11-11-2004 05:05 AM
Hi,
I have configured the Windows 2000 Advanced Server CA.
Also, I have configured the PIX with 2 ISAKMP policies.
The first:
Protection suite of priority 10
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
The second:
Protection suite of priority 20
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Message Digest 5
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #2 (1024 bit)
lifetime: 1000 seconds, no volume limit
--------------------------------------------------
For the first there is no problem; it works correctly.
But when using a certificate, I have this log:
ISAKMP: encyption....What?7? in all ISAKMP proposal
I use Cisco client 3.x and PIX 515E 6.2
Thanks for help
11-17-2004 02:06 PM
That's a strange debug you are getting. My search with that string did not turn up much. However, one candidate is bug CSCdy76457 - VPN Client 3.6.1 doesn't support DES with certificates. If this indeed turns out to be the defect you are running into, you will need to switch to client version 3.5.4. HTH
11-18-2004 01:43 AM
Hi,
The exact log is:
ISAKMP: encryption... Whats? 7?
ISAKMP: hash SHA
....
I use the VPN client ver 3.6.3
I have upgraded the PIX to 6.3.(4)
Does it support DES with certificates?
I have searched for 3.5.x on the Internet but I didn't find it.
If you have this version, can you send it to me please,
my email: networking@nouvelair.com.tn
Thanks for all
11-18-2004 04:10 AM
After installation of PIX IOS 6.3(4) the log became the following (I used VPN client 4.0; my PIX doesn't have a 3DES licence):
ISAKMP (0): Checking ISAKMP transform 1 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 128
crypto_isakmp_process_block:src:193.95.55.108, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.108/500 not found - peers:0
ISAKMP: larval sa found
crypto_isakmp_process_block:src:193.95.55.108, dest:193.95.116.9 spt:500 dpt:500
VPN Peer:ISAKMP: Peer Info for 193.95.55.108/500 not found - peers:0
ISAKMP: larval sa found
ISAKMP (0): deleting SA: src 193.95.55.108, dst 193.95.116.9
ISADB: reaper checking SA 0x14752fc, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 193.95.55.108/500 not found - peers:0
crypto_isakmp_process_block:src:193.95.55.108, dest:193.95.116.9 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
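An added example, not part of the original posts: a small parser for the "Checking ISAKMP transform" debug blocks quoted above that lists which attributes of each offered transform differ from a local policy. It assumes the priority 20 policy from the first post (the debug itself names a priority 8 policy that the thread does not show), written with the debug output's attribute names, and it compares only encryption, hash, group and authentication method.

```python
import re

# Excerpt of the debug output quoted above (transforms 7 and 8, lifetime lines omitted).
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 7 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 8 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
"""

# Assumption: the priority 20 policy from the first post, spelled the way the debug prints values.
POLICY_20 = {"encryption": "DES", "hash": "MD5", "group": "2", "auth": "RSA sig"}

HEADER = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(?:extended\s+)?(encryption|hash|default group|auth)\s+(.+?)\s*$")

def parse_transforms(text):
    """Return one dict per 'Checking ISAKMP transform N' block found in the debug text."""
    transforms, current = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            current = {"transform": int(m.group(1)), "priority": int(m.group(2))}
            transforms.append(current)
            continue
        m = ATTR.match(line)
        if m and current is not None:
            key = "group" if m.group(1) == "default group" else m.group(1)
            current[key] = m.group(2)
    return transforms

def mismatches(transform, policy):
    """Map each differing attribute to (offered value, value the policy requires)."""
    return {k: (transform.get(k), want) for k, want in policy.items() if transform.get(k) != want}

if __name__ == "__main__":
    for t in parse_transforms(SAMPLE_DEBUG):
        print(t["transform"], mismatches(t, POLICY_20))
```
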
11-25-2004 02:23 AM
Hi, I have the same problem.
Isacco
11-30-2004 11:36 PM
Hello,
I have enabled 3DES-AES on the PIX but the same log appears.
12-01-2004 07:33 AM
Hi,
I opened a TAC case.
The TAC said: "You must use only CA Server Microsoft in STANDALONE MODE to work !!"
Isacco
12-01-2004 11:17 PM
Hello,
Thanks for the response.
I already configured a standalone server but ISAKMP fails.
When enrolling the certificate, the log is:
"No root CA exist" use ca authenticate"