VPN client & PIX with Windows 2003 CA & RADIUS

Discussion in 'Cisco' started by achilles_mj, Jun 21, 2006.

  1. achilles_mj

    achilles_mj Guest

    Hi all.

    I have configured the PIX with rsa-sig (isakmp policy 10 authentication
    rsa-sig) and RADIUS authentication.

    On the computer I have the VPN client and a certificate from a Windows 2003 CA
    in the LAN.
    All works fine. The computer has access to the network, RADIUS
    authentication works, and the CA recognizes the computer's certificates.
    It works beautifully, but only from some Internet Service Providers.
    Bad providers don't use a firewall or other filters. All traffic can
    go out from them.

    On the same PIX I also configured access without a certificate (isakmp
    policy 20 authentication pre-share).
    On my laptop I have configured two VPN connections:
    - One with authentication by certificate
    - The other with group authentication and a pre-shared password

    From the good ISP both connections work.
    From the bad ISP only pre-share authentication works.


    Why doesn't the second connection work? Does ISAKMP with rsa-sig use other
    protocols?
    Maybe my configuration is bad?
    Have you ever had a working configuration the same as mine on a PIX 501?

    Here is my config:

    interface ethernet0 10baset
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    hostname pix02
    domain-name abc.com
    clock timezone WAT 1

    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69

    names

    access-list 120 permit ip 10.0.0.0 255.255.255.0 10.0.10.0 255.255.255.0

    icmp permit any unreachable outside
    icmp permit any echo outside
    icmp deny any outside

    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute retry 4
    ip address inside 10.0.0.3 255.255.255.0

    ip audit info action alarm
    ip audit attack action alarm

    ip local pool vpnpool 10.0.10.10-10.0.10.100

    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list 120
    nat (inside) 1 0.0.0.0 0.0.0.0 0 0
    route inside 10.0.1.0 255.255.255.0 10.0.0.1 1

    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute

    ntp server 217.153.69.35 source outside
    ntp server 150.254.183.15 source outside

    floodguard enable

    sysopt connection permit-ipsec

    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto dynamic-map dynmap 10 set transform-set myset
    crypto map mymap 10 ipsec-isakmp dynamic dynmap
    crypto map mymap client authentication RADIUS
    crypto map mymap interface outside

    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 10 authentication rsa-sig
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400

    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400

    vpngroup vpncert address-pool vpnpool
    vpngroup vpncert dns-server 10.0.0.5
    vpngroup vpncert default-domain abc.local
    vpngroup vpncert idle-time 1800
    vpngroup office address-pool vpnpool
    vpngroup office dns-server 10.0.0.5
    vpngroup office default-domain abc.local
    vpngroup office idle-time 1800
    vpngroup office password ********
    ca identity kobe 10.0.0.5:/certsrv/mscep/mscep.dll
    ca configure kobe ra 1 20 crloptional


    Here is the debug information from the PIX during connection from the bad
    and good ISP (debug crypto isakmp).
    I can't see any errors. The debug lists are almost the same until the
    point where I wrote "Difference".

    Debug when I connect from the bad ISP and can't connect:

    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing CERT payload. message ID = 0
    ISAKMP (0): processing a CT_X509_SIGNATURE cert
    CRYPTO_PKI: Certificate verified, chain status= 1
    ISAKMP (0): processing CERT_REQ payload. message ID = 0
    ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
    ISAKMP (0): processing SIG payload. message ID = 0
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 0
    ISAKMP (0): processing notify INITIAL_CONTACT
    ISAKMP (0): deleting SA: src 217.153.76.73, dst 213.54.22.29
    ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
    ISADB: reaper checking SA 0xb337dc, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:217.153.76.73/1094 Ref cnt decremented to:0
    Total VPN Peers:1
    VPN Peer: ISAKMP: Deleted peer: ip:217.153.76.73/1094 Total VPN peers:0
    ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): ID payload
    next-payload : 6
    type : 2
    protocol : 17
    port : 0
    length : 17
    ISAKMP (0): Total payload length: 21
    return status is IKMP_NO_ERROR
    ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
    ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
    ISAKMP (0): sending NOTIFY message 24576 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:217.153.76.73/1094 Total VPN
    Peers:1
    VPN Peer: ISAKMP: Peer ip:217.153.76.73/1094 Ref cnt incremented to:1
    Total VPN Peers:1
    ISAKMP: peer is a remote access client
    ISAKMP/xauth: request attribute XAUTH_TYPE
    ISAKMP/xauth: request attribute XAUTH_USER_NAME
    ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
    ISAKMP (0:0): initiating peer config to 217.153.76.73. ID = 743827829
    (0x2c55e975)
    crypto_isakmp_process_block:src:217.153.76.73, dest:213.54.22.29
    spt:1094 dpt:4500
    ISAKMP: phase 1 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    ISAKMP (0): retransmitting Config Mode Request...

    Difference

    crypto_isakmp_process_block:src:217.153.76.73, dest:213.54.22.29
    spt:1094 dpt:4500
    ISAKMP: phase 1 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    ISAKMP (0): retransmitting Config Mode Request...nod
    crypto_isakmp_process_block:src:217.153.76.73, dest:213.54.22.29
    spt:1094 dpt:4500
    ISAKMP: phase 1 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    ISAKMP (0): retransmitting Config Mode Request.. debug
    crypto_isakmp_process_block:src:217.153.76.73, dest:213.54.22.29
    spt:1094 dpt:4500
    ISAKMP: reserved not zero on payload 8!
    ISAKMP: malformed payloadc
    ISAKMP (0): retransmitting Config Mode Request...rypto isakmp
    ..........
    ..........
    the last line keeps repeating



    Debug when I connect from the good ISP and the VPN works:

    ISAKMP (0): Checking ISAKMP transform 8 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash MD5
    ISAKMP: default group 2
    ISAKMP: auth RSA sig
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 256
    ISAKMP (0): atts are not acceptable. Next payload is 3
    ISAKMP (0): Checking ISAKMP transform 9 against priority 10 policy
    ISAKMP: encryption AES-CBC
    ISAKMP: hash SHA
    ISAKMP: default group 5
    ISAKMP: extended auth RSA sig (init)
    ISAKMP: life type in seconds
    ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
    ISAKMP: keylength of 128
    crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:500
    dpt:500
    OAK_MM exchange
    ISAKMP (0): processing KE payload. message ID = 0

    ISAKMP (0): processing NONCE payload. message ID = 0

    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT match MINE hash
    ISAKMP (0:0): Detected NAT-D payload
    ISAKMP (0:0): NAT does not match HIS hash
    hash received: 2e 1a dd 1c 23 22 ac 8a ca 13 cc 76 3f 82 4c 4a
    his nat hash : 89 d8 47 19 64 e8 66 7e 83 77 d3 3f a2 b2 c9 21
    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to another IOS box!

    ISAKMP (0): processing vendor id payload

    ISAKMP (0): speaking to a Unity client

    ISAKMP (0:0): constructed HIS NAT-D
    ISAKMP (0:0): constructed MINE NAT-D
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500
    dpt:4500
    OAK_MM exchange
    ISAKMP (0): processing ID payload. message ID = 0
    ISAKMP (0): processing CERT payload. message ID = 0
    ISAKMP (0): processing a CT_X509_SIGNATURE cert
    CRYPTO_PKI: Certificate verified, chain status= 1
    ISAKMP (0): processing CERT_REQ payload. message ID = 0
    ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
    ISAKMP (0): processing SIG payload. message ID = 0
    ISAKMP (0): processing NOTIFY payload 24578 protocol 1
    spi 0, message ID = 0
    ISAKMP (0): processing notify INITIAL_CONTACT
    ISAKMP (0): deleting SA: src 83.6.70.175, dst 213.54.22.29
    ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
    ISADB: reaper checking SA 0xb337dc, conn_id = 0 DELETE IT!

    VPN Peer: ISAKMP: Peer ip:83.6.70.175/4500 Ref cnt decremented to:0
    Total VPN Peers:2
    VPN Peer: ISAKMP: Deleted peer: ip:83.6.70.175/4500 Total VPN peers:1
    ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
    ISADB: reaper checking SA 0xb34a1c, conn_id = 0
    ISAKMP (0): SA has been authenticated

    ISAKMP (0): ID payload
    next-payload : 6
    type : 2
    protocol : 17
    port : 0
    length : 17
    ISAKMP (0): Total payload length: 21
    return status is IKMP_NO_ERROR
    ISADB: reaper checking SA 0xb1b5c4, conn_id = 0
    ISADB: reaper checking SA 0xb34a1c, conn_id = 0
    ISAKMP (0): sending phase 1 RESPONDER_LIFETIME notify
    ISAKMP (0): sending NOTIFY message 24576 protocol 1
    VPN Peer: ISAKMP: Added new peer: ip:83.6.70.175/4500 Total VPN Peers:2
    VPN Peer: ISAKMP: Peer ip:83.6.70.175/4500 Ref cnt incremented to:1
    Total VPN Peers:2
    ISAKMP: peer is a remote access client
    ISAKMP/xauth: request attribute XAUTH_TYPE
    ISAKMP/xauth: request attribute XAUTH_USER_NAME
    ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD
    ISAKMP (0:0): initiating peer config to 83.6.70.175. ID = 1361769944
    (0x512af5d8)
    crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500
    dpt:4500
    ISAKMP: phase 1 packet is a duplicate of a previous packet
    ISAKMP: resending last response
    ISAKMP (0): retransmitting Config Mode Request...

    Difference

    18: xauth authentication in progress for user: , session id: 761973038
    crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500
    dpt:4500
    19: Received response: user_test, session id 761973038
    ISAKMP_TRANSACTION exchange
    20: Making authentication request for host 10.0.0.5, user user_test,
    session id: 761973038
    ISAKMP (0:0): processing transaction payload from 83.6.70.175. message
    ID = 11351564
    21: Processing challenge for user user_test, session id: 761973038,
    challenge: Password:
    ISAKMP: Config payload CFG_REPLY
    22: Received xauth challenge: Password: , session id: 761973038
    return status is IKMP_ERR_NO_RETRANS
    23: Received response: , session id 761973038
    ISAKMP (0:0): initiating peer config to 83.6.70.175. ID = 316302082
    (0x12da6302)24: Making authentication request for host 10.0.0.5, user
    user_test, session id: 761973038
    25: xauth authentication complete for user: user_test, session id:
    761973038

    crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500
    dpt:4500
    ISAKMP_TRANSACTION exchange
    ISAKMP (0:0): processing transaction payload from 83.6.70.175. message
    ID = 11351564
    ISAKMP: Config payload CFG_ACK
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500
    dpt:4500
    ISAKMP_TRANSACTION exchange
    ISAKMP (0:0): processing transaction payload from 83.6.70.175. message
    ID = 11351564
    ISAKMP: Config payload CFG_REQUEST
    ISAKMP (0:0): checking request:
    ISAKMP: attribute IP4_ADDRESS (1)
    ISAKMP: attribute IP4_NETMASK (2)
    ISAKMP: attribute IP4_DNS (3)
    ISAKMP: attribute IP4_NBNS (4)
    ISAKMP: attribute ADDRESS_EXPIRY (5)
    Unsupported Attr: 5
    ISAKMP: attribute UNKNOWN (28672)
    Unsupported Attr: 28672
    ISAKMP: attribute UNKNOWN (28673)
    Unsupported Attr: 28673
    ISAKMP: attribute ALT_DEF_DOMAIN (28674)
    ISAKMP: attribute ALT_SPLIT_INCLUDE (28676)
    ISAKMP: attribute ALT_SPLITDNS_NAME (28675)
    ISAKMP: attribute ALT_PFS (28679)
    ISAKMP: attribute ALT_BACKUP_SERVERS (28681)
    ISAKMP: attribute APPLICATION_VERSION (7)
    ISAKMP: attribute UNKNOWN (28680)
    Unsupported Attr: 28680
    ISAKMP: attribute UNKNOWN (28682)
    Unsupported Attr: 28682
    ISAKMP (0:0): responding to peer config from 83.6.70.175. ID =
    2821681736
    return status is IKMP_NO_ERROR
    crypto_isakmp_process_block:src:83.6.70.175, dest:213.54.22.29 spt:4500
    dpt:4500
    OAK_QM exchange
    oakley_process_quick_mode:
    OAK_QM_IDLE
    ISAKMP (0): processing SA payload. message ID = 2639747525
    ...............
    ...............
    Connection succeeds

    In both connections the certificate is accepted:
    (debug crypto ca) displays CRYPTO_PKI: Certificate verified, chain
    status= 1

    Help me please!
    achilles_mj, Jun 21, 2006
    #1
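The two debug captures above, as an added example that is not part of the original post: a small Python triage script that scans `debug crypto isakmp` output for the milestones the post's own logs show (certificate verified, phase 1 authenticated, XAUTH requested and completed, quick mode) and reports where the exchange stalls. The log excerpts are constructed from the post, and the milestone strings are taken from it; the diagnosis wording is this example's own heuristic.

```python
# Constructed excerpts of the two `debug crypto isakmp` captures quoted in the
# post (not complete captures; only the lines the triage keys on).
BAD_ISP = """\
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Certificate verified, chain status= 1
ISAKMP (0): SA has been authenticated
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP: phase 1 packet is a duplicate of a previous packet
ISAKMP (0): retransmitting Config Mode Request...
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
ISAKMP (0): retransmitting Config Mode Request...
"""
GOOD_ISP = """\
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Certificate verified, chain status= 1
ISAKMP (0): SA has been authenticated
ISAKMP/xauth: request attribute XAUTH_USER_NAME
ISAKMP (0): retransmitting Config Mode Request...
25: xauth authentication complete for user: user_test, session id: 761973038
ISAKMP: Config payload CFG_REQUEST
OAK_QM exchange
"""

# Milestones in the order the PIX reaches them, with the substring marking each.
MILESTONES = [
    ("cert_verified", "Certificate verified"),
    ("phase1_authenticated", "SA has been authenticated"),
    ("xauth_requested", "ISAKMP/xauth: request attribute"),
    ("xauth_complete", "xauth authentication complete"),
    ("quick_mode", "OAK_QM exchange"),
]

def triage(debug_text):
    """Summarise how far the exchange got and what happened after that."""
    lines = debug_text.splitlines()
    state = {name: any(m in l for l in lines) for name, m in MILESTONES}
    state["config_retransmits"] = sum("retransmitting Config Mode Request" in l for l in lines)
    state["malformed"] = any("malformed payload" in l for l in lines)
    return state

def diagnose(debug_text):
    """Turn the triage state into a one-line verdict (heuristic, this example's own)."""
    s = triage(debug_text)
    if s["quick_mode"]:
        return "ok: phase 1, XAUTH and quick mode all completed"
    if not s["phase1_authenticated"]:
        return "failed: phase 1 never authenticated (check policy match and certificates)"
    if s["xauth_requested"] and not s["xauth_complete"]:
        return ("stalled: phase 1 authenticated but the XAUTH/config-mode request went "
                "unanswered (%d retransmits, malformed input=%s); suspect the path to "
                "UDP/4500 after the certificate exchange rather than the CA or RADIUS"
                % (s["config_retransmits"], s["malformed"]))
    return "stalled: XAUTH completed but quick mode never started"
```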