Using certificate authentication on VPN tunnel instead of preshared

Discussion in 'Cisco' started by Krzysztof, May 15, 2005.

  1. Krzysztof

    Krzysztof Guest

    Hi!

    I have a problem with using certificates to authenticate the VPN connection
    between a PIX and the Cisco VPN client.

    First, I configured a VPN tunnel authenticated with preshared keys and
    everything was working just fine! Then I configured certificate use.

    ( with commands:
    ca identity jowisz x.x.x.x:/certsrv/mscep/mscep.dll
    ca configure jowisz ra 1 20 crloptional
    ca auth jowisz
    ca enroll serial_number)

    Finally I changed the isakmp policy from:

    isakmp policy 40 authentication pre-share
    isakmp policy 40 encryption aes-256
    isakmp policy 40 hash sha
    isakmp policy 40 group 5
    isakmp policy 40 lifetime 86400

    to:

    no isakmp policy 40
    isakmp policy 40 authentication rsa-sig
    isakmp policy 40 encryption aes-256
    isakmp policy 40 hash sha
    isakmp policy 40 group 5
    isakmp policy 40 lifetime 86400

    and then the connection was always terminated by the VPN client with code 401 (an
    unknown reason). After investigating the isakmp conversation I found that the
    PIX cannot assign an IP address to the VPN client (I have no idea why, as I have
    configured the appropriate pool and have assigned it to the vpngroup). Then I
    discovered that issuing the command:

    # isakmp client configuration address-pool local my_pool_name

    makes things a little better. Now I can establish working VPN tunnel, but:

    1. tunnel split did not work - it was working with preshared authentication
    2. the VPN client receives an IP address via DHCP, but doesn't receive a DNS
    server IP address and domain name (defined via vpngroup).


    My PIX is 515E with version 6.3

    Quick network description:

    10.1.0.0/16 ----- pix ----internet ---- VPN client with IP 10.1.111.0/24
    |
    ------ other network (192.168.0.0/24)

    and here is my abbreviated config:

    PIX Version 6.3(4)
    interface ethernet0 auto
    interface ethernet1 auto
    ...
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    ....
    enable password xxxxxxxxxxxxxx encrypted
    passwd xxxxxxxxxxxxxxxxx encrypted
    hostname pix
    domain-name mydomain.com
    .....
    access-list inside_outbound_nat0_acl permit ip any 10.1.110.0 255.255.255.0
    access-list inside_outbound_nat0_acl permit ip 10.1.0.0 255.255.0.0 10.1.111.0 255.255.255.0
    ....
    access-list outside_cryptomap_dyn_20 permit ip any 10.1.110.0 255.255.255.0
    access-list pd_split_cert_splitTunnelAcl permit ip 10.1.0.0 255.255.0.0 any
    access-list pd_split_cert_splitTunnelAcl permit ip 192.168.0.0 255.255.0.0 any
    access-list outside_cryptomap_dyn_40 permit ip any 10.1.111.0 255.255.255.0
    ......
    ip address outside a.b.c.d 255.255.255.128
    ip address inside 10.1.0.1 255.255.0.0
    .......
    ip verify reverse-path interface outside
    ip verify reverse-path interface inside
    ......
    ip local pool my_pool_1 10.1.110.1-10.1.110.254
    ip local pool my_pool_2 10.1.111.1-10.1.111.254
    .....
    nat (inside) 0 access-list inside_outbound_nat0_acl
    ......
    route outside 0.0.0.0 0.0.0.0 a.b.c.1 1
    ......
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server TACACS+ (inside) host x.y.z.w xxxxxxxxxxx timeout 5
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    .....
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication TACACS+ LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption aes-256
    isakmp policy 20 hash sha
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    isakmp policy 40 authentication rsa-sig
    isakmp policy 40 encryption aes-256
    isakmp policy 40 hash sha
    isakmp policy 40 group 5
    isakmp policy 40 lifetime 86400
    vpngroup my_vpn_group_1 address-pool my_pool_1
    vpngroup my_vpn_group_1 dns-server 10.1.1.16 10.1.1.15
    vpngroup my_vpn_group_1 wins-server 10.1.1.16 10.1.1.15
    vpngroup my_vpn_group_1 default-domain mydomain.com
    vpngroup my_vpn_group_1 pfs
    vpngroup my_vpn_group_1 idle-time 1800
    vpngroup my_vpn_group_1 password ********
    vpngroup my_vpn_group_2 address-pool my_pool_2
    vpngroup my_vpn_group_2 dns-server 10.1.1.16 10.1.1.15
    vpngroup my_vpn_group_2 default-domain mydomain.com
    vpngroup my_vpn_group_2 split-tunnel pd_split_cert_splitTunnelAcl
    vpngroup my_vpn_group_2 idle-time 1800
    vpngroup my_vpn_group_2 password ********
    ca identity jowisz 10.1.0.10:/certsrv/mscep/mscep.dll
    ca configure jowisz ra 1 20 crloptional
    ......
    management-access inside
    .....
    username yyyyyyyyyyyyy password xxxxxxxxxxxxxxxx encrypted privilege 15

    Can anyone help me solve this?
    (Or at least explain what is going on?)


    Best regards:
    Krzysztof
     
    Krzysztof, May 15, 2005
    #1

  2. Krzysztof

    Krzysztof Guest

    Hi!

    Nobody can (or wants to) help?

    Krzysztof
     
    Krzysztof, May 16, 2005
    #2

  3. Mattias

    Mattias Guest

    The ou in your cert matches the vpngroup my_vpn_group_1?

    //TC
     
    Mattias, May 16, 2005
    #3
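    To make the point of this reply concrete: with rsa-sig authentication the PIX picks the vpngroup whose name equals the OU of the client certificate, so a non-matching OU leaves the client with no group attributes. The model below is an added illustration, not PIX code or a PIX parser; the config text is constructed from the vpngroup lines posted above, and the fallback-pool behaviour follows the thread's own description (address assigned by the global `isakmp client configuration address-pool local` pool, no DNS, no split tunnel).

```python
"""Model of vpngroup selection by certificate OU, as described in the thread."""
import re

# Constructed from the vpngroup lines of the posted config (illustration only).
PIX_VPNGROUP_CONFIG = """
vpngroup my_vpn_group_1 address-pool my_pool_1
vpngroup my_vpn_group_1 dns-server 10.1.1.16 10.1.1.15
vpngroup my_vpn_group_1 default-domain mydomain.com
vpngroup my_vpn_group_2 address-pool my_pool_2
vpngroup my_vpn_group_2 dns-server 10.1.1.16 10.1.1.15
vpngroup my_vpn_group_2 default-domain mydomain.com
vpngroup my_vpn_group_2 split-tunnel pd_split_cert_splitTunnelAcl
"""


def parse_vpngroups(config):
    """Collect per-group attributes from 'vpngroup <name> <attr> <values...>' lines."""
    groups = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "vpngroup":
            groups.setdefault(parts[1], {})[parts[2]] = parts[3:]
    return groups


def subject_ou(subject_dn):
    """Return the OU attribute of a subject DN such as 'CN=host,OU=grp,O=org'."""
    for rdn in re.split(r"(?<!\\),", subject_dn):  # split on unescaped commas
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "OU":
            return value.strip()
    return None


def select_vpngroup(subject_dn, groups, fallback_pool=None):
    """Pick the vpngroup named like the cert OU. With no match, only the global
    fallback pool (if any) applies: an address, but no dns-server and no
    split-tunnel, which is the symptom reported in the first post."""
    ou = subject_ou(subject_dn)
    if ou in groups:
        g = groups[ou]
        return {"group": ou,
                "pool": g.get("address-pool", [fallback_pool])[0],
                "dns": g.get("dns-server", []),
                "split_tunnel": (g.get("split-tunnel") or [None])[0]}
    return {"group": None, "pool": fallback_pool, "dns": [], "split_tunnel": None}
```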
  4. Krzysztof

    Krzysztof Guest

    Hi!
    No! Probably this is the case!
    (unfortunately I can't check this until next week)

    But thank you for your note.

    Best regards:

    Krzysztof
     
    Krzysztof, May 17, 2005
    #4