
Remote Access VPN with cert

DialerString_2
Level 3

I've installed a cert from Go-Daddy and I have users that can't connect using the new cert. I've applied the cert to the VPN client. When attempting to connect I see the following in my logs:

Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5

Also I noticed that the trustpoint says not authenticated:

Cisco-VPN# sh crypto ca trustpoints

Trustpoint ASDM_TrustPoint0:
Not authenticated.

crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash md5
group 5
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

crypto isakmp policy 65535
authentication rsa-sig
encryption 3des
hash sha
group 5
lifetime 86400

Any advice would help and thanks in advance.

2 Replies

Andrew Phirsov
Level 7

Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5
Feb 17 20:16:14 [IKEv1]: Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 2 Cfg'd: Group 5

That is what should happen and there's nothing unusual about it. Not all ISAKMP policies match on the client and the VPN gateway, and the client tries one after another until it finds one that matches.

Also I noticed that the trustpoint says not authenticated:

Cisco-VPN# sh crypto ca trustpoints

If you say that the trustpoint is not authenticated, I don't know how you could install your certificate on the ASA.

To install a cert from Go-Daddy you should:

1. Authenticate the trustpoint, i.e. install the certificate of the CA which issued the certificate to your ASA (the client certificate), using:

crypto ca authenticate TRUSTPOINT_NAME

2. Enroll for the client certificate, i.e. generate a certificate request (optional), which I assume you've already done, using:

crypto ca enroll TRUSTPOINT_NAME

3. Import the client certificate after the CA has signed it, or import a PKCS#12 file (which is not your case, I assume), using:

crypto ca import TRUSTPOINT_NAME certificate

or, for a PKCS#12 bundle:

crypto ca import TRUSTPOINT_NAME pkcs12 PASSPHRASE
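As an added example (not code from the thread or from Cisco), a small Python helper that parses an ASA `crypto isakmp policy` block (a constructed copy of three of the policies posted above) and reports which policies a given client proposal would match, plus a parser for the Phase 1 mismatch message. It lets an admin tell the normal walk through non-matching policies described above from a configuration in which no policy can satisfy the client's proposal at all.

```python
import re

# Constructed copy of part of the posted ASA configuration (policies 10 and 50 omitted).
ASA_CONFIG = """\
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 65535
authentication rsa-sig
encryption 3des
hash sha
group 5
lifetime 86400
"""

def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}} from the 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"\s*(authentication|encryption|hash|group|lifetime) (\S+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return policies

def matching_policies(policies, proposal):
    """Priorities (ascending, the order the ASA tries them) whose auth/encryption/hash/group all equal the proposal."""
    # Lifetime is ignored on purpose: IKEv1 peers settle on the shorter of the two values.
    keys = ("authentication", "encryption", "hash", "group")
    return sorted(prio for prio, attrs in policies.items()
                  if all(attrs.get(k) == proposal[k] for k in keys))

# Matches the "Rcv'd: Group N Cfg'd: Group M" tail of the Phase 1 failure message.
MISMATCH_RE = re.compile(r"Rcv'd: Group (\d+) Cfg'd: Group (\d+)")

def parse_group_mismatch(log_line):
    """Return (received_group, configured_group) from a Phase 1 mismatch line, or None."""
    m = MISMATCH_RE.search(log_line)
    return (int(m.group(1)), int(m.group(2))) if m else None
```

With this configuration a certificate-authenticated (rsa-sig) proposal only matches when it also carries group 5, since policy 65535 is the sole rsa-sig policy.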


Andrew, thanks for your reply; this makes things a lot clearer for me. I see where the cert is installed on the ASA, so I don't know how the trustpoint was not authenticated during this. I will try to authenticate the trustpoint. Also, would the enrollment URL be listed in the cert below?

Cisco-VPN# sh cry ca certificates

Certificate
  Status: Available
  Certificate Serial Number: xxxxxxx
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    serialNumber=xxxxxxxx
    cn=Go Daddy Secure Certification Authority
    ou=http://certificates.godaddy.com/repository
    o=GoDaddy.com\, Inc.
    l=Scottsdale
    st=Arizona
    c=US
  Subject Name:
    cn=Mc1.data.net
    ou=Domain Control Validated
  OCSP AIA:
    URL: http://ocsp.godaddy.com/
  CRL Distribution Points:
    [1]  http://crl.godaddy.com/gds1-85.crl
  Validity Date:
    start date: 19:36:54 CST Feb 14 2013
    end   date: 19:36:54 CST Feb 14 2016
  Associated Trustpoints: ASDM_TrustPoint0