IKEv1 Remote Access VPN with RSA cannot establish

S-Lemming
Level 1

Hi,

I am testing certificate authentication for IKEv1 RA VPN on two different standalone ASA5505 with certificates issued by an internal CA. Users authenticate with local user database.

On ASA1 everything works fine, both for L2TP/IPsec as well as pure IPsec: the client connects, the tunnel is established and I can reach inside resources through the VPN. On ASA2 L2TP/IPsec works fine but pure IPsec won't complete Phase 1. Except for IP addressing and some additional Connection Profiles and certificates on ASA2, both firewalls are configured identically. I am using the same client (Android phone) in all cases with the same certificate for authentication.

Comparing logs and IKEv1 debug between the ASAs, I can see the connection landing on the correct Connection Profile based on the certificate, but on ASA2 I get "Duplicate Phase 1 packet detected.  Retransmitting last packet." a couple of times. Moments later this appears in the debug: "[IKEv1]Received unexpected event EV_ACTIVATE_NEW_SA in state MM_TM_INIT_XAUTH_H" and then no more output.

Just to make sure there is nothing wrong with the Connection Profile, I tried to configure it to use PSK instead of Certificate and this works perfectly. And note that the certificates are working, since L2TP/IPsec works with certificate authentication on ASA2.

I have uploaded debug outputs for your reference.

I will appreciate any help here, I'm about to start banging my head against the wall.
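As an added example (not part of the thread, and not the poster's uploaded debug output), the following Python script does the triage the post describes by hand: it reads `debug crypto ikev1` style lines, groups them by peer IP, counts "Duplicate Phase 1 packet detected" retransmissions, records any "Received unexpected event ... in state ..." transition and notes whether Phase 1 completed. The sample lines, peer addresses and group names are constructed for the example and modelled on the messages quoted above; the message texts are the strings the ASA emits but the sequence is not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the messages quoted in the post; not a real debug capture.
SAMPLE_DEBUG = """\
[IKEv1]: IP = 192.0.2.50, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 164
[IKEv1]: Group = RA-CERT, IP = 192.0.2.50, Connection landed on tunnel_group RA-CERT
[IKEv1]: Group = RA-CERT, IP = 192.0.2.50, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]: Group = RA-CERT, IP = 192.0.2.50, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]: Group = RA-CERT, IP = 192.0.2.50, Duplicate Phase 1 packet detected.  Retransmitting last packet.
[IKEv1]: Group = RA-CERT, IP = 192.0.2.50, Received unexpected event EV_ACTIVATE_NEW_SA in state MM_TM_INIT_XAUTH_H
[IKEv1]: Group = RA-PSK, IP = 198.51.100.7, Connection landed on tunnel_group RA-PSK
[IKEv1]: Group = RA-PSK, IP = 198.51.100.7, PHASE 1 COMPLETED
"""

IP_RE = re.compile(r"IP = ([^,\s]+)")
GROUP_RE = re.compile(r"Group = ([^,\s]+)")
UNEXPECTED_RE = re.compile(r"Received unexpected event (\S+) in state (\S+)")
DUPLICATE = "Duplicate Phase 1 packet detected"
COMPLETED = "PHASE 1 COMPLETED"


def _new_peer():
    return {"group": None, "duplicates": 0, "unexpected": [], "phase1_complete": False}


def _verdict(peer, dup_threshold):
    """Heuristic reading of one peer's Phase 1 history."""
    if peer["phase1_complete"]:
        return "ok: Phase 1 completed"
    if peer["unexpected"]:
        event, state = peer["unexpected"][-1]
        # The state machine received an event it cannot handle in that state; the
        # negotiation stops there and the debug goes quiet, as described in the post.
        return f"stalled in {state} after unexpected {event}"
    if peer["duplicates"] >= dup_threshold:
        # The client keeps resending its last Phase 1 message, i.e. it is not
        # accepting (or not receiving) the ASA's reply.
        return "peer retransmitting; ASA's last Phase 1 reply not accepted by client"
    return "incomplete"


def triage(debug_text, dup_threshold=2):
    """Summarise IKEv1 Phase 1 progress per peer IP from ASA 'debug crypto ikev1' output.

    Returns {peer_ip: {"group", "duplicates", "unexpected", "phase1_complete", "verdict"}}.
    """
    peers = defaultdict(_new_peer)
    for line in debug_text.splitlines():
        ip = IP_RE.search(line)
        if not ip:
            continue  # lines without a peer IP cannot be attributed to a negotiation
        peer = peers[ip.group(1)]
        group = GROUP_RE.search(line)
        if group:
            peer["group"] = group.group(1)  # tunnel-group the cert/PSK mapped the peer to
        if DUPLICATE in line:
            peer["duplicates"] += 1
        unexpected = UNEXPECTED_RE.search(line)
        if unexpected:
            peer["unexpected"].append((unexpected.group(1), unexpected.group(2)))
        if COMPLETED in line:
            peer["phase1_complete"] = True
    for peer in peers.values():
        peer["verdict"] = _verdict(peer, dup_threshold)
    return dict(peers)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_DEBUG).items():
        print(f"{ip} group={info['group']} dups={info['duplicates']} -> {info['verdict']}")
```

Run it against a saved `debug crypto ikev1 127` session to see, per client, which tunnel-group the certificate mapped to and at which state the exchange died; comparing that output from a working and a failing ASA is faster than reading the two debugs side by side.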

2 Replies

S-Lemming
Level 1

Okay, so I have been troubleshooting this further. Using the Packet Capture on ASA2 I found that there were a lot of malformed packets going between the ASA and the client in both directions during Phase 1 negotiation. I found out there is a bug which can cause this behavior when capturing ISAKMP packets (CSCuz38703), so I upgraded the ASA to the latest fixed version, 9.2(4).13, and tried again. The VPN still stops at MM_TM_INIT_XAUTH_H, and a Packet Capture also still shows malformed packets, but now they are fewer and only sent from the ASA to the client.

I can't understand why this is happening only for IPsec with RSA, IPsec with PSK as well as L2TP/IPsec with RSA works fine.

I finally managed to solve this. ASA2 had multiple CA certificates installed and I believe this was the reason for the error. Really strange since I had configured the ASA not to use any of those certificates for validation of client certificates and I could see in the debug that it was using the correct certificate for validation. Removed all certificates not used and voilà - it works!

Hope someone will find this useful.
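As an added example, not the poster's configuration, here is the shape of the trustpoint and connection-profile binding worth checking when IKEv1 with RSA stalls while PSK works: the profile names its IKEv1 trustpoint explicitly, a certificate map selects the profile from the client certificate's issuer, and only the CA the ASA actually needs for client validation is imported. Trustpoint, profile, group-policy and map names, the interface name and the issuer CN are all assumed.

```cisco
! Added example; names and the issuer CN are assumed, not taken from the thread.
! Import only the CA that issues the client certificates. Every extra CA trustpoint
! is one more candidate the ASA can consider when it builds and validates chains.
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 validation-usage ipsec-client
!
! Select the connection profile from the client certificate rather than from the
! IKE identity, so the profile match does not depend on the peer's identity payload.
crypto ca certificate map INTERNAL-CA-MAP 10
 issuer-name attr cn eq internal-ca
!
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 authentication-server-group LOCAL
 default-group-policy RA-CERT-GP
tunnel-group RA-CERT ipsec-attributes
 ikev1 trust-point INTERNAL-CA
 ikev1 user-authentication xauth
!
tunnel-group-map enable rules
tunnel-group-map INTERNAL-CA-MAP 10 RA-CERT
!
! With RSA authentication the ASA identifies itself by the certificate DN; the default
! identity selection is what you want here.
crypto isakmp identity auto
crypto ikev1 enable outside
!
! Exec commands (not configuration) for watching Phase 1 on the outside interface.
! Note the poster's observation that on an affected release the capture itself
! showed malformed ISAKMP packets (CSCuz38703), so read capture output with that in mind.
!   capture IKE interface outside match udp any any eq 500
!   debug crypto ikev1 127
!   show crypto isakmp sa
!   show crypto ca certificates
```

After applying this, `show crypto ca certificates` should list only the trustpoints you expect; if a client still stops at MM_TM_INIT_XAUTH_H, compare the trustpoint list and the `tunnel-group-map` rules between the working and failing firewall before looking anywhere else.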