05-20-2007 05:09 PM - edited 02-21-2020 03:03 PM
Hello!
I have been trying to get the L2TP over IPSec using Digital Certificates (PIX -
Win2K Client) working for weeks now but unfortunately I failed. On the Win2K
client I keep getting the message saying no valid certificate was found. I have
configured the PIX and the client to get their certificates from the Standalone
Root CA (also a Win2K box) that I have set up. I replaced the Win2K box with an
XP, but still get the same error message.
Has anybody encountered this problem before, too? Please, if you have
encountered this, I will greatly appreciate your response.
Lorenz
05-22-2007 12:58 AM
Lorenz,
I can help you a bit from the PIX firewall side, but for the client configuration you have to check the link given below. (The document is for Windows 2000 computers.)
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/ispstep.mspx
From the firewall side, can you send me the output of "sh cry ca cert" and "sh cry isakmp"? Let me check the basics to see if everything is configured properly.
Thanks
Gilbert
05-22-2007 05:07 PM
Hello Gilbert,
Please see below the output of the "show crypto ca cert" and "show crypto isakmp" as well as the running config for the PIX firewall.
==============================================
PIX(config)# show crypto ca cert
Certificate
Status: Available
Certificate Serial Number: 61145dd3000000000010
Key Usage: General Purpose
Subject Name:
CN = PIX.lab5.com
UNSTRUCTURED NAME = PIX.lab5.com
Validity Date:
start date: 08:43:55 MANILA May 23 2007
end date: 08:53:55 MANILA May 23 2008
RA Signature Certificate
Status: Available
Certificate Serial Number: 61140109000000000002
Key Usage: Signature
CN = Name For SCEP RA Setup Wizard
OU = SSG1
O = FUJITSU
L = Makati
ST = StateofMetroManila
C = PH
EA = email@scepracertificateenrollment.com
Validity Date:
start date: 18:08:26 MANILA May 8 2007
end date: 18:18:26 MANILA May 8 2008
CA Certificate
Status: Available
Certificate Serial Number: 1d3251704c7c9fb645b6555305b3576e
Key Usage: Signature
CN = CCIELABCA2
OU = SSG1
O = FUJITSU
L = Makati
ST = MetroManila
C = PH
EA = ccie@ccielab.com
Validity Date:
start date: 18:00:34 MANILA May 8 2007
end date: 18:07:44 MANILA May 8 2009
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 611402f3000000000003
Key Usage: Encryption
CN = Name For SCEP RA Setup Wizard
OU = SSG1
O = FUJITSU
L = Makati
ST = StateofMetroManila
C = PH
EA = email@scepracertificateenrollment.com
Validity Date:
start date: 18:08:26 MANILA May 8 2007
end date: 18:18:26 MANILA May 8 2008
PIX(config)#
PIX(config)#
PIX(config)#
PIX(config)#
PIX(config)# show crypto isakmp
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
PIX(config)#
PIX(config)# show crypto isakmp
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
PIX(config)#
PIX(config)#
PIX(config)# sh run
domain-name lab5.com
name 172.16.1.5 ccielab2
access-list l2tp permit udp host 173.5.1.7 any eq 1701
access-list l2tp permit udp host 173.5.1.4 any eq 1701
access-list nonat permit ip 172.16.1.0 255.255.255.0 70.70.70.0 255.255.255.0
ip local pool l2tpool 70.70.70.0 mask 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set l2tptrans esp-des esp-md5-hmac
crypto ipsec transform-set l2tptrans mode transport
crypto dynamic-map pixdyna 10 set transform-set l2tptrans
crypto map pixmap 10 ipsec-isakmp dynamic pixdyna
crypto map pixmap client authentication acs
crypto map pixmap interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
ca identity ccielab2 ccielab2:/certsrv/mscep/mscep.dll
ca configure ccielab2 ra 1 5
vpdn group lab5 accept dialin l2tp
vpdn group lab5 localname l2tp-user
vpdn group lab5 ppp authentication chap
vpdn group lab5 ppp authentication mschap
vpdn group lab5 client configuration address local l2tpool
vpdn group lab5 client configuration dns 70.70.70.1
vpdn group lab5 client configuration wins 70.70.70.1
vpdn group lab5 client authentication local
vpdn group lab5 l2tp tunnel hello 60
vpdn username l2tp-user password ********* store-local
vpdn enable outside
username test password xxx
PIX(config)#
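Added example, not from the thread or from Cisco: a small Python checker that parses output in the "show crypto ca cert" layout pasted above and flags certificates that would be rejected at a given device clock time (not yet valid, expired, or an identity certificate whose validity lies outside its CA's window). The embedded sample is a constructed, trimmed copy of the thread's output, and the 5-minute clock-skew allowance is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the PIX 'show crypto ca cert' layout, trimmed from the thread.
SAMPLE = """Certificate
Status: Available
Certificate Serial Number: 61145dd3000000000010
CN = PIX.lab5.com
Validity Date:
start date: 08:43:55 MANILA May 23 2007
end date: 08:53:55 MANILA May 23 2008
CA Certificate
CN = CCIELABCA2
Validity Date:
start date: 18:00:34 MANILA May 8 2007
end date: 18:07:44 MANILA May 8 2009
"""

HEADERS = {"Certificate", "CA Certificate", "RA Signature Certificate", "RA KeyEncipher Certificate"}
DATE_RE = re.compile(r"^(start|end) date: (\d\d:\d\d:\d\d) \S+ (\w+ \d{1,2} \d{4})$")

def parse_certs(text):
    """Split the command output into one dict per certificate block (type, cn, start, end)."""
    certs = []
    for line in (l.strip() for l in text.splitlines()):
        if line in HEADERS:
            certs.append({"type": line})
        elif certs and (m := DATE_RE.match(line)):
            certs[-1][m.group(1)] = datetime.strptime(m.group(2) + " " + m.group(3), "%H:%M:%S %b %d %Y")
        elif certs and line.startswith("CN = "):
            certs[-1]["cn"] = line[5:]
    return certs

def check_validity(certs, now, skew=timedelta(minutes=5)):
    """Return (cn, problem) pairs for certs unusable at 'now' ("YYYY-MM-DD HH:MM:SS" or datetime).
    A just-enrolled cert still ahead of a peer's clock, or an identity cert outside its CA's
    window, are typical reasons a peer rejects the certificate.  Skew allowance is assumed."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    problems = []
    ca = next((c for c in certs if c["type"] == "CA Certificate"), None)
    for c in certs:
        if now + skew < c["start"]:
            problems.append((c["cn"], "not yet valid"))
        elif now > c["end"]:
            problems.append((c["cn"], "expired"))
        if ca and c is not ca and not (ca["start"] <= c["start"] and c["end"] <= ca["end"]):
            problems.append((c["cn"], "validity outside issuing CA window"))
    return problems
```

Run it against the device's own output and the peer's current local time to see whether a "no valid certificate" complaint is simply a clock or validity-window problem.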
05-22-2007 06:05 PM
Hi Gilbert,
From the link that you gave me, I read it and applied the step-by-step procedures from it. Now I understand more about the implementation of Certificate Authority interoperability with Cisco devices. Now my L2TP over IPSec using Digital Certificates is working! I'm so glad you came to my rescue. =)
May God bless you!
Regards,
Lorenz
05-23-2007 01:12 PM
Lorenz,
I am glad to know that you got it to work.
Please rate this post, if it helped.
Cheers,
Gilbert