cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2262
Views
0
Helpful
11
Replies

VPN IPSEC client certificate problem

guibarati
Level 4
Level 4

Hi,

I am trying to connect an IPSec VPN client using a certificate.

Im am getting the following errors:

Failed to RSA sign the hash for IKE phase 1 negotiation using my certificate.

Failed to generate signature: Signature generation failed (SigUtil:97)

Failed to build Signature payload (MsgHandlerMM:489)

Failed to build MM msg5 (NavigatorMM:312)

Unexpected SW error occurred while processing Identity Protection (Main Mode) negotiator:(Navigator:2263)

Marking IKE SA for deletion  (I_Cookie=0264360E288A8DE1 R_Cookie=863E6F3B153D2DA8) reason = DEL_REASON_IKE_NEG_FAILED

I've seen this link, but my certificate is lenght 2048, not 4096

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw37419

Using windows 7, 64 bits, client version 5.0.07.0440

My computer doesn't even send any traffic to ASA trying to connect.

I only get the error when using a certificate assined by a MS CA, when I use an Certificate from ASA internal CA I can connect just fine.

I have seen also somebody who solved this problem importing the certificate from a pkcs12 file with keys. Didn't work for me either.

11 Replies 11

Did you import the root certificate from the Microsoft CA on the ASA and assign it to the VPN profile?

Hi Marcel,

I imported the root certificate from Microsoft CA to ASA. But I didn't assign it to the vpn profile.

I only assined the "identity certificate" to the profile. Do I need to specify the root certificate too in the profile?

What I ment was:

Did you set up the trustpoint used for the Microsoft CA root certificate on the interface where you are trying to connect to?

You can set this up under Configuration -> Remote Access VPN -> Advanced -> SSL Settings under header certificates.

The certificate is for IPSec Client, so I don't think I need to apply the certificate/trustpoint to the interface ssl usage.

My apologies. I misread that part.

Thanks anyway.

Hi there,

Assuming that you already have the certificate properly installed on the ASA, could you please check the identity certificate and make sure that it includes the private key? If you do not see it, then you should contact your CA admin.

HTH.

Portu.

Hi Javier,

Yes, the certificate sais "There is a private key for this certificate"

My certificate have the "yellow warning" on the key usage.

like mentioned here:

http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/84eaa61f-d13b-4544-9185-078c014ab552/

Could this be the problem?

guibarati
Level 4
Level 4

Working with TAC we found out the "problem"

The certificate needs to be imported via VPN Client. If you import the certificate via Windows it does not work (Via mmc or double clicking the certificate and choosing install).

This problem was happening only on windows 7 - 64bits. Windows XP was working fine.

If you have the same problem and this was heplfull plz rate.

I'm not sure but it looks like the same issue, but I cannot import the certificate manually. The certificate is being distributed using group policy and we are not allowed to export it with the private key.

Anyone got that solved?