09-20-2009 11:26 PM - edited 02-21-2020 04:20 PM
Dear all,
I would like to configure a remote access VPN that authenticates with certificates.
I have configured it based on a Cisco configuration example:
http://www.cisco.com/application/pdf/paws/100413/asavpnclient_ca.pdf
but I have changed some settings because I would like to map the ISAKMP session based on the OU in the certificate,
and I got the following problem:
Sep 18 00:47:58 [IKEv1 DEBUG]: IP = 172.23.18.23, processing notify payload
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Automatic NAT Detection Status: Remote end is NOT behind a NAT device This end is NOT behind a NAT device
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Trying to find group via OU...
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Connection landed on tunnel_group doi
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Peer Certificate authentication failed: General Error
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, IKE MM Responder FSM error history (struct &0xd5dc2c50) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT-->MM_BLD_MSG6, EV_CHECK_NAT_T-->MM_BLD_MSG6, EV_GROUP_LOOKUP-->MM_WAIT_MSG5, EV_PROCESS_MSG-->MM_WAIT_MSG5, EV_VALIDATE_MSG
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, IKE SA MM:883ff569 terminating: flags 0x0105c002, refcnt 0, tuncnt 0
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, sending delete/delete with reason message
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, constructing blank hash payload
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, constructing IKE delete payload
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, constructing qm hash payload
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, IKE_DECODE SENDING Message (msgid=82a7cfe0) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 76
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Removing peer from peer table failed, no match!
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Error: Unable to remove PeerTblEntry
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
I would like to know the meaning of these debug log lines:
Peer Certificate authentication failed: General Error
and
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Removing peer from peer table failed, no match!
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Error: Unable to remove PeerTblEntry
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
Sep 18 00:48:03 [IKEv1]: IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
I have already deployed a new CA server in a VM and got the same result. Any suggestions about that?
Thanks a lot
Regards,
Weng Kin
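Reading the responder FSM history by hand is error-prone, so here is a small added example (not from the original post or from Cisco) in Python: it parses lines like the "debug crypto isakmp" output above, collects per peer the tunnel group, the certificate-authentication failure reason, the FSM error history and the number of follow-up "missing SA payload" retries, and reports the step right before EV_ERROR, which here is EV_VALIDATE_CERT, i.e. the exchange broke while the ASA was validating the peer certificate. The embedded log lines are constructed from the post, and the newest-first reading of the history is inferred from its layout (MM_WAIT_MSG5 precedes MM_BLD_MSG6 in main mode).

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: four of the "debug crypto isakmp" lines pasted in the post above.
SAMPLE_LOG = """\
Sep 18 00:47:58 [IKEv1]: IP = 172.23.18.23, Connection landed on tunnel_group doi
Sep 18 00:47:58 [IKEv1]: Group = doi, IP = 172.23.18.23, Peer Certificate authentication failed: General Error
Sep 18 00:47:58 [IKEv1 DEBUG]: Group = doi, IP = 172.23.18.23, IKE MM Responder FSM error history (struct &0xd5dc2c50) <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_VALIDATE_CERT-->MM_BLD_MSG6, EV_UPDATE_CERT-->MM_BLD_MSG6, EV_TEST_CERT-->MM_BLD_MSG6, EV_CHECK_NAT_T-->MM_BLD_MSG6, EV_GROUP_LOOKUP-->MM_WAIT_MSG5, EV_PROCESS_MSG-->MM_WAIT_MSG5, EV_VALIDATE_MSG
Sep 18 00:48:03 [IKEv1]: IP = 172.23.18.23, Header invalid, missing SA payload! (next payload = 132)
"""

# Timestamp, "[IKEv1]" or "[IKEv1 DEBUG]", then the optional "Group = x, " and "IP = y, " fields.
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \[IKEv1(?: DEBUG)?\]: "
    r"(?:Group = (?P<group>\S+), )?(?:IP = (?P<ip>[\d.]+), )?(?P<msg>.*)$"
)

@dataclass
class PeerSummary:
    ip: str
    group: str | None = None
    auth_failure: str | None = None   # reason text after "Peer Certificate authentication failed: "
    fsm_history: list[tuple[str, str]] = field(default_factory=list)  # (state, event), newest first
    invalid_headers: int = 0          # client retries that arrived without an SA payload

def parse_fsm_history(msg: str) -> list[tuple[str, str]]:
    # "... <state>, <event>: MM_DONE, EV_ERROR-->MM_BLD_MSG6, EV_VALIDATE_CERT-->..." -> pairs
    body = msg.split("<event>: ", 1)[1]
    return [tuple(step.split(", ", 1)) for step in body.split("-->")]

def summarize(log: str) -> dict[str, PeerSummary]:
    peers: dict[str, PeerSummary] = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("ip"):
            continue  # lines without a peer IP (e.g. IKE_DECODE SENDING) carry nothing per peer
        p = peers.setdefault(m.group("ip"), PeerSummary(m.group("ip")))
        p.group = m.group("group") or p.group
        msg = m.group("msg")
        if msg.startswith("Peer Certificate authentication failed: "):
            p.auth_failure = msg.split(": ", 1)[1]
        elif "FSM error history" in msg:
            p.fsm_history = parse_fsm_history(msg)
        elif msg.startswith("Header invalid, missing SA payload"):
            p.invalid_headers += 1
    return peers

def failing_step(p: PeerSummary) -> tuple[str, str] | None:
    # History is newest first, so the entry right after EV_ERROR is where the exchange broke.
    h = p.fsm_history
    return h[1] if len(h) > 1 and h[0][1] == "EV_ERROR" else None
```

Run `summarize(open("isakmp.log").read())` over a saved debug capture and call `failing_step` on each peer to see whether failures cluster on EV_VALIDATE_CERT (certificate chain or trustpoint problem) or elsewhere in the exchange.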
09-21-2009 02:19 PM
Enable 'debug crypto ca mess & trans 200' and post that output if possible. How many trustpoints do you have configured on the ASA? Do you have subordinate certs on the ID cert the PC has installed? Do you have crypto isakmp identity hostname configured?
http://www.cisco.com/en/US/partner/docs/security/asa/asa80/command/reference/c5.html#wp2190820 ?
Alex.
09-22-2009 07:39 PM
Hi Alex,
No debug messages come out from "debug crypto ca mess & trans 200"; I have two trustpoints configured.
This is my basic configuration about the remote access vpn.
ASA Version 8.0(3)
!
hostname CP-SP-VPNASA
domain-name vpn.netcraft.com.mo
names
name 172.23.249.3 netcraftca
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 172.23.249.1 255.255.255.0
!
interface Ethernet0/1
nameif me
security-level 100
ip address 192.168.1.0 255.255.255.0
!
interface Ethernet0/2
nameif ep
security-level 90
ip address 192.168.2.0 255.255.255.0
!
interface Ethernet0/3
nameif af
security-level 80
ip address 192.168.3.0 255.255.255.0
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT 8
dns server-group DefaultDNS
domain-name vpn.netcraft.com.mo
pager lines 24
mtu outside 1500
mtu meid 1500
mtu ep 1500
mtu afis 1500
ip local pool vpnpool 10.1.1.10-10.1.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-613.bin
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set netcraftset esp-3des esp-md5-hmac
crypto dynamic-map netcraftdynmap 10 set transform-set netcraftset
crypto map vpnmap 65535 ipsec-isakmp dynamic netcraftdynmap
crypto map vpnmap interface outside
crypto ca trustpoint ca1
enrollment terminal
crl configure
crypto ca trustpoint ca2
enrollment terminal
subject-name CN=CP-SP-VPNASA
crl configure
crypto ca certificate chain ca1
certificate ca
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 65535
authentication rsa-sig
encryption 3des
hash md5
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
tunnel-group doi type remote-access
tunnel-group doi general-attributes
address-pool vpnpool
tunnel-group doi ipsec-attributes
trust-point ca2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
(I deleted the CA & host identity certificate from the configuration.)
I have installed the client certificate according to the procedure in document id 100413.
Any ideas?
Thanks for your reply.
Regards,
Weng Kin
11-29-2011 06:21 AM
Hi Weng,
I just would like to ask you, have you managed to successfully implement the remote access VPN with a CA server?
Actually I am also looking for a working solution. If you have any tutorial or other working solution, kindly let me know.
Best Regards
Shijimon