Conifg That isn't going from 8.4(7) to 9.1(1)

Patrick McHenry · ‎03-18-2014

Been pasting config from old 5520 - 8.4(7) to 5545 - 9.1(1) and some commands are not takinf. Could anyone give me some insight as to why? There are more but I thought I would start with these.

Thank you

*****

crypto ca trustpoint ASDM_TrustPoint5
enrollment terminal
subject-name CN=FRD-INT-FW1
keypair ECA
crl configure
(ERROR: Keypair ECA doesn't exist.)

*****

crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
(ERROR: Unable to configure IKEv1 on interface 'outside' as ipsec-over-tcp is enabled on port 10000, which is currently in use by another service. Please choose a different port for ipsec-over-tcp.
FRD-INT-FW1(config)# crypto ikev1 ipsec-over-tcp port 10000
ERROR: Port 10000 is already in use on the 'outside' interface and will not be added. Please choose a different port for ipsec-over-tcp.)

*****

ssh key-exchange group dh-group1-sha1
(ERROR: % Invalid Hostname)

*****

ssl trust-point ASDM_TrustPoint9 outside
(ERROR: Trustpoint not enrolled. Please enroll trustpoint and try again.)

*****

csd image disk0:/csd_3.6.6249-k9.pkg
csd hostscan image disk0:/hostscan_3.1.04075-k9.pkg
csd enable
anyconnect image disk0:/anyconnect-win-3.1.04072-k9.pkg 1
anyconnect profiles skill disk0:/skill.xml
anyconnect profiles skill_nam disk0:/skill_nam.nsp
(Must supply disk locations in flash)

*****

port-forward TCR 3389 10.40.2.17 3389
(INFO: Local TCP Port <3389> is already in use.)

*****

Thanks, Pat

James Leinweber · ‎03-18-2014

The RSA keypairs aren't stored in the main configuration; they are kept in private NVRAM storage. So prior to pasting a chunk of configuration involving a trustpoint, you need to do an export/import operation on it:

E.g. for certificates on the old 5520:

crypto ca export ASDM_TrustPoint5 pkcs12 YourSymmPassword

Copy the block of text.

On the new 5545-x, run

crypto ca import ASDM_TrustPoint5 pkcs12 YourSymmPassword

and paste the block, then enter quit.

I'm not sure what the IKE1 problem is; when I went from 8.2 to 9.0 I mostly switched to IKE2, and didn't get that. Does show run | include 10000 exhibit anything camping out there?

-- Jim Leinweber, WI State Lab of Hygiene

Patrick McHenry · ‎03-19-2014

Thanks Jim

Output:

crypto ikev1 ipsec-over-tcp port 10000

Thanks

James Leinweber · ‎03-19-2014

This one is stumping me; 10000 is the default port, and it's not supposed to be enabled unless you use this command. Was the output from the old 5520 or the new 5545? In this case we're primarily interested in the 5545, I think?

I don't have this in my configuration, which has both IKEv1 and IKEv2 enabled on the outside interface for assorted IPsec tunnels. However, I re-created my 9.0 crypto configuration from scratch using the ASDM wizards, except for imported trustpoints, rather than trying to migrate it. Are you actually using IPsec over TCP (protocol 6), rather than IPsec over ESP (protocol 50)? The former is common with NAT VPN clients, while the latter is more common with lan-to-lan tunnels.

Patrick McHenry · ‎03-19-2014

Also,

Jim - my 5520 doesn't seem to have the command "crypto ca export".

I get:

Firewall# crypto ca ?

server Local Certificate Server commands

Thanks

James Leinweber · ‎03-19-2014

Surprisingly, "export" is a config-mode command. It was introduced around 7.0, so you really should have it.

Marvin Rhoads · ‎03-19-2014

As Jim notes, it's a config mode command. Your output shows you're in enable mode. Type "conf t" then retry. :)