Different keysize affects establishing IPSec VPN between ASA and IOS?

MaximBudyonny
Level 1

Hello,

I'm trying to establish LAN-to-LAN IPSec on digital certificates between IOS box and ASA. ASA is managed by other company and I don't have access to it.

While IKE enters the cert exchange phase,

Old State = IKE_I_MM4  New State = IKE_I_MM5

I get the following messages:

Nov  5 17:39:35.806: ISAKMP:(1003): processing CERT payload. message ID = 0
Nov  5 17:39:35.806: ISAKMP:(1003): processing a CT_X509_SIGNATURE cert
Nov  5 17:39:35.806: ISAKMP:(1003): IKE->PKI Add peer's certificate state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov  5 17:39:35.810: ISAKMP:(1003): PKI->IKE Added peer's certificate state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov  5 17:39:35.810: ISAKMP:(1003): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov  5 17:39:35.810: ISAKMP:(1003): PKI->IKE Got PeerCertificateChain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov  5 17:39:35.810: ISAKMP:(1003): peer's pubkey isn't cached
Nov  5 17:39:35.810: ISAKMP:(0): Creating CERT validation list: trpoint,
Nov  5 17:39:35.810: ISAKMP:(1003): IKE->PKI Validate certificate chain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov  5 17:39:35.810: ISAKMP:(1003): PKI->IKE Validate certificate chain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov  5 17:39:35: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from X.X.X.X is bad: unknown error returned in certificate validation
Nov  5 17:39:35.810: ISAKMP:(1003): Unknown error in cert validation, -1
Nov  5 17:39:35.810: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

As I can see:

1) It's not a time/clock issue. At least the IOS box uses NTP and has a properly configured timezone. In any case the certificate is not expired and the certificate issue time is OK.

2) It's not a CRL issue. I have configured the trustpoint with both "revocation-check none" and "revocation-check crl". The CRL file is valid and accessible. The CRL host can be reached from the IOS box by telnetting to port 80.

I'm really confused about this issue.

As far as I know, in message MM5 my side sends its certificate, while in message MM6 the remote side sends me its certificate.

For some reason the IOS box can't work with it.

Can different key sizes cause this issue? Keys are 2048 on my side and 1024 on the remote (ASA) side.

Config from my side:

===========================

crypto pki trustpoint trpoint
 enrollment url http://ca.domain:80/scep/
 fqdn R1
 subject-name CN=R1
 revocation-check none
 source interface GigabitEthernet0/1
 auto-enroll

crypto isakmp policy 1
 encr aes 256
 group 5
crypto isakmp identity dn

crypto pki certificate map CERT-MAP 10
 issuer-name co domain

crypto isakmp profile PROFILE
   ca trust-point trpoint
   match certificate CERT-MAP

crypto map CRYPTO-MAP 10 ipsec-isakmp
 set peer X.X.X.X
 set transform-set TS
 set isakmp-profile PROFILE
 match address CRYPTO-ACL

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
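As an added example (not part of the original post or of any Cisco tool), the following Python script triages ISAKMP debug output of the kind shown above: it pulls out the SA number, the logged peer address, the last main-mode state transition, the trustpoints IKE handed to PKI for chain validation, and the PKI result code, and then states where in the exchange the certificate was rejected. The sample input is constructed from the poster's own debug lines, keeping the X.X.X.X placeholder; the field names and the verdict wording are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ISAKMP debug lines from the post, with the poster's
# X.X.X.X placeholder kept for the peer address.
SAMPLE_DEBUG = """\
Old State = IKE_I_MM4  New State = IKE_I_MM5
Nov  5 17:39:35.806: ISAKMP:(1003): processing CERT payload. message ID = 0
Nov  5 17:39:35.806: ISAKMP:(1003): processing a CT_X509_SIGNATURE cert
Nov  5 17:39:35.810: ISAKMP:(1003): IKE->PKI Get PeerCertificateChain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov  5 17:39:35.810: ISAKMP:(1003): peer's pubkey isn't cached
Nov  5 17:39:35.810: ISAKMP:(0): Creating CERT validation list: trpoint,
Nov  5 17:39:35.810: ISAKMP:(1003): IKE->PKI Validate certificate chain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov  5 17:39:35.810: ISAKMP:(1003): PKI->IKE Validate certificate chain state (I) MM_KEY_EXCH (peer X.X.X.X)
Nov  5 17:39:35: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from X.X.X.X is bad: unknown error returned in certificate validation
Nov  5 17:39:35.810: ISAKMP:(1003): Unknown error in cert validation, -1
Nov  5 17:39:35.810: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
"""

# Patterns for the lines that matter in an IKEv1 certificate-authentication failure.
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
SA_RE = re.compile(r"ISAKMP:\((\d+)\)")
PEER_RE = re.compile(r"\(peer ([^)]+)\)")
TRUSTPOINT_RE = re.compile(r"Creating CERT validation list: ([^,]+),")
VALIDATE_RE = re.compile(r"IKE->PKI Validate certificate chain")
INVAL_RE = re.compile(r"%CRYPTO-5-IKMP_INVAL_CERT: Certificate received from (\S+) is bad: (.+)$")
ERRCODE_RE = re.compile(r"cert validation, (-?\d+)")


@dataclass
class CertAuthTriage:
    sa_id: Optional[str] = None              # ISAKMP SA number, e.g. 1003
    peer: Optional[str] = None               # peer address exactly as logged
    last_state: Optional[str] = None         # target of the most recent state transition
    trustpoints: List[str] = field(default_factory=list)  # trustpoints PKI validated against
    validation_requested: bool = False       # IKE handed the peer chain to PKI
    failure_reason: Optional[str] = None     # text after "is bad:" in the syslog line
    error_code: Optional[int] = None         # numeric PKI result (-1 in the post)


def triage_ike_debug(text: str) -> CertAuthTriage:
    """Walk the debug lines once and collect the fields needed to place the failure."""
    r = CertAuthTriage()
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            r.last_state = m.group(2)
        # SA 0 is used for bookkeeping messages; keep the real negotiation's id.
        if (m := SA_RE.search(line)) and m.group(1) != "0":
            r.sa_id = m.group(1)
        if m := PEER_RE.search(line):
            r.peer = m.group(1)
        if m := TRUSTPOINT_RE.search(line):
            r.trustpoints.append(m.group(1))
        if VALIDATE_RE.search(line):
            r.validation_requested = True
        if m := INVAL_RE.search(line):
            r.peer = r.peer or m.group(1)
            r.failure_reason = m.group(2).strip()
        if m := ERRCODE_RE.search(line):
            r.error_code = int(m.group(1))
    return r


def verdict(r: CertAuthTriage) -> str:
    """Say where the exchange stopped and which component rejected the certificate."""
    if r.failure_reason is None and r.error_code is None:
        return "no certificate validation failure logged"
    if not r.validation_requested:
        return "certificate failure logged, but no IKE->PKI chain validation request seen"
    return (f"peer certificate from {r.peer} rejected by local PKI "
            f"(trustpoints {','.join(r.trustpoints) or 'none'}) at {r.last_state}: "
            f"{r.failure_reason} (code {r.error_code})")


if __name__ == "__main__":
    print(verdict(triage_ike_debug(SAMPLE_DEBUG)))
```

What the verdict makes visible is that the peer's certificate got all the way to the local PKI validator (IKE->PKI Validate certificate chain against trustpoint trpoint) and PKI answered -1, so the problem is on the local validation path (the trustpoint's CA chain versus the issuer of the peer certificate, and the certificate map) rather than in IKE's parsing of the CERT payload; the PKI-side debugs are where the next level of detail lives.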
