Issues with VPN Client connecting over IPSEC to 819 Router (CA)

Forgive my ignorance; much of this is new to me.

I am configuring an 819 router for client VPN access. The configuration I created worked fine for PSK, but I need to implement certificates.

I configured the 819 as a CA, exported my root cert and submitted a CSR to issue a cert to myself. I added that cert to my VPN Client profile, but I get the following errors in the log:

36 11:40:25.756 06/15/16 Sev=Warning/2 IKE/0xE300009B
Failed to generate signature: Signature generation failed (SigUtil:97)

37 11:40:25.758 06/15/16 Sev=Warning/2 IKE/0xE300009B
Failed to build Signature payload (MsgHandlerMM:489)

38 11:40:25.758 06/15/16 Sev=Warning/2 IKE/0xE300009B
Failed to build MM msg5 (NavigatorMM:312)

39 11:40:25.758 06/15/16 Sev=Warning/2 IKE/0xE30000A7
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)

Log on router:

Jun 15 18:32:46.255: %CRYPTO-5-IKMP_SETUP_FAILURE: IKE SETUP FAILED for local:x.x.x.x local_id:x.x.x.x remote:x.x.x.x remote_id:x.x.x.x IKE profile:None fvrf:None fail_reason:Peer lost fail_class_cnt:1

Here is my configuration:

crypto pki server hostname
database level complete
no database archive
issuer-name CN=XXXXXX,OU=myou
!
!
crypto pki trustpoint hostname
revocation-check crl
rsakeypair hostname
!

crypto pki certificate chain hostname
certificate ca 01
30820223 3.....
...... BC13AD
quit



crypto logging session
!
crypto isakmp policy 1
encr 3des
hash md5
group 2
crypto isakmp identity dn
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group mygroup
dns 8.8.8.8
domain XXXXX
pool ourpool
crypto isakmp profile vpnprofile
self-identity fqdn
ca trust-point hostname
match identity group mygroup
!
!
crypto ipsec transform-set trans1 esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set trans1
!
!
!
crypto map intmap client authentication list userauthen
crypto map intmap isakmp authorization list groupauthor
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap

Hopefully I am missing something simple; I appreciate any help offered.

The goal here is to require VPN clients to have a certificate as well as authenticate using a user/pass.

Thank you!

10 Replies

AllertGen
Level 3

Hello.

I didn't look deep at your config, but try to add this:

crypto isakmp policy 1
 authentication rsa-sig
end

Best Regards.

Thank you for the response. I have added that command and I unfortunately get the same result.

Funny thing: that command must be the default, as once I added it, it did not show up unless I ran show run all.

crypto isakmp policy 1
encr 3des
hash md5
authentication rsa-sig
group 2
lifetime 86400

Thanks again for any help you can provide!

Ok. I did try to look for your errors. As the client, are you using another Cisco device or a software solution?

Best Regards.

VPN Client Version 5.0

I did a CLI output of the signed cert and the root cert, installed the root and imported the signed cert into the VPN client.

Hi.

How did you export your certificate and root CA to your VPN client?

Best Regards.

I printed the cert to the CLI and then copy/pasted it into a file.

I imported both using cert manager to the PC, then I also imported in the VPN client.

Hi, Thomas.

Sorry for the long response. Could you try to enroll your certificate directly from your root CA device to your VPN client? I want to check that there is no error with importing the root CA via CLI.

Best Regards.

This does not look correct to me:

Certificate Server hostname:
Status: disabled, HTTP Server is disabled
State: check failed
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=XXXXX,OU=myou
CA cert fingerprint: XXXX
Granting mode is: manual
Last certificate issued serial number (hex): 2
CA certificate expiration timer: 08:19:26 CDT Jun 15 2019
CRL NextUpdate timer: 14:18:05 CDT Jun 16 2016
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage

Okay, I issued the following command and it started the server:

crypto pki server hostname start

Certificate Server hostname:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=XXXXX,OU=myou
CA cert fingerprint: XXXXX
Granting mode is: manual
Last certificate issued serial number (hex): 2
CA certificate expiration timer: 08:19:26 CDT Jun 15 2019
CRL NextUpdate timer: 14:18:05 CDT Jun 16 2016
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage


Still having the same issue.

I have redone the configuration for the router; here is where I am now. Still having issues with the client, but it is showing "invalid certificate" for some reason.

crypto pki server XXX
database level complete
no database archive
issuer-name CN=XXX L=Houston C=US
grant auto
lifetime crl 24
lifetime certificate 7304
lifetime ca-certificate 7305
cdp-url flash:/crl.crl
eku server-auth client-auth
!
crypto pki trustpoint XXX
revocation-check none
rsakeypair XXX
!

!
crypto pki certificate chain XXX
certificate ca 01
308
quit

crypto isakmp policy 1
encr aes
group 2
crypto isakmp identity hostname
!
crypto isakmp client configuration group oomvpn
pool vpnpool
acl 101

crypto ipsec transform-set myset esp-des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map vpnclient 10
set transform-set myset
!
!
crypto map vpn client authentication list ClientAuth
crypto map vpn isakmp authorization list ClientAuth
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic vpnclient

interface
crypto map vpn

Router#show crypto pki certificates

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=XXX L=Houston C=US
Subject:
cn=XXX L=Houston C=US
Validity Date:
start date: 11:41:38 CDT Jun 22 2016
end date: 05:13:22 CDT May 17 1900
Associated Trustpoints: XXX
Storage: nvram:XXX#1CA.cer

----------------
Here is a debug

Jun 22 22:08:24.856: ISAKMP:(2008):Old State = IKE_R_MM4 New State = IKE_R_MM5

Jun 22 22:08:24.856: ISAKMP:(2008): processing ID payload. message ID = 0
Jun 22 22:08:24.856: ISAKMP (2008): ID payload
next-payload : 6
type : 9
Dist. name : cn=Test
protocol : 17
port : 500
length : 25
Jun 22 22:08:24.856: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jun 22 22:08:24.856: ISAKMP:(0):: peer matches *none* of the profiles
Jun 22 22:08:24.856: ISAKMP:(2008): processing CERT payload. message ID = 0
Jun 22 22:08:24.856: ISAKMP:(2008): processing a CT_X509_SIGNATURE cert
Jun 22 22:08:24.856: ISAKMP:(2008): IKE->PKI Add peer's certificate state (R) MM_KEY_EXCH (peer 139.52.159.234)
Jun 22 22:08:24.856: CRYPTO_PKI: Added x509 peer certificate - (702) bytes
Jun 22 22:08:24.856: ISAKMP:(2008): PKI->IKE Added peer's certificate state (R) MM_KEY_EXCH (peer 139.52.159.234)
Jun 22 22:08:24.856: ISAKMP:(2008): IKE->PKI Get PeerCertificateChain state (R) MM_KEY_EXCH (peer 139.52.159.234)
Jun 22 22:08:24.856: ISAKMP:(2008): PKI->IKE Got PeerCertificateChain state (R) MM_KEY_EXCH (peer 139.52.159.234)
Jun 22 22:08:24.856: ISAKMP:(2008): peer's pubkey isn't cached
Jun 22 22:08:24.856: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jun 22 22:08:24.856: ISAKMP:(0):: peer matches *none* of the profiles
Jun 22 22:08:24.856: ISAKMP:(2008): IKE->PKI Validate certificate chain state (R) MM_KEY_EXCH (peer 139.52.159.234)
Jun 22 22:08:24.856: CRYPTO_PKI: create new ca_req_context type PKI_VERIFY_CHAIN_CONTEXT,ident 29
Jun 22 22:08:24.856: CRYPTO_PKI: (80023)validation path has 1 certs

Jun 22 22:08:24.856: CRYPTO_PKI: Found a issuer match
Jun 22 22:08:24.856: ISAKMP:(2008): PKI->IKE Validate certificate chain state (R) MM_KEY_EXCH (peer 139.52.159.234)
Jun 22 22:08:24.856: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad: unknown error returned in certificate validation
Jun 22 22:08:24.860: ISAKMP:(2008): Unknown error in cert validation, -1
Jun 22 22:08:24.860: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 22 22:08:24.860: ISAKMP:(2008):Old State = IKE_R_MM5 New State = IKE_R_MM5

Jun 22 22:08:24.860: ISAKMP (2008): incrementing error counter on sa, attempt 1 of 5: reset_retransmission
Jun 22 22:08:24.860: ISAKMP:(2008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jun 22 22:08:24.860: ISAKMP:(2008):Old State = IKE_R_MM5 New State = IKE_R_MM4

Jun 22 22:08:25.860: ISAKMP:(2008): retransmitting phase 1 MM_KEY_EXCH...

Any help would be great!
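The show crypto pki certificates output above prints a CA certificate whose end date (May 17 1900) is earlier than its start date (Jun 22 2016), and the debug shows the router rejecting the peer certificate and matching no ISAKMP profile. The following triage script is an added example, not code from the thread or from Cisco: it parses those excerpts (constructed here from the posted output) and flags the inverted validity window, relating it to the configured lifetime ca-certificate 7305 (20 years from June 2016 lands in June 2036). The 2036 rollover check rests on an assumption that the displayed 1900 date comes from a 32-bit seconds-since-1900 counter wrapping on 7 Feb 2036.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpts copied from the thread (names and addresses were already masked there).
SHOW_CERTS = """\
CA Certificate
Validity Date:
start date: 11:41:38 CDT Jun 22 2016
end date: 05:13:22 CDT May 17 1900
Associated Trustpoints: XXX
"""
CA_CONFIG = """\
crypto pki server XXX
lifetime certificate 7304
lifetime ca-certificate 7305
"""
DEBUG = """\
Jun 22 22:08:24.856: ISAKMP:(0):: UNITY's identity FQDN but no group info
Jun 22 22:08:24.856: ISAKMP:(0):: peer matches *none* of the profiles
Jun 22 22:08:24.856: %CRYPTO-5-IKMP_INVAL_CERT: Certificate received from x.x.x.x is bad: unknown error returned in certificate validation
"""

# Assumption: a 32-bit seconds-since-1900 counter wraps at this instant and IOS then
# prints a 1900 date, which is consistent with the 'May 17 1900' end date above.
NTP_ROLLOVER = datetime(2036, 2, 7, 6, 28, 16)
DATE_RE = re.compile(r"^(start|end) date: (\d\d:\d\d:\d\d) \S+ (\w{3} \d{1,2} \d{4})$", re.M)

def parse_validity(show_output):
    """Return (start, end) from 'show crypto pki certificates'; the zone token is dropped."""
    d = {m.group(1): datetime.strptime(f"{m.group(2)} {m.group(3)}", "%H:%M:%S %b %d %Y")
         for m in DATE_RE.finditer(show_output)}
    return d["start"], d["end"]

def ca_lifetime_days(config):
    m = re.search(r"^\s*lifetime ca-certificate (\d+)", config, re.M)
    return int(m.group(1)) if m else None

def check_ca_cert(show_output, config):
    """Flag a CA cert whose printed end date precedes its start date and, when the
    configured lifetime explains it, report the intended expiry and the rollover."""
    start, end = parse_validity(show_output)
    findings = []
    if end < start:
        findings.append("end date precedes start date: certificate will never validate as current")
        days = ca_lifetime_days(config)
        if days is not None and start + timedelta(days=days) > NTP_ROLLOVER:
            findings.append(f"lifetime ca-certificate {days} puts expiry at "
                            f"{start + timedelta(days=days):%Y-%m-%d}, past the 2036 rollover; "
                            "shorten the lifetime and regenerate the CA certificate")
    return findings

def check_debug(debug):
    """Pull out the ISAKMP lines that explain a main-mode failure with certificates."""
    wanted = ("peer matches *none* of the profiles", "no group info", "IKMP_INVAL_CERT")
    return [line.split(": ", 1)[1] for line in debug.splitlines() if any(w in line for w in wanted)]
```

Run check_ca_cert(SHOW_CERTS, CA_CONFIG) and check_debug(DEBUG) against your own show and debug output; a clean CA certificate returns an empty findings list.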