VPN site-to-site between ASA and Router issues (Cert Auth with another Router action as PKI Server)

Hi Guys,

Has anybody done a VPN site-to-site between an ASA and a router with certificate authentication, using another router acting as the PKI server?

In my case:

                      R4 (NTP/PKI server)
                             |
                           (dmz)
                             |
    R1 ------- (inside) ASA (outside) -------- R3 ------- R2

Tested:

  1. NTP is synchronized on all routers and the ASA
  2. The authenticate/enroll process has been done and the certificate was obtained
  3. VPN site-to-site between R2 and R3 worked fine with certificate authentication
  4. The ISAKMP policy and IPsec transform-set are the same on all routers and the ASA
  5. Routing of traffic between the routers and the ASA is OK

I had an issue with the VPN traffic between the ASA and R3 and I didn't know why:

  1. The certificate was successfully validated between the ASA and R3 but Phase 1 did not complete ... and I saw a traceback on the ASA:

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C  0x08491A32  0x084929FE  0x0925A6DF  0x0849206B  0x084A1879  0x084A2408  0x08062413

Has anybody done this case before? Please let me know.

Regards,

Tran

Marcin Latosiewicz (Cisco Employee)

Tran,

Yes we've done it more than once.

Please share the config for the devices in question, plus "show crypto ca cert" and "sh clock".

Useful debugs:

--------

debu cry isa

deb crypto ipsec

deb cry ca m (pki in case of router)

deb cry ca t

-----------

Marcin

Hello Marcin,

The config files in my case are below:

ASA Config:

:
ASA Version 8.2(1)
!
hostname ASA
domain-name ine.com
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 136.1.122.100 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 136.1.121.100 255.255.255.0
!
interface Ethernet0/2
nameif dmz
security-level 50
ip address 136.1.120.100 255.255.255.0
!
clock timezone GMT 7
!
domain-name ine.com
access-list VLAN121_TO_VLAN124 extended permit ip 11.11.11.0 255.255.255.0 33.33.33.0 255.255.255.0
access-list outside_in extended permit icmp any any
access-list outside_in extended permit udp any host 136.1.120.200 eq ntp
access-list outside_in extended permit tcp any host 136.1.120.200 eq www
access-list NONAT extended permit ip 11.11.11.0 255.255.255.0 33.33.33.0 255.255.255.0
access-list dmz_in extended permit icmp any any
access-list dmz_in extended deny ip any any log
!
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_in in interface outside
access-group dmz_in in interface dmz
!
router eigrp 1234
no auto-summary
network 136.1.120.0 255.255.255.0
network 136.1.121.0 255.255.255.0
network 136.1.122.0 255.255.255.0
!
crypto ipsec transform-set ASA_R3 esp-3des esp-md5-hmac
!
crypto map VPN 10 match address VLAN121_TO_VLAN124
crypto map VPN 10 set peer 136.1.122.200
crypto map VPN 10 set transform-set ASA_R3
crypto map VPN 10 set trustpoint DMZ.ine.com
crypto map VPN interface outside
crypto ca trustpoint DMZ.ine.com
revocation-check crl
enrollment url http://136.1.120.200:80
fqdn ASA.ine.com
subject-name CN=ASA.ine.com, O=INE, OU=CCIEsec, L=CaLi, ST=USA
serial-number
crl configure
!
crypto isakmp enable outside
crypto isakmp policy 10
authentication rsa-sig
encryption 3des
hash md5
group 2
!
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 136.1.120.200
tunnel-group 136.1.122.200 type ipsec-l2l
tunnel-group 136.1.122.200 ipsec-attributes
trust-point DMZ.ine.com
!
fixup protocol icmp

!

end

R3 Config:

hostname R3
!
clock timezone GMT 7
!
ip domain name ine.com
no ipv6 cef
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 136.1.120.200
!
crypto pki trustpoint DMZ.ine.com
enrollment url http://136.1.120.200:80
usage ike
serial-number
fqdn R3.ine.com
subject-name CN=R3.ine.com, O=INE, OU=CCIEsec, L=CaLi, ST=USA
revocation-check crl
rsakeypair R3.ine.com
storage flash:
!
crypto isakmp policy 10
encr 3des
hash md5
group 2
!
!
crypto ipsec transform-set ASA_R3 esp-3des esp-md5-hmac
!
crypto map VPN 10 ipsec-isakmp
set peer 136.1.122.100
set transform-set ASA_R3
match address VLAN124_TO_VLAN121
!
crypto map VPN124 10 ipsec-isakmp
set peer 136.1.124.201
set transform-set ASA_R3
match address VLAN33_TO_VLAN22
!
interface Loopback31
ip address 31.31.31.31 255.255.255.0
!
interface Loopback33
ip address 33.33.33.33 255.255.255.0
!
interface FastEthernet0/0
ip address 136.1.122.200 255.255.255.0
crypto map VPN
!
interface FastEthernet0/1
ip address 136.1.124.200 255.255.255.0
  crypto map VPN124
!
router eigrp 1234
network 31.31.31.31 0.0.0.0
network 33.33.33.33 0.0.0.0
network 136.1.122.0 0.0.0.255
network 136.1.124.0 0.0.0.255
no auto-summary
!
ip access-list extended VLAN124_TO_VLAN121
permit ip 33.33.33.0 0.0.0.255 11.11.11.0 0.0.0.255
ip access-list extended VLAN33_TO_VLAN22
permit ip 33.33.33.0 0.0.0.255 22.22.22.0 0.0.0.255
!
end


R3#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 03
  Certificate Usage: General Purpose
  Issuer:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Subject:
    Name: R3.ine.com
    Serial Number: FHK133870KA
    serialNumber=FHK133870KA+hostname=R3.ine.com
    cn=R3.ine.com
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Validity Date:
    start date: 18:15:53 GMT Sep 29 2010
    end   date: 18:15:53 GMT Sep 29 2011
  Associated Trustpoints: DMZ.ine.com
  Storage: nvram:DMZCertAutho#4.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Subject:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Validity Date:
    start date: 18:02:34 GMT Sep 29 2010
    end   date: 18:02:34 GMT Sep 28 2013
  Associated Trustpoints: DMZ.ine.com
  Storage: nvram:DMZCertAutho#2CA.cer


R3#sh clock

09:48:32.519 GMT Mon Oct 4 2010

R3#

ASA# sh clock

09:48:40.008 GMT Mon Oct 4 2010


ASA# sh crypto ca cert
Certificate
  Status: Available
  Certificate Serial Number: 02
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Subject Name:
    serialNumber=JMX1335L1MN
    hostname=ASA.ine.com
    cn=ASA.ine.com
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Validity Date:
    start date: 18:15:06 GMT Sep 29 2010
    end   date: 18:15:06 GMT Sep 29 2011
  Associated Trustpoints: DMZ.ine.com

CA Certificate
  Status: Available
  Certificate Serial Number: 01
  Certificate Usage: Signature
  Public Key Type: RSA (2048 bits)
  Issuer Name:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Subject Name:
    cn=DMZ Cert Authority
    o=INE
    ou=CCIEsec
    l=CaLi
    st=USA
  Validity Date:
    start date: 18:02:34 GMT Sep 29 2010
    end   date: 18:02:34 GMT Sep 28 2013
  Associated Trustpoints: DMZ.ine.com

ASA#


Thank you

Tran

Tran,

It fails somewhere between MM5 and MM6 (on the ASA).

I'd collect PKI debugs (messages and transactions).

BTW, when using certificates, a typical tunnel-group should be named after the OU of the certificate; in your case we're falling back to using the IP address.

%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload:   ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IKE ID...
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200

Marcin

Marcin,

You could see the cert validation process in the debug:

%ASA-7-717025: Validating certificate chain containing 1 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-7-717030: Found a suitable trustpoint DMZ.ine.com to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name:  serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.

and you could see a traceback for the IKE service on the ASA:

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =
%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C  0x08491A32  0x084929FE  0x0925A6DF  0x0849206B  0x084A1879  0x084A2408  0x08062413

Regards,

Tran

Tran,

I see R3's cert was validated.

Since you're doing INE labs, what is done after initiator's certificate has been validated?

The traceback will be a consequence of the failure, not the other way around, at least this is what it looks like. It does not work exactly like an IOS traceback.

Marcin

Marcin,

The INE/IPExpert labs only did it with a Microsoft CA, not with an IOS PKI server between ASA and router, and I'm trying to use an IOS PKI server in this case.

Marcin, in this case it worked fine with a pre-shared key and with a Microsoft CA.

And I didn't know why it didn't work with an IOS PKI server between the ASA and a router, but it worked fine between router and router (R2 & R3 in this case).

Regards,

Tran

Tran,

Well, if you would kindly run the debugs I asked for, at least we would move closer, maybe just by eliminating one possibility :-)

Marcin

Marcin,

I attached the debug on ASA/R3 before. Could you see it? If you have time, please double-check it in the lab; that is the reason why I must ask ... has anybody done cert authentication using another router acting as the PKI server?

...maybe ...forget cert authentication / a router's PKI server between ASA and router

Thanks,

Tran

Tran,

Did you check with landing on a tunnel-group matching the OU?

Can you run those for me, even if it means retrying.

bsns-asa5520-10# deb cry ca messages 100
bsns-asa5520-10# deb cry ca transactions 100
bsns-asa5520-10# deb cry isa 100
bsns-asa5520-10# deb cry ipsec 100

Marcin

Marcin,

By default, the ASA firewall searches the local tunnel-group configuration with three criteria: first OU, second IKE ID and finally IP address (cert rule, if enabled), so the OU is not the key point for the Phase 1 failure (in my view).

BTW, I have just found out the reason why the ASA did not complete Phase 1.

Regards,

Tran

By all means, share it with us.

Marcin,

tunnel-group 136.1.122.200 ipsec-attributes
peer-id-validate cert        <--- this command was missing
trust-point DMZ.ine.com

But I still do not understand why the cert was successfully validated (you could see it in the debug before) if I lacked peer-id-validate cert in the tunnel-group command; it should have reported FAILED cert authentication...

The INE/IPexpert workbook didn't say anything about this command, which is the key point for the failed cert authentication/Phase 1 ....maybe ...that's the challenge.

Regards,

Tran Thanh
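An added example (not from this thread or from Cisco) that ties Marcin's OU note and Tran's lookup-order and peer-id-validate posts together: a small Python parser over constructed ASA debug lines modelled on the ones quoted above. It reports which lookup the tunnel-group landed on and flags the pattern where the certificate chain validates but Phase 1 still tears down. The message ID on the PeerTblEntry line is a constructed placeholder, since the thread's fused line does not show the real one.

```python
import re

# Constructed sample, modelled on the ASA debug lines quoted in this thread.
# The ID on the last line is a placeholder; the check matches on the message text.
SAMPLE_LOG = """\
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload:   ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IKE ID...
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name: cn=R3.ine.com,ou=CCIEsec
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.
%ASA-3-000000: Group = 136.1.122.200, IP = 136.1.122.200, Error: Unable to remove PeerTblEntry
"""

LINE_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
TRYING_RE = re.compile(r"Trying to find group via (OU|IKE ID|IP ADDR)")
LANDED_RE = re.compile(r"Connection landed on tunnel_group (\S+)")

def parse_asa_lines(text):
    """Yield (severity, message id, body) for each %ASA-sev-id syslog line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield int(m.group("sev")), m.group("msgid"), m.group("body")

def analyse_phase1(text):
    """Summarise one IKE Phase 1 attempt: lookups tried, landing, chain check, teardown."""
    summary = {"lookups_tried": [], "landed_on": None, "landed_via": None,
               "chain_validated": False, "peer_torn_down": False}
    for _sev, msgid, body in parse_asa_lines(text):
        if (t := TRYING_RE.search(body)):
            summary["lookups_tried"].append(t.group(1))
        if (l := LANDED_RE.search(body)):
            summary["landed_on"] = l.group(1)
            # the group was found by whichever lookup the ASA tried last
            summary["landed_via"] = summary["lookups_tried"][-1] if summary["lookups_tried"] else None
        if msgid == "717028":  # chain validated with revocation check
            summary["chain_validated"] = True
        if "Unable to remove PeerTblEntry" in body:
            summary["peer_torn_down"] = True
    return summary

def findings(summary):
    """Turn the summary into the two checks discussed in this thread."""
    notes = []
    if summary["landed_via"] == "IP ADDR":
        notes.append("tunnel-group chosen by peer IP, not by certificate OU")
    if summary["chain_validated"] and summary["peer_torn_down"]:
        notes.append("chain validated but Phase 1 failed: chain validity is not peer identity validation (peer-id-validate)")
    return notes
```

Chain validation (717022/717028) only says the certificate is unexpired, signed by the trustpoint CA and not revoked; whether the peer's identity is accepted is a separate step, which is why both checks are reported independently.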

Tran,

Missed that one indeed.

As far as my understanding goes, the validation you were seeing is the certificate being valid (not expired, not in the CRL) and not the identity of the other peer ;-)

Can you please check for me if you see the peer validation from the certificate IF:

1) You land on tunnel-group == OU

2) Initiate tunnel

Marcin

Marcin,

Once again, your question is:

"what is done after initiator's certificate has been validated?"

and

"the validation you were seeing is certificate being valid (not expired, not in CRL) and not identity of other peer ;-)"

Marcin, I saw it in the debug and I have some explanation here:

Step 1: The ASA and R3 exchange info to identify each other:

  - ASA's public key + digital signature (ASA's public key has been signed by the PKI server before)
  - R3's public key + digital signature (R3's public key has been signed by the PKI server before)

And in the debug I saw the HASH processing here:

%ASA-7-715047: IP = 136.1.122.200, processing cert payload
%ASA-7-715001: IP = 136.1.122.200, processing RSA signature
%ASA-7-715076: IP = 136.1.122.200, Computing hash for ISAKMP
%ASA-7-713906: Dump of received Signature, len 256:
0000: 50312776 B5CBBF80 75510E0E 61D00549     P1'v....uQ..a..I
0010: 8D595605 C7FFC43C 32087541 D5B8BA96     .YV....<2.uA....
0020: 9273DAE3 25171153 4301289B 68556214     .s..%..SC.(.hUb.
0030: DF2F1A8B 489DC9A6 CE2C001A BD087762     ./..H....,....wb
0040: E9096735 743BDFFC E80BF946 0E9E3443     ..g5t;.....F..4C
0050: 8190D996 4C97D751 1D190F36 B07076F5     ....L..Q...6.pv.
0060: 36FEB9D0 248038F2 C4F3B32F CC3F6213     6...$.8..../.?b.

%ASA-7-717029: Identified client certificate within certificate chain. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-7-717030: Found a suitable trustpoint DMZ.ine.com to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name:  serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
Group = 136.1.122.200, IP = 136.1.122.200, Error: Unable to remove PeerTblEntry   (interleaved with the line above in the original output)
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.

Step 2: As I understand it, DH takes over and creates the shared session key in Phase 1 after the certificate was successfully validated.

Marcin, what do you think? I am looking forward to your reply :).

Regards,

Tran