09-21-2004 01:53 AM
We are trying to set up PIX to use certificates issued by Microsoft CA for our remote VPN clients. But we cannot get the PIX to even ca auth the CA. We are using an enterprise subordinate CA. The root CA has a 4096 key and the subordinate has 2048. Someone told me that PIX will not work with Microsoft Enterprise CA, but it will work with standalone CA. Further, it will not accept a CA key length of 4096; 2048 should be used. Is that correct? We already have our root and subordinate set up as 4096 and 2048 respectively and both are Enterprise. Does that mean we cannot use our own certificates on the PIX for our VPN clients? Any ideas?
Regards,
Amjad.
09-21-2004 05:54 PM
The PIX currently only supports root CAs, not subordinate ones, as shown in the config guide here:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#wp1045391
The new version of code, v7, due out later this year or early next, will support subordinate CAs, both standalone and enterprise.
09-21-2004 09:20 PM
Ok, that is for the PIX only I assume. That means that in order to get a certificate for PIX, I must use a standalone MS CA. What about client certificates for clients who will establish VPNs, can they be from any CA or do those certificates also have to be published from this one CA that gave the certificate to PIX?
09-22-2004 10:10 PM
My VPN 3000 series Concentrator is at the DMZ and I have installed Enterprise Root CA & Subordinate CA servers behind the PIX firewall. The problem I have now is the VPN client v4.x users are able to log on fine if using the certificate issued by the Enterprise Root CA but fail to log on if using the certificate issued by the Subordinate CA server. So do you think the VPN concentrator is not supporting subordinate CAs too?
09-22-2004 10:15 PM
I would expect the concentrator to accept client certificates issued from *ANY* entity. Otherwise the whole purpose of PKI is defeated.
About the concentrator certificate, did you get the concentrator installed using your own Enterprise CA or a standalone one?
--Amjad.
09-22-2004 10:25 PM
I have installed identity certificates on the concentrator using the "Enroll via SCEP at.." method from both the Enterprise CA & Subordinate CA servers. I have also created new IKE & SA that match the identity certificate accordingly. I have run out of ideas of what to do next. These are Windows 2000 Server CA servers. What is IKE Peer? Do I need to configure this for remote access VPN users? Thanks heaps.
09-22-2004 10:39 PM
By the way, the valid error message that I have captured from the VPN client is as follows. Help.....
30 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.0.237.12
31 15:51:57.287 09/16/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?)) from 203.0.237.12
32 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer
33 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
34 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001
Peer supports DWR Code and DWR Text
35 15:51:59.811 09/16/04 Sev=Warning/2 IKE/0xE3000099
Invalid packet data state (Sender:192)
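A small triage script for the two-line Cisco VPN Client log format quoted above, added here as an example and not part of the thread; the sample lines are constructed and the peer address is a documentation-range placeholder. It pairs each header line with its message line, keeps the Cisco severity number (lower is more severe), and reports whether the peer sent a CERT_REQ before the first warning, which localises the failure to the certificate exchange rather than the earlier proposal phase.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the two-line Cisco VPN Client log format seen in the
# thread (header line, then message line). The peer address is a
# documentation-range placeholder, not the poster's real concentrator.
SAMPLE_LOG = """\
30 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 192.0.2.12
31 15:51:57.287 09/16/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, CERT_REQ, VID(Unity), VID(Xauth)) from 192.0.2.12
32 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH
35 15:51:59.811 09/16/04 Sev=Warning/2 IKE/0xE3000099
Invalid packet data state (Sender:192)
"""

# Header line: <seq> <time> <date> Sev=<name>/<level> <module>/<hex code>
HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<time>\d\d:\d\d:\d\d\.\d{3}) (?P<date>\d\d/\d\d/\d\d) "
    r"Sev=(?P<sev>\w+)/(?P<level>\d) (?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)

@dataclass
class Entry:
    seq: int
    severity: str
    level: int        # Cisco convention: lower number = more severe
    module: str
    code: str
    message: str

def parse_log(text: str) -> List[Entry]:
    """Pair each header line with the message line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.groupdict()
        elif pending is not None:
            entries.append(Entry(int(pending["seq"]), pending["sev"], int(pending["level"]),
                                 pending["module"], pending["code"], line.strip()))
            pending = None
    return entries

def triage(text: str) -> dict:
    """Report the first Warning-or-worse entry and whether a CERT_REQ preceded it."""
    entries = parse_log(text)
    first_warn = next((e for e in entries if e.level <= 2), None)
    cert_req_before = any("CERT_REQ" in e.message for e in entries
                          if first_warn is None or e.seq < first_warn.seq)
    return {"entries": len(entries), "cert_requested": cert_req_before,
            "first_warning": None if first_warn is None else (first_warn.code, first_warn.message)}
```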
09-22-2004 10:42 PM
Try authenticating without a certificate first, with preshared keys. If that works, next step would be certificates.
09-22-2004 10:46 PM
Just tested & in fact have tested many times. If with no certificate & if using enterprise root CA certificates, the logon works all the time.
09-23-2004 10:37 PM
Problem was solved by using a standalone CA.
09-27-2004 05:24 PM
Apparently it turned out that it was the workstation, not a backend issue. Reinstalling the VPN program did not fix the problem; I had to rebuild the XP OS from scratch. Thanks for your contribution, much appreciated.