Cisco VPN client + Cisco router + MSW CA + certificates

Sonenberk
Level 1

Dear sirs,
Allow me to approach you about the following problem.

I wanted to use a secure connection between Cisco VPN client
(Windows XP) and Cisco 2821 with certificate authentication.
I used Microsoft certificate authority (Windows 2003 server).
Cisco VPN client used eTokenPRO Aladdin as a certificate store.

Certificate enrollment with the MSW CA and placing the certificate into the eToken ran O.K.
The Cisco VPN client has no problem working with the eToken.
Certificate enrollment from the Cisco 2821 to the MSW CA ran O.K. too.

Cisco 2821 configuration is standard. IOS version 12.4(6).

Connection attempt from Cisco VPN client to Cisco 2821 was
terminated with error messages:

ISAKMP:(1020):Unable to get router cert or routerdoes not have a cert: needed to find DN!
ISAKMP:(1020):SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
ISAKMP (1020): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : cisco-ca.firm.com
        protocol     : 17
        port         : 500
        length       : 25
ISAKMP:(1020):Total payload length: 25
ISAKMP (1020): no cert chain to send to peer
ISAKMP (1020): peer did not specify issuer and no suitable profile found
ISAKMP (1020): FSM action returned error: 2
ISAKMP:(1020):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1020):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE

Is there some reference where it is possible to find information about
this problem? Is there somebody who knows how to figure out these errors?
Thank you very much for your help.

Best regards
P.Sonenberk


P.S. Some more information for people who are interested in the problem above.

Cisco 2821 IP address is 10.1.1.220, client VPN IP address is 10.1.1.133.
MSW CA has IP 10.1.1.50.
Important parts of the Cisco 2821 configuration:

!
hostname cisco-ca
!
................
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
...............
ip domain name firm.com
ip host firm-cu 10.1.1.50
ip host cisco-vpn1 10.1.1.133
ip name-server 10.1.1.33
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4097309259
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4097309259
revocation-check none
rsakeypair TP-self-signed-4097309259
!
crypto pki trustpoint firm-cu
enrollment mode ra
enrollment url http://10.1.1.50:80/certsrv/mscep/mscep.dll
usage ike
serial-number none
ip-address none
password 7 005C31272503535729701A1B5E40523647
revocation-check none
!
crypto pki certificate chain TP-self-signed-4097309259
certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  .............
  FEDDCCEA 8FD14836 24CDD736 34
        quit
crypto pki certificate chain firm-cu
certificate 1150A66F000100000013
  30820509 308203F1 A0030201 02020A11 50A66F00 01000000 13300D06 092A8648
  ...............
  9E417C44 2062BFD5 F4FB9C0B AA
        quit
certificate ca 51BAC7C822D1F6A3469D1ADC32D0EB8C
  30820489 30820371 A0030201 02021051 BAC7C822 D1F6A346 9D1ADC32 D0EB8C30
  ...............
  C379F382 36E0A54E 0A6278A7 46
        quit
!
...................
crypto isakmp policy 30
encr 3des
hash md5
authentication rsa-encr
group 2
crypto isakmp identity hostname
!
crypto isakmp client configuration group Group159
key Key159Key
pool SDM_POOL_1
acl 100
!
crypto isakmp client configuration group it
domain firm.com
pool SDM_POOL_1
acl 100
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set 3DES-MD5
reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
................
!
end

cisco-ca#show crypto pki trustpoints firm-cu status
Trustpoint firm-cu:
  Issuing CA certificate configured:
    Subject Name:
     cn=firm-cu,dc=firm,dc=local
    Fingerprint MD5: 5026582F 56151047 8CF455F8 2FFAC0D6
    Fingerprint SHA1: 47B74974 7C85EA48 760516DE AAC84C5D 4427E829
  Router General Purpose certificate configured:
    Subject Name:
     hostname=cisco-ca.firm.com
    Fingerprint MD5: E78702ED 47D5D36F B732CC4C BA97A4ED
    Fingerprint SHA1: 78DEAE7E ACC12F15 1DFB4EB8 7FC00138 DC6F3B7E
  State:
    Keys generated ............. Yes (General Purpose, non-exportable)
    Issuing CA authenticated ....... Yes
    Certificate request(s) ..... Yes

cisco-ca#sh crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate

Code Usage         IP-Address/VRF         Keyring          Name
C    Signing                              default          X.500 DN name:
                              cn=firm-cu
                              dc=firm
                              dc=local

C    Signing                              default          cisco-vpn1


IMPORTANT: I don't have Cisco IOS Software 12.4(5), 12.3(11)T08, 12.4(4.7)PI03c or
12.4(4.7)T - there is a mistake in the crypto module.
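As an added example (not part of the original post and not a Cisco tool), a small Python parser that groups the `debug crypto isakmp` lines quoted above by SA id and pulls out the ID payload fields, the phase-1 state transition and the certificate-related error lines, so a failing client connection can be triaged from the debug output instead of being read by eye. The sample input is constructed from the excerpt in the post; the error markers are the message fragments that appear in it.

```python
import re

# Constructed sample: the phase-1 debug excerpt quoted in the post above.
SAMPLE_DEBUG = """\
ISAKMP:(1020):Unable to get router cert or routerdoes not have a cert: needed to find DN!
ISAKMP:(1020):SA is doing RSA signature authentication plus XAUTH using id type ID_FQDN
ISAKMP (1020): ID payload
        next-payload : 6
        type         : 2
        FQDN name    : cisco-ca.firm.com
        port         : 500
ISAKMP:(1020):Total payload length: 25
ISAKMP (1020): no cert chain to send to peer
ISAKMP (1020): peer did not specify issuer and no suitable profile found
ISAKMP (1020): FSM action returned error: 2
ISAKMP:(1020):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
"""
# Message fragments that mark a certificate-related failure during phase 1.
CERT_ERROR_MARKERS = ("Unable to get router cert", "no cert chain to send to peer",
                      "no suitable profile found", "FSM action returned error")
LINE_RE = re.compile(r"^ISAKMP[: ]+\((\d+)\):?\s*(.*)$")      # "ISAKMP:(1020):msg" / "ISAKMP (1020): msg"
ID_FIELD_RE = re.compile(r"^\s+([\w-]+(?: name)?)\s+:\s+(.*)$")  # indented "field : value" line
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")

def parse_isakmp_debug(text):
    """Group 'debug crypto isakmp' output by SA id, keeping the ID payload
    fields, the state transitions and any certificate-related error lines."""
    sas, current, in_id = {}, None, False
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            sa_id, msg = m.group(1), m.group(2).strip()
            current = sas.setdefault(sa_id, {"id_payload": {}, "errors": [], "states": []})
            in_id = msg == "ID payload"            # indented field lines follow this header
            if any(marker in msg for marker in CERT_ERROR_MARKERS):
                current["errors"].append(msg)
            s = STATE_RE.search(msg)
            if s:
                current["states"].append(s.groups())
        elif in_id and current is not None and (f := ID_FIELD_RE.match(raw)):
            current["id_payload"][f.group(1)] = f.group(2).strip()
    return sas

def triage(sas):
    """Per SA: the identity carried in the ID payload, the last phase-1 state
    reached, and how many certificate-related errors were logged on the way."""
    return {sa_id: {"identity": sa["id_payload"].get("FQDN name"),
                    "final_state": sa["states"][-1][1] if sa["states"] else None,
                    "cert_errors": len(sa["errors"])} for sa_id, sa in sas.items()}
```

Run it over a full `debug crypto isakmp` capture and each SA that reports a non-zero `cert_errors` count, together with its final state, points at the exchange worth examining first.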

17 Replies

Hi Ivan,

>Please rate useful posts.

Well, but I don't know how to do it.

I can't find any instructions.


Have a nice day.
P.Sonenberk

No worries, I believe you need to click on the stars on the page. Anyways I am glad it helped.

Hi Ivan,

I wanted to put four stars, but that HTML is out of order.

It seems there is some problem with java, I don't know.

Could you tell your webmaster?

You've got FOUR YELLOW STARS for your advice and help.

Thank you, have a nice day.
P.Sonenberk


P.S. Why are there green stars there?
