Beginner

Certificate authentication with ASA5520 using iPhone & BlackBerry devices

Hi.

I have an issue when I'm trying to authenticate my iPhone & BlackBerry devices with an ASA 5520 using certificates.

It seems that certificates are working fine: they pass IKE phase 1 but never complete phase 2.

When I use pre-shared keys, everything works fine with both devices.

Any help will be appreciated.

If you consider it necessary, I can provide my current ASA configuration.

Thanks in advance.

Regards

Hall of Fame Master

CERTIFICATE AUTHENTICATION WITH ASA5520 USING IPHONE&BLACKBERRY

Jorge

I have looked at the debug that you posted and do not see an obvious problem. Perhaps it would help if you would post the config of your ASA.

HTH

Rick

If you found this post helpful, please let the community know by clicking the helpful button!
By doing so, and until end of January, you are helping Doctors Without Borders
Beginner

Re: CERTIFICATE AUTHENTICATION WITH ASA5520 USING IPHONE&BLACKBE

I have a question:

Reviewing the debug output I noticed this:

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via OU...
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, No Group found by matching OU(s) from ID payload: ou=ARI,
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via IKE ID...
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via IP ADDR...
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via default group...
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Connection landed on tunnel_group DefaultRAGroup

I guess after this, the payload should be constructed according to the correct OU in the certificate (for the ASA cn=IT and for the user certificate cn=ARI). Could this be the issue that generates the following error in payload construction?

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, IKE SA MM:9bd156e4 terminating: flags 0x0301c002, refcnt 0, tuncnt 0
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, sending delete/delete with reason message
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing blank hash payload
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing IKE delete payload
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing qm hash payload
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, IKE_DECODE SENDING Message (msgid=a9d5bd52) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, peer ID type 9 received (DER_ASN1_DN)
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing ID payload
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing cert payload
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing RSA signature
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, Computing hash for ISAKMP
Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing dpd vid payload

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR (13) + UNKNOWN (239), *** ERROR *** total length : 1365

Oct 26 17:28:19 [IKEv1]: Group = DefaultRAGroup, IP = 189.245.35.213, Session is being torn down. Reason: Peer Reconnected
Oct 26 17:28:19 [IKEv1]: Ignoring msg to mark SA with dsID 3481600 dead because SA deleted

I'm attaching the ASA's config. Just for reference, take a look at this:

dynamic-map=MODELOMVS
crypto-map= MODELOCRY 92

Group-policy=DfltGrpPolicy
Tunnel-group=DefaultRAGroup

VPN with dynamic-map & tunnel-group=modelovpn works fine, no issue.

Regards, and thanks for your prompt response.
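The reply above reads the ASA's tunnel-group selection straight off the IKEv1 debug: the ASA tried OU, then IKE ID, then IP address, then the default group, and landed on DefaultRAGroup. The Python script below is added here as an example and is not code from this thread or from Cisco. It parses those lines into a summary (lookup methods in the order tried, the OU values the ASA extracted from the peer certificate's ID payload, the group the connection landed on, and the teardown reason) and checks the OU values against a list of configured tunnel-group names. The sample log is constructed from the lines quoted above; the tunnel-group list is an assumption, since the thread only names modelovpn.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample input: the group-selection and teardown lines quoted in
# the reply above (same line format as the thread's IKEv1 debug output).
SAMPLE_DEBUG = """\
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via OU...
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, No Group found by matching OU(s) from ID payload: ou=ARI,
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via IKE ID...
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via IP ADDR...
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via default group...
Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Connection landed on tunnel_group DefaultRAGroup
Oct 26 17:28:19 [IKEv1]: Group = DefaultRAGroup, IP = 189.245.35.213, Session is being torn down. Reason: Peer Reconnected
"""

# Assumption: tunnel-group names as they would appear in the ASA config.
# The thread names only "modelovpn"; the two Default* groups exist on every ASA.
CONFIGURED_TUNNEL_GROUPS = ["DefaultRAGroup", "DefaultL2LGroup", "modelovpn"]

LOOKUP_RE = re.compile(r"Trying to find group via (.+?)\.\.\.")
OU_RE = re.compile(r"No Group found by matching OU\(s\) from ID payload: (.*)")
LANDED_RE = re.compile(r"Connection landed on tunnel_group (\S+)")
TEARDOWN_RE = re.compile(r"Session is being torn down\. Reason: (.*)")


def parse_group_selection(debug_text: str) -> Dict[str, Any]:
    """Extract how the ASA chose a tunnel-group for one IKEv1 session."""
    lookups: List[str] = []    # lookup methods, in the order the ASA tried them
    cert_ous: List[str] = []   # OU values the ASA read from the peer's ID payload
    landed: Optional[str] = None
    teardown: Optional[str] = None
    for line in debug_text.splitlines():
        if m := LOOKUP_RE.search(line):
            lookups.append(m.group(1))
        elif m := OU_RE.search(line):
            # The ASA prints "ou=ARI," (one "ou=" entry per OU, comma-terminated).
            for part in m.group(1).split(","):
                part = part.strip()
                if part.lower().startswith("ou="):
                    cert_ous.append(part[3:])
        elif m := LANDED_RE.search(line):
            landed = m.group(1)
        elif m := TEARDOWN_RE.search(line):
            teardown = m.group(1)
    return {"lookups": lookups, "cert_ous": cert_ous,
            "landed": landed, "teardown": teardown}


def diagnose(summary: Dict[str, Any], configured_groups: List[str]) -> List[str]:
    """Turn the parsed summary into findings an operator can act on."""
    findings: List[str] = []
    # OU-based lookup only succeeds when a tunnel-group carries the OU's name.
    for ou in summary["cert_ous"]:
        if ou not in configured_groups:
            findings.append(f"certificate OU '{ou}' matches no tunnel-group name")
    if summary["landed"] == "DefaultRAGroup" and summary["cert_ous"]:
        findings.append("session fell through to DefaultRAGroup, so its policy "
                        "applies instead of the intended group's")
    if summary["teardown"]:
        findings.append(f"session torn down: {summary['teardown']}")
    return findings


if __name__ == "__main__":
    summary = parse_group_selection(SAMPLE_DEBUG)
    print("lookup order :", " -> ".join(summary["lookups"]))
    print("cert OU(s)   :", summary["cert_ous"])
    print("landed on    :", summary["landed"])
    for finding in diagnose(summary, CONFIGURED_TUNNEL_GROUPS):
        print("finding      :", finding)
```

Run against the thread's lines, it reports that ou=ARI matches no tunnel-group name and that the session therefore fell through to DefaultRAGroup, whose group-policy and settings apply instead of modelovpn's. When OU-based selection is the intended mapping, the check is whether a tunnel-group named after the certificate OU exists, or whether a certificate map ties that DN to the intended group; comparing the debug summary with the configured group list makes the gap visible before touching phase 2.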

 

 

 

 

 
