04-23-2003 04:44 AM - edited 03-09-2019 02:59 AM
Hallo
I configured my Cisco 3000 concentrator and my VPN Client on Windows 2000 to communicate using certificates (as described in document http://www.cisco.com/warp/public/471/installboth.html).
When I try to connect, the client report: "Failed to establish a secure connection to the security gateway.
On the concentrator in the event log I see following:
----cut----
594 04/23/2003 14:05:15.490 SEV=5 IKE/79 RPT=5 210.3.253.77
Group [IPSECCERT]
Validation of certificate successful
(CN=<unavailable>, SN=337082B9)
596 04/23/2003 14:05:15.490 SEV=4 IKE/127 RPT=5 210.3.253.77
Group [IPSECCERT]
Xauth required but selected Proposal does not support xauth,
Check priorities of ike xauth proposals in ike proposal list
599 04/23/2003 14:05:15.490 SEV=4 IKEDBG/65 RPT=20 210.3.253.77
Group [IPSECCERT]
IKE MM Responder FSM error history (struct &0x55d6be0)
<state>, <event>:
MM_DONE, EV_ERROR_CONT
MM_DONE, EV_ERROR
MM_BLD_MSG6, EV_CHK_PROPOSAL
MM_BLD_MSG6, EV_COMPARE_IDS
----cut----
I tried to configure only "RSA Digital Certificate" (whitout xauth) in the IKE Proposal, but the error is the same.
Can somebody help me?
Thank you
Eva
04-23-2003 10:16 AM
Hi,
you need to have an IKE proposal under IKE active proposals with XAUTH.
vpn3k is asking for it bcoz under ipsec tab ur Auth. is not set to None.
thx
Afaq
04-24-2003 03:54 AM
Hi,
thanks for your suggestions.
I configured an IKE proposal with XAUTH. (CiscoVPNClient-3DES-MD5-RSA)
In vpn3k by the group settings is the Auth set to NT Domain, because I'll make authentication also by NT or internal and this doesn't work. When Auth set to None, then works fine, but I have no control about the users. Everyone with a valid siemens certificate can connect to my concentrator. The DN Group Matching for 800 user is to tricky.
Any suggestions ?
thx
Eva
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide