PIX L2TP over IPSec - Error Valid Certificate not found

l.tating
Level 1

Hello!

I have been trying to get L2TP over IPSec using Digital Certificates (PIX - Win2K Client) working for weeks now but unfortunately I failed. On the Win2K client I keep getting the message saying no valid certificate was found. I have configured the PIX and the client to get their certificates from the Standalone Root CA (also a Win2K box) that I have set up. I replaced the Win2K box with an XP box, but still get the same error message.

Has anybody encountered this problem before, too? Please, if you have encountered this, I will greatly appreciate your response.

Lorenz

4 Replies

ggilbert
Cisco Employee

Lorenz,

I can help you a bit from the PIX firewall side, but for the client configuration you have to check the link given below (the document is for Windows 2000 computers).

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/ispstep.mspx

From the firewall side, can you send me the output of "sh cry ca cert" and "sh cry isakmp"? Let me check the basics to see if everything is configured properly.

Thanks

Gilbert

Hello Gilbert,

Please see below the output of the "show crypto ca cert" and "show crypto isakmp" as well as the running config for the PIX firewall.

==============================================

PIX(config)# show crypto ca cert
Certificate
Status: Available
Certificate Serial Number: 61145dd3000000000010
Key Usage: General Purpose
Subject Name:
CN = PIX.lab5.com
UNSTRUCTURED NAME = PIX.lab5.com
Validity Date:
start date: 08:43:55 MANILA May 23 2007
end date: 08:53:55 MANILA May 23 2008

RA Signature Certificate
Status: Available
Certificate Serial Number: 61140109000000000002
Key Usage: Signature
CN = Name For SCEP RA Setup Wizard
OU = SSG1
O = FUJITSU
L = Makati
ST = StateofMetroManila
C = PH
EA = email@scepracertificateenrollment.com
Validity Date:
start date: 18:08:26 MANILA May 8 2007
end date: 18:18:26 MANILA May 8 2008

CA Certificate
Status: Available
Certificate Serial Number: 1d3251704c7c9fb645b6555305b3576e
Key Usage: Signature
CN = CCIELABCA2
OU = SSG1
O = FUJITSU
L = Makati
ST = MetroManila
C = PH
EA = ccie@ccielab.com
Validity Date:
start date: 18:00:34 MANILA May 8 2007
end date: 18:07:44 MANILA May 8 2009

RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 611402f3000000000003
Key Usage: Encryption
CN = Name For SCEP RA Setup Wizard
OU = SSG1
O = FUJITSU
L = Makati
ST = StateofMetroManila
C = PH
EA = email@scepracertificateenrollment.com
Validity Date:
start date: 18:08:26 MANILA May 8 2007
end date: 18:18:26 MANILA May 8 2008

PIX(config)# show crypto isakmp
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

PIX(config)# sh run
domain-name lab5.com
name 172.16.1.5 ccielab2
access-list l2tp permit udp host 173.5.1.7 any eq 1701
access-list l2tp permit udp host 173.5.1.4 any eq 1701
access-list nonat permit ip 172.16.1.0 255.255.255.0 70.70.70.0 255.255.255.0
ip local pool l2tpool 70.70.70.0 mask 255.255.255.0
nat (inside) 0 access-list nonat
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set l2tptrans esp-des esp-md5-hmac
crypto ipsec transform-set l2tptrans mode transport
crypto dynamic-map pixdyna 10 set transform-set l2tptrans
crypto map pixmap 10 ipsec-isakmp dynamic pixdyna
crypto map pixmap client authentication acs
crypto map pixmap interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
ca identity ccielab2 ccielab2:/certsrv/mscep/mscep.dll
ca configure ccielab2 ra 1 5
vpdn group lab5 accept dialin l2tp
vpdn group lab5 localname l2tp-user
vpdn group lab5 ppp authentication chap
vpdn group lab5 ppp authentication mschap
vpdn group lab5 client configuration address local l2tpool
vpdn group lab5 client configuration dns 70.70.70.1
vpdn group lab5 client configuration wins 70.70.70.1
vpdn group lab5 client authentication local
vpdn group lab5 l2tp tunnel hello 60
vpdn username l2tp-user password ********* store-local
vpdn enable outside
username test password xxx
PIX(config)#
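An added check on the PIX side (example code written for this page; it is not from the thread or from Cisco): it parses the "show crypto ca cert" and config text Lorenz posted (copied into the block as constructed samples, trimmed to the fields the checks read; "hostname PIX" is assumed from the prompt, since the posted config does not show it) and flags the things that stop a certificate-authenticated L2TP/IPsec session from negotiating: a missing or non-Available certificate, a validity window the PIX clock is not inside, an identity CN that does not match hostname.domain-name, no rsa-sig ISAKMP policy, and a transform set that is not in transport mode. It also flags the single-DES and DH group 1 settings in the posted policy, which were already weak in 2007. The Windows "no valid certificate" message itself concerns the client's machine certificate store, which nothing on the PIX can see; that side is what the Microsoft document Gilbert linked covers.

```python
"""Added example, not from the thread: sanity-check the PIX side of an
L2TP/IPsec-with-certificates setup from 'show crypto ca cert' and the running
config. Samples are Lorenz's posted output, trimmed; 'hostname PIX' is assumed."""
import re
from datetime import datetime

SHOW_CA_CERT = """\
Certificate
Status: Available
Key Usage: General Purpose
CN = PIX.lab5.com
Validity Date:
start date: 08:43:55 MANILA May 23 2007
end date: 08:53:55 MANILA May 23 2008
CA Certificate
Status: Available
CN = CCIELABCA2
Validity Date:
start date: 18:00:34 MANILA May 8 2007
end date: 18:07:44 MANILA May 8 2009
"""

RUNNING_CONFIG = """\
hostname PIX
domain-name lab5.com
crypto ipsec transform-set l2tptrans esp-des esp-md5-hmac
crypto ipsec transform-set l2tptrans mode transport
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 group 1
"""

# "08:43:55 MANILA May 23 2007": the zone token is skipped, all stamps are PIX local time.
DATE_RE = re.compile(r"(\d\d:\d\d:\d\d)\s+\S+\s+(\w{3}\s+\d{1,2}\s+\d{4})")


def parse_pix_date(text):
    m = DATE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised PIX date: {text!r}")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%H:%M:%S %b %d %Y")


def parse_certs(text):
    """Split 'show crypto ca cert' output into one dict per certificate block."""
    certs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Certificate") and ":" not in line:  # block header
            cur = {"type": line, "subject": {}}
            certs.append(cur)
        elif " = " in line:  # subject attribute, e.g. "CN = PIX.lab5.com"
            key, val = line.split(" = ", 1)
            cur["subject"][key] = val
        elif ":" in line:  # "Key: value" field; bare headers like "Validity Date:" are skipped
            key, val = (s.strip() for s in line.split(":", 1))
            if key in ("start date", "end date"):
                cur[key] = parse_pix_date(val)
            elif val:
                cur[key] = val
    return certs


def expected_identity_cn(config):
    """The PIX enrols with CN = <hostname>.<domain-name>; that is the name the peer sees."""
    host = domain = None
    for line in config.splitlines():
        if line.startswith("hostname "):
            host = line.split()[1]
        elif line.startswith("domain-name "):
            domain = line.split()[1]
    return f"{host}.{domain}"


def check_chain(certs, now, expected_cn):
    """Findings on the PIX certificates at time 'now'; [] means nothing wrong was found."""
    by_type = {c["type"]: c for c in certs}
    ident, ca = by_type.get("Certificate"), by_type.get("CA Certificate")
    if ident is None:
        return ["no identity certificate enrolled on the PIX"]
    findings = []
    if ca is None:
        findings.append("CA certificate missing: the PIX cannot validate the client's certificate")
    for c in certs:
        if c.get("Status") != "Available":
            findings.append(f"{c['type']}: status {c.get('Status')}")
        if not c["start date"] <= now <= c["end date"]:
            findings.append(f"{c['type']}: not valid at {now:%Y-%m-%d %H:%M} (check the PIX clock)")
    if ca and not (ca["start date"] <= ident["start date"] and ident["end date"] <= ca["end date"]):
        findings.append("identity certificate validity extends beyond the CA certificate's")
    if ident["subject"].get("CN") != expected_cn:
        findings.append(f"identity CN {ident['subject'].get('CN')!r} != {expected_cn!r}")
    return findings


def check_l2tp_config(config):
    """Findings on the IKE/IPsec settings a certificate-authenticated L2TP/IPsec client needs."""
    lines, findings = config.splitlines(), []
    if not any(re.fullmatch(r"isakmp policy \d+ authentication rsa-sig", l) for l in lines):
        findings.append("no ISAKMP policy uses rsa-sig: certificate authentication cannot negotiate")
    if not any(re.fullmatch(r"crypto ipsec transform-set \S+ mode transport", l) for l in lines):
        findings.append("transform set not in transport mode: Windows L2TP/IPsec will not match it")
    for l in lines:
        if re.fullmatch(r"isakmp policy \d+ encryption des", l) or "esp-des" in l.split():
            findings.append(f"single DES is broken, use 3des or aes: {l}")
        if re.fullmatch(r"isakmp policy \d+ group 1", l):
            findings.append(f"DH group 1 (768-bit) is too weak, use group 2 or higher: {l}")
    return findings
```

Run it as `check_chain(parse_certs(SHOW_CA_CERT), parse_pix_date("12:00:00 MANILA Jun 1 2007"), expected_identity_cn(RUNNING_CONFIG))` and `check_l2tp_config(RUNNING_CONFIG)`: with a clock inside both validity windows the certificate checks come back clean, and the only config findings are the three weak-crypto ones (DES in the ISAKMP policy, esp-des in the transform set, DH group 1). Re-running the certificate check with a clock after May 23 2008 reports the expired identity certificate, which is the same symptom a drifted PIX clock produces.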

Hi Gilbert,

From the link that you gave me, I read it and applied the step-by-step procedures from it. Now I understand more about the implementation of Certificate Authority interoperability with Cisco devices. Now my L2TP over IPSec using Digital Certificates is working! I'm so glad you came to my rescue. =)

May God bless you!

Regards,

Lorenz

Lorenz,

I am glad to know that you got it to work.

Please rate this post, if it helped.

Cheers,

Gilbert
