Firewall Wizards mailing list archives

VPN Client <> PIX 515 with certificates (long!)


From: "Patrick M. Hausen" <hausen () punkt de>
Date: Tue, 17 Aug 2004 09:04:49 +0200 (CEST)

Hello!

Sorry about the product-specific mail, but maybe someone on this
list has managed to get a similar setup up and running ...

I've been fighting with this setup for quite some time now and
have somewhat exhaustively (so it seems) read everything
I found with Google or on the Cisco website.

I've set up a Microsoft CA with SCEP for certificate management.
This wasn't trivial but I finally succeeded, at least the
PIX output looks OK. I manually created a cert for the client
using an email address for the identity (the general case in this
installation will be mobile users, so email addresses are the only
thing known to be unique, hostnames are probably not).
I used the same CA, of course. I imported this cert, the CA cert
and the firewall's certificate into the VPN client.

When trying to connect, the client eventually times out,
while the PIX complains about an unknown error. I've left
the entire IPSec and IKE configuration on the PIX intact,
including an additional gateway-gateway link with a preshared
secret. Since the security should not depend on this, I didn't
delete the certificate contents or anything else besides keys,
the preshared secret and the external IP addresses involved.
(Though they are trivial to find out for a determined attacker
 given the hostname and the other information - again, security
 of a firewall must not depend on the address being secret ;-)


Any hints on what's going wrong here?

TIA,
Patrick

PIX Config
----------

PIX Version 6.3(4)

hostname eokfw01
domain-name ekiba.org

access-list outside_cryptomap_dyn_10 permit ip any 172.20.150.0 255.255.255.0 
access-list outside_cryptomap_20 permit ip 172.20.0.0 255.255.0.0 1.2.3.56 255.255.255.0 

ip address outside 1.2.3.50 255.255.255.248
ip address inside 172.20.0.90 255.255.0.0

ip verify reverse-path interface outside
ip verify reverse-path interface inside

ip local pool VPN-Clients 172.20.150.0-172.20.150.255

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 

crypto dynamic-map outside_dyn_map_1 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map_1 10 set pfs group5
crypto dynamic-map outside_dyn_map_1 10 set transform-set ESP-AES-256-MD5

crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 1.2.3.56
crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1

crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside

isakmp enable outside

isakmp key ********** address 1.2.3.56 netmask 255.255.255.255 no-xauth no-config-mode 

isakmp identity address

isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400

isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup VPN-Clients address-pool VPN-Clients
vpngroup VPN-Clients dns-server 172.20.0.26 172.20.0.27
vpngroup VPN-Clients default-domain ekiba.org
vpngroup VPN-Clients idle-time 1800

ca identity eok 172.20.0.25:/certsrv/mscep/mscep.dll 
ca configure eok ra 1 3 
ca subject-name eok ou=Evangelischer Oberkirchenrat IT,o=Evangelische Landeskirche in Baden,c=DE


CA Config
---------

eokfw01# show ca ident
ca identity eok 172.20.0.25:/certsrv/mscep/mscep.dll 

eokfw01# show ca conf
ca configure eok ra 1 3 

eokfw01# show ca subject
Organization Unit(ou): Evangelischer Oberkirchenrat IT
Organiztion(o): Evangelische Landeskirche in Baden
Country(c): DE

eokfw01# show ca cert
RA Signature Certificate
  Status: Available
  Certificate Serial Number: 612a1dfb000000000002
  Key Usage: Signature
    CN = EOK RA
    OU = Evangelischer Oberkirchenrat IT
    O = Evangelische Landeskirche in Baden
    L = Karlsruhe
    C = DE
    EA =<16> ra () ekiba de
  Validity Date: 
    start date: 10:00:23 CEDT Aug 3 2004
    end   date: 10:10:23 CEDT Aug 3 2005

CA Certificate
  Status: Available
  Certificate Serial Number: 5e4b7696fe66d980466cf9bf9c8e4288
  Key Usage: General Purpose
    CN = EOK
    OU = Evangelischer Oberkirchenrat IT
    O = Evangelische Landeskirche in Baden
    L = Karlsruhe
    C = DE
    EA =<16> ca () ekiba de
  Validity Date: 
    start date: 09:54:25 CEDT Aug 3 2004
    end   date: 10:01:16 CEDT Aug 3 2009

RA KeyEncipher Certificate
  Status: Available
  Certificate Serial Number: 612a1f82000000000003
  Key Usage: Encryption
    CN = EOK RA
    OU = Evangelischer Oberkirchenrat IT
    O = Evangelische Landeskirche in Baden
    L = Karlsruhe
    C = DE
    EA =<16> ra () ekiba de
  Validity Date: 
    start date: 10:00:24 CEDT Aug 3 2004
    end   date: 10:10:24 CEDT Aug 3 2005

Certificate
  Status: Available
  Certificate Serial Number: 6164a3fa000000000005
  Key Usage: General Purpose
  Subject Name:
    CN = eokfw01.ekiba.org
    OU = Evangelischer Oberkirchenrat IT
    O = Evangelische Landeskirche in Baden
    C = DE
    UNSTRUCTURED NAME = eokfw01.ekiba.org
    UNSTRUCTURED IP = 1.2.3.50
  Validity Date: 
    start date: 11:04:19 CEDT Aug 3 2004
    end   date: 11:14:19 CEDT Aug 3 2005

eokfw01# show ca crl
CRL:
    CRL Issuer Name:
        CN = EOK, OU = Evangelischer Oberkirchenrat IT, O = Evangelische Landeskirche in Baden, L = Karlsruhe, C = DE, EA =<16> ca () ekiba de
    LastUpdate: 09:54:30 CEDT Aug 10 2004
    NextUpdate: 22:14:30 CEDT Aug 17 2004

eokfw01# show ca subject
Organization Unit(ou): Evangelischer Oberkirchenrat IT
Organiztion(o): Evangelische Landeskirche in Baden
Country(c): DE

eokfw01# show ca mypubkey rsa
% Key pair was generated at: 14:35:59 CEDT Jul 28 2004
Key name: eokfw01.ekiba.org
 Usage: General Purpose Key
 Key Data:
 ...


PIX debug
---------

eokfw01# debug crypto ca
eokfw01# debug crypto isakmp
crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP:      keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b 
ISAKMP:      keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload

ISAKMP (0): received xauth v6 vendor id

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

ISAKMP (0): SA is doing RSA signature authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to a Unity client

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Error:  Invalid format for BER encoding while 

ISAKMP (0): Unknown error in cert validation, 65535
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Error:  Invalid format for BER encoding while 

ISAKMP (0): Unknown error in cert validation, 65535
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Error:  Invalid format for BER encoding while 

ISAKMP (0): Unknown error in cert validation, 65535
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Error:  Invalid format for BER encoding while 

ISAKMP (0): Unknown error in cert validation, 65535
return status is IKMP_ERR_RETRANS
crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
ISAKMP: Created a peer struct for 1.2.3.54, peer port 62465
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
ISAKMP (0): deleting SA: src 1.2.3.54, dst 1.2.3.50
ISADB: reaper checking SA 0x14faba4, conn_id = 0  DELETE IT!

VPN Peer:ISAKMP: Peer Info for 1.2.3.54/500 not found - peers:0

ISAKMP: Deleting peer node for 1.2.3.54


VPN Client debug
----------------

Cisco Systems VPN Client Version 4.0.5 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 1

1      14:26:57.251  08/16/04  Sev=Info/4       CERT/0x63600014
Cert (cn=hausen () ekiba de,ou=Evangelischer Oberkirchenrat IT,o=Evangelische Landeskirche in Baden,c=DE) verification succeeded.

2      14:26:58.267  08/16/04  Sev=Info/6       IKE/0x6300003B
Attempting to establish a connection with 1.2.3.50.

3      14:26:58.267  08/16/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Unity)) to 1.2.3.50

4      14:26:58.298  08/16/04  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.50

5      14:26:58.298  08/16/04  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA) from 1.2.3.50

6      14:26:58.314  08/16/04  Sev=Info/6       IKE/0x63000001
IOS Vendor ID Contruction successful

7      14:26:58.314  08/16/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to 1.2.3.50

8      14:26:58.330  08/16/04  Sev=Info/5       IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.50

9      14:26:58.330  08/16/04  Sev=Info/4       IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from 1.2.3.50

10     14:26:58.330  08/16/04  Sev=Info/5       IKE/0x63000001
Peer supports XAUTH

11     14:26:58.330  08/16/04  Sev=Info/5       IKE/0x63000001
Peer supports DPD

12     14:26:58.330  08/16/04  Sev=Info/5       IKE/0x63000001
Peer is a Cisco-Unity compliant peer

13     14:26:58.330  08/16/04  Sev=Info/5       IKE/0x63000081
Received IOS Vendor ID with unknown capabilities flag 0x00000025

14     14:26:58.376  08/16/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 1.2.3.50

15     14:27:03.439  08/16/04  Sev=Info/4       IKE/0x63000021
Retransmitting last packet!

16     14:27:03.439  08/16/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 1.2.3.50

17     14:27:08.439  08/16/04  Sev=Info/4       IKE/0x63000021
Retransmitting last packet!

18     14:27:08.439  08/16/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 1.2.3.50

19     14:27:13.439  08/16/04  Sev=Info/4       IKE/0x63000021
Retransmitting last packet!

20     14:27:13.439  08/16/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 1.2.3.50

21     14:27:18.439  08/16/04  Sev=Info/4       IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=F1FDA062E32F115B R_Cookie=DF0B42C77160B61B) reason = DEL_REASON_PEER_NOT_RESPONDING

22     14:27:18.439  08/16/04  Sev=Info/4       IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 1.2.3.50

23     14:27:18.939  08/16/04  Sev=Info/4       IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=F1FDA062E32F115B R_Cookie=DF0B42C77160B61B) reason = DEL_REASON_PEER_NOT_RESPONDING

24     14:27:18.939  08/16/04  Sev=Info/4       IKE/0x63000001
IKE received signal to terminate VPN connection

25     14:27:18.939  08/16/04  Sev=Info/4       IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

+-----------------------------------+
|   EuroBSDCon 2004 in Karlsruhe!   |
|       29. - 31. 10. 2004          |
|   http://www.eurobsdcon2004.de/   |
+-----------------------------------+

-- 
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
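Two things in the debug above are worth reproducing mechanically. The first is Phase 1 policy matching: the PIX rejects the client's transforms 1 to 3 and accepts transform 4, and the rejection of transform 2 (AES-256, MD5, group 5, but "extended auth RSA sig") shows that an `isakmp policy ... authentication rsa-sig` does not match the XAUTH-flavoured proposals the Cisco client offers first. The script below is an added example, not part of Patrick's post or of any Cisco tool: it parses the transform dumps as the PIX prints them and checks them against the `isakmp policy` blocks from the config. The debug text is a constructed sample taken from the trace above, trimmed to the attribute lines (transform 3 omitted); the policy dictionary is transcribed from the config. The lifetime octets `0x0 0x20 0xc4 0x9b` decode to 2147483 seconds, far above the PIX's 86400, and the PIX still accepted transform 4, so lifetime is deliberately left out of the match.

```python
"""Replay the PIX 'debug crypto isakmp' Phase 1 matching against its isakmp policies.
Added example, not from the original post; standard library only."""
import re

# Constructed sample: three of the four proposals from the debug above (transform 3
# omitted), trimmed to the attribute lines. The life duration octets are big-endian seconds.
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      extended auth RSA sig (init)
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 5
ISAKMP:      auth RSA sig
ISAKMP:      life duration (VPI) of  0x0 0x20 0xc4 0x9b
ISAKMP:      keylength of 256
"""

# The two 'isakmp policy' blocks from the PIX config above, lowest priority number first.
PIX_POLICIES = {
    10: {"authentication": "rsa-sig", "encryption": "aes-256", "hash": "md5", "group": 5},
    20: {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": 2},
}


def parse_transforms(debug_text):
    """Turn each 'Checking ISAKMP transform N' block into a dict of its attributes."""
    transforms, cur = [], None
    for line in debug_text.splitlines():
        head = re.match(r"ISAKMP \(\d+\): Checking ISAKMP transform (\d+)", line)
        if head:
            cur = {"number": int(head.group(1))}
            transforms.append(cur)
            continue
        attr = re.match(r"ISAKMP:\s+(.+)", line)
        if not attr or cur is None:
            continue
        attr = attr.group(1).strip()
        if attr.startswith("encryption "):
            cur["cipher"] = attr.split(" ", 1)[1].upper()
        elif attr.startswith("hash "):
            cur["hash"] = attr.split(" ", 1)[1].lower()
        elif attr.startswith("default group "):
            cur["group"] = int(attr.rsplit(" ", 1)[1])
        elif attr.startswith(("auth ", "extended auth ")):
            # 'extended auth' is the XAUTH variant; '(init)' only says who drives XAUTH.
            # A plain 'authentication rsa-sig' policy matches 'rsa-sig', not 'xauth:rsa-sig'.
            method = re.sub(r"\s*\((init|resp)\)$", "", attr.split("auth ", 1)[1]).lower()
            prefix = "xauth:" if attr.startswith("extended") else ""
            cur["auth"] = prefix + method.replace("rsa sig", "rsa-sig")
        elif attr.startswith("life duration"):
            # the PIX prints the lifetime attribute as raw big-endian octets
            octets = bytes(int(b, 16) for b in attr.split(" of ", 1)[1].split())
            cur["lifetime"] = int.from_bytes(octets, "big")
        elif attr.startswith("keylength of "):
            cur["keylength"] = int(attr.rsplit(" ", 1)[1])
    return transforms


def policy_cipher(transform):
    """Map the debug's cipher spelling onto the 'isakmp policy encryption' keyword."""
    if transform["cipher"].startswith("AES"):
        keylength = transform.get("keylength", 128)
        return "aes" if keylength == 128 else f"aes-{keylength}"
    return transform["cipher"].replace("-CBC", "").lower()


def matches(transform, policy):
    """Cipher, hash, DH group and authentication must all agree. Lifetime is not compared:
    the responder takes the shorter, which is how a 2147483 s proposal passed an 86400 s policy."""
    return (policy_cipher(transform) == policy["encryption"]
            and transform.get("hash") == policy["hash"]
            and transform.get("group") == policy["group"]
            and transform.get("auth") == policy["authentication"])


def match_transforms(debug_text, policies):
    """[(transform number, auth method, [priorities of policies that accept it])], in proposal order."""
    return [(t["number"], t.get("auth"), [p for p in sorted(policies) if matches(t, policies[p])])
            for t in parse_transforms(debug_text)]


if __name__ == "__main__":
    for number, auth, matched in match_transforms(PIX_DEBUG, PIX_POLICIES):
        print(f"transform {number}: auth={auth}, accepted by policies {matched or 'none'}")
    print("lifetime proposed:", parse_transforms(PIX_DEBUG)[0]["lifetime"], "seconds")
```

Paste a fresh `debug crypto isakmp` capture into `PIX_DEBUG` and the current `isakmp policy` blocks into `PIX_POLICIES` to see which proposal, if any, a policy change would let through before touching the firewall.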
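The second thing worth checking is the point where the exchange actually dies: the PIX gets through SA, KE, NONCE and ID, then stops at "CRYPTO_PKI: Error: Invalid format for BER encoding" while processing the client's CERT payload, and never answers, which is why the client only sees retransmissions and DEL_REASON_PEER_NOT_RESPONDING. That message is about the encoding of the certificate, not about its signature or chain, so the first thing to look at is whether the blob the client sends is strict DER. The walker below is an added example, not from Patrick's post and not a Cisco tool: it parses a TLV stream with the standard library only and flags the constructs that are legal BER but not DER (indefinite lengths, non-minimal length octets, constructed string types), reporting the offset of each offending tag. The four sample inputs are constructed for illustration (a minimal cn=eokfw01 RDN in strict DER and in three BER-only encodings), not the certificate from the post. Export the real client certificate to DER first, e.g. `openssl x509 -in client.cer -outform DER -out client.der`, and feed its bytes to `der_violations`.

```python
"""Report constructs in a BER/DER blob that strict DER forbids.
Added example, not from the original post; standard library only."""

# Universal tags DER requires to be primitive (BER also allows constructed form):
# BIT STRING, OCTET STRING, UTF8String, PrintableString, T61String, IA5String,
# UTCTime, GeneralizedTime, BMPString.
PRIMITIVE_ONLY = {3, 4, 12, 19, 20, 22, 23, 24, 30}


def _parse_tlv(data, offset, end, findings):
    """Parse one TLV at offset, appending DER violations to findings; return the next offset."""
    start = offset
    tag = data[offset]
    offset += 1
    if tag & 0x1F == 0x1F:  # high-tag-number form: base-128 continuation bytes
        while offset < end and data[offset] & 0x80:
            offset += 1
        offset += 1
    if offset >= end:
        findings.append(f"@{start}: truncated header")
        return end
    constructed = bool(tag & 0x20)
    if (tag & 0xC0) == 0 and constructed and (tag & 0x1F) in PRIMITIVE_ONLY:
        findings.append(f"@{start}: tag 0x{tag:02x} constructed string (DER requires primitive)")
    first = data[offset]
    offset += 1
    if first == 0x80:
        findings.append(f"@{start}: tag 0x{tag:02x} indefinite length (BER only)")
        if not constructed:
            findings.append(f"@{start}: primitive with indefinite length (invalid even as BER)")
        # children run until an end-of-contents pair 00 00
        while offset + 2 <= end and data[offset:offset + 2] != b"\x00\x00":
            offset = _parse_tlv(data, offset, end, findings)
        return min(offset + 2, end)
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
        # DER: short form below 0x80, and no more length octets than the value needs
        if length < 0x80 or n > max(1, (length.bit_length() + 7) // 8):
            findings.append(f"@{start}: tag 0x{tag:02x} non-minimal length encoding")
    else:
        length = first
    content_end = offset + length
    if content_end > end:
        findings.append(f"@{start}: length {length} runs past end of data")
        return end
    if constructed:
        while offset < content_end:
            offset = _parse_tlv(data, offset, content_end, findings)
    return content_end


def der_violations(data):
    """Human-readable list of DER violations in data; empty means the blob is strict DER."""
    findings, offset = [], 0
    while offset < len(data):
        offset = _parse_tlv(data, offset, len(data), findings)
    return findings


def is_strict_der(data):
    return not der_violations(data)


# Constructed samples: the same RDN (OID 2.5.4.3 = commonName, value "eokfw01")
# in strict DER and in three encodings a BER-tolerant encoder might emit.
SAMPLES = {
    "strict DER": bytes.fromhex("300e 0603550403 0c07") + b"eokfw01",
    "indefinite length": bytes.fromhex("3080 0603550403 0c07") + b"eokfw01" + b"\x00\x00",
    "non-minimal length": bytes.fromhex("30810e 0603550403 0c07") + b"eokfw01",
    "constructed string": (bytes.fromhex("3014 0603550403 2c80 0c03") + b"eok"
                           + bytes.fromhex("0c04") + b"fw01" + b"\x00\x00"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {der_violations(blob) or 'strict DER'}")
```

A clean result only rules out the encoding as the cause. Note that the debug also reports the PIX authenticating "using id type ID_IPV4_ADDR" (it is configured with `isakmp identity address`) while the client's certificate carries an e-mail address as its identity; this check says nothing about that mismatch.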

