04-01-2004 08:32 AM - edited 02-21-2020 01:06 PM
I wanted to use the Microsoft Certificate Authority for issuing certificates for my mobile VPN clients.
My PIX outside IP address is x.x.x.x1 and the Certificate Authority server is mapped to x.x.x.x2. I configured the Cisco PIX exactly the way the website says, like:
ca generate rsa 512
ca identity nickname 192.168.20.5:/certsrv/mscep/mscep.dll
ca configure nickname ra 1 20 crloptional
ca authenticate nickname
ca enrol nickname 192.168.20.5(Server ip address)
I mapped 192.168.20.5 for x.x.x.x1 and opened port 80 for the same.
From the client system I gave http://x.x.x.x2/certsrv
and in the advanced request I chose "Submit the Certificate request using CA form" and in the next screen the intended purpose was "Client Authentication purpose" and CSP "Microsoft Base Cryptographic Provider v1.0" and I installed the certificate on the local system.
Now in the Cisco VPN client 4.2, instead of Group authentication I chose Certificate and selected the installed certificate. Now when I try to connect, after IPsec initialization it tries to connect to x.x.x.x1 and cannot connect, and the VPN client log is below. Can someone advise me how I should proceed?
782 15:56:10.700 03/31/04 Sev=Info/4 IPSEC/0x6370000D
Key(s) deleted by Interface (61.95.202.56)
783 15:56:11.061 03/31/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = x.x.x.x1
784 15:56:11.061 03/31/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
785 15:56:11.061 03/31/04 Sev=Info/4 IKE/0xE30000A4
Invalid payload: Stated payload length, 1032, is not sufficient for Notification:(PayloadList:148)
786 15:56:11.061 03/31/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
787 15:56:15.968 03/31/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
788 15:56:15.968 03/31/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to x.x.x.x1
789 15:56:20.975 03/31/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
790 15:56:20.975 03/31/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to x.x.x.x1
791 15:56:25.982 03/31/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
792 15:56:25.982 03/31/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to x.x.x.x1
793 15:56:30.989 03/31/04 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=96A7D7A099A5F939 R_Cookie=3F1FE85186155AA8) reason = DEL_REASON_PEER_NOT_RESPONDING
794 15:56:31.490 03/31/04 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=96A7D7A099A5F939 R_Cookie=3F1FE85186155AA8) reason = DEL_REASON_PEER_NOT_RESPONDING
795 15:56:31.490 03/31/04 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "x.x.x.x1" because of "DEL_REASON_PEER_NOT_RESPONDING"
796 15:56:31.490 03/31/04 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
797 15:56:31.580 03/31/04 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
798 15:56:31.630 03/31/04 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully
799 15:56:31.991 03/31/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
800 15:56:31.991 03/31/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
801 15:56:31.991 03/31/04 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
802 15:56:31.991 03/31/04 Sev=Info/4 IPSEC/0x6370000A
Thanks in Advance
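An added example, not part of the original post and not Cisco tooling: a small Python parser for the VPN Client log layout shown above (a header line followed by its message line), which pulls out the warnings, the retransmission count and the SA deletion reason. The sample is an excerpt of the posted log; the function names and the header layout are assumptions drawn from that excerpt.

```python
import re
from collections import Counter

# Header layout assumed from the posted log: <seq> <time> <date> Sev=<sev>/<level> <module>/<event>
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<event>0x[0-9A-Fa-f]+)$"
)

# Excerpt of the log from the post; entry 802 has no message line there either.
SAMPLE_LOG = """\
784 15:56:11.061 03/31/04 Sev=Warning/2 IKE/0xE3000099
Invalid SPI size (PayloadNotify:116)
786 15:56:11.061 03/31/04 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)
787 15:56:15.968 03/31/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
789 15:56:20.975 03/31/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
793 15:56:30.989 03/31/04 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=96A7D7A099A5F939 R_Cookie=3F1FE85186155AA8) reason = DEL_REASON_PEER_NOT_RESPONDING
802 15:56:31.991 03/31/04 Sev=Info/4 IPSEC/0x6370000A
"""

def parse(text):
    """Pair every header line with the message line(s) that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "msg": ""})
        elif line and entries:  # continuation of the current entry
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def summarize(entries):
    """Collect the facts that matter when Phase 1 never completes."""
    reasons = Counter(m[1] for e in entries if (m := re.search(r"reason = (\w+)", e["msg"])))
    return {
        "warnings": [(e["seq"], e["event"], e["msg"]) for e in entries if e["sev"] == "Warning"],
        "retransmits": sum("Retransmitting last packet" in e["msg"] for e in entries),
        "reasons": dict(reasons),
        "incomplete": [e["seq"] for e in entries if not e["msg"]],  # truncated entries
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE_LOG)))
```
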
04-07-2004 07:05 AM
Check to see if the personal firewall is disabled, check if NetBIOS over TCP is enabled, and check if Client for Microsoft Networks is enabled.