Certificate problem

e-mourad
Level 1

Hi,

I have configured the Windows 2000 Advanced Server CA.

Also, I have configured the PIX with 2 ISAKMP policies.

The first:

Protection suite of priority 10

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Message Digest 5

authentication method: Pre-Shared Key

Diffie-Hellman group: #2 (1024 bit)

lifetime: 86400 seconds, no volume limit

The second:

Protection suite of priority 20

encryption algorithm: DES - Data Encryption Standard (56 bit keys).

hash algorithm: Message Digest 5

authentication method: Rivest-Shamir-Adleman Signature

Diffie-Hellman group: #2 (1024 bit)

lifetime: 1000 seconds, no volume limit

--------------------------------------------------

For the first there is no problem. It works correctly.

But when using a certificate, I have this log:

ISAKMP: encyption....What?7? in all ISAKMP proposal

I use Cisco client 3.x and PIX 515E 6.2

Thanks for help

7 Replies

drolemc
Level 6

That's a strange debug you are getting. My search with that string did not turn up much. However, one candidate is bug CSCdy76457 - VPN Client 3.6.1 doesn't support DES with certificates. If this indeed turns out to be the defect you are running into, you will need to switch to client version 3.5.4. HTH

Hi,

The exact log is:

ISAKMP: encryption... Whats? 7?

ISAKMP: hash SHA

....

I use the VPN client ver 3.6.3

I have upgraded the PIX to 6.3.(4)

Does it support DES with certificates?

I have searched for 3.5.x on the Internet but I didn't find it.

If you have this version, can you send it to me please,

my email: networking@nouvelair.com.tn

Thanks for all

After installation of PIX IOS 6.3(4), the log becomes (I have used VPN client 4.0; my PIX doesn't have a 3DES licence):

ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash MD5

ISAKMP: default group 2

ISAKMP: auth RSA sig

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 256

ISAKMP (0): atts are not acceptable. Next payload is 3

ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy

ISAKMP: encryption AES-CBC

ISAKMP: hash SHA

ISAKMP: default group 5

ISAKMP: extended auth RSA sig (init)

ISAKMP: life type in seconds

ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b

ISAKMP: keylength of 128

crypto_isakmp_process_block:src:193.95.55.108, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.108/500 not found - peers:0

ISAKMP: larval sa found

crypto_isakmp_process_block:src:193.95.55.108, dest:193.95.116.9 spt:500 dpt:500

VPN Peer:ISAKMP: Peer Info for 193.95.55.108/500 not found - peers:0

ISAKMP: larval sa found

ISAKMP (0): deleting SA: src 193.95.55.108, dst 193.95.116.9

ISADB: reaper checking SA 0x14752fc, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 193.95.55.108/500 not found - peers:0

crypto_isakmp_process_block:src:193.95.55.108, dest:193.95.116.9 spt:500 dpt:500

OAK_MM exchange

ISAKMP (0): processing SA payload. message ID = 0
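
To read debug output like the log above, each transform the client offers can be lined up against the ISAKMP policies from the first post, attribute by attribute. The following is an added example, not part of the original thread or Cisco's tooling: the sample log is constructed in the thread's format, the function names are hypothetical, it assumes the two posted policies are still configured, and it compares only encryption, hash, authentication method and DH group (lifetime is left out).

```python
import re
# Constructed excerpt, in the format of the debug output quoted in the thread.
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: keylength of 256
"""

# The two policies listed in the first post (assumed to be still configured).
POLICIES = {
    10: {"encryption": "DES", "hash": "MD5", "auth": "pre-share", "group": "2"},
    20: {"encryption": "DES", "hash": "MD5", "auth": "RSA sig", "group": "2"},
}

START = re.compile(r"Checking ISAKMP transform (\d+) against")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|(?:extended )?auth)\s+(.+)$")

def parse_transforms(text):
    """Return {transform number: {attribute: value}} for each offered transform."""
    transforms, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = START.search(line)
        if m:
            current = transforms.setdefault(int(m.group(1)), {})
            continue
        m = ATTR.match(line)
        if m and current is not None:
            name, value = m.groups()
            if name == "extended auth":  # XAUTH variant counts as a different method
                name, value = "auth", "extended " + value
            current["group" if name == "default group" else name] = value.strip()
    return transforms

def report(text, policies=POLICIES):
    """Map (transform, policy priority) to the list of attributes that differ."""
    keys = ("encryption", "hash", "auth", "group")
    return {(t, p): [k for k in keys if offered.get(k) != pol[k]]
            for t, offered in parse_transforms(text).items()
            for p, pol in policies.items()}
```

An empty list for any (transform, policy) pair means that offer matches that policy on all four attributes; in the constructed sample every pair differs at least on encryption.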

Hi, I have the same problem.

Isacco

Hello,

I have enabled 3DES-AES on the PIX but the same log appears.

Hi,

I opened a TAC case.

The TAC said: "You must use only CA Server Microsoft in STANDALONE MODE to work !!"

Isacco

Hello,

Thanks for the response.

I already configured a standalone server but ISAKMP fails.

When enrolling the certificate, the log is:

"No root CA exist" use ca authenticate"