982 Views, 0 Helpful, 11 Replies
Enthusiast

VPN IPSEC client certificate problem

Hi,

I am trying to connect an IPSec VPN client using a certificate.

I am getting the following errors:

Failed to RSA sign the hash for IKE phase 1 negotiation using my certificate.

Failed to generate signature: Signature generation failed (SigUtil:97)

Failed to build Signature payload (MsgHandlerMM:489)

Failed to build MM msg5 (NavigatorMM:312)

Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)

Marking IKE SA for deletion  (I_Cookie=0264360E288A8DE1 R_Cookie=863E6F3B153D2DA8) reason = DEL_REASON_IKE_NEG_FAILED

I've seen this link, but my certificate is length 2048, not 4096:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw37419

Using Windows 7, 64-bit, client version 5.0.07.0440.

My computer doesn't even send any traffic to ASA trying to connect.

I only get the error when using a certificate assigned by a MS CA; when I use a certificate from the ASA internal CA I can connect just fine.

I have seen also somebody who solved this problem importing the certificate from a pkcs12 file with keys. Didn't work for me either.

11 REPLIES

VPN IPSEC client certificate problem

Did you import the root certificate from the Microsoft CA on the ASA and assign it to the VPN profile?

Enthusiast

VPN IPSEC client certificate problem

Hi Marcel,

I imported the root certificate from Microsoft CA to ASA. But I didn't assign it to the vpn profile.

I only assigned the "identity certificate" to the profile. Do I need to specify the root certificate too in the profile?

VPN IPSEC client certificate problem

What I meant was:

Did you set up the trustpoint used for the Microsoft CA root certificate on the interface where you are trying to connect to?

You can set this up under Configuration -> Remote Access VPN -> Advanced -> SSL Settings under header certificates.

Enthusiast

VPN IPSEC client certificate problem

The certificate is for IPSec Client, so I don't think I need to apply the certificate/trustpoint to the interface ssl usage.

VPN IPSEC client certificate problem

My apologies. I misread that part.

Enthusiast

VPN IPSEC client certificate problem

Thanks anyway.

VPN IPSEC client certificate problem

Hi there,

Assuming that you already have the certificate properly installed on the ASA, could you please check the identity certificate and make sure that it includes the private key? If you do not see it, then you should contact your CA admin.

HTH.

Portu.

Enthusiast

VPN IPSEC client certificate problem

Hi Javier,

Yes, the certificate says "There is a private key for this certificate".

Enthusiast

VPN IPSEC client certificate problem

My certificate has the "yellow warning" on the key usage,

as mentioned here:

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/84eaa61f-d13b-4544-9185-078c014ab552/

Could this be the problem?
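The two checks raised in the replies above (does the identity certificate carry its private key, and does its Key Usage permit signing) can be run against the Windows personal store in one pass. This is an added diagnostic script, not from the thread or from Cisco; it assumes the client certificate lives in Cert:\CurrentUser\My and treats anything above 2048 bits as worth flagging because of the bug linked in the question.

```powershell
# Added example: report the certificate properties an IKE phase 1 RSA-sig
# failure usually comes down to. Assumes the cert is in the user's personal store.
function Test-IkeClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # The client signs the IKE hash with the private key; without it MM msg5 cannot be built
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key' }

    # CSCsw37419 (linked in the question) concerns 4096-bit keys; flag anything above 2048
    $keySize = $Cert.PublicKey.Key.KeySize
    if ($keySize -gt 2048) { $problems += "key size $keySize" }

    # Key Usage must include DigitalSignature, or the CSP refuses to sign
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $sigFlag = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
    if ($ku -and -not ($ku.KeyUsages -band $sigFlag)) {
        $problems += "key usage lacks DigitalSignature (has: $($ku.KeyUsages))"
    }

    # Enhanced Key Usage is reported for reference; the ASA trustpoint may be configured to check it
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuNames = if ($eku) { ($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ' } else { '(none)' }

    New-Object PSObject -Property @{
        Subject  = $Cert.Subject
        Issuer   = $Cert.Issuer
        NotAfter = $Cert.NotAfter
        KeySize  = $keySize
        EKU      = $ekuNames
        Problems = if ($problems) { $problems -join '; ' } else { 'none found' }
    }
}

# Run over every certificate in the personal store and print one report per cert
Get-ChildItem Cert:\CurrentUser\My | ForEach-Object { Test-IkeClientCert $_ } | Format-List
```

A certificate that reports "none found" here can still fail if the client software is not reading this store at all, so the report narrows the cause rather than proving the certificate is usable.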

Enthusiast

VPN IPSEC client certificate problem

Working with TAC, we found out the "problem".

The certificate needs to be imported via VPN Client. If you import the certificate via Windows it does not work (Via mmc or double clicking the certificate and choosing install).

This problem was happening only on Windows 7 64-bit. Windows XP was working fine.

If you have the same problem and this was helpful, please rate.

Beginner

VPN IPSEC client certificate problem

I'm not sure, but it looks like the same issue; however, I cannot import the certificate manually. The certificate is being distributed using group policy and we are not allowed to export it with the private key.

Anyone got that solved?