cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2408
Views
0
Helpful
19
Replies

VPN site-to-site between ASA and Router issues (Cert Auth with another Router action as PKI Server)

Hi Guys,

Anybody has been done VPN site-to-site between ASA and Router with certificate authentication by using another router action as PKI Server?

In my case:

|

                          R4(NTP/PKI Servers)

|

|

(dmz)

             |-----R1------- (inside) ASA (outside) --------R3-------R2----|

Tested:

  1. NTP is synchronized all Router and ASA
  2. The authenticate/enroll process has      been done and got the certificate
  3. VPN site-to-site between R2 and R3 worked      fine with certificate authentication
  4. ISAKMP policy and IPSEC transform-set      is the same all Router and ASA
  5. The Routing traffic between Routers      and ASA are OK.

I had some issue for the VPN traffic between ASA and R3 and I didn’t know why?

  1. The certificate was successfully      validated between ASA and R3 but the Phase 1 is not completed ...and      I saw a trackback on ASA:

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =

%ASA-7-711002: Task ran for 18 msec, Process = IKE Daemon, PC = 810ae25, Traceback =   0x0810AE25  0x0814C6E6  0x084F269C  0x08491A32  0x084929FE  0x0925A6DF  0x0849206B  0x084A1879  0x084A2408  0x08062413

Anybody has been done this case before? Please let me know

Regards,

Tran

19 Replies 19

Tran,

Normally we assume DH exchange is done in MM3 and MM4, not sure if that changes when we do cert auth (due to exchange of cert_req).


MM5 - Initiator send it's identity.

MM6 - Responser sends it's identity.

The debug you attached below, what scenario is it for? (looks like still tunnel-group match based on IP ;-))

Marcin

Marcin,

Absolutely , tunnel-group based on IP address and the debug is previous issue (Phase 1 is not completed). I'm just confusing about reporting in the debug Certificate was successfully validated ....I didn't see DH take over and create shared session key ...I think some wrong ...and the result is not completed Phase 1

Regards,

Tran

Tran,

Big question for me is - why was it working with microsoft CA and not with IOS CA :-)

If I'll find a moment today. I'll lab it just to have peace of mind and remember again my CCIE times.

Marcin

Marcin, Thank you for exchanging info to me. And see you another case

Thank you very much.

Marcin,

the info for you:

%ASA-7-713906: IP = 136.1.122.200, Trying to find group via OU...
%ASA-3-713020: IP = 136.1.122.200, No Group found by matching OU(s) from ID payload:   ou=CCIEsec,
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IKE ID...
%ASA-7-713906: IP = 136.1.122.200, Trying to find group via IP ADDR...
%ASA-7-713906: IP = 136.1.122.200, Connection landed on tunnel_group 136.1.122.200
%ASA-7-717025: Validating certificate chain containing 1 certificate(s).
%ASA-7-717029: Identified client certificate within certificate chain. serial number: 03, subject name: serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-7-717030: Found a suitable trustpoint DMZ.ine.com to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 03, subject name:  serialNumber=FHK133870KA+hostname=R3.ine.com,cn=R3.ine.com,o=INE,ou=CCIEsec,l=CaLi,st=USA.
%ASA-6-717028: Certificate chain was successfully validated with revocation status check.
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, peer ID type 2 received (FQDN)
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing ID payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing cert payload
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, constructing RSA signature
%ASA-7-715076: Group = 136.1.122.200, IP = 136.1.122.200, Computing hash for ISAKMP
%ASA-7-713906: Constructed Signature Len: 256
%ASA-7-713906: Constructed Signature:
0000: 6A49AAB4 CA2006C0 068D840F 3BAEF907     jI... ......;...
0010: 5A47D830 E7EF7594 10FA4F54 ED3A38D7     ZG.0..u...OT.:8.
0020: D1B2D85D 67B65BD1 5C5510BE 038618CB     ...]g.[.\U......
0030: 81F35050 EDF77594 4F06D6B7 FAE036D4     ..PP..u.O.....6.
0040: 93C2A291 345F6575 8BC6C056 54102958     ....4_eu...VT.)X
0050: 3717AE54 43508589 E7B27A3E F3526CDC     7..TCP....z>.Rl.
0060: 6B9C0F44 F1A6BD6F F9203245 C860FCBB     k..D...o. 2E.`..
0070: F5A3DA2C 51A749BF 75C4DC36%ASA-7-715034: IP = 136.1.122.200, Constructing IOS keep alive payload: proposal=32767/32767 sec.
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing dpd vid payload
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 1311
%ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 136.1.122.200
%ASA-5-713119: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 1 COMPLETED
%ASA-7-713121: IP = 136.1.122.200, Keep-alive type for this connection: DPD
%ASA-7-715080: Group = 136.1.122.200, IP = 136.1.122.200, Starting P1 rekey timer: 64800 seconds.
%ASA-7-714003: IP = 136.1.122.200, IKE Responder starting QM: msg id = 907cc977
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE RECEIVED Message (msgid=907cc977) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing hash payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing SA payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing nonce payload
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing ID payload
%ASA-7-714011: Group = 136.1.122.200, IP = 136.1.122.200, ID_IPV4_ADDR_SUBNET ID received--33.33.33.0--255.255.255.0
%ASA-7-713035: Group = 136.1.122.200, IP = 136.1.122.200, Received remote IP Proxy Subnet data in ID Payload:   Address 33.33.33.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing ID payload
%ASA-7-714011: Group = 136.1.122.200, IP = 136.1.122.200, ID_IPV4_ADDR_SUBNET ID received--11.11.11.0--255.255.255.0
%ASA-7-713034: Group = 136.1.122.200, IP = 136.1.122.200, Received local IP Proxy Subnet data in ID Payload:   Address 11.11.11.0, Mask 255.255.255.0, Protocol 0, Port 0
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, QM IsRekeyed old sa not found by addr
%ASA-7-713221: Group = 136.1.122.200, IP = 136.1.122.200, Static Crypto Map check, checking map = VPN, seq = 10...
%ASA-7-713225: Group = 136.1.122.200, IP = 136.1.122.200, Static Crypto Map check, map VPN, seq = 10 is a successful match
%ASA-7-713066: Group = 136.1.122.200, IP = 136.1.122.200, IKE Remote Peer configured for crypto map: VPN
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing IPSec SA payload
%ASA-7-715027: Group = 136.1.122.200, IP = 136.1.122.200, IPSec SA Proposal # 1, Transform # 1 acceptable  Matches global IPSec SA entry # 10
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, IKE: requesting SPI!
%ASA-7-715006: Group = 136.1.122.200, IP = 136.1.122.200, IKE got SPI from key engine: SPI = 0xd05eafc9
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, oakley constucting quick mode
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing blank hash payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing IPSec SA payload
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing IPSec nonce payload
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, constructing proxy ID
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, Transmitting Proxy Id:
  Remote subnet: 33.33.33.0  Mask 255.255.255.0 Protocol 0  Port 0
  Local subnet:  11.11.11.0  mask 255.255.255.0 Protocol 0  Port 0
%ASA-7-715046: Group = 136.1.122.200, IP = 136.1.122.200, constructing qm hash payload
%ASA-7-714005: Group = 136.1.122.200, IP = 136.1.122.200, IKE Responder sending 2nd QM pkt: msg id = 907cc977
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE SENDING Message (msgid=907cc977) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0) total length : 164
%ASA-7-713236: IP = 136.1.122.200, IKE_DECODE RECEIVED Message (msgid=907cc977) with payloads : HDR + HASH (8) + NONE (0) total length : 48
%ASA-7-715047: Group = 136.1.122.200, IP = 136.1.122.200, processing hash payload
%ASA-7-713906: Group = 136.1.122.200, IP = 136.1.122.200, loading all IPSEC SAs
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, Generating Quick Mode Key!
%ASA-7-715001: Group = 136.1.122.200, IP = 136.1.122.200, Generating Quick Mode Key!
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x3E4CFCCD) between 136.1.122.100 and 136.1.122.200 (user= 136.1.122.200) has been created.
%ASA-5-713049: Group = 136.1.122.200, IP = 136.1.122.200, Security negotiation complete for LAN-to-LAN Group (136.1.122.200)  Responder, Inbound SPI = 0xd05eafc9, Outbound SPI = 0x3e4cfccd
%ASA-7-715007: Group = 136.1.122.200, IP = 136.1.122.200, IKE got a KEY_ADD msg for SA: SPI = 0x3e4cfccd
%ASA-6-602303: IPSEC: An inbound LAN-to-LAN SA (SPI= 0xD05EAFC9) between 136.1.122.100 and 136.1.122.200 (user= 136.1.122.200) has been created.
%ASA-7-715077: Group = 136.1.122.200, IP = 136.1.122.200, Pitcher: received KEY_UPDATE, spi 0xd05eafc9
%ASA-7-715080: Group = 136.1.122.200, IP = 136.1.122.200, Starting P2 rekey timer: 3060 seconds.
%ASA-5-713120: Group = 136.1.122.200, IP = 136.1.122.200, PHASE 2 COMPLETED (msgid=907cc977)