11-03-2011 10:58 PM
Hello...
I'm generally pretty good with VPN issues and with SSL certs, but this is my first rodeo with VPN and certificates together. I've got a Cisco 2811 router running IOS Firewall (12.4(25)) and for a while now, I've had VPN clients connecting using PSKs and XAUTH. In order to tighten security, we'd like to move away from PSKs with Aggressive Mode and use certificates with Main Mode.
I've been trying to use the Cisco 2811 as the CA, rather than use a Microsoft server or third-party provider. I think I'm pretty close to getting this to work, but something isn't quite right. My VPN client software does connect to the 2811, and I get prompted for the XAUTH creds. If I supply the right creds, I do see in my VPN log window that I've gotten assigned an IP address from the inside VPN pool, my split tunneling rules come through, but the VPN disconnects almost immediately and I never get a chance to try any pings or to send any other types of traffic.
The following lists the various debugs I have running on the 2811:
Cryptographic Subsystem:
Crypto ISAKMP Error debugging is on
Crypto IPSEC Error debugging is on
PKI:
Crypto PKI Msg debugging is on
Crypto PKI Certificate Server debugging is on
Crypto PKI Validation Path debugging is on
I have attached a sterilized copy of the 2811's current config (2811_sterile.txt), a copy of the 2811's debug output when the VPN client tries to connect (vpn_client_connect_sterile.txt), and a copy of the VPN client's log with IKE on High and Certificates on High (vpn_log_sterile.txt).
FWIW, the 2811 is NOT behind NAT, but my VPN client IS behind NAT. However, I have tried using a direct connection with the VPN client and it didn't seem to change much so I'm not convinced this is a NAT issue.
Again, I've never used a Cisco router as a CA and I've been battling this problem for several hours now, so the 2811's config may have a lot of unnecessary lines in it at this point.
Hopefully someone can nudge me in the right direction on this one.
Thanks!
Dan
11-04-2011 12:32 AM
Dan.
The debugs indicate that the proposal was not chosen - i.e. the IPsec transform set is not acceptable.
So the problem is not WITH certificate authentication, but might be related to it. The debugs are all wrong, but I do not see you matching the isakmp profile you created (where you're supposed to match based on certificate map).
Two things for you to check:
- add a few different IPsec transform sets
- investigate why the profile is not matching. (Note that in the case of Unity clients you can use "match identity group NAME", where NAME is your OU value.)
Marcin
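The two checks in the reply above (tie the ISAKMP profile to the certificate map, and offer more than one IPsec transform set), written out as an added IOS configuration example. This is not from the thread or from either poster, and the sterilized config attached to the original post is not reproduced here; the trustpoint name ROUTER-CA, the map and profile names, the OU value vpnusers, the AAA list names and the use of a dynamic crypto map (rather than a virtual-template) are all assumptions.

```cisco
! Certificate map: match client certs whose subject contains OU=vpnusers
! (assumed OU value; use whatever OU the router CA put in the client certs)
crypto pki certificate map CLIENT-CERT-MAP 10
 subject-name co ou = vpnusers
!
! Main Mode with rsa-sig instead of pre-share
crypto isakmp policy 10
 encr aes 256
 authentication rsa-sig
 group 2
!
! The profile must actually be matched, otherwise the XAUTH / mode-config /
! IPsec phase runs against the global config and not this profile.
crypto isakmp profile CLIENT-PROFILE
 ca trust-point ROUTER-CA
 match certificate CLIENT-CERT-MAP
 ! Alternative for Unity (legacy Cisco VPN) clients, per the reply above:
 ! match identity group vpnusers
 client authentication list XAUTH-LIST
 isakmp authorization list GROUP-LIST
 client configuration address respond
!
! Several transform sets so the client's proposal can be accepted;
! the client picks from this list during quick mode.
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Dynamic map bound to the profile (assumed layout; a virtual-template
! on the profile is the other common way to bind it)
crypto dynamic-map DYN-MAP 10
 set transform-set ESP-AES256-SHA ESP-AES128-SHA ESP-3DES-SHA
 set isakmp-profile CLIENT-PROFILE
 reverse-route
!
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-MAP
!
! Checks: confirm the profile is bound and which transform sets are offered
! show crypto isakmp profile
! show crypto ipsec transform-set
! show crypto pki certificates
```

With this in place, a client whose certificate does not carry the expected OU will not match CLIENT-PROFILE, which is a quick way to tell a profile-match failure apart from a transform-set mismatch in the debug output: the former shows up before XAUTH, the latter during quick mode, which is where the "proposal not chosen" message in the reply belongs.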