Firewall Wizards mailing list archives
VPN Client <> PIX 515 with certificates (long!)
From: "Patrick M. Hausen" <hausen () punkt de>
Date: Tue, 17 Aug 2004 09:04:49 +0200 (CEST)
Hello!

Sorry about the product-specific mail, but maybe someone on this list has managed to get a similar setup up and running ... I've been fighting with this setup for quite some time now and have somewhat exhaustively (so it seems) read everything I found with Google or on the Cisco website.

I've set up a Microsoft CA with SCEP for certificate management. This wasn't trivial, but I finally succeeded; at least the PIX output looks OK. I manually created a cert for the client using an email address for the identity (the general case in this installation will be mobile users, so email addresses are the only thing known to be unique; hostnames probably are not). I used the same CA, of course. I imported this cert, the CA cert and the firewall's certificate into the VPN client.

When trying to connect, the client eventually times out, while the PIX complains about an unknown error.

I've left the entire IPSec and IKE configuration on the PIX intact, including an additional gateway-to-gateway link with a preshared secret. Since the security should not depend on this, I didn't delete the certificate contents or anything else besides keys, the preshared secret and the external IP addresses involved. (Though they are trivial to find out for a determined attacker given the hostname and the other information; again, the security of a firewall must not depend on the address being secret ;-)

Any hints on what's going wrong here?
TIA,
Patrick

PIX Config
----------
PIX Version 6.3(4)
hostname eokfw01
domain-name ekiba.org
access-list outside_cryptomap_dyn_10 permit ip any 172.20.150.0 255.255.255.0
access-list outside_cryptomap_20 permit ip 172.20.0.0 255.255.0.0 1.2.3.56 255.255.255.0
ip address outside 1.2.3.50 255.255.255.248
ip address inside 172.20.0.90 255.255.0.0
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip local pool VPN-Clients 172.20.150.0-172.20.150.255
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto dynamic-map outside_dyn_map_1 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map_1 10 set pfs group5
crypto dynamic-map outside_dyn_map_1 10 set transform-set ESP-AES-256-MD5
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set pfs group2
crypto map outside_map 20 set peer 1.2.3.56
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map_1
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map interface outside
isakmp enable outside
isakmp key ********** address 1.2.3.56 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption aes-256
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup VPN-Clients address-pool VPN-Clients
vpngroup VPN-Clients dns-server 172.20.0.26 172.20.0.27
vpngroup VPN-Clients default-domain ekiba.org
vpngroup VPN-Clients idle-time 1800
ca identity eok 172.20.0.25:/certsrv/mscep/mscep.dll
ca configure eok ra 1 3
ca subject-name eok ou=Evangelischer Oberkirchenrat IT,o=Evangelische Landeskirche in Baden,c=DE

CA Config
---------
eokfw01# show ca ident
ca identity eok 172.20.0.25:/certsrv/mscep/mscep.dll

eokfw01# show ca conf
ca configure eok ra 1 3

eokfw01# show ca subject
Organization Unit(ou): Evangelischer Oberkirchenrat IT
Organiztion(o): Evangelische Landeskirche in Baden
Country(c): DE

eokfw01# show ca cert
RA Signature Certificate
Status: Available
Certificate Serial Number: 612a1dfb000000000002
Key Usage: Signature
CN = EOK RA
OU = Evangelischer Oberkirchenrat IT
O = Evangelische Landeskirche in Baden
L = Karlsruhe
C = DE
EA =<16> ra () ekiba de
Validity Date:
start date: 10:00:23 CEDT Aug 3 2004
end date: 10:10:23 CEDT Aug 3 2005

CA Certificate
Status: Available
Certificate Serial Number: 5e4b7696fe66d980466cf9bf9c8e4288
Key Usage: General Purpose
CN = EOK
OU = Evangelischer Oberkirchenrat IT
O = Evangelische Landeskirche in Baden
L = Karlsruhe
C = DE
EA =<16> ca () ekiba de
Validity Date:
start date: 09:54:25 CEDT Aug 3 2004
end date: 10:01:16 CEDT Aug 3 2009

RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 612a1f82000000000003
Key Usage: Encryption
CN = EOK RA
OU = Evangelischer Oberkirchenrat IT
O = Evangelische Landeskirche in Baden
L = Karlsruhe
C = DE
EA =<16> ra () ekiba de
Validity Date:
start date: 10:00:24 CEDT Aug 3 2004
end date: 10:10:24 CEDT Aug 3 2005

Certificate
Status: Available
Certificate Serial Number: 6164a3fa000000000005
Key Usage: General Purpose
Subject Name:
CN = eokfw01.ekiba.org
OU = Evangelischer Oberkirchenrat IT
O = Evangelische Landeskirche in Baden
C = DE
UNSTRUCTURED NAME = eokfw01.ekiba.org
UNSTRUCTURED IP = 1.2.3.50
Validity Date:
start date: 11:04:19 CEDT Aug 3 2004
end date: 11:14:19 CEDT Aug 3 2005

eokfw01# show ca crl
CRL:
CRL Issuer Name:
CN = EOK, OU = Evangelischer Oberkirchenrat IT, O = Evangelische Landeskirche in Baden, L = Karlsruhe, C = DE, EA =<16> ca () ekiba de
LastUpdate: 09:54:30 CEDT Aug 10 2004
NextUpdate: 22:14:30 CEDT Aug 17 2004

eokfw01# show ca subject
Organization Unit(ou): Evangelischer Oberkirchenrat IT
Organiztion(o): Evangelische Landeskirche in Baden
Country(c): DE

eokfw01# show ca mypubkey rsa
% Key pair was generated at: 14:35:59 CEDT Jul 28 2004
Key name: eokfw01.ekiba.org
Usage: General Purpose Key
Key Data:
...

PIX debug
---------
eokfw01# debug crypto ca
eokfw01# debug crypto isakmp
crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: extended auth RSA sig (init)
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash SHA
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: hash MD5
ISAKMP: default group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: keylength of 256
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): processing vendor id payload
ISAKMP (0): received xauth v6 vendor id
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
ISAKMP (0): SA is doing RSA signature authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to another IOS box!
ISAKMP (0): processing vendor id payload
ISAKMP (0): speaking to a Unity client
return status is IKMP_NO_ERROR

crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Error: Invalid format for BER encoding while
ISAKMP (0): Unknown error in cert validation, 65535
return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Error: Invalid format for BER encoding while
ISAKMP (0): Unknown error in cert validation, 65535
return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Error: Invalid format for BER encoding while
ISAKMP (0): Unknown error in cert validation, 65535
return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
CRYPTO_PKI: Error: Invalid format for BER encoding while
ISAKMP (0): Unknown error in cert validation, 65535
return status is IKMP_ERR_RETRANS

crypto_isakmp_process_block:src:1.2.3.54, dest:1.2.3.50 spt:500 dpt:500
ISAKMP: Created a peer struct for 1.2.3.54, peer port 62465
ISAKMP: reserved not zero on payload 8!
ISAKMP: malformed payload
ISAKMP (0): deleting SA: src 1.2.3.54, dst 1.2.3.50
ISADB: reaper checking SA 0x14faba4, conn_id = 0 DELETE IT!
VPN Peer:ISAKMP: Peer Info for 1.2.3.54/500 not found - peers:0
ISAKMP: Deleting peer node for 1.2.3.54

VPN Client debug
----------------
Cisco Systems VPN Client Version 4.0.5 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 1

1 14:26:57.251 08/16/04 Sev=Info/4 CERT/0x63600014
Cert (cn=hausen () ekiba de,ou=Evangelischer Oberkirchenrat IT,o=Evangelische Landeskirche in Baden,c=DE) verification succeeded.

2 14:26:58.267 08/16/04 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 1.2.3.50.

3 14:26:58.267 08/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Unity)) to 1.2.3.50

4 14:26:58.298 08/16/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.50

5 14:26:58.298 08/16/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (SA) from 1.2.3.50

6 14:26:58.314 08/16/04 Sev=Info/6 IKE/0x63000001
IOS Vendor ID Contruction successful

7 14:26:58.314 08/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (KE, NON, VID(?), VID(Unity)) to 1.2.3.50

8 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 1.2.3.50

9 14:26:58.330 08/16/04 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK MM (KE, NON, CERT_REQ, VID(Xauth), VID(dpd), VID(Unity), VID(?)) from 1.2.3.50

10 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x63000001
Peer supports XAUTH

11 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x63000001
Peer supports DPD

12 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x63000001
Peer is a Cisco-Unity compliant peer

13 14:26:58.330 08/16/04 Sev=Info/5 IKE/0x63000081
Received IOS Vendor ID with unknown capabilities flag 0x00000025

14 14:26:58.376 08/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(ID, CERT, CERT_REQ, SIG, NOTIFY:STATUS_INITIAL_CONTACT) to 1.2.3.50

15 14:27:03.439 08/16/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

16 14:27:03.439 08/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 1.2.3.50

17 14:27:08.439 08/16/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

18 14:27:08.439 08/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 1.2.3.50

19 14:27:13.439 08/16/04 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!

20 14:27:13.439 08/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM *(Retransmission) to 1.2.3.50

21 14:27:18.439 08/16/04 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=F1FDA062E32F115B R_Cookie=DF0B42C77160B61B) reason = DEL_REASON_PEER_NOT_RESPONDING

22 14:27:18.439 08/16/04 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 1.2.3.50

23 14:27:18.939 08/16/04 Sev=Info/4 IKE/0x6300004A
Discarding IKE SA negotiation (I_Cookie=F1FDA062E32F115B R_Cookie=DF0B42C77160B61B) reason = DEL_REASON_PEER_NOT_RESPONDING

24 14:27:18.939 08/16/04 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection

25 14:27:18.939 08/16/04 Sev=Info/4 IKE/0x63000085
Microsoft IPSec Policy Agent service started successfully

+-----------------------------------+
| EuroBSDCon 2004 in Karlsruhe!     |
| 29. - 31. 10. 2004                |
| http://www.eurobsdcon2004.de/     |
+-----------------------------------+
--
punkt.de GmbH         Internet - Dienstleistungen - Beratung
Vorholzstr. 25        Tel. 0721 9109 -0 Fax: -100
76137 Karlsruhe       http://punkt.de
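Added example (Python, not from Patrick's post and not Cisco code): the PIX debug above rejects the client's CERT payload with "Invalid format for BER encoding", so a useful pre-import check is to run the exported client certificate blob through a strict DER walker offline. This one unwraps PEM armour (a PEM file where raw DER is expected fails on the very first byte) and flags the BER-only constructs a strict DER parser refuses: indefinite and non-minimal lengths, plus values that overrun the buffer. The SAMPLE_DER bytes are constructed for the test and are not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)


def pem_to_der(blob: bytes) -> bytes:
    """Unwrap PEM armour if present; DER (or anything else) passes through."""
    m = PEM_RE.search(blob)
    return base64.b64decode(re.sub(rb"\s+", b"", m.group(1))) if m else blob


def check_der(buf: bytes, pos: int = 0, end: int = -1) -> list:
    """Walk the TLV tree; return strict-DER violations (empty list = clean)."""
    end = len(buf) if end < 0 else end
    problems = []
    while pos < end:
        tag = buf[pos]
        if tag & 0x1F == 0x1F:  # high-tag-number form never occurs in X.509
            return problems + [f"offset {pos}: high-tag-number form"]
        if pos + 1 >= end:
            return problems + [f"offset {pos}: truncated after tag"]
        lb = buf[pos + 1]
        pos += 2
        if lb == 0x80:  # indefinite length is legal BER but forbidden in DER
            return problems + [f"offset {pos - 1}: indefinite length (BER, not DER)"]
        if lb & 0x80:  # long form: the next n bytes hold the length, big-endian
            n = lb & 0x7F
            if pos + n > end:
                return problems + [f"offset {pos}: truncated length field"]
            length = int.from_bytes(buf[pos:pos + n], "big")
            if buf[pos] == 0 or length < 0x80:
                problems.append(f"offset {pos - 1}: non-minimal length encoding")
            pos += n
        else:
            length = lb
        if pos + length > end:
            return problems + [f"offset {pos}: value runs past end of buffer"]
        if tag & 0x20:  # constructed type: descend into the children
            problems += check_der(buf, pos, pos + length)
        pos += length
    return problems


# Constructed sample (not a real certificate): SEQUENCE { INTEGER 5, IA5String "A" }
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x16, 0x01, 0x41])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
```

Run `check_der(pem_to_der(open(path, "rb").read()))` on the exported client cert; an empty list means the blob is at least well-formed DER, so the PIX error would have to come from the certificate's contents or from the IKE exchange rather than its encoding.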