
Configuration of digital certificates: xauth error

gregoeva
Level 1

Hello

I configured my Cisco 3000 concentrator and my VPN Client on Windows 2000 to communicate using certificates (as described in document http://www.cisco.com/warp/public/471/installboth.html).

When I try to connect, the client reports: "Failed to establish a secure connection to the security gateway."

On the concentrator, in the event log, I see the following:

----cut----

594 04/23/2003 14:05:15.490 SEV=5 IKE/79 RPT=5 210.3.253.77
Group [IPSECCERT]
Validation of certificate successful
(CN=<unavailable>, SN=337082B9)

596 04/23/2003 14:05:15.490 SEV=4 IKE/127 RPT=5 210.3.253.77
Group [IPSECCERT]
Xauth required but selected Proposal does not support xauth,
Check priorities of ike xauth proposals in ike proposal list

599 04/23/2003 14:05:15.490 SEV=4 IKEDBG/65 RPT=20 210.3.253.77
Group [IPSECCERT]
IKE MM Responder FSM error history (struct &0x55d6be0)
<state>, <event>:
MM_DONE, EV_ERROR_CONT
MM_DONE, EV_ERROR
MM_BLD_MSG6, EV_CHK_PROPOSAL
MM_BLD_MSG6, EV_COMPARE_IDS

----cut----

I tried to configure only "RSA Digital Certificate" (without xauth) in the IKE Proposal, but the error is the same.

Can somebody help me?

Thank you

Eva

2 Replies

afakhan
Level 4

Hi,

You need to have an IKE proposal with XAUTH under the active IKE proposals.

The vpn3k is asking for it because, under the IPSec tab, your Auth. is not set to None.

thx

Afaq

Hi,

Thanks for your suggestions.

I configured an IKE proposal with XAUTH (CiscoVPNClient-3DES-MD5-RSA).

In the vpn3k group settings, Auth is set to NT Domain, because I also want to authenticate via NT or internal, and this doesn't work. When Auth is set to None, it works fine, but I have no control over the users. Everyone with a valid Siemens certificate can connect to my concentrator. DN Group Matching for 800 users is too tricky.

Any suggestions ?

thx

Eva
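For triaging pasted concentrator logs like the one in the original post, the following is an added example (not part of the thread and not Cisco code): it parses the event format shown above and reports peers whose certificate validated (IKE/79) but whose Phase 1 then failed on the xauth proposal check (IKE/127). The function names are hypothetical, the meaning of the two event IDs is taken only from the excerpt in the post, and the third sample event is constructed.

```python
import re

# Event header as shown in the post: <seq> <date> <time> SEV=<n> <class>/<num> RPT=<n> <peer>
HEADER = re.compile(r"^(\d+) \S+ \S+ SEV=(\d+) ([A-Z]+/\d+) RPT=\d+ (\S+)$")
GROUP = re.compile(r"^Group \[([^\]]+)\]$")

def parse_events(log):
    """Split a pasted log into events; blank lines and ----cut---- markers are skipped."""
    events = []
    for line in (raw.strip() for raw in log.splitlines()):
        m = HEADER.match(line)
        if m:
            events.append({"seq": int(m[1]), "sev": int(m[2]), "event": m[3],
                           "peer": m[4], "group": None, "text": ""})
        elif events and line and not line.startswith("----"):
            g = GROUP.match(line)
            if g:
                events[-1]["group"] = g[1]
            else:
                events[-1]["text"] += line + " "
    return events

def xauth_mismatches(events):
    """Return (peer, group) pairs where IKE/79 (cert OK) is later followed by IKE/127."""
    cert_ok, hits = set(), []
    for ev in events:
        key = (ev["peer"], ev["group"])
        if ev["event"] == "IKE/79":
            cert_ok.add(key)
        elif ev["event"] == "IKE/127" and key in cert_ok:
            hits.append(key)
    return hits

# Events 594 and 596 are copied from the post; event 600 is constructed.
SAMPLE = """\
594 04/23/2003 14:05:15.490 SEV=5 IKE/79 RPT=5 210.3.253.77
Group [IPSECCERT]
Validation of certificate successful
(CN=<unavailable>, SN=337082B9)
596 04/23/2003 14:05:15.490 SEV=4 IKE/127 RPT=5 210.3.253.77
Group [IPSECCERT]
Xauth required but selected Proposal does not support xauth,
Check priorities of ike xauth proposals in ike proposal list
600 04/23/2003 14:06:02.110 SEV=5 IKE/79 RPT=6 192.0.2.10
Group [IPSECCERT]
Validation of certificate successful
"""

if __name__ == "__main__":
    print(xauth_mismatches(parse_events(SAMPLE)))
```

A hit means the certificate itself was accepted, so the place to look is the group's authentication setting and the order of the active IKE proposals, not the certificate chain.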