PIX with Microsoft CA

amjad
Level 1

We are trying to set up PIX to use certificates issued by Microsoft CA for our remote VPN clients. But we cannot get the PIX to even ca auth the CA. We are using an enterprise subordinate CA. The root CA has a 4096 key and the subordinate has 2048. Someone told me that PIX will not work with Microsoft Enterprise CA, but it will work with standalone CA. Further, it will not accept a CA key length of 4096; 2048 should be used. Is that correct? We already have our root and subordinate set up as 4096 and 2048 respectively and both are Enterprise. Does that mean we cannot use our own certificates on the PIX for our VPN clients? Any ideas?

Regards,

Amjad.

10 Replies

gfullage
Cisco Employee

The PIX currently only supports root CAs, not subordinate CAs, as shown in the config guide here:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/ipsecint.htm#wp1045391

The new version of code, v7, due out later this year or early next, will support subordinate CAs, both standalone and enterprise.

Ok, that is for the PIX only I assume. That means that in order to get a certificate for PIX, I must use a standalone MS CA. What about client certificates for the clients who will establish VPNs: can they be from any CA, or do those certificates also have to be published from this one CA that gave the certificate to PIX?

My VPN 3000 series Concentrator is at the DMZ, and I have installed an Enterprise Root CA & Subordinate CA server behind the PIX firewall. The problem I have now is that the VPN client v4.x users are able to log on fine if using the certificate issued by the Enterprise Root CA, but fail to log on if using the certificate issued by the Subordinate CA server. So do you think the VPN concentrator is not supporting subordinate CA too?

I would expect the concentrator to accept client certificates issued from *ANY* entity. Otherwise the whole purpose of PKI is defeated.

About the concentrator certificate, did you get the concentrator installed using your own Enterprise CA or a standalone one?

--Amjad.

I have installed identity certificates on the concentrator using the "Enroll via SCEP at.." method from both the Enterprise CA & Subordinate CA servers. I have also created new IKE & SA that match the identity certificate accordingly. I have run out of ideas what to do next. These are Windows 2000 Server CA servers. What is IKE Peer? Do I need to configure this for remote access VPN users? Thanks heaps.

By the way, the valid error message that I have captured from the VPN client is as follows. Help.....

30 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 203.0.237.12

31 15:51:57.287 09/16/04 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?)) from 203.0.237.12

32 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer

33 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001

Peer supports XAUTH

34 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001

Peer supports DWR Code and DWR Text

35 15:51:59.811 09/16/04 Sev=Warning/2 IKE/0xE3000099

Invalid packet data state (Sender:192)
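The Cisco VPN Client log excerpt above has a regular shape: a header line carrying a sequence number, timestamp, severity, component and hex event code, followed by the message text. When troubleshooting certificate authentication it helps to pull out the structured fields instead of reading the raw log: which severity each event has, which vendor IDs the peer advertised, and how many CERT_REQ payloads the peer put in its Main Mode message (each CERT_REQ payload names a trust anchor the peer is asking the client to present a certificate from, per RFC 2408). The following Python parser is an added example and is not code from any post in this thread or from Cisco; the sample log is the excerpt above reproduced verbatim, and the function names (parse_vpn_client_log, find_warnings, peer_vendor_ids, cert_request_count) are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Header line of the Cisco VPN Client log as shown in the thread, e.g.
#   30 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x6300002F
# Format assumed from the excerpt; other client versions may differ.
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})\s+Sev=(?P<sev_name>\w+)/(?P<sev_level>\d+)\s+"
    r"(?P<component>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)

# Constructed sample: the log lines posted in the thread, verbatim.
SAMPLE_LOG = """
30 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x6300002F

Received ISAKMP packet: peer = 203.0.237.12

31 15:51:57.287 09/16/04 Sev=Info/4 IKE/0x63000014

RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, CERT_REQ, VID(Unity), VID(Xauth), VID(?), VID(?)) from 203.0.237.12

32 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001

Peer is a Cisco-Unity compliant peer

33 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001

Peer supports XAUTH

34 15:51:57.287 09/16/04 Sev=Info/5 IKE/0x63000001

Peer supports DWR Code and DWR Text

35 15:51:59.811 09/16/04 Sev=Warning/2 IKE/0xE3000099

Invalid packet data state (Sender:192)
"""


@dataclass
class LogEntry:
    seq: int
    timestamp: str      # "MM/DD/YY HH:MM:SS.mmm"
    severity: str       # Info, Warning, Error, ...
    level: int          # numeric severity level after the slash
    component: str      # IKE, CM, IPSEC, ...
    code: str           # hex event code
    message: str = field(default="")


def parse_vpn_client_log(text: str) -> List[LogEntry]:
    """Pair each header line with the message line(s) that follow it.

    Blank lines are ignored; a message spanning several lines is joined
    with single spaces. A header with no message yields an empty message.
    """
    entries: List[LogEntry] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            if pending is not None:
                entries.append(pending)
            pending = LogEntry(
                seq=int(m["seq"]),
                timestamp=f"{m['date']} {m['time']}",
                severity=m["sev_name"],
                level=int(m["sev_level"]),
                component=m["component"],
                code=m["code"],
            )
        elif pending is not None:
            pending.message = (pending.message + " " + line).strip()
    if pending is not None:
        entries.append(pending)
    return entries


def find_warnings(entries: List[LogEntry]) -> List[LogEntry]:
    """Return entries the client logged at Warning or Error severity."""
    return [e for e in entries if e.severity in ("Warning", "Error")]


def peer_vendor_ids(entries: List[LogEntry]) -> List[str]:
    """Vendor ID payloads advertised by the peer in received ISAKMP messages."""
    vids: List[str] = []
    for e in entries:
        if e.message.startswith("RECEIVING"):
            vids.extend(re.findall(r"VID\(([^)]*)\)", e.message))
    return vids


def cert_request_count(entries: List[LogEntry]) -> int:
    """Number of CERT_REQ payloads the peer sent across received messages."""
    return sum(
        len(re.findall(r"\bCERT_REQ\b", e.message))
        for e in entries
        if e.message.startswith("RECEIVING")
    )


if __name__ == "__main__":
    parsed = parse_vpn_client_log(SAMPLE_LOG)
    print(f"{len(parsed)} events, peer VIDs: {peer_vendor_ids(parsed)}, "
          f"CERT_REQ payloads: {cert_request_count(parsed)}")
    for w in find_warnings(parsed):
        print(f"seq {w.seq} {w.severity}/{w.level} {w.component}/{w.code}: {w.message}")
```

Run against the excerpt, the parser yields six events, shows the concentrator sent two CERT_REQ payloads (two trust anchors it will accept a client certificate from), and isolates the single Warning, the IKE 0xE3000099 "Invalid packet data state" event that marks where the negotiation broke down.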

Try authenticating without a certificate first, with preshared keys. If that works, next step would be certificates.

Just tested & in fact have tested many times. With no certificate, and with the enterprise root CA certificates, the logon works all the time.

amjad
Level 1

Problem was solved by using a standalone CA.

Apparently it turned out that it was the workstation, not a backend issue. Reinstalling the VPN program did not fix the problem; I had to rebuild the XP OS from scratch. Thanks for your contribution, much appreciated.