04:19 CEDT Aug 3 2004
    end date: 11:14:19 CEDT Aug 3 2005

    eokfw01# show ca crl
    CRL:
    CRL Issuer Name:
    CN = EOK, OU = Evangelischer Oberkirchenrat IT, O = Evangelische Landeskirche in Baden, L = Karlsruhe, C = DE, EA =<16>
    LastUpdate: 09:54:30 CEDT Aug 10 2004
    NextUpdate: 22:14:30 CEDT Aug 17 2004

    eokfw01# show ca subject
    Organization Unit(ou): Evangelischer Oberkirchenrat IT
    Organiztion(o): Evangelische Landeskirche in Baden
    Country(c): DE

    eokfw01# show ca mypubkey rsa
    % Key pair was generated at: 14:35:59 CEDT Jul 28 2004
    Key name: eokfw01.ekiba.org
    Usage: General Purpose Key
    Key Data:
    ...


    PIX debug
    ---------

    eokfw01# debug crypto ca
    eokfw01# debug crypto isakmp
    crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing SA payload. message ID = 0

    ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 5
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are acceptable. Next payload is 3
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): received xauth v6 vendor id

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): remote peer supports dead peer detection

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a Unity client

    ISAKMP (0): SA is doing RSA signature authentication using id type ID_IPV4_ADDR
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a Unity client

    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing CERT payload. message ID = 0
    CRYPTO_PKI: Error: Invalid format for BER encoding while

    ISAKMP (0): Unknown error in cert validation, 65535
    return status is IKMP_ERR_RETRANS
    crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing CERT payload. message ID = 0
    CRYPTO_PKI: Error: Invalid format for BER encoding while

    ISAKMP (0): Unknown error in cert validation, 65535
    return status is IKMP_ERR_RETRANS
    crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing CERT payload. message ID = 0
    CRYPTO_PKI: Error: Invalid format for BER encoding while

    ISAKMP (0): Unknown error in cert validation, 65535
    return status is IKMP_ERR_RETRANS
    crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing CERT payload. message ID = 0
    CRYPTO_PKI: Error: Invalid format for BER encoding while

    ISAKMP (0): Unknown error in cert validation, 65535
    return status is IKMP_ERR_RETRANS
    crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
    ISAKMP: Created a peer struct for 1.2.3.54, peer port 62465
    ISAKMP: reserved not zero on payload 8!
    ISAKMP: malformed payload
    ISAKMP (0): deleting SA: src 1.2.3.54, dst 1.2.3.50
    ISADB: reaper checking SA 0x14faba4, conn_id = 0 DELETE IT!

    VPN Peer:ISAKMP: Peer Info for 1.2.3.54/500 not found - peers:0

    ISAKMP: Deleting peer node for 1.2.3.54


    VPN Client debug
    ----------------

    Cisco Systems VPN Client Version 4.0.5 (Rel)
    Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 1

    1 14:26:57.251 08/16/04 Sev=Info/4 CERT/0x63600014
    Cert (cn=,ou=Evangelischer Oberkirchenrat IT,o=Evangelische Landeskirche in Baden,c=DE) verification succeeded.

    2 14:26:58.267 08/16/04 Sev=Info/6 IKE/0x6300003B
    Attempting to establish a connection with 1.2.3.50.

    3 14:26:58.267 08/16/04 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Unity)) to 1.2.3.50

    4 14:26:58.298 08/16/04 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = 1.2.3.50

    5 14:26:58.298 08/16/04 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (SA) from 1.2.3.50

    6 14:26:58.314 08/16/04 Sev=Info/6 IKE/0x63000001
    IOS Vendor ID Contruction successful

    7 14:26:58.314 08/16/04 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to 1.2.3.50

    8 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x6300002F
    Received ISAKMP packet: peer = 1.2.3.50

    9 14:26:58.330 08/16/04 Sev=Info/4 IKE/0x63000014
    RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from 1.2.3.50

    10 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x63000001
    Peer supports XAUTH

    11 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x63000001
    Peer supports DPD

    12 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x63000001
    Peer is a Cisco-Unity compliant peer

    13 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x63000081
    Received IOS Vendor ID with unknown capabilities flag 0x00000025

    14 14:26:58.376 08/16/04 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 1.2.3.50

    15 14:27:03.439 08/16/04 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    16 14:27:03.439 08/16/04 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM *(Retransmission) to 1.2.3.50

    17 14:27:08.439 08/16/04 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    18 14:27:08.439 08/16/04 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM *(Retransmission) to 1.2.3.50

    19 14:27:13.439 08/16/04 Sev=Info/4 IKE/0x63000021
    Retransmitting last packet!

    20 14:27:13.439 08/16/04 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK MM *(Retransmission) to 1.2.3.50

    21 14:27:18.439 08/16/04 Sev=Info/4 IKE/0x63000017
    Marking IKE SA for deletion (I_Cookie=F1FDA062E32F115B R_Cookie=DF0B42C77160B61B) reason = DEL_REASON_PEER_NOT_RESPONDING

    22 14:27:18.439 08/16/04 Sev=Info/4 IKE/0x63000013
    SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 1.2.3.50

    23 14:27:18.939 08/16/04 Sev=Info/4 IKE/0x6300004A
    Discarding IKE SA negotiation (I_Cookie=F1FDA062E32F115B R_Cookie=DF0B42C77160B61B) reason = DEL_REASON_PEER_NOT_RESPONDING

    24 14:27:18.939 08/16/04 Sev=Info/4 IKE/0x63000001
    IKE received signal to terminate VPN connection

    25 14:27:18.939 08/16/04 Sev=Info/4 IKE/0x63000085
    Microsoft IPSec Policy Agent service started successfully

    +-----------------------------------+
    | EuroBSDCon 2004 in Karlsruhe! |
    | 29. - 31. 10. 2004 |
    | http://www.eurobsdcon2004.de/ |
    +-----------------------------------+

    --
    punkt.de GmbH Internet - Dienstleistungen - Beratung
    Vorholzstr. 25 Tel. 0721 9109 -0 Fax: -100
    76137 Karlsruhe http://punkt.de
     
    Patrick M. Hausen, Aug 16, 2004
    #1
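The two debug captures above show the usual asymmetry of a failed Main Mode: the client only logs retransmissions and DEL_REASON_PEER_NOT_RESPONDING, while the PIX holds the actual reason (a CERT payload it cannot parse). The following is an added example, not code from the post or from Cisco; it assumes PIX 6.x `debug crypto isakmp` lines of the shape shown above, and its sample input is constructed.

```python
"""Added example (not from the original post): triage a PIX 6.x
'debug crypto isakmp' capture so the Phase 1 failure point stands out."""
import re

# Constructed sample, abridged from the shape of the PIX debug above.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: hash SHA
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: hash MD5
ISAKMP: auth RSA sig
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Error: Invalid format for BER encoding while
ISAKMP (0): Unknown error in cert validation, 65535
return status is IKMP_ERR_RETRANS
"""

TRANSFORM_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+)")
PAYLOAD_RE = re.compile(r"processing (\w+) payload")

def triage_isakmp(debug_text):
    """Return the transforms compared against the PIX policy (with their
    'ISAKMP: ...' attribute lines), the accepted one, each error tagged with
    the payload being processed, and the count of IKMP_ERR_RETRANS drops."""
    out = {"transforms": [], "accepted": None, "errors": [], "retrans": 0}
    current, payload = None, None
    for line in (raw.strip() for raw in debug_text.splitlines()):
        if m := TRANSFORM_RE.search(line):
            current = {"id": int(m.group(1)), "policy": int(m.group(2)), "attrs": []}
            out["transforms"].append(current)
        elif current and line.startswith("ISAKMP: "):
            current["attrs"].append(line[len("ISAKMP: "):])  # e.g. 'hash MD5'
        elif "atts are not acceptable" in line:
            current = None  # policy mismatch; the PIX moves to the next transform
        elif "atts are acceptable" in line:
            out["accepted"], current = current, None
        elif m := PAYLOAD_RE.search(line):
            payload = m.group(1)  # ID, CERT, KE, ...: where we are in Main Mode
        elif "Error" in line or "error in" in line or "malformed" in line:
            out["errors"].append({"payload": payload, "message": line})
        elif line == "return status is IKMP_ERR_RETRANS":
            out["retrans"] += 1  # the client sees only a retransmission
    return out

if __name__ == "__main__":
    print(triage_isakmp(SAMPLE_DEBUG))
```

Run against a full capture, the `errors` entries tell you which Main Mode payload the PIX choked on, which is the line to correlate with the client's retransmission timestamps.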