01-16-2008 05:13 AM - edited 03-11-2019 04:49 AM
Hello,
I have a problem with VPN configuration of our PIX Firewall.
We use this configuration:
PIX 515E (3 interfaces) running the latest 8.0(3) firmware.
We are using an L2TP IPSec VPN with certificates from our Microsoft CA and using the native Windows XP client. This setup was running O.K. with the old firmware (6.x), but after upgrading our PIX to 8.0(3) the VPN clients cannot connect anymore. We tried to debug our configuration and found the following errors:
5|Jan 11 2008|09:22:46|713904|||Group = DefaultRAGroup, IP = 85.160.26.229, Peer Certificate authentication failed: General Error
3|Jan 11 2008|09:22:46|717027|||Certificate chain failed validation. Certificate chain is either invalid or not authorized.
3|Jan 11 2008|09:22:46|717009|||Certificate validation failed. Peer certificate key usage is invalid, serial number: 13780BA600000000027B, subject name: ea=ales.hybner@svas.cz,cn=Aleš Hybner,ou=UIT,o=SVAS,l=Kladno,st=Kladno,c=CR.
Can anybody help?
Thanks, Jan
01-22-2008 10:25 AM
The cert in your case may not be an acceptable one. You can configure PIX to bypass keyusage verification by configuring:
crypto ca trustpoint
ignore-ipsec-keyusage
The reason is that pre-8.0 code did not enforce the key usages, so it worked fine, but with 8.0 it is enforced, so the ignore-ipsec-keyusage reverts this back to no checking as in the pre-8.0 codebase.
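As an added example (not the reply's own text and not a configuration from the thread), this is where the suggested command sits inside a trustpoint on PIX/ASA 8.0, together with the enrollment steps and the binding to the group the XP clients land in. The trustpoint name MS-CA, the key pair label, the subject name and the tunnel group are assumptions. Note the trade-off: ignore-ipsec-keyusage removes the key-usage check rather than fixing the certificate. The alternative that keeps the check is to issue the client certificates from a CA template whose Key Usage includes Digital Signature and whose Extended Key Usage covers IKE (the Microsoft "IP security IKE intermediate" usage, OID 1.3.6.1.5.5.8.2.2), which is what the 717009 message is complaining about.

```cisco
! Added example: Microsoft-CA trustpoint on PIX/ASA 8.0.
! MS-CA, PIX-RSA and the subject-name are assumptions.
crypto key generate rsa label PIX-RSA modulus 2048
crypto ca trustpoint MS-CA
 enrollment terminal
 subject-name CN=pix.example.com,O=Example
 keypair PIX-RSA
 ! Revert to pre-8.0 behaviour: do not reject client certs on KU/EKU
 ignore-ipsec-keyusage
exit
! Paste the CA certificate, then request and paste the PIX's own certificate
crypto ca authenticate MS-CA
crypto ca enroll MS-CA
crypto ca import MS-CA certificate
! Bind the trustpoint to the group the native Windows client uses
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point MS-CA
exit
! Checks: both the CA and the identity certificate must show as Available
show crypto ca certificates MS-CA
show crypto ca trustpoints
```

If you later move the clients to properly issued certificates, remove the bypass with `no ignore-ipsec-keyusage` under the trustpoint and confirm with `debug crypto ca 3` during a connection that no 717009 message is logged.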
01-23-2008 11:04 PM
Now it works, thank you very much for your help.
03-20-2008 02:20 PM
Would you mind revealing your configuration for L2TP with Microsoft CA certificates and XP clients? I've been trying to do that to no avail.
03-21-2008 01:59 AM
03-21-2008 06:34 AM
Very nice of you, thanks! Although it looks like I've done the same things. I can get a W2k client L2TP VPN to work, but not an XP. Don't know why.
03-21-2008 06:37 AM
Although I do see some commands that I'm not sure of. Crypto map? IPsec transform-set?
I'll have to look these up. Not too familiar with IOS. I thought it was just a matter of letting through 1701, isakmp, esp, 4500.
03-21-2008 02:02 PM
I am a bit confused. Are you trying to make a L2TP connection to the PIX or through the PIX to another server? If you want to connect with L2TP to the PIX, these commands are necessary.
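As an added example (not the configuration posted in the thread), this is the minimal set of commands the reply refers to for terminating L2TP over IPsec on the PIX itself with certificate authentication on 8.0: IKE policy with rsa-sig, a transport-mode transform set (L2TP requires transport mode, which is the usual mistake), a dynamic crypto map, and the DefaultRAGroup settings. The address pool, DNS server, user name and trustpoint name MS-CA are assumptions.

```cisco
! Added example: L2TP/IPsec terminated ON the PIX, certificate authentication.
! Pool, DNS server, user name and trustpoint MS-CA are assumptions.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
! Phase 2: the native Windows client negotiates transport mode, not tunnel mode
crypto ipsec transform-set L2TP-TS esp-3des esp-sha-hmac
crypto ipsec transform-set L2TP-TS mode transport
crypto dynamic-map DYN-MAP 10 set transform-set L2TP-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
! PPP addressing and group settings
ip local pool L2TP-POOL 192.168.50.10-192.168.50.50 mask 255.255.255.0
group-policy DefaultRAGroup attributes
 vpn-tunnel-protocol l2tp-ipsec
 dns-server value 10.0.0.5
tunnel-group DefaultRAGroup general-attributes
 address-pool L2TP-POOL
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point MS-CA
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
! Local PPP user; the mschap keyword stores the NT hash needed for MS-CHAPv2
username vpnuser password S3cretPassw0rd mschap
! Checks
show crypto isakmp sa
show crypto ipsec sa
show vpn-sessiondb l2tp
```

Nothing in the access lists needs to permit UDP 500/4500 or ESP to the outside interface for this case: traffic addressed to the PIX's own interface is handled by the crypto map, and decrypted L2TP/PPP traffic is admitted by `sysopt connection permit-vpn`, which is on by default.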
03-24-2008 07:41 AM
OK, sorry about the confusion. I'm trying to permit L2TP THROUGH the PIX to a Windows 2K3 server, which is a CA, using the Microsoft native client on an XP Pro SP2 machine and certificate authentication. There is a static NAT entry from the outside IP address on the PIX to the inside address of the server. I wonder if this is not part of the problem. When I run a trace of the connection attempt, the ISAKMP never gets past the negotiation stage, and the request times out. The debug commands don't show anything either.
Thanks again
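For the pass-through case described in the last post, here is an added example (not from the thread) of what the PIX side needs when the L2TP/IPsec server sits behind a static NAT: the one-to-one static, an inbound access list for IKE (UDP 500), NAT-T (UDP 4500) and ESP, and the captures to confirm which of them actually arrive. The outside address 203.0.113.10, the inside address 10.0.0.20 and the access-list name are assumptions. UDP 1701 is deliberately not opened: L2TP rides inside the IPsec SA, so it only needs a rule if L2TP were run unencrypted.

```cisco
! Added example: L2TP/IPsec passed THROUGH the PIX to an inside Windows 2003 server.
! 203.0.113.10 (outside), 10.0.0.20 (inside) and OUTSIDE-IN are assumptions.
static (inside,outside) 203.0.113.10 10.0.0.20 netmask 255.255.255.255
! IKE and NAT-T from any Internet client to the translated server address
access-list OUTSIDE-IN extended permit udp any host 203.0.113.10 eq isakmp
access-list OUTSIDE-IN extended permit udp any host 203.0.113.10 eq 4500
! Plain ESP only matters for peers that negotiate no NAT-T; harmless to allow
access-list OUTSIDE-IN extended permit esp any host 203.0.113.10
access-group OUTSIDE-IN in interface outside
! Checks while a client attempts to connect: does UDP 500 arrive, and does the
! exchange move to UDP 4500 after NAT detection?
capture L2TP interface outside match udp any host 203.0.113.10
show capture L2TP
show conn protocol udp port 500
show conn protocol udp port 4500
```

One caveat worth checking on the client before blaming the PIX: because the server's address is translated, IKE NAT discovery on both ends detects a NAT and the session should move to UDP 4500. Windows XP SP2 by default refuses to complete an IPsec security association to a server it detects behind a NAT (Microsoft KB 885407); the documented workaround is the DWORD value AssumeUDPEncapsulationContextOnSendRule set to 2 under HKLM\SYSTEM\CurrentControlSet\Services\IPSec on the XP SP2 client, followed by a reboot. That behaviour would fit the symptoms described (a W2k client connects, an XP SP2 client stalls in ISAKMP negotiation), but it is a known cause to rule out, not a confirmed diagnosis of this setup.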