Certificate authentication with ASA5520 using iPhone & BlackBerry devices

jorgesegura
Level 1

Hi.

I have an issue when I'm trying to authenticate my iPhone & BlackBerry devices with ASA 5520 using certificates.

It seems that certificates are working fine; they pass IKE phase 1 but never complete phase 2.

When I use pre-shared keys everything works fine with both devices.

Any help will be appreciated.

If you consider it necessary, I can provide my current ASA configuration.

Thanks in advance.

Regards

2 Replies

Richard Burts
Hall of Fame

Jorge

I have looked at the debug that you posted and do not see an obvious problem. Perhaps it would help if you would post the config of your ASA.

HTH

Rick

I have a question:

Reviewing the debug output, I noticed this:

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via OU...

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, No Group found by matching OU(s) from ID payload: ou=ARI,

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via IKE ID...

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via IP ADDR...

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Trying to find group via default group...

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, Connection landed on tunnel_group DefaultRAGroup

I guess that after this, the payload should be constructed according to the correct OU in the certificate (for the ASA cn=IT & for the user certificate cn=ARI). Could this be the issue that generates the following error in payload construction?

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, IKE SA MM:9bd156e4 terminating: flags 0x0301c002, refcnt 0, tuncnt 0

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, sending delete/delete with reason message

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing blank hash payload

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing IKE delete payload

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing qm hash payload

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, IKE_DECODE SENDING Message (msgid=a9d5bd52) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, peer ID type 9 received (DER_ASN1_DN)

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing ID payload

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing cert payload

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing RSA signature

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, Computing hash for ISAKMP

Oct 26 17:28:19 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP = 189.245.35.213, constructing dpd vid payload

Oct 26 17:28:19 [IKEv1]: IP = 189.245.35.213, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR (13) + UNKNOWN (239), *** ERROR *** total length : 1365

 

Oct 26 17:28:19 [IKEv1]: Group = DefaultRAGroup, IP = 189.245.35.213, Session is being torn down. Reason: Peer Reconnected

Oct 26 17:28:19 [IKEv1]: Ignoring msg to mark SA with dsID 3481600 dead because SA deleted

I'm attaching the ASA's config. Just for reference, take a look at this:

dynamic-map = MODELOMVS
crypto-map = MODELOCRY 92

group-policy = DfltGrpPolicy
tunnel-group = DefaultRAGroup

The VPN with dynamic-map & tunnel-group = modelovpn works fine, no issue.

Regards, and thanks for your prompt response.
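The debug above shows the ASA walking its tunnel-group selection order: certificate OU (`ou=ARI`), then IKE ID, then peer IP, then the default group, and landing on DefaultRAGroup because nothing is bound to OU=ARI. The fragment below is an added example, not code from this thread or from the attached ASA configuration, showing how such connections can be steered with a certificate map to the tunnel-group that already works (`modelovpn`). The trustpoint name `ASA-TP` and the map name `CERTMAP-ARI` are assumptions; `modelovpn` and `ou=ARI` are taken from the thread.

```cisco
! Added example, not from the thread or the poster's config.
! Assumed names: ASA-TP (trustpoint holding the ASA identity certificate),
! CERTMAP-ARI (certificate map). modelovpn and OU=ARI come from the thread.
!
! 1. Certificate map: match user certificates whose subject carries OU=ARI.
crypto ca certificate map CERTMAP-ARI 10
 subject-name attr ou eq ARI
!
! 2. Select the tunnel-group by certificate-map rule. Plain OU matching
!    ("tunnel-group-map enable ou") looks for a tunnel-group literally
!    named after the OU value, so "ou=ARI" finds nothing unless a
!    tunnel-group called ARI exists; the rule below maps it explicitly.
tunnel-group-map enable rules
tunnel-group-map CERTMAP-ARI 10 modelovpn
!
! Alternative: send certificate-authenticated peers that match no rule
! to modelovpn instead of DefaultRAGroup.
! tunnel-group-map default-group modelovpn
!
! 3. The selected tunnel-group must carry the ASA identity certificate so
!    the ASA can build its CERT and SIG payloads in main mode.
!    (On ASA releases before 8.4 the keyword is "trust-point".)
tunnel-group modelovpn ipsec-attributes
 ikev1 trust-point ASA-TP
!
! Verify what is configured, then re-run the IKE debug and look for
! "Connection landed on tunnel_group modelovpn" instead of DefaultRAGroup.
show running-config tunnel-group-map
show running-config crypto ca certificate map
```

With the rule in place, the "Trying to find group via OU" step is no longer the only path to `modelovpn`: any certificate whose subject contains OU=ARI is matched by `CERTMAP-ARI` before the IKE ID, peer IP and default-group fallbacks are tried, so the session picks up the group-policy and dynamic map already attached to `modelovpn` rather than those of DefaultRAGroup.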