10-02-2010 01:01 AM
Hi Guys,
Has anybody done a site-to-site VPN between an ASA and a router with certificate authentication, using another router acting as the PKI server?
In my case:
                    R4 (NTP/PKI server)
                           |
                         (dmz)
                           |
|-----R1------- (inside) ASA (outside) --------R3-------R2----|
Tested:
I had some issues with the VPN traffic between the ASA and R3, and I didn't know why:
%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback = 0x0810AE25 0x0814C6E6 0x084F269C 0x08491A32 0x084929FE 0x0925A6DF 0x0849206B 0x084A1879 0x084A2408 0x08062413
Has anybody done this case before? Please let me know.
Regards,
Tran
10-05-2010 01:04 AM
Tran,
Normally we assume the DH exchange is done in MM3 and MM4; I'm not sure if that changes when we do cert auth (due to the exchange of cert_req).
MM5 - Initiator sends its identity.
MM6 - Responder sends its identity.
The debug you attached below: what scenario is it for? (It looks like the tunnel-group match is still based on IP ;-))
Marcin
10-05-2010 01:18 AM
Marcin,
Absolutely, the tunnel-group is based on IP address, and the debug is from the previous issue (Phase 1 not completed). I'm just confused about the debug reporting "Certificate was successfully validated"... I didn't see DH take over and create a shared session key... I think something is wrong, and the result is that Phase 1 is not completed.
Regards,
Tran
10-05-2010 01:27 AM
Tran,
The big question for me is: why was it working with the Microsoft CA and not with the IOS CA? :-)
If I find a moment today, I'll lab it just to have peace of mind and remember my CCIE times again.
Marcin
10-05-2010 01:27 AM
Marcin, thank you for exchanging info with me. See you on another case.
Thank you very much.
10-04-2010 05:15 AM
Marcin,
The info for you:
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload: ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IKE ID...
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200
%ASA-7-717025: Validating certificate chain containing 1 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-7-717030: Found a suitable trustpoint DMZ.ine.com to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, peer ID type 2 received (FQDN)
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing ID payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing cert payload
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, constructing RSA signature
%ASA-7-715076: Group = 136.1.122.200, IP = 136.1.122.200, Computing hash for ISAKMP
%ASA-7-713906: Constructed Signature Len: 256
%ASA-7-713906: Constructed Signature:
0000: 6A49AAB4 CA2006C0 068D840F 3BAEF907 jI... ......;...
0010: 5A47D830 E7EF7594 10FA4F54 ED3A38D7 ZG.0..u...OT.:8.
0020: D1B2D85D 67B65BD1 5C5510BE 038618CB ...]g.[.\U......
0030: 81F35050 EDF77594 4F06D6B7 FAE036D4 ..PP..u.O.....6.
0040: 93C2A291 345F6575 8BC6C056 54102958 ....4_eu...VT.)X
0050: 3717AE54 43508589 E7B27A3E F3526CDC 7..TCP....z>.Rl.
0060: 6B9C0F44 F1A6BD6F F9203245 C860FCBB k..D...o. 2E.`..
0070: F5A3DA2C 51A749BF 75C4DC36
%ASA-7-715034: IP = 136.1.122.200, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing dpd vid payload
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1311
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 136.1.122.200
%ASA-5-713119: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 1 COMPLETED
%ASA-7-713121: IP = 136.1.122.200, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 136.1.122.200, IP = 136.1.122.200, Starting P1 rekey timer: 64800 seconds.
%ASA-7-714003: IP = 136.1.122.200, IKE Responder starting QM: msg id = 907cc977
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE RECEIVED Message (msgid=907cc977) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing hash payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing SA payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing nonce payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing ID payload
%ASA-7-714011: Group = 136.1.122.200, IP = 136.1.122.200, ID_IPV4_ADDR_SUBNET ID received--33.33.33.0--255.255.255.0
%ASA-7-713035: Group = 136.1.122.200, IP = 136.1.122.200, Received remote IP Proxy Subnet data in ID Payload: Address 33.33.33.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing ID payload
%ASA-7-714011: Group = 136.1.122.200, IP = 136.1.122.200, ID_IPV4_ADDR_SUBNET ID received--11.11.11.0--255.255.255.0
%ASA-7-713034: Group = 136.1.122.200, IP = 136.1.122.200, Received local IP Proxy Subnet data in ID Payload: Address 11.11.11.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 136.1.122.200, IP = 136.1.122.200, Static Crypto Map check, checking map = VPN, seq = 10...
%ASA-7-713225: Group = 136.1.122.200, IP = 136.1.122.200, Static Crypto Map check, map VPN, seq = 10 is a successful match
%ASA-7-713066: Group = 136.1.122.200, IP = 136.1.122.200, IKE Remote Peer configured for crypto map: VPN
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing IPSec SA payload
%ASA-7-715027: Group = 136.1.122.200, IP = 136.1.122.200, IPSec SA Proposal # 1, Transform # 1 acceptable Matches global IPSec SA entry # 10
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, IKE: requesting SPI!
%ASA-7-715006: Group = 136.1.122.200, IP = 136.1.122.200, IKE got SPI from key engine: SPI = 0xd05eafc9
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, oakley constucting quick mode
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing blank hash payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing IPSec SA payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing IPSec nonce payload
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, constructing proxy ID
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, Transmitting Proxy Id:
Remote subnet: 33.33.33.0 Mask 255.255.255.0 Protocol 0 Port 0
Local subnet: 11.11.11.0 mask 255.255.255.0 Protocol 0 Port 0
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing qm hash payload
%ASA-7-714005: Group = 136.1.122.200, IP = 136.1.122.200, IKE Responder sending 2nd QM pkt: msg id = 907cc977
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE SENDING Message (msgid=907cc977) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE RECEIVED Message (msgid=907cc977) with payloads : HDR + HASH (8) + NONE (0) total length : 48
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing hash payload
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, loading all IPSEC SAs
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, Generating Quick Mode Key!
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3E4CFCCD) between 136.1.122.100 and 136.1.122.200 (user= 136.1.122.200) has been created.
%ASA-5-713049: Group = 136.1.122.200, IP = 136.1.122.200, Security negotiation complete for LAN-to-LAN Group (136.1.122.200) Responder, Inbound SPI = 0xd05eafc9, Outbound SPI = 0x3e4cfccd
%ASA-7-715007: Group = 136.1.122.200, IP = 136.1.122.200, IKE got a KEY_ADD msg for SA: SPI = 0x3e4cfccd
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD05EAFC9) between 136.1.122.100 and 136.1.122.200 (user= 136.1.122.200) has been created.
%ASA-7-715077: Group = 136.1.122.200, IP = 136.1.122.200, Pitcher: received KEY_UPDATE, spi 0xd05eafc9
%ASA-7-715080: Group = 136.1.122.200, IP = 136.1.122.200, Starting P2 rekey timer: 3060 seconds.
%ASA-5-713120: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 2 COMPLETED (msgid=907cc977)
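The debug above shows the order in which the ASA tries to map a certificate-authenticated L2L peer to a tunnel-group (OU from the certificate subject, then IKE ID, then peer IP address) before the cert is validated and Phase 1/Phase 2 complete. The following is an added example, not code from the thread or from Cisco: a small parser that pulls those facts out of ASA syslog lines so the outcome can be checked without reading the whole debug by hand. The sample log is constructed by abridging the lines quoted above; the message formats assumed are only those visible in the thread, and the helper names (`summarize_ike`, `group_match_method`, `findings`) are the example's own.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the ASA debug quoted above, same format.
SAMPLE_LOG = """\
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload: ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IKE ID...
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.
%ASA-5-713119: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 1 COMPLETED
%ASA-7-713035: Group = 136.1.122.200, IP = 136.1.122.200, Received remote IP Proxy Subnet data in ID Payload: Address 33.33.33.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-713034: Group = 136.1.122.200, IP = 136.1.122.200, Received local IP Proxy Subnet data in ID Payload: Address 11.11.11.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-5-713049: Group = 136.1.122.200, IP = 136.1.122.200, Security negotiation complete for LAN-to-LAN Group (136.1.122.200) Responder, Inbound SPI = 0xd05eafc9, Outbound SPI = 0x3e4cfccd
%ASA-5-713120: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 2 COMPLETED (msgid=907cc977)
"""

@dataclass
class IkeSummary:
    peer_ip: str | None = None
    lookup_methods: list[str] = field(default_factory=list)  # "OU", "IKE ID", "IP ADDR" in the order tried
    ou_candidates: list[str] = field(default_factory=list)   # OUs the ASA tried to match a tunnel-group on
    landed_group: str | None = None
    cert_serial: str | None = None
    cert_subject: dict[str, str] = field(default_factory=dict)
    cert_validated: bool = False
    revocation_checked: bool = False
    phase1_complete: bool = False
    phase2_complete: bool = False
    proxy_ids: dict[str, str] = field(default_factory=dict)  # "local"/"remote" -> "net/mask"
    spis: dict[str, str] = field(default_factory=dict)       # "inbound"/"outbound" -> hex SPI

# Patterns written against the message texts visible in the thread only.
_P = {
    "peer":   re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)"),
    "lookup": re.compile(r"Trying to find group via (OU|IKE ID|IP ADDR)\.\.\."),
    "no_ou":  re.compile(r"No Group found by matching OU\(s\) from ID payload: (.*)$"),
    "landed": re.compile(r"Connection landed on tunnel_group (\S+)"),
    "cert":   re.compile(r"%ASA-\d-717029: .*serial number: (\S+), subject name: (.*)$"),
    "valid":  re.compile(r"%ASA-\d-717022: Certificate was successfully validated"),
    "revoc":  re.compile(r"%ASA-\d-717028: .*revocation status check"),
    "p1":     re.compile(r"PHASE 1 COMPLETED"),
    "p2":     re.compile(r"PHASE 2 COMPLETED"),
    "proxy":  re.compile(r"Received (local|remote) IP Proxy Subnet data in ID Payload: Address ([\d.]+), Mask ([\d.]+)"),
    "spi":    re.compile(r"Inbound SPI = (0x[0-9a-fA-F]+), Outbound SPI = (0x[0-9a-fA-F]+)"),
}

def parse_subject(dn: str) -> dict[str, str]:
    """Split an ASA-printed subject DN into attribute -> value. Multi-valued RDNs
    (joined with '+', e.g. serialNumber=...+hostname=...) are flattened; keys are lower-cased."""
    attrs: dict[str, str] = {}
    for rdn in dn.rstrip(".").split(","):
        for ava in rdn.split("+"):
            if "=" in ava:
                k, v = ava.split("=", 1)
                attrs[k.strip().lower()] = v.strip()
    return attrs

def summarize_ike(log: str) -> IkeSummary:
    s = IkeSummary()
    for line in log.splitlines():
        if s.peer_ip is None and (m := _P["peer"].search(line)):
            s.peer_ip = m.group(1)
        if m := _P["lookup"].search(line):
            s.lookup_methods.append(m.group(1))
        elif m := _P["no_ou"].search(line):
            s.ou_candidates += [p.split("=", 1)[1] for p in m.group(1).split(",") if p.lower().startswith("ou=")]
        elif m := _P["landed"].search(line):
            s.landed_group = m.group(1)
        elif m := _P["cert"].search(line):
            s.cert_serial, s.cert_subject = m.group(1), parse_subject(m.group(2))
        elif _P["valid"].search(line):
            s.cert_validated = True
        elif _P["revoc"].search(line):
            s.revocation_checked = True
        elif _P["p1"].search(line):
            s.phase1_complete = True
        elif _P["p2"].search(line):
            s.phase2_complete = True
        elif m := _P["proxy"].search(line):
            s.proxy_ids[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := _P["spi"].search(line):
            s.spis = {"inbound": m.group(1).lower(), "outbound": m.group(2).lower()}
    return s

def group_match_method(s: IkeSummary) -> str | None:
    """The lookup method in effect is the last one tried before the ASA reported the landing group."""
    return s.lookup_methods[-1] if s.landed_group and s.lookup_methods else None

def findings(s: IkeSummary) -> list[str]:
    """Checks a practitioner would make on the summary; each is grounded in the parsed lines."""
    out = []
    if s.cert_validated and not s.revocation_checked:
        out.append("certificate validated without a revocation status check")
    cert_ou = s.cert_subject.get("ou")
    if cert_ou and group_match_method(s) == "IP ADDR":
        out.append(f"cert OU '{cert_ou}' matched no tunnel-group; peer fell through to IP-based tunnel-group {s.landed_group}")
    if s.phase1_complete and not s.phase2_complete:
        out.append("Phase 1 completed but Phase 2 did not (crypto map / proxy ID mismatch is the usual cause)")
    return out

if __name__ == "__main__":
    summary = summarize_ike(SAMPLE_LOG)
    print(f"peer={summary.peer_ip} group={summary.landed_group} via={group_match_method(summary)}")
    print(f"cert cn={summary.cert_subject.get('cn')} ou={summary.cert_subject.get('ou')} serial={summary.cert_serial}")
    print(f"P1={summary.phase1_complete} P2={summary.phase2_complete} proxy={summary.proxy_ids} spi={summary.spis}")
    for f in findings(summary):
        print("finding:", f)
```

Run against the quoted debug, the summary confirms what Marcin noticed: the OU "CCIEsec" from the router's certificate matched no tunnel-group, so the connection landed on the tunnel-group named after the peer IP, and both phases still completed with proxy IDs 11.11.11.0/24 and 33.33.33.0/24. The same parser can be pointed at a full `debug crypto isakmp` capture to see at a glance which lookup path a cert-authenticated peer took.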