VPN Client to PIX 515 - using certificates doesn't work

Discussion in 'Cisco' started by Peter, Aug 24, 2004.

  1. Peter

    Peter Guest

    I'm having some issues getting a VPN tunnel established between the
    Cisco VPN Client (4.0) and a PIX 515E (6.3) using digital
    certificates.

    The connection works fine when authenticated using a pre-shared key.

    I'm using an internal Microsoft CA (Enterprise Root), with the SCEP
    dll installed, running on Windows 2000 Server SP4.

    I've included portions of the PIX Config and the VPN Client's log file
    below. Has anyone encountered these errors before? Or does anyone have
    any suggestions as to what I'm doing wrong (apart from using a MS CA
    ;-) ?

    Thanks in advance for your help,

    Peter

    ca identity VPNCA 10.1.1.7:/CERTSRV/mscep/mscep.dll
    ca configure VPNCA ra 2 20

    isakmp policy 8 authentication rsa-sig
    isakmp policy 8 encryption 3des
    isakmp policy 8 hash sha
    isakmp policy 8 group 1
    isakmp policy 8 lifetime 86400

    crypto dynamic-map DYNO-RA-VPN 30 set transform-set strong
    crypto map VPN 80 ipsec-isakmp dynamic DYNO-RA-VPN

    vpngroup RSAVPN address-pool RA-VPN-POOL
    vpngroup RSAVPN dns-server 10.1.1.2
    vpngroup RSAVPN wins-server 10.1.1.3
    vpngroup RSAVPN default-domain dns.name
    vpngroup RSAVPN split-tunnel vpn-acl
    vpngroup RSAVPN idle-time 1800


    Cisco Systems VPN Client Version 4.0.3 (D)
    Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600

    1 16:22:08.307 08/24/04 Sev=Warning/2 IKE/0xE3000099
    Invalid SPI size (PayloadNotify:116)

    2 16:22:08.307 08/24/04 Sev=Warning/3 IKE/0xA3000058
    Received malformed message or negotiation no longer active (message
    id: 0x00000000)

    3 16:22:13.575 08/24/04 Sev=Warning/2 IKE/0xA3000062
    Attempted incoming connection from 212.xxx.xxx.xxx. Inbound
    connections are not allowed.

    (212.xxx.xxx.xxx is the PIX's outside address).
    Peter, Aug 24, 2004
    #1
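To compare log output between attempts (for instance pre-shared key versus rsa-sig, or before and after enabling NAT-T), it helps to parse the VPN Client log into structured records rather than reading it by eye. The following is an added example, not code from the thread or from Cisco: it parses the `<seq> <time> <date> Sev=<Level>/<n> <Module>/0x<code>` header format shown in the log above (the three warning entries are embedded as constructed sample input, with the headend address masked as in the post), rejoins wrapped message lines, and summarises which module and severity the events cluster in. The header regex and the blank-line-ends-an-event rule are assumptions drawn from the excerpt rather than from a published format specification.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the log excerpt quoted in the post above, embedded
# here so the parser runs offline (the headend address stays masked as posted).
SAMPLE_LOG = """\
Cisco Systems VPN Client Version 4.0.3 (D)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600

1 16:22:08.307 08/24/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)

2 16:22:08.307 08/24/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message
id: 0x00000000)

3 16:22:13.575 08/24/04 Sev=Warning/2 IKE/0xA3000062
Attempted incoming connection from 212.xxx.xxx.xxx. Inbound
connections are not allowed.
"""

# One event header (format assumed from the excerpt):
# "<seq> <hh:mm:ss.mmm> <mm/dd/yy> Sev=<Level>/<n> <Module>/0x<code>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})"
    r"\s+Sev=(?P<level>[A-Za-z]+)/(?P<num>\d+)\s+(?P<module>[A-Za-z0-9_]+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class Event:
    seq: int
    time: str
    date: str
    level: str     # e.g. "Warning", "Info"
    num: int       # the number after the slash in Sev=Level/n
    module: str    # e.g. "IKE", "CM", "IPSEC"
    code: int      # 32-bit event code parsed from the 0x... field
    message: str   # text lines following the header, wrapped lines rejoined


def parse_client_log(text: str) -> List[Event]:
    """Parse Cisco VPN Client 4.x log text into Event records.

    A header line starts an event; following non-blank lines belong to its
    message until a blank line or the next header. The version banner at the
    top has no header and is skipped.
    """
    events: List[Event] = []
    current: Optional[Event] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = HEADER_RE.match(line)
        if m:
            current = Event(
                seq=int(m["seq"]), time=m["time"], date=m["date"],
                level=m["level"], num=int(m["num"]), module=m["module"],
                code=int(m["code"], 16), message="",
            )
            events.append(current)
        elif current is not None and line.strip():
            # Continuation of a wrapped message line.
            current.message = (current.message + " " + line.strip()).strip()
        elif not line.strip():
            current = None  # a blank line ends the current event's message
    return events


def count_by_module_and_level(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """Count events per (module, level): a quick view of where a failed tunnel stalls."""
    counts: Dict[Tuple[str, str], int] = {}
    for ev in events:
        key = (ev.module, ev.level)
        counts[key] = counts.get(key, 0) + 1
    return counts


def ike_warning_codes(events: List[Event]) -> List[str]:
    """Hex codes of IKE warnings, in order, for diffing two connection attempts."""
    return [f"0x{ev.code:08X}" for ev in events if ev.module == "IKE" and ev.level == "Warning"]


if __name__ == "__main__":
    parsed = parse_client_log(SAMPLE_LOG)
    for ev in parsed:
        print(f"{ev.seq:>3} {ev.time} {ev.module}/0x{ev.code:08X} Sev={ev.level}/{ev.num}: {ev.message}")
    print(count_by_module_and_level(parsed))
    print(ike_warning_codes(parsed))
```

Run against the excerpt, every event is an IKE warning and none comes from the CM or IPSEC modules, which is consistent with the negotiation never getting past Phase 1; the same parser applied to a successful pre-shared-key attempt gives the baseline to diff against.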

  2. CISCORUBS

    CISCORUBS Guest

    Pete;

    You are in for headache and heartache. MS-SCEP does NOT work well
    with PIX. Do a google search and you will see.

    You are better off using pre-shared keys.

    I would NOT use the PIX for remote access; I MIGHT use it for LAN to
    LAN VPN.

    For remote access the VPN 3000 series is unsurpassed with much more
    options ( IPSec/UDP and IPSec/TCP ).

    VPN support on a PIX is a pain in the ass.


    (Peter) wrote in message news:<>...
    > I'm having some issues getting a VPN tunnel established between the
    > Cisco VPN Client (4.0) and a PIX 515E (6.3) using digital
    > certificates.
    >
    > The connection works fine when authenticated using a pre-shared key.
    >
    > I'm using an internal Microsoft CA (Enterprise Root), with the SCEP
    > dll installed, running on Windows 2000 Server SP4.
    >
    > I've included portions of the PIX Config and the VPN Client's log file
    > below. Has anyone encountered these errors before? Or does anyone have
    > any suggestions as to what I'm doing wrong (apart from using a MS CA
    > ;-) ?
    >
    > Thanks in advance for your help,
    >
    > Peter
    >
    > ca identity VPNCA 10.1.1.7:/CERTSRV/mscep/mscep.dll
    > ca configure VPNCA ra 2 20
    >
    > isakmp policy 8 authentication rsa-sig
    > isakmp policy 8 encryption 3des
    > isakmp policy 8 hash sha
    > isakmp policy 8 group 1
    > isakmp policy 8 lifetime 86400
    >
    > crypto dynamic-map DYNO-RA-VPN 30 set transform-set strong
    > crypto map VPN 80 ipsec-isakmp dynamic DYNO-RA-VPN
    >
    > vpngroup RSAVPN address-pool RA-VPN-POOL
    > vpngroup RSAVPN dns-server 10.1.1.2
    > vpngroup RSAVPN wins-server 10.1.1.3
    > vpngroup RSAVPN default-domain dns.name
    > vpngroup RSAVPN split-tunnel vpn-acl
    > vpngroup RSAVPN idle-time 1800
    >
    >
    > Cisco Systems VPN Client Version 4.0.3 (D)
    > Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
    > Client Type(s): Windows, WinNT
    > Running on: 5.1.2600
    >
    > 1 16:22:08.307 08/24/04 Sev=Warning/2 IKE/0xE3000099
    > Invalid SPI size (PayloadNotify:116)
    >
    > 2 16:22:08.307 08/24/04 Sev=Warning/3 IKE/0xA3000058
    > Received malformed message or negotiation no longer active (message
    > id: 0x00000000)
    >
    > 3 16:22:13.575 08/24/04 Sev=Warning/2 IKE/0xA3000062
    > Attempted incoming connection from 212.xxx.xxx.xxx. Inbound
    > connections are not allowed.
    >
    > (212.xxx.xxx.xxx is the PIX's outside address).
    CISCORUBS, Aug 25, 2004
    #2

  3. "CISCORUBS" <> wrote in message
    news:...
    > Pete;
    >
    > You are in for headache and heartache. MS-SCEP does NOT work well
    > with PIX. Do a google search and you will see.
    >
    > You are better off using pre-shared keys.
    >
    > I would NOT use the PIX for remote access; I MIGHT use it for LAN to
    > LAN VPN.
    >
    > For remote access the VPN 3000 series is unsurpassed with much more
    > options ( IPSec/UDP and IPSec/TCP ).
    >
    > VPN support on a PIX is a pain in the ass.
    >

    nonsense.

    Looks like your client sw denies the inbound traffic - is the firewall
    feature turned on?
    Try disabling it.
    Also try the pix command isakmp nat-t, which will turn on NAT Traversal for
    your device on udp/4500.
    Allow this port on the headend as well.

    HTH
    Martin Bilgrav
    Martin Bilgrav, Aug 25, 2004
    #3
  4. Peter

    Peter Guest

    "Martin Bilgrav" <> wrote in message news:<LQXWc.40783$>...
    > "CISCORUBS" <> wrote in message
    > news:...
    > > Pete;
    > >
    > > You are in for headache and heartache. MS-SCEP does NOT work well
    > > with PIX. Do a google search and you will see.
    > >
    > > VPN support on a PIX is a pain in the ass.

    >
    > nonsense.
    >
    > Looks like your client sw denies the inbound traffic - is the firewall
    > feature turned on?
    > Try disabling it.
    > Also try the pix command isakmp nat-t, which will turn on NAT Traversal for
    > your device on udp/4500.
    > Allow this port on the headend as well.

    I have done this, and the error messages are the same.

    I'm not convinced that the PIX has enrolled correctly with the CA.

    Two questions:

    1) What are the _exact_ commands needed on the PIX to configure an MS
    CA? When I enter the identity as "10.1.1.1:certsrv/mscep/mscep.dll" as
    the manual advises, the PIX will not enroll.

    When I enter the ident as "10.1.1.1://certsrv/mscep/mscep.dll" the PIX
    sends an enrollment request, and reports "CRYPTO_PKI: status = 102:
    certificate request pending" but that is the last output generated.

    2) What _exactly_ needs to be done on the client? Must you import the
    CA's certificate? (If so, how?) What type of certificate should you
    request from the CA (Client Auth, IPSec, etc.)? Must the key length
    on client and the PIX match?
    Peter, Aug 25, 2004
    #4
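Question 1 above turns on the exact form of the `ca identity` target: the first post uses `host:/path` (`10.1.1.7:/CERTSRV/mscep/mscep.dll`), while the two variants tried here drop the slash or double it. The following is an added example, not code from the thread or from Cisco: it parses a `ca identity` / `ca configure` pair as a small lint pass, normalises the three path forms to `host:/path` while reporting which malformed form was seen, reads the retry settings (the field order, retry period in minutes then retry count, follows the PIX 6.x `ca configure` syntax), and builds the SCEP `GetCACert` URL the PIX fetches over HTTP, which is the first thing to check from the PIX's side of the network when enrollment stalls at "certificate request pending". The sample config lines are copied from the first post; the "ra mode should point at mscep.dll" check is a heuristic for the Microsoft SCEP add-on discussed in this thread, not a PIX rule.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import quote

# Constructed sample: the two "ca" lines quoted from the PIX config in the first post.
SAMPLE_PIX_CA = """\
ca identity VPNCA 10.1.1.7:/CERTSRV/mscep/mscep.dll
ca configure VPNCA ra 2 20
"""

IDENTITY_RE = re.compile(r"^ca identity (?P<name>\S+) (?P<target>\S+)\s*$")
# PIX 6.x: ca configure <nickname> ca|ra <retry_period_minutes> <retry_count> [crloptional]
CONFIGURE_RE = re.compile(
    r"^ca configure (?P<name>\S+) (?P<mode>ca|ra) (?P<period>\d+) (?P<count>\d+)(?P<crlopt> crloptional)?\s*$"
)


def split_identity(target: str) -> Tuple[str, str, List[str]]:
    """Split the 'host:/path' target of 'ca identity' and flag the two malformed variants.

    Returns (host, normalised_path, issues). A missing leading slash ("host:path")
    and a doubled slash ("host://path") are both reported and normalised to one '/'.
    """
    host, sep, path = target.partition(":")
    if not sep or not host or not path:
        raise ValueError(f"expected host:/path, got {target!r}")
    issues: List[str] = []
    if path.startswith("//"):
        issues.append("double slash after host (host://path)")
        path = "/" + path.lstrip("/")
    elif not path.startswith("/"):
        issues.append("missing leading slash after host (host:path)")
        path = "/" + path
    return host, path, issues


def scep_get_ca_cert_url(host: str, path: str, ca_name: str) -> str:
    """The HTTP GET used to fetch the CA certificate (standard SCEP GetCACert query form).

    Requesting this URL from a host on the PIX's side of the network is a quick
    way to confirm the path is right before starting enrollment.
    """
    return f"http://{host}{path}?operation=GetCACert&message={quote(ca_name, safe='')}"


@dataclass
class CaConfig:
    name: str
    host: str
    path: str
    mode: Optional[str] = None            # "ca" or "ra"; the MS SCEP add-on acts as an RA
    retry_period_min: Optional[int] = None
    retry_count: Optional[int] = None
    crl_optional: bool = False
    issues: List[str] = field(default_factory=list)

    @property
    def get_ca_cert_url(self) -> str:
        return scep_get_ca_cert_url(self.host, self.path, self.name)


def parse_pix_ca(text: str) -> CaConfig:
    """Parse the 'ca identity' / 'ca configure' pair and collect lint findings."""
    cfg: Optional[CaConfig] = None
    configure = None
    for line in text.splitlines():
        m = IDENTITY_RE.match(line.strip())
        if m:
            host, path, issues = split_identity(m["target"])
            cfg = CaConfig(name=m["name"], host=host, path=path, issues=issues)
            continue
        m = CONFIGURE_RE.match(line.strip())
        if m:
            configure = m
    if cfg is None:
        raise ValueError("no 'ca identity' line found")
    if configure is None:
        cfg.issues.append("no 'ca configure' line; enrollment retry settings use defaults")
    else:
        if configure["name"] != cfg.name:
            cfg.issues.append("'ca configure' nickname does not match 'ca identity'")
        cfg.mode = configure["mode"]
        cfg.retry_period_min = int(configure["period"])
        cfg.retry_count = int(configure["count"])
        cfg.crl_optional = configure["crlopt"] is not None
        # Heuristic for the Microsoft SCEP add-on (assumption, not a PIX rule):
        # in ra mode the path is expected to end at mscep.dll.
        if cfg.mode == "ra" and not cfg.path.lower().endswith("mscep.dll"):
            cfg.issues.append("mode 'ra' but path does not point at mscep.dll")
    return cfg


if __name__ == "__main__":
    c = parse_pix_ca(SAMPLE_PIX_CA)
    print(c.get_ca_cert_url, c.issues)
    for bad in ("10.1.1.1:certsrv/mscep/mscep.dll", "10.1.1.1://certsrv/mscep/mscep.dll"):
        print(bad, "->", split_identity(bad))
```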
  5. CISCORUBS

    CISCORUBS Guest

    VPN support on the PIX IS a pain in the ASS. A PIX is one of the best
    out of the box FIREWALLS.

    I have done hub and spoke VPN in a multitude of different arrangements
    using PIX, IOS and the VPN 3000.

    MSCEP works well on all EXCEPT the PIX.

    Hint:

    Make sure your PIX domain name is correct and that it is pointing to a
    DNS server. Make sure the DNS server can resolve the PIX FQDN.

    Bigger hint:
    Use DMVPN with IOS and let the PIX be a firewall.

    It is NOT nonsense. The PIX and MSCEP issue is documented. Go to CCO
    and google and search.

    (Peter) wrote in message news:<>...
    > "Martin Bilgrav" <> wrote in message news:<LQXWc.40783$>...
    > > "CISCORUBS" <> wrote in message
    > > news:...
    > > > Pete;
    > > >
    > > > You are in for headache and heartache. MS-SCEP does NOT work well
    > > > with PIX. Do a google search and you will see.
    > > >
    > > > VPN support on a PIX is a pain in the ass.

    > >
    > > nonsense.
    > >
    > > Looks like your client sw denies the inbound traffic - is the firewall
    > > feature turned on?
    > > Try disabling it.
    > > Also try the pix command isakmp nat-t, which will turn on NAT Traversal for
    > > your device on udp/4500.
    > > Allow this port on the headend as well.

    >
    > I have done this, and the error messages are the same.
    >
    > I'm not convinced that the PIX has enrolled correctly with the CA.
    >
    > Two questions:
    >
    > 1) What are the _exact_ commands needed on the PIX to configure an MS
    > CA? When I enter the identity as "10.1.1.1:certsrv/mscep/mscep.dll" as
    > the manual advises, the PIX will not enroll.
    >
    > When I enter the ident as "10.1.1.1://certsrv/mscep/mscep.dll" the PIX
    > sends an enrollment request, and reports "CRYPTO_PKI: status = 102:
    > certificate request pending" but that is the last output generated.
    >
    > 2) What _exactly_ needs to be done on the client? Must you import the
    > CA's certificate? (If so, how?) What type of certificate should you
    > request from the CA (Client Auth, IPSec, etc.)? Must the key length
    > on client and the PIX match?
    CISCORUBS, Aug 26, 2004
    #5
  6. "Peter" <> wrote in message
    >
    > 1) What are the _exact_ commands needed on the PIX to configure an MS
    > CA? When I enter the identity as "10.1.1.1:certsrv/mscep/mscep.dll" as
    > the manual advises, the PIX will not enroll.
    >
    > When I enter the ident as "10.1.1.1://certsrv/mscep/mscep.dll" the PIX
    > sends an enrollment request, and reports "CRYPTO_PKI: status = 102:
    > certificate request pending" but that is the last output generated.
    >
    > 2) What _exactly_ needs to be done on the client? Must you import the
    > CA's certificate? (If so, how?) What type of certificate should you
    > request from the CA (Client Auth, IPSec, etc.)? Must the key length
    > on client and the PIX match?

    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml


    HTH
    Martin
    Martin Bilgrav, Aug 26, 2004
    #6
  7. "Martin Bilgrav" <> wrote in message
    news:C%rXc.41125$...
    >
    > "Peter" <> wrote in message
    > >
    > > 1) What are the _exact_ commands needed on the PIX to configure an MS
    > > CA? When I enter the identity as "10.1.1.1:certsrv/mscep/mscep.dll" as
    > > the manual advises, the PIX will not enroll.
    > >
    > > When I enter the ident as "10.1.1.1://certsrv/mscep/mscep.dll" the PIX
    > > sends an enrollment request, and reports "CRYPTO_PKI: status = 102:
    > > certificate request pending" but that is the last output generated.
    > >
    > > 2) What _exactly_ needs to be done on the client? Must you import the
    > > CA's certificate? (If so, how?) What type of certificate should you
    > > request from the CA (Client Auth, IPSec, etc.)? Must the key length
    > > on client and the PIX match?

    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094e69.shtml


    and this one:

    http://www.mail-archive.com//msg81459.html
    Martin Bilgrav, Aug 26, 2004
    #7
  8. Tim Levy

    Tim Levy Guest

    > I'm having some issues getting a VPN tunnel established between the
    > Cisco VPN Client (4.0) and a PIX 515E (6.3) using digital
    > certificates.


    > The connection works fine when authenticated using a pre-shared key.


    I have previously got this to work against the MS CA.

    Search this group for a post entitled 'Re: PIX 506E VPN with certificates'
    made on 1 July 2004.

    Tim Levy
    London
    Tim Levy, Aug 29, 2004
    #8
