562 Views | 0 Helpful | 1 Reply

VPN Client w. certs

azlatkin
Level 1

I have cisco VPN client 4.6 on WinXP and the server is IOS easy vpn server (12.4T). Everything works fine with pre-shared keys, but when I try to use certificates for IKE authentication the VPN client never connects.

In its log I always see the following error (everything before the 5th ISAKMP message snipped):

126 19:17:01.612 08/16/06 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM *(ID, CERT, SIG) from 192.168.0.11

127 19:17:01.622 08/16/06 Sev=Info/4 CERT/0x63600013
Cert (cn=FA-RIGHT.lab,ou=lab,o=IG,c=ES) verification succeeded.

128 19:17:01.622 08/16/06 Sev=Warning/3 IKE/0xE3000081
Invalid remote certificate id: ID_FQDN: ID = FA-RIGHT.lab, Certificate = [NULL]

129 19:17:01.622 08/16/06 Sev=Warning/3 IKE/0xE3000058
The peer's certificate doesn't match Phase 1 ID

130 19:17:01.622 08/16/06 Sev=Warning/2 IKE/0xE30000A5
Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2202)

I cannot understand what's wrong with the cert received from the server. It seems that in message #127 it is successfully verified, but in #128 the client complains about a missing FQDN. How can it be? The cert has the common name set to the FQDN.

Anyway, the same thing happens if an IP address is used as the identity...

Can anybody shed light and help?

alex

==========================

1 Reply

b.hsu
Level 5

I think the issue is that the client is strict on checking the ID in the certificate to exactly match what has been offered during IKE.
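The strict check the reply describes, illustrated with an added example (not code from this thread or from the Cisco client). It parses the warning from the question's log, then applies the matching rule a strict IKE client uses: the Phase 1 ID offered by the peer (ID_FQDN, ID_IPV4_ADDR, ...) must appear with the same type in the certificate's subjectAltName; the subject CN is not consulted, which is why a CN-only certificate yields "Certificate = [NULL]". The SAN_KIND_FOR_ID mapping, the san_entries representation and the diagnose helper are assumptions of this example; the log lines are the ones quoted in the question.

```python
import ipaddress
import re

# Constructed sample: the three relevant lines from the question's client log.
CLIENT_LOG = """\
127 19:17:01.622 08/16/06 Sev=Info/4 CERT/0x63600013
Cert (cn=FA-RIGHT.lab,ou=lab,o=IG,c=ES) verification succeeded.
128 19:17:01.622 08/16/06 Sev=Warning/3 IKE/0xE3000081
Invalid remote certificate id: ID_FQDN: ID = FA-RIGHT.lab, Certificate = [NULL]
129 19:17:01.622 08/16/06 Sev=Warning/3 IKE/0xE3000058
The peer's certificate doesn't match Phase 1 ID
"""

MISMATCH_RE = re.compile(
    r"Invalid remote certificate id: (?P<id_type>ID_[A-Z0-9_]+): "
    r"ID = (?P<offered>[^,]+), Certificate = (?P<in_cert>.+)$"
)


def parse_id_mismatch(log_text):
    """Return the Phase 1 ID the peer offered and what the client found in the
    certificate for that ID type, or None if the log carries no such warning."""
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line.strip())
        if m:
            return {
                "id_type": m.group("id_type"),
                "offered": m.group("offered").strip(),
                "in_cert": m.group("in_cert").strip(),
            }
    return None


# Assumed mapping: which subjectAltName entry type each IKE identity type is
# compared against. The subject CN is deliberately absent: a strict client
# does not fall back to it.
SAN_KIND_FOR_ID = {
    "ID_FQDN": "dNSName",
    "ID_USER_FQDN": "rfc822Name",
    "ID_IPV4_ADDR": "iPAddress",
}


def phase1_id_matches(id_type, offered, san_entries):
    """Strict check: the offered IKE ID must appear, with the same type, in the
    certificate's subjectAltName. san_entries is a list of (kind, value) pairs
    as they would be read out of the certificate's SAN extension."""
    kind = SAN_KIND_FOR_ID.get(id_type)
    if kind is None:
        return False
    for san_kind, san_value in san_entries:
        if san_kind != kind:
            continue
        if kind == "iPAddress":
            try:
                if ipaddress.ip_address(san_value) == ipaddress.ip_address(offered):
                    return True
            except ValueError:
                continue
        elif san_value.lower() == offered.lower():
            # DNS names and e-mail addresses compare case-insensitively.
            return True
    return False


def diagnose(log_text, san_entries):
    """Combine the logged warning with the certificate's SAN list to say what
    needs to change on the server certificate (hypothetical helper)."""
    mismatch = parse_id_mismatch(log_text)
    if mismatch is None:
        return "no identity mismatch logged"
    if phase1_id_matches(mismatch["id_type"], mismatch["offered"], san_entries):
        return "identity matches certificate"
    kind = SAN_KIND_FOR_ID.get(mismatch["id_type"], "?")
    return (f"peer offered {mismatch['id_type']} '{mismatch['offered']}' but the "
            f"certificate has no matching {kind} subjectAltName entry "
            f"(client reported: {mismatch['in_cert']})")


if __name__ == "__main__":
    # CN-only certificate, as in the thread: fails the strict check.
    print(diagnose(CLIENT_LOG, []))
    # Same certificate reissued with a dNSName SAN (hypothetical): passes.
    print(diagnose(CLIENT_LOG, [("dNSName", "FA-RIGHT.lab")]))
```

The practical reading for the thread: the server certificate must be issued with a subjectAltName whose type matches the identity the router sends (a dNSName for an FQDN identity, an iPAddress for an address identity), or the router must be configured to send an identity type the certificate actually carries; a CN alone does not satisfy a client that checks this strictly.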