11-25-2003 01:00 AM - edited 02-21-2020 12:53 PM
Dear Friends,
We are trying to give a solution to a customer, like a certificate-based VPN. The Cisco router will get a certificate from a Microsoft CA server, and with that it should establish an IPsec tunnel to a PIX (5.15).
The config is below...
Router#sh ru
Building configuration...
Current configuration : 6170 bytes
!
! Last configuration change at 08:06:32 UTC Thu Nov 20 2003
! NVRAM config last updated at 06:14:57 UTC Thu Nov 20 2003
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
logging queue-limit 100
enable secret xxxxx
!
ip subnet-zero
!
!
no ip domain lookup
ip domain name elgi.co.in
ip host testing 172.18.221.234
ip host testingca 172.17.11.12
!
!
isdn switch-type basic-net3
!
crypto ca trustpoint caserver
enrollment retry count 1
enrollment mode ra
enrollment url http://testing:80/certsrv/mscep/mscep.dll
serial-number
subject-name OU=branch;CN=Kolkatta_ipsec
crl optional
auto-enroll 100 regenerate
!
crypto ca certificate chain caserver
certificate ca xxxx................
quit
!
!
crypto isakmp policy 5
encr 3des
group 2
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map vpn 5 ipsec-isakmp
set peer (pix IP outside)
set transform-set myset
match address 101
!
!
!
!
interface BRI0
ip address negotiated
encapsulation ppp
dialer idle-timeout 2147483
dialer string 172223
dialer-group 1
isdn switch-type basic-net3
no cdp enable
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxx
ppp chap password 0 xxxxx
ppp pap sent-username xxxxxxx password 0 xxxxx
!
interface FastEthernet0
ip address 172.19.10.50 255.255.0.0
ip nat inside
speed auto
crypto map vpn
!
ip nat inside source static 172.19.10.0 10.200.8.108
ip classless
ip route 0.0.0.0 0.0.0.0 BRI0
no ip http server
no ip http secure-server
!
!
!
access-list 101 permit ip any 172.17.0.0 0.0.255.255
access-list 101 permit ip any 192.168.221.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
line con 0
line aux 0
line vty 0
password cisco
login
line vty 1 4
login
!
no scheduler allocate
end
Router#
The problem is :
The tunnel is not getting established...
The debug at the router is below...
#######################DEBUG ISAKMP##################################
Kolkatta#
Nov 20 08:20:51.606: ISAKMP (0:1): received packet from 203.90.118.34 dport 500 sport 500 Global (I) QM_IDLE
Nov 20 08:20:51.606: ISAKMP: set new node -1414514894 to QM_IDLE
Nov 20 08:20:51.610: ISAKMP (0:1): processing HASH payload. message ID = -1414514894
Nov 20 08:20:51.610: ISAKMP (0:1): processing NOTIFY INVALID_SPI protocol 3
spi 535162040, message ID = -1414514894, sa = 81DB8B74
Nov 20 08:20:51.610: ISAKMP (0:1): incrementing error counter on sa: some bad notify
Nov 20 08:20:51.610: ISAKMP (0:1): deleting node -1414514894 error FALSE reason "informational (in) state 2"
Nov 20 08:20:51.610: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 20 08:20:51.610: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 20 08:21:00.590: ISAKMP (0:1): received packet from 203.90.118.34 dport 500 sport 500 Global (I) QM_IDLE
Nov 20 08:21:00.590: ISAKMP: set new node 869446339 to QM_IDLE
Nov 20 08:21:00.594: ISAKMP (0:1): processing HASH payload. message ID = 869446339
Nov 20 08:21:00.594: ISAKMP (0:1): processing NOTIFY INVALID_SPI protocol 3
spi 535162040, message ID = 869446339, sa = 81DB8B74
Nov 20 08:21:00.594: ISAKMP (0:1): incrementing error counter on sa: some bad notify
Nov 20 08:21:00.594: ISAKMP (0:1): deleting node 869446339 error FALSE reason "informational (in) state 2"
Nov 20 08:21:00.594: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 20 08:21:00.594: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 20 08:21:12.602: ISAKMP (0:1): received packet from 203.90.118.34 dport 500 sport 500 Global (I) QM_IDLE
Nov 20 08:21:12.606: ISAKMP: set new node -550485968 to QM_IDLE
Nov 20 08:21:12.606: ISAKMP (0:1): processing HASH payload. message ID = -550485968
Nov 20 08:21:12.606: ISAKMP (0:1): processing NOTIFY INVALID_SPI protocol 3
spi 535162040, message ID = -550485968, sa = 81DB8B74
Nov 20 08:21:12.606: ISAKMP (0:1): incrementing error counter on sa: some bad notify
Nov 20 08:21:12.606: ISAKMP (0:1): deleting node -550485968 error FALSE reason "informational (in) state 2"
Nov 20 08:21:12.610: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 20 08:21:12.610: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 20 08:21:19.694: ISAKMP (0:1): purging node 1531759835
Nov 20 08:21:36.642: ISAKMP (0:1): received packet from 203.90.118.34 dport 500 sport 500 Global (I) QM_IDLE
Nov 20 08:21:36.642: ISAKMP: set new node -1598397694 to QM_IDLE
Nov 20 08:21:36.642: ISAKMP (0:1): processing HASH payload. message ID = -1598397694
Nov 20 08:21:36.642: ISAKMP (0:1): processing NOTIFY INVALID_SPI protocol 3
spi 535162040, message ID = -1598397694, sa = 81DB8B74
Nov 20 08:21:36.642: ISAKMP (0:1): incrementing error counter on sa: some bad notify
Nov 20 08:21:36.646: ISAKMP (0:1): deleting node -1598397694 error FALSE reason "informational (in) state 2"
Nov 20 08:21:36.646: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 20 08:21:36.646: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 20 08:21:41.610: ISAKMP (0:1): purging node -1414514894
Nov 20 08:21:50.594: ISAKMP (0:1): purging node 869446339
Nov 20 08:22:02.610: ISAKMP (0:1): purging node -550485968
Nov 20 08:22:24.598: ISAKMP (0:1): received packet from 203.90.118.34 dport 500 sport 500 Global (I) QM_IDLE
Nov 20 08:22:24.598: ISAKMP: set new node 54248257 to QM_IDLE
Nov 20 08:22:24.598: ISAKMP (0:1): processing HASH payload. message ID = 54248257
Nov 20 08:22:24.602: ISAKMP (0:1): processing NOTIFY INVALID_SPI protocol 3
spi 535162040, message ID = 54248257, sa = 81DB8B74
Nov 20 08:22:24.602: ISAKMP (0:1): incrementing error counter on sa: some bad notify
Nov 20 08:22:24.602: ISAKMP (0:1): deleting node 54248257 error FALSE reason "informational (in) state 2"
Nov 20 08:22:24.602: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Nov 20 08:22:24.602: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 20 08:22:26.646: ISAKMP (0:1): purging node -1598397694
####################DEBUG IPSEC#######################
Router#clear cry sa
Router#
Nov 20 08:24:00.698: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 10.200.8.108, sa_prot= 50,
sa_spi= 0x90767220(2423681568),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
Nov 20 08:24:00.698: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 203.90.118.34, sa_prot= 50,
sa_spi= 0x1FE5ECB8(535162040),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
Kolkatta#
Nov 20 08:24:22.482: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.200.8.108, remote= 203.90.118.34,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.17.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xC5FD310D(3321704717), conn_id= 0, keysize= 0, flags= 0x400A
Nov 20 08:24:25.722: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.200.8.108, remote= 203.90.118.34,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.17.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x2
Nov 20 08:24:25.726: IPSEC(kei_proxy): head = vpn, map->ivrf = , kei->ivrf =
Nov 20 08:24:25.734: IPSEC(key_engine): got a queue event...
Nov 20 08:24:25.734: IPSEC(initialize_sas): ,
(key eng. msg.) INBOUND local= 10.200.8.108, remote= 203.97.11.3,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.17.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xC5FD310D(3321704717), conn_id= 2000, keysize= 0, flags= 0x2
Nov 20 08:24:25.734: IPSEC(initialize_sas): ,
(key eng. msg.) OUTBOUND local= 10.200.8.108, remote= 203.90.118.34,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 172.17.0.0/255.255.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xA8EAFC6D(2833972333), conn_id= 2001, keysize= 0, flags= 0xA
Nov 20 08:24:25.734: IPSEC(kei_proxy): head = vpn, map->ivrf = , kei->ivrf =
Nov 20 08:24:25.738: IPSEC(add mtree): src 0.0.0.0, dest 172.17.0.0, dest_port 0
Nov 20 08:24:25.738: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.200.8.108, sa_prot= 50,
sa_spi= 0xC5FD310D(3321704717),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
Nov 20 08:24:25.738: IPSEC(create_sa): sa created,
(sa) sa_dest= 203.90.118.34, sa_prot= 50,
sa_spi= 0xA8EAFC6D(2833972333),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
Router#
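The repeated INVALID_SPI notifies in the ISAKMP debug above are worth decoding before touching the configuration. The following is an added example, not code from the original post: a small Python parser that reads the debug excerpt (the sample string is copied from the thread and trimmed), pulls out every INVALID_SPI notify with the peer that sent it and the SPI it names, converts the decimal SPI that IOS prints in the ISAKMP line to the hex form used in the IPSEC(create_sa)/(delete_sa) lines, and checks whether that SPI belongs to one of the router's own SAs. Here 535162040 is 0x1FE5ECB8, the router's outbound SA toward 203.90.118.34 (an outbound SA has sa_dest equal to the peer), so the PIX is saying it has no inbound SA for the ESP the router keeps sending: the two SA databases are out of step, which is why the later "clear cry sa" produces a fresh pair of SAs with new SPIs. Protocol 3 in the notify is the ISAKMP IPsec DOI value for ESP.

```python
import re
from collections import Counter

# Excerpt of the router's "debug crypto isakmp" / "debug crypto ipsec" output
# as posted in the thread (copied and trimmed; used here as test input).
SAMPLE_DEBUG = """\
Nov 20 08:20:51.606: ISAKMP (0:1): received packet from 203.90.118.34 dport 500 sport 500 Global (I) QM_IDLE
Nov 20 08:20:51.610: ISAKMP (0:1): processing NOTIFY INVALID_SPI protocol 3
        spi 535162040, message ID = -1414514894, sa = 81DB8B74
Nov 20 08:21:00.590: ISAKMP (0:1): received packet from 203.90.118.34 dport 500 sport 500 Global (I) QM_IDLE
Nov 20 08:21:00.594: ISAKMP (0:1): processing NOTIFY INVALID_SPI protocol 3
        spi 535162040, message ID = 869446339, sa = 81DB8B74
Nov 20 08:24:00.698: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 10.200.8.108, sa_prot= 50,
    sa_spi= 0x90767220(2423681568),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
Nov 20 08:24:00.698: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 203.90.118.34, sa_prot= 50,
    sa_spi= 0x1FE5ECB8(535162040),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
Nov 20 08:24:25.738: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.200.8.108, sa_prot= 50,
    sa_spi= 0xC5FD310D(3321704717),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
Nov 20 08:24:25.738: IPSEC(create_sa): sa created,
  (sa) sa_dest= 203.90.118.34, sa_prot= 50,
    sa_spi= 0xA8EAFC6D(2833972333),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
"""

RECV_RE = re.compile(r"received packet from (\d+\.\d+\.\d+\.\d+)")
INVALID_SPI_RE = re.compile(r"processing NOTIFY INVALID_SPI protocol (\d+)")
SPI_LINE_RE = re.compile(r"^\s*spi (\d+),")          # continuation line after the notify
SA_EVENT_RE = re.compile(r"IPSEC\((create_sa|delete_sa)\)")
SA_DEST_RE = re.compile(r"sa_dest= (\d+\.\d+\.\d+\.\d+)")
SA_SPI_RE = re.compile(r"sa_spi= 0x([0-9A-Fa-f]+)")


def parse_invalid_spi(lines):
    """Return (peer, protocol, spi) for every INVALID_SPI notify in the ISAKMP debug."""
    peer, pending, notifies = None, None, []
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            peer = m.group(1)                   # the last peer we received from
        m = INVALID_SPI_RE.search(line)
        if m:
            pending = int(m.group(1))           # protocol id; the SPI is on the next line
            continue
        if pending is not None:
            m = SPI_LINE_RE.match(line)
            if m:
                notifies.append((peer, pending, int(m.group(1))))
            pending = None
    return notifies


def parse_sa_events(lines):
    """Return (event, sa_dest, spi) for each IPSEC create_sa/delete_sa block."""
    events, cur = [], None
    for line in lines:
        m = SA_EVENT_RE.search(line)
        if m:
            cur = {"event": m.group(1)}
            continue
        if cur is None:
            continue
        m = SA_DEST_RE.search(line)
        if m:
            cur["dest"] = m.group(1)
        m = SA_SPI_RE.search(line)
        if m:
            cur["spi"] = int(m.group(1), 16)
        if "dest" in cur and "spi" in cur:
            events.append((cur["event"], cur["dest"], cur["spi"]))
            cur = None
    return events


def diagnose(text):
    """Group the notifies by SPI and say whether the rejected SPI is one of our own SAs."""
    lines = text.splitlines()
    notifies = parse_invalid_spi(lines)
    events = parse_sa_events(lines)
    findings = []
    for (peer, proto, spi), count in Counter(notifies).items():
        ours = [(ev, dest) for ev, dest, s in events if s == spi]
        # An SA whose sa_dest is the peer is our OUTBOUND SA: the peer is
        # complaining about ESP we sent, i.e. it no longer has the matching inbound SA.
        direction = "outbound" if any(dest == peer for _, dest in ours) else "unknown"
        findings.append({
            "peer": peer,
            "protocol": proto,          # 3 = ESP in the ISAKMP IPsec DOI
            "spi_hex": f"0x{spi:08X}",
            "count": count,
            "direction": direction,
            "sa_events": [ev for ev, _ in ours],
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_DEBUG):
        print(f)
```

Run it against a longer capture and the count column shows how persistent the mismatch is; a rejected SPI that never appears in any create_sa/delete_sa line on this box ("unknown") points at a different problem, such as a stale SA on the peer from a previous incarnation of this router.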
11-25-2003 07:27 PM
This is all very confusing. First off it looks like you have the crypto map applied to the inside interface. If the PIX is connected to the BRI interface of this router then the crypto map has to be applied to that interface.
Secondly, it looks like the IP address the router gets on its BRI interface is 10.200.8.108, but then you have this in your config:
ip nat inside source static 172.19.10.0 10.200.8.108
Remove this please, not sure what you're trying to do there.
Lastly, these debug messages:
Nov 20 08:24:25.738: IPSEC(create_sa): sa created,
(sa) sa_dest= 10.200.8.108, sa_prot= 50,
sa_spi= 0xC5FD310D(3321704717),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
Nov 20 08:24:25.738: IPSEC(create_sa): sa created,
(sa) sa_dest= 203.90.118.34, sa_prot= 50,
sa_spi= 0xA8EAFC6D(2833972333),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
show that a tunnel has been built successfully, so I think you might have some other issue. You need to do "sho cry ipsec sa" on both ends and see if you have a tunnel built, then look at the "pkts encrypt" and "pkts decrypt" counters to see if packets are actually crossing back and forth in both directions.
11-28-2003 11:47 PM
Thanks Dear...
Here are some more inputs...
Kolkatta#sh crypto ipsec sa
interface: BRI0
Crypto map tag: vpn, local addr. 10.200.8.108
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.221.0/255.255.255.0/0/0)
current_peer: 203.90.118.34:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 10.200.8.108, remote crypto endpt.: 203.90.118.34
path mtu 1500, media mtu 1500
current outbound spi: C42E75B7
inbound esp sas:
spi: 0xAF29A8F1(2938743025)
transform: esp-3des esp-sha-hmac ,
******************When shutting down BRI************
Kolkatta(config-if)#
Nov 24 10:40:09.391: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
Nov 24 10:40:09.391: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0, TEI 64 changed to down
Nov 24 10:40:09.399: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 10.200.8.108, sa_prot= 50,
sa_spi= 0xAF29A8F1(2938743025),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2002
Nov 24 10:40:09.403: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 203.90.118.34, sa_prot= 50,
sa_spi= 0xC42E75B7(3291379127),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2003
Nov 24 10:40:09.403: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 10.200.8.108, sa_prot= 50,
sa_spi= 0x353F45A7(893339047),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2000
Nov 24 10:40:09.403: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 203.90.118.34, sa_prot= 50,
sa_spi= 0x46B358D2(1186158802),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
Nov 24 10:40:09.407: IPSEC(sa_find_addr): null IP address specified on SADB lookup
Nov 24 10:40:09.407: IPSEC(sa_find_addr): null IP address specified on SADB lookup
Nov 24 10:40:09.423: ISAKMP: received ke message (3/1)
Nov 24 10:40:09.427: %LINK-3-UPDOWN: Interface BRI0:1, changed state to down
Nov 24 10:40:09.431: ISAKMP: set new node 865388354 to QM_IDLE
Nov 24 10:40:09.435: ISAKMP (0:1): sending packet to 203.90.118.34 my_port 500 peer_port 500 (I) QM_IDLE
Nov 24 10:40:09.435: ISAKMP (0:1): purging node 865388354
Nov 24 10:40:09.435: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Nov 24 10:40:09.435: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 24 10:40:09.435: ISAKMP: received ke message (3/1)
Nov 24 10:40:09.435: ISAKMP: set new node 1097864133 to QM_IDLE
Nov 24 10:40:09.439: ISAKMP (0:1): sending packet to 203.90.118.34 my_port 500 peer_port 500 (I) QM_IDLE
Nov 24 10:40:09.439: ISAKMP (0:1): purging node 1097864133
Nov 24 10:40:09.439: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Nov 24 10:40:09.439: ISAKMP (0:1): Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Nov 24 10:40:09.439: ISAKMP: received ke message (3/1)
Nov 24 10:40:09.439: ISAKMP (0:1): deleting SA.
Nov 24 10:40:09.443: %LINK-5-CHANGED: Interface BRI0, changed state to administratively down
Nov 24 10:40:09.443: %LINK-3-UPDOWN: Interface BRI0:2, changed state to down
Nov 24 10:40:10.391: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0:1, changed state to down
12-02-2003 03:50 PM
No problems love.
These lines:
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
show that you do indeed have a tunnel formed, the router has sent 9 packets over the tunnel but has received none from the other end. Not sure why you gave me the debug when shutting down the interface. As I said in my original post, do "sho cry ipsec sa" on BOTH sides and see if these 9 packets have been received at the other end.
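Both replies come down to the same check: read "#pkts encaps" and "#pkts decaps" on both ends and compare. As an added example (not code from the thread), here is a Python script that parses "show crypto ipsec sa" output into one entry per proxy-identity pair, labels each side from its own counters, pairs the router's entry with the peer's by mirror-image identities, and says where the traffic stops. The router-side sample is copied from the output posted above. The PIX-side sample is constructed for this example, since the thread never shows it, and assumes mirror-image identities with all-zero counters; nothing about the real PIX is implied by it.

```python
import re

# Router side: the "sh crypto ipsec sa" excerpt posted in the thread, copied verbatim.
ROUTER_SA = """\
interface: BRI0
    Crypto map tag: vpn, local addr. 10.200.8.108
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.221.0/255.255.255.0/0/0)
   current_peer: 203.90.118.34:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest 9
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 1, #recv errors 0
"""

# PIX side: CONSTRUCTED for this example (the thread never shows the PIX output).
# Mirror-image identities and all-zero counters are an assumption, not a fact from the post.
PIX_SA = """\
   local  ident (addr/mask/prot/port): (192.168.221.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer: 10.200.8.108:500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)\)")
PEER_RE = re.compile(r"current_peer: (\d+\.\d+\.\d+\.\d+)")
COUNTER_RES = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
    "recv_errors": re.compile(r"#recv errors (\d+)"),
}


def parse_ipsec_sa(text):
    """One dict per proxy-identity pair: local/remote idents, peer and packet counters."""
    entries, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":       # a 'local ident' line opens a new entry
                cur = {"local": m.group(2)}
                entries.append(cur)
            elif cur is not None:
                cur["remote"] = m.group(2)
            continue
        if cur is None:
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
        for key, rx in COUNTER_RES.items():
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1))
    return entries


def classify(entry):
    """Label one side from its own counters."""
    e, d = entry.get("encaps", 0), entry.get("decaps", 0)
    if e == 0 and d == 0:
        return "idle"
    if d == 0:
        return "one-way: sending only"
    if e == 0:
        return "one-way: receiving only"
    return "bidirectional"


def pair_entries(ours, theirs):
    """Match our entries with the peer entries whose identities are the mirror image."""
    return [(o, t) for o in ours for t in theirs
            if o.get("local") == t.get("remote") and o.get("remote") == t.get("local")]


def locate_loss(ours, theirs):
    """Say where traffic stops for one SA pair, given a snapshot from each end.

    Counters are cumulative, so on a live box take two readings and feed the deltas.
    """
    oe, od = ours.get("encaps", 0), ours.get("decaps", 0)
    te, td = theirs.get("encaps", 0), theirs.get("decaps", 0)
    if oe == 0:
        return "no interesting traffic is hitting our crypto ACL"
    if td == 0:
        # Either lost between the crypto endpoints, or dropped on arrival at the
        # peer (unknown SPI, which is what INVALID_SPI notifies signal).
        return "our ESP is not being decrypted by the peer"
    if te == 0:
        return "peer decrypts our packets but sends nothing back (peer-side return route or crypto ACL)"
    if od == 0:
        return "peer's ESP is not being decrypted by us"
    return "traffic flows both ways"


def report(our_text, their_text):
    """Parse both ends and return one finding per matched SA pair."""
    pairs = pair_entries(parse_ipsec_sa(our_text), parse_ipsec_sa(their_text))
    return [f"{o['local']} <-> {o['remote']} via {o.get('peer')}: "
            f"us={classify(o)}, peer={classify(t)}: {locate_loss(o, t)}"
            for o, t in pairs]


if __name__ == "__main__":
    for line in report(ROUTER_SA, PIX_SA):
        print(line)
```

With the router's real counters (9 encaps, 0 decaps) and a peer that shows no decaps, the verdict is that the router's ESP is not being decrypted on the far side, which is the case the two replies tell the poster to confirm on the PIX before looking anywhere else.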