Installation of wildcard certificate on Cisco ASA 5525-X (9.1(3))
Hello
I would very much appreciate your help in regards to installation of a wildcard certificate on our Cisco ASA 5525-X.
Setup:
We have two Cisco ASA 5525-X in a active/passive failover setup. The ASA is to be used for AnyConnect SSL VPN. I am trying to install our wildcard certificate on the firewall, but unfortunately with no luck so far. As a bonus information, I previously had a test setup (Stand alone ASA 5510 - 8.2(5)), where I did manage to install the certificate. I do believe I am performing the same steps, but still no luck. Could it be due to that I am running a failover setup now and didn't previously or maybe that I am running different software versions? Before you ask, I've tried to do an export on the test firewall (crypto ca export vpn.trustpoint pkcs12 mysecretpassword) but this actually also failed (ERROR: A required certificate or keypair was not found) even though the cert was imported successfully and is working as it should in the lab.
Configuration in regards to certificate:
crypto key generate rsa label vpn.company.dk modulus 2048
crypto ca trustpoint vpn.trustpoint
keypair vpn.company.dk
fqdn none
subject-name CN=*.company.dk,C=DK
!id-usage ssl-ipsec
enrollment terminal
crl configure
crypto ca authenticate vpn.trustpoint
! <import intermediate certificate>
crypto ca enroll vpn.trustpoint
! <send CSR to CA>
crypto ca import vpn.trustpoint certificate
! <import SSL cert received back from CA>
ssl trust-point vpn.trustpoint outside
Problem:
When I try to import the certificate I receive the following error:
crypto ca import vpn.trustpoint certificate
WARNING: The certificate enrollment is configured with an fqdn
that differs from the system fqdn. If this certificate will be
used for VPN authentication this may cause connection problems.
Would you like to continue with this enrollment? [yes/no]: yes
% The fully-qualified domain name will not be included in the certificate
Enter the base 64 encoded certificate.
End with the word "quit" on a line by itself
-----BEGIN CERTIFICATE-----
<certificate>
-----END CERTIFICATE-----
quit
ERROR: Failed to parse or verify imported certificate
Question:
- Does any one of you have any pointers in regards to what is going wrong?
- Especially in regards to fqdn and CN, I also have a question. My config
fqdn none
subject-name CN=*.company.dk,C=DK
would that be correct? I've read online, that fqdn has to be none, and CN should be *.company.dk when using a wildcard certificate. However when I generate the CSR and also when I try to import the certificate, I receive the following warning: "The certificate enrollment is configured with an fqdn that differs from the system fqdn. If this certificate will be used for VPN authentication this may cause connection problems".
So do you have insight or pointers which might help me?
Thank you in advance
I also have a wildcard cert for my SSL VPN ASAs.
When i import the cert I use ASDM instead of CLI...
I import the wildcard as a *.pfx file and type in the password. works fine...
Perhaps the format is incorrect?
Also, my "hostname.domain.lan" does not match my "company.domain.com" fqdn domain but it still works. I only apply this wildcard cert to the outside interface not inside.
Not sure if this helps but give ASDM a try?
Similar Messages
-
DNS Resolution in Cisco ASA 5525
Hey all,
I will begin by telling you what my end goal is, I am trying to block specific websites on our cisco ASA 5525 using FDQN. I know that this functionality for DNS resolution was not implemented until a specific version.
Current Version: Cisco ASA 5525
ASA Version: 8.6(1)
I can ping external addresses from the ASA however I cannot ping hostnames like "ping google.ca" does not work.
What I've done.
dns domain-lookup inside
dns domain-lookup outside
name-server x.x.x.x (Primary internal dns server)
name-server x.x.x.x (Secondary internal dns server)
name-server 8.8.8.8 (Google external dns server)
name-server 8.8.4.4 (Google external dns server)
domain-name example.com
With this config I can, however, ping hostnames of internal servers.
This is an example of me pinging an external hostname.
ciscoasa# ping google.ca
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:803::101f, timeout is 2 seconds:
No route to host 2607:f8b0:4009:803::101f
Success rate is 0 percent (0/1)
Any ideas?
Thanks!officeasa# ping www.google.com
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:f8b0:4009:802::1012, timeout is 2 seconds:
No route to host 2607:f8b0:4009:802::1012
Success rate is 0 percent (0/1)
John, due to the sensitive nature displayed within show route output, is there any other information I can tell you, what exactly did you need to see from this information?
(I know without certain information you cannot help but I need to ensure security on my end)
Thanks for understanding. -
HA between a Cisco ASA 5520 and a Cisco ASA 5525-X
Hi all!
we have a couple of Cisco ASA 5520 running 8.4(3) software, and we want to improve throughput changing them with a couple of Cisco ASA 5525-X. Since software is theorically compatible, we are not going to upgrade it right now.
We don't want to stop service, so we are thinking about switching off backup 5520 firewall, change it with a 5525-X and balance service to that one while we change the other 5520 fw. So the question is, has someone tried to make an active-pasive cluster with both technologies, Cisco ASA an Cisco ASA-X firewalls? We were said that it should be theorically compatible, but we'd like to know if someone tried before.
Best regards for all,You cannot make a 5520 establish failover with the mate being a 5525-X.
1. The configuration guide (here) states:
The two units in a failover configuration must be the same model, have the same number and types of interfaces, the same SSMs installed (if any), and the same RAM installed.
2. A 5525-X requires 8.6 software. 8.6 does not support non-X series ASAs. (Reference) Even if you wait until 9.0 is available (next month) for both you still fail on the model and RAM (X series has much more than the 5520) checks noted above. -
Installing 3rd party certificate in Cisco ASA
Hi,
We have configured an CSR in Cisco ASA for 3rd party CA to generate the certificate, however, the CSR configuration was lost because of some reason.
How can we install this certificate without the CSR in Cisco ASA. Or we have to generate another certificate from CA, it will be chargebale for the new certificate.
Anyone can help to advise ?
Thanks
VeonYou don't need the CSR once you have received the certificate from the third party certificate vendor. Just upload the CA Root certificate and the identity certificate from the certificate vendor to the ASA.
Here is configuration guide for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808b3cff.shtml
Hope that helps. -
Installing wildcard certificate - error
Hello guys,
I'm not quite sure do I post within the right thread so please correct me if I'm wrong.
Anyway, the problem is as subject says - Problem with installation of wildcard certificate on Cisco ASA 5520 (VPN Plus license). Software version is 8.2(2).
I noticed two issues. We've bought a wildcard certificate for our domains example.com, example.org. Certificate provider is Geo Trust.
The first problem is that I'm unable to install the complete certificate chain. If I install the Root CA of GeoTrust, I'm unable to install the sub-ordinate CA, which has actually signed my cert, within the same trustpoint. The warning message says that "WARNING: Trustpoint GeoTrustRA is already authenticated." (this happens when I try to install the sub-ordinate CA, which stays in between Root CA and my certificate, within the same trustpoint as RootCA certificate.
The second problem is the actuall problem however. When I try to install the wildcard certificate, using ASDM, i got the following error: (actually I did intentionally type the wrong password and I receive absolutely the same error)
Here is the setup of CA. As you can see, both certificates which must relay on the same trustpoint as chain, are divided in two trustpoint configurations:
I tried to debug crypto ca 255 but there is nothing interesting within the log file.
If I try to add the Sub-ordinate certificate within the trustpoint where Root CA is installed, I got the following error:
When I try to manually install the wildcard certificate from CLI (It's in BASE-64 format), I do receive the following error:
CLI Issue
vpngw2(config)# crypto ca import GeoTrust pkcs12 password_here
Enter the base 64 encoded pkcs12.
End with the word "quit" on a line by itself:
-----BEGIN CERTIFICATE-----
MIIEhjCCA26gAwIBAgICekswDQYJKoZIhvcNAQEFBQAwQDELMAkGA1UEBhMCVVMx
[cut]
RPg4gnOGlySGVA==
-----END CERTIFICATE-----
quit
ERROR: Import PKCS12 operation failed
Any thoughts, ideas, questions or whetever are more than welcome!Hi there,
I just wanted to tell you that I have found the solution for this case. It appears that the wildcard certificate had been enrolled without State ("ST") attribute of x509.3 certificate. The issuer (GeoTrust) refused to enroll it again evethough we have supplied that information and it was completely their fault. Anyway, we changed the issuer and now everything is just fine.
Sent from Cisco Technical Support iPad App -
P2P blocking on ASA 5525 with Software Version 8.6(1)2
Hello,
We have Cisco ASA 5525 with Software Version 8.6(1)2. We have permitted all the traffic from inside to outside.
Now we want to block P2P sharing Bit torrent to internet sites. Please help me with the configuration.
We have DMZ setup & also inline IPS module.
Thanks in advance.
Regards,
Sandeshc Chavan.Hi Chavan ,
You can try to block this by port.
The well known TCP port for BitTorrent traffic is 6881-6889 (and 6969 for the tracker port).
The config is
Access-list BLOCK-P2P-TRAFFIC deny tcp any any range 6881 6889 log
And applies to the desire interface with the "Access-group command"
For example:
Access-group BLOCK-P2P-TRAFFIC outbound interface DMZ
However Blocking Bittorrent is challenging, and can't really be done effectively with port blocks. The standard ports are 6881-6889 TCP, but the protocol can be run on any port, and the peer-to-peer nature of the protocol means that discovering peers that use unblocked ports is simple.
Also you can execute from the cmd on windows the command netstat -a and check the port Bit torrent is using .
Hope this helps. -
Hi All,
I'm looking to connect a Cisco ASA 5525 firewall that will provide primary internet access to our core network. I want the ASA to learn routes from our core and advertise a default route by OSPF.
I'm happy with the basic configuration here but I'm wondering if there is any advatange to have the ASA sitting in a non-backbone area instead of area 0. Are there any best practises with this scenario or is connecting the ASA to area 0 perfectly acceptable?
Thanks,Hi Will,
I Suggest you to keep your ASA in Area 0, instead of non-backbone area.
I assume your asa will be having one end connected with LAN/Core LAN and other end with the public segment right.....
Then you can have the basic configuration set on ASA, as simple as possible...
router ospf 1
router-id 1.1.1.1.
network 1.1.1.0 255.255.255.0 area 0
timers spf 1 10
log-adj-changes
You will be running the OSPF between your edge router and asa....
Please correct me if my understanding is wrong.
Regards
Karthik -
VPN Cluster and Wildcard Certificate
Hi,
I am setting up a VPN cluster with three ASA boxes and i am wondering if anyone has any experience using a wildcard certificate with this kind of setup.
I am done with the setup and everything works fine, but as my initial setup (and the doc i have been reading) shows, the client first connect to:
cluster.domain.com
Then the master returns the address or fqdn (i am using fqdn) of the least busy asa in the cluster:
vpn01.domain.com
or
vpn02.domain.com
or
vpn03.domain.com
Thus i would need 4 certificates to meet my needs. The cluster.domain.com certificate also must be present on all 3 boxes, because the cluster ip is configured on all boxes, and the master role is shifted if one of the boxes fail.
Because of this i thought it would be a good idea to use 1 wildcard certificate (*.doman.com) on all boxes and avoid the hassle.
Any experience or recommendations?
BR,
/KHello Kenneth,
It was working for version before 9.
On ASA9 you even can not install wildcard certificate to manage ASA via ASDM, so i guess vpn loadbalancing with wildcard certificate will not work either (but i have not tested that).
And it's not a bug - it's a feature - it's a security device and wildcardard certificates are strongly discouraged
Michal -
Cisco ASA 5585-X SSP-20 SSL wildcard SSL certificate support ?
Hello
i want to verify if Cisco ASA 5585-X SSP-20 supports Wildcard SSL's.
CheersSupports them how?
As certificates issued to the ASA and properly bound to it's interfaces to support SSL VPN or ASDM access - yes.
You can configure a wildcard (or any other) certificate improperly and cause things not to work. However it's not a limitation of the device's operating system not supporting it. -
Cisco ASA 5505 and comodo SSL certificate
Hey All,
I am having an issue with setting up the SSL certificate piece of the Cisco AnyConnect VPN. I purchased the certificate and installed it via the ASDM under Configuration > Remote Access VPN > Certificate Management > Identity Certificates. I also placed the CA 2 piece under the CA Certificates. I have http redirect to https and under my browser it is green.
Once the AnyConnect client installs and automatically connects i get no errors or anything. The minute I disconnect and try to reconnect again, I get the "Untrusted VPN Server Certificate!" which isn't true because the connection information is https://vpn.mydomain.com and the SSL Cert is setup as vpn.mydomain.com.
On that note it lists the IP address instead of the vpn.mydomain.com as the untrusted piece of this. Now obviously I don't have the IP address as part of the SSL cert, just the web address. On the web side I have an A record setup to go from vpn.mydomain.com to the IP address of the Cisco ASA.
What am I missing here? I can post config if anyone needs it.
(My Version of ASA Software is 9.0 (2) and ASDM Version 7.1 (2))It's AnyConnect version 3.0. I don't know about the EKU piece. I didn't know that was required. I will attach my config.
ASA Version 9.0(2)
hostname MyDomain-firewall-1
domain-name MyDomain.com
enable password omitted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd omitted
names
name 10.0.0.13.1 MyDomain-Inside description MyDomain Inside
name 10.200.0.0 MyDomain_New_IP description MyDomain_New
name 10.100.0.0 MyDomain-Old description Inside_Old
name XXX.XXX.XX.XX Provider description Provider_Wireless
name 10.0.13.2 Cisco_ASA_5505 description Cisco ASA 5505
name 192.168.204.0 Outside_Wireless description Outside Wireless for Guests
ip local pool MyDomain-Employee-Pool 192.168.208.1-192.168.208.254 mask 255.255.255.0
ip local pool MyDomain-Vendor-Pool 192.168.209.1-192.168.209.254 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address Cisco_ASA_5505 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address Provider 255.255.255.252
boot system disk0:/asa902-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 10.0.3.21
domain-name MyDomain.com
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MyDomain-Employee
subnet 192.168.208.0 255.255.255.0
description MyDomain-Employee
object-group network Inside-all
description All Networks
network-object MyDomain-Old 255.255.254.0
network-object MyDomain_New_IP 255.255.192.0
network-object host MyDomain-Inside
access-list inside_access_in extended permit ip any4 any4
access-list split-tunnel standard permit host 10.0.13.1
pager lines 24
logging enable
logging buffered errors
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static Inside-all Inside-all destination static RVP-Employee RVP-Employee no-proxy-arp route-lookup
object network obj_any
nat (inside,outside) dynamic interface
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XX.XX 1
route inside MyDomain-Old 255.255.254.0 MyDomain-Inside 1
route inside MyDomain_New_IP 255.255.192.0 MyDomain-Inside 1
route inside Outside_Wireless 255.255.255.0 MyDomain-Inside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
action terminate
dynamic-access-policy-record "Network Access Policy Allow VPN"
description "Must have the Network Access Policy Enabled to get VPN access"
aaa-server LDAP_Group protocol ldap
aaa-server LDAP_Group (inside) host 10.0.3.21
ldap-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-group-base-dn ou=MyDomain,dc=MyDomainnet,dc=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=Cisco VPN,ou=Special User Accounts,ou=MyDomain,dc=MyDomainNET,dc=local
server-type microsoft
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http MyDomain_New_IP 255.255.192.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint LOCAL-CA-SERVER
keypair LOCAL-CA-SERVER
no validation-usage
no accept-subordinates
no id-cert-issuer
crl configure
crypto ca trustpoint VPN
enrollment terminal
fqdn vpn.mydomain.com
subject-name CN=vpn.mydomain.com,OU=IT
keypair vpn.mydomain.com
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
crypto ca server
shutdown
crypto ca certificate chain LOCAL-CA-SERVER
certificate ca 01
omitted
quit
crypto ca certificate chain VPN
certificate
omitted
quit
crypto ca certificate chain ASDM_TrustPoint1
certificate ca
omitted
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint VPN
telnet timeout 5
ssh MyDomain_New_IP 255.255.192.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 rc4-md5 des-sha1
ssl trust-point VPN outside
webvpn
enable outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-macosx-i386-2.4.1012-k9.pkg 3
anyconnect image disk0:/anyconnect-linux-2.4.1012-k9.pkg 4
anyconnect image disk0:/anyconnect-win-3.1.01065-k9.pkg 5
anyconnect profiles MyDomain-employee disk0:/MyDomain-employee.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.0.3.21
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
default-domain value MyDomain.com
group-policy MyDomain-Employee internal
group-policy MyDomain-Employee attributes
wins-server none
dns-server value 10.0.3.21
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value MyDomain.com
webvpn
anyconnect profiles value MyDomain-employee type user
username MyDomainadmin password omitted encrypted privilege 15
tunnel-group MyDomain-Employee type remote-access
tunnel-group MyDomain-Employee general-attributes
address-pool MyDomain-Employee-Pool
authentication-server-group LDAP_Group LOCAL
default-group-policy MyDomain-Employee
tunnel-group MyDomain-Employee webvpn-attributes
group-alias MyDomain-Employee enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:1c7e3d7ff324e4fd7567aa21a96a8b22
: end
asdm image disk0:/asdm-712.bin
asdm location MyDomain_New_IP 255.255.192.0 inside
asdm location MyDomain-Inside 255.255.255.255 inside
asdm location MyDomain-Old 255.255.254.0 inside
no asdm history enable -
Unable to install WildCard Certificate for ASA 5512-x
Have a customer who we manage an ASA 5512-X for. I am configuring a Wildcard Certificate for AnyConnect. They have a wildcard certificate purchased through Godaddy.com. I am utilizing ASDM 7.3 for the installation of the certificate. I added the Identity Certificate ASDM_TrustPoint0. Checked the radio button "Add a new identity certificate:" Named the Key Pair WildCard, and set the size to 2048. I also changed the "Certificate Subject DN: to CN=cityvpn.wirapids.org. There were no other attributes to add. I also changed the FQDN under the advanced tab to the same cityvpn.wirapids.org. Then clicked Add Certificate. Successful
Under CA Certificates I added the certificate from file. Which I added the bundle.crt from Godaddy. Certificate was added successfully.
Going back to Identity Certificates. I click on install. Install from a file. Which I tried the other crt file and the bundle file from Godaddy. I get an Error: Failed to parse or verify imported certificate. With the other .crt file from Godaddy I get the same error, but "Certificate does not contain device's General Purpose Public Key."
Not sure what to think. Any suggestions or help would be great. Thanks
PaulYou should never ever get a wildcard certificate. Because if that certificates private key gets stolen, the thief can impersonate all ssl-protected services. The clients view them as valid resources, because the certificate is correct. The only thing to do then, is to revocate the certificate, which will cause you to get a new certificate installed on ALL services that you had protected with the wildcard one.
Even worse, most broswers (besides IE) ignore certificate revocation lists in various cases! -
NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication
Hi everyone,
Hoping someone can help please.
We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
Has anyone implemented this before and if so, are there any guides available please?
Many Thanks,
Dean.Hi Dean,
Thanks for posting here.
Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
Checklist: Configure NPS for Dial-Up and VPN Access
http://technet.microsoft.com/en-us/library/cc754114.aspx
Thanks.
Tiger Li
Tiger Li
TechNet Community Support -
Cisco ASA Backup Restore Certificates
I have a Cisco ASA 5505 as a BOVPN endpoint using certificates. The config is complete and I now need to back it up and restore to a cold standby Cisco ASA 5505 that will sit on the shelf until something goes wrong.
Problem is I cannot restore my certifcates to the standby.
Can someone point me to a process please.
I have tried the backup and restore wizard in ASDM and to be honest it didn't work.
Please help.
Thanks,Martin,
Wouldn't it be simpler to put the two in failover for a few minutes (sync is done automatically on bulk sync).
Otherwise I can suggest to export the certificate in PKCS12 (cert + RSA) from active unit and import it into the "standby".
Active:
ciscoasa(config)# crypto ca export TEST pkcs12 cisco123
Standby:
ciscoasa(config)# crypto ca import TESTBLA pkcs12 cisco123
Marcin -
Is it possible to use a wildcard SSL cert on an ASA? That is, instead of getting a specific cert with the FQDN of the ASA, we would use the wildcard cert issued?
Absolutely, it's especially needed in ASA vpn load balancing environments. When you connect to a FQDN that translates to a load balancing IP, one of the ASAs will do an http redirect to its individual hostname, your browser (or AnyConnect) will attempt that connection and ASA needs to have a certificate for that specific hostname. Having a wildcard cert on all ASAs resolves this. I've got this running on several customers.
If you need help with configuration, let me know.
You can either generate private keys on the ASA (and later export it to another ASA or other non-cisco devices), or you could import an existing wildcard certificate with the private keys (in PKCS12-BASE64 format)
Regards,
Roman -
Setting up site to site vpn with cisco asa 5505
I have a cisco asa 5505 that needs to be set up for site to site vpn to a cisco asa 5500. The 5505 is the remote office and the 5500 is the main office.
IP of remote office router is 71.37.178.142
IP of the main office firewall is 209.117.141.82
Can someone tell me if my config is correct, this is the first time I am setting this up and it can not be tested until I set it up at the remote office. I would rather know its correct before I go.
ciscoasa# show run
: Saved
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password TMACBloMlcBsq1kp encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 209.117.141.82
access-list inside_nat0_outbound extended permit ip host 71.37.178.142 host 209.117.141.82
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 209.117.141.82
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
vpdn username [email protected] password ********* store-local
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.129 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:7e338fb2bf32a9ceb89560b314a5ef6c
: end
ciscoasa#
Thanks!Hi Mandy,
By using following access list define Peer IP as source and destination
access-list outside_1_cryptomap extended permit ip host 71.37.178.142 host 209.117.141.82
you are not defining the interesting traffic / subnets from both ends.
Make some number ACL 101 as you do not have to write the extended keyword then if you like as follows, or else NAME aCL will also work:
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4 access-list 101 remark IPSEC Rule
!.1..source subnet(called local encryption domain) at your end 192.168.200.0
!..2.and destination subnet(called remote encryption domain)at other end 192.168.100.0 !.3..I mean you have to define what subnets you need to communicate between which are behind these firewalls
!..4...Local Subnets behind IP of the main office firewall is 209.117.141.82 say
!...at your end 192.168.200.0
!..5.Remote Subnets behind IP of remote office router is 71.37.178.142 say
!...at other end 192.168.100.0
Please use Baisc Steps as follows:
A. Configuration in your MAIN office having IP = 209.117.141.82 (follow step 1 to 6)
Step 1.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.200.0 0.0.0.255 192.168.100.0 0.0.0.255
Step 2.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 3.
Define Preshared key or PKI which you will use with other side Peer address 71.37.178.142, either key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 2 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 71.37.178.142
or , but not both
crypto isakmp key 6 CISCO123 address71.37.178.142
step 4.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 5.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 6.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Configure the same but just change ACL on other end in step one by reversing source and destination
and also set the peer IP of this router in other end.
So other side config should look as follows:
B. Configuration in oyur Remote PEER IP having IP = 71.37.178.142 (follow step 7 to 12)
Step 7.
Define Crypto ACL/ mirror ACL for other end (change source to destination and destination to source in other side router or VPN device and thats why they are called mirror ACL/ or also called Proxy ID or also called Proxy ACL, your interesting traffic , that you want to encrypt / trave/enter in the tunnel)
access-list outside_1_cryptomap extended ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
Step 8.
Config ISAKMP Policy with minimum 4 parameters are to be config for
crypto isakmp policy 10
authentication pre-share ---> Ist parameter of setting Authentication type ISAKMP Policy is OK
encryption aes-256 --->2nd parameter of ISAKMP Policy is OK
hash sha ---> 3rd parameter of ISAKMP Policy is OK
group 5 ---> 4th parameter of ISAKMP Policy is OK
lifetime 86400 ------ > this 5th parameter is optional , and will negotiate for the less value at either end or by default is will be taken 86400
Step 9.
Define Preshared key or PKI which you will use with other side Peer address key type 0 is Plain text anyone can see it over internet, or use key type 6 for encrypted key , say your password is CISCO123
Here in your case in step 8 Authentication is using PSK, looks you have not defines Password
Use following command:
crypto isakmp key 0 CISCO123 address 209.117.141.82
or , but not both
crypto isakmp key 6 CISCO123 address 209.117.141.82
step 10.
Define Transform set , which will be used for phase 2 tunnel parameters, if you use ESP it can have to sets one cor encryption and other for Authentication.
Here is yours one:
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
this is correct but give name somthing easier to remember /distinguish it is a transform set , like TSET1 instead of ESP-AES-256-SHA ,try following (here you are using ESP so for encryption we use first set as esp-des and for authentication we use second set esp-sha-hmac)
crypto ipsec transform-set TSET1 esp-des esp-sha-hmac
or
crypto ipsec transform-set TSET1 esp-aes-256 esp-sha-hmac
Suppose you are using only AH then as AH does not support encryption or confidentiality hence it always use onle one set not 2 sets like ESP(remember the difference) say for example only one set for auth etc but no set for encryption hence AH have no such sets like ah-des or ah-3des or ah-aes, it has only second set for authentication like
ah-sha-hmac or ah-md5-hmac
crypto ipsec transform-set TSET1 ah-sha-hmac
or
crypto ipsec transform-set TSET1 ah-md5-hmac
Step 11.
Now configure Crypto MAP as follows and only one CMPA can be applied to OUTSIDE Interface as VPN tunnel is alsways applied for traffic from inside subnets to outside subnets and only once Cryptomap can be applied to OUTSIDE Interface and hence for several VPN peers from different vendors we use seq no 10, 2 30 for different tunnels in one single CMAP:
crypto map ipsec-isakmp
1. Define peer -- called WHO to set tunnel with
2. Define or call WHICH - Transform Set, only one is permissible
3. Define WHAT to call interesting traffic define in your ACL or Proxy ID or Proxy ACL in step 1 using match address
Like in your case it is but ipsec-isakmp keyword missing in the ;ast
crypto map outside_map 10 ipsec-isakmp
1. set peer 209.117.141.82 -----> is correct as this is your other side peer called WHO in my step
2. set transform-set TSET1 -----> is correct as this is WHICH, and only one transform set can be called
!..In you case it is correct
!...set transform-set ESP-AES-256-SHA (also correct)
3. match address outside_1_cryptomap ---->Name of the extended ACL define as WHAT to pass through this tunnel
4. set pfs group5 (this is optional but if config at one end same has to be config at other side peer as well)
Step 12.
Now apply this one crypto MAP to your OUTSIDE interface always
interface outside
crypto map outside_map
Now initite a ping
Here is for your summary:
IPSec: Site to Site - Routers
Configuration Steps
Phase 1
Step 1: Configure Mirrored ACL/Crypto ACL for Interesting Traffic
Step 2: Configure ISAKMP Policy
Step 3: Configure ISAKMP Key
Phase 2
Step 4: Configure Transform Set
Step 5: Configure Crypto Map
Step 6: Apply Crypto Map to an Interface
To debug for Phase 1 and Phase 2. Store it in buffer without displaying logs on terminal.
Router#debug crpyto isakmp
Router#debug crpyto ipsec
Router(config)# logging buffer 7
Router(config)# logging buffer 99999
Router(config)# logging console 6
Router# clear logging
Configuration
In R1:
(config)# access-list 101 permit ipo host 10.1.1.1 host 10.1.2.1
(config)# crypto isakmp policy 10
(config-policy)# encryption 3des
(config-policy)# authentication pre-share
(config-policy)# group 2
(config-policy)# hash sha1
(config)# crypto isakmp key 0 cisco address 2.2.2.1
(config)# crypto ipsec transform-set TSET esp-3des sha-aes-hmac
(config)# crypto map CMAP 10 ipsec-isakmp
(config-crypto-map)# set peer 2.2.2.1
(config-crypto-map)# match address 101
(config-crypto-map)# set transform-set TSET
(config)# int f0/0
(config-if)# crypto map CMAP
Similarly in R2
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Change to Transport Mode, add the following command in Step 4:
(config-tranform-set)# mode transport
Even after doing this change, the ipsec negotiation will still be done through tunnel mode if pinged from Loopback to Loopback. To overcome this we make changes to ACL.
Change to Aggressive Mode, replace the Step 3 command with these commands in R1:
(config)# crypto isakmp peer address 2.2.2.1
(config-peer)# set aggressive-mode password cisco
(config-peer)# set aggressive-mode clien-endpoint ipv4-address 2.2.2.1
Similarly on R2.
The below process is for the negotiation using RSA-SIG (PKI) as authentication type
Debug Process:
After we debug, we can see the negotiation between the two peers. The first packet of the interesting traffic triggers the ISAKMP (Phase1) negotiation. Important messages are marked in BOLD and explanation in RED
R2(config)#do ping 10.1.1.1 so lo0 // Interesting Traffic
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 2.2.2.2
Mar 2 16:18:42.939: ISAKMP:(0): SA request profile is (NULL) // Router tried to find any IPSec SA matching the outgoing connection but no valid SA has been found in Security Association Database (SADB)
Mar 2 16:18:42.939: ISAKMP: Created a peer struct for 20.1.1.10, peer port 500
Mar 2 16:18:42.939: ISAKMP: New peer created peer = 0x46519678 peer_handle = 0x8000000D
Mar 2 16:18:42.939: ISAKMP: Locking peer struct 0x46519678, refcount 1 for isakmp_initiator
Mar 2 16:18:42.939: ISAKMP: local port 500, remote port 500
Mar 2 16:18:42.939: ISAKMP: set new node 0 to QM_IDLE
Mar 2 16:18:42.939: ISAKMP:(0):insert sa successfully sa = 4542B818
Mar 2 16:18:42.939: ISAKMP:(0):Can not start Aggressive mode, trying Main mode. // Not an error. By default it is configured for Main Mode
Mar 2 16:18:42.939: ISAKMP:(0):No pre-shared key with 20.1.1.10! // Since we are using RSA Signature, this message. If we use pre-share, this is where it would indicate so!
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-07 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-03 ID
Mar 2 16:18:42.939: ISAKMP:(0): constructed NAT-T vendor-02 ID
Mar 2 16:18:42.939: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Mar 2 16:18:42.939: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
Mar 2 16:18:42.943: ISAKMP:(0): beginning Main Mode exchange
Mar 2 16:18:42.943: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.943: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.943: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_NO_STATE // Sending ISAKMP Policy to peer
Mar 2 16:18:42.947: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.947: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
Mar 2 16:18:42.947: ISAKMP:(0): processing SA payload. message ID = 0
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch // Do not worry about this! Not an ERROR!
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947:.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
R2(config)# ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.947: ISAKMP : Scanning profiles for xauth ...
Mar 2 16:18:42.947: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
Mar 2 16:18:42.947: ISAKMP: encryption 3DES-CBC
Mar 2 16:18:42.947: ISAKMP: hash SHA
Mar 2 16:18:42.947: ISAKMP: default group 2
Mar 2 16:18:42.947: ISAKMP: auth RSA sig
Mar 2 16:18:42.947: ISAKMP: life type in seconds
Mar 2 16:18:42.947: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
Mar 2 16:18:42.947: ISAKMP:(0):atts are acceptable. Next payload is 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:actual life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Acceptable atts:life: 0
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa vpi_length:4
Mar 2 16:18:42.947: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
Mar 2 16:18:42.947: ISAKMP:(0):Returning Actual lifetime: 86400
Mar 2 16:18:42.947: ISAKMP:(0)::Started lifetime timer: 86400.
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Mar 2 16:18:42.947: ISAKMP:(0): vendor ID is NAT-T v2
Mar 2 16:18:42.947: ISAKMP:(0): processing vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0): processing IKE frag vendor id payload
Mar 2 16:18:42.951: ISAKMP:(0):Support for IKE Fragmentation not enabled
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
Mar 2 16:18:42.951: ISAKMP (0): constructing CERT_REQ for issuer cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:42.951: ISAKMP:(0): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_SA_SETUP // Sending Key Exchange Information to peer
Mar 2 16:18:42.951: ISAKMP:(0):Sending an IKE IPv4 Packet.
Mar 2 16:18:42.951: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:42.951: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
Mar 2 16:18:42.955: ISAKMP (0): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_SA_SETUP // Receive key exchange information from peer
Mar 2 16:18:42.955: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:42.955: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
Mar 2 16:18:42.959: ISAKMP:(0): processing KE payload. message ID = 0
Mar 2 16:18:43.003: ISAKMP:(0): processing NONCE payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): processing CERT_REQ payload. message ID = 0
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants a CT_X509_SIGNATURE cert
Mar 2 16:18:43.007: ISAKMP:(1008): peer wants cert issued by cn=ca_server OU=cisco C=India S=Karnataka L=Bangalore
Mar 2 16:18:43.007: Choosing trustpoint CA_Server as issuer
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is Unity
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID seems Unity/DPD but major 180 mismatch
Mar 2 16:18:43.007: ISAKMP:(1008): vendor ID is XAUTH
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008): speaking to another IOS box!
Mar 2 16:18:43.007: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.007: ISAKMP:(1008):vendor ID seems Unity/DPD but hash mismatch
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): His hash no match - this node outside NAT
Mar 2 16:18:43.007: ISAKMP:received payload type 20
Mar 2 16:18:43.007: ISAKMP (1008): No NAT Found for self or peer
Mar 2 16:18:43.007: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.007: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM4
Mar 2 16:18:43.011: ISAKMP:(1008):Send initial contact
Mar 2 16:18:43.011: ISAKMP:(1008):My ID configured as IPv4 Addr, but Addr not in Cert!
Mar 2 16:18:43.011: ISAKMP:(1008):Using FQDN as My ID
Mar 2 16:18:43.011: ISAKMP:(1008):SA is doing RSA signature authentication using id type ID_FQDN
Mar 2 16:18:43.011: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : R2
protocol : 17
port : 500
length : 10
Mar 2 16:18:43.011: ISAKMP:(1008):Total payload length: 10
Mar 2 16:18:43.019: ISAKMP (1008): constructing CERT payload for hostname=R2+serialNumber=FHK1502F2H8
Mar 2 16:18:43.019: ISAKMP:(1008): using the CA_Server trustpoint's keypair to sign
Mar 2 16:18:43.035: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) MM_KEY_EXCH
Mar 2 16:18:43.035: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.035: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.035: ISAKMP:(1008):Old State = IKE_I_MM4 New State = IKE_I_MM5
Mar 2 16:18:43.047: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) MM_KEY_EXCH
// "MM_KEY_EXCH" indicates that the peers have exchanged DH Public keys and generated a shared secret!
Mar 2 16:18:43.047: ISAKMP:(1008): processing ID payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP (1008): ID payload
next-payload : 6
type : 2
FQDN name : ASA1
protocol : 0
port : 0
length : 12
Mar 2 16:18:43.047: ISAKMP:(0):: peer matches *none* of the profiles // Normal Message! Not an error!
Mar 2 16:18:43.047: ISAKMP:(1008): processing CERT payload. message ID = 0
Mar 2 16:18:43.047: ISAKMP:(1008): processing a CT_X509_SIGNATURE cert
Mar 2 16:18:43.051: ISAKMP:(1008): peer's pubkey isn't cached
Mar 2 16:18:43.059: ISAKMP:(1008): Unable to get DN from certificate!
Mar 2 16:18:43.059: ISAKMP:(1008): Cert presented by peer contains no OU field.
Mar 2 16:18:43.059: ISAKMP:(0):: peer matches *none* of the profiles
Mar 2 16:18:43.063: ISAKMP:(1008): processing SIG payload. message ID = 0
Mar 2 16:18:43.067: ISAKMP:received payload type 17
Mar 2 16:18:43.067: ISAKMP:(1008): processing vendor id payload
Mar 2 16:18:43.067: ISAKMP:(1008): vendor ID is DPD
Mar 2 16:18:43.067: ISAKMP:(1008):SA authentication status:
authenticated
Mar 2 16:18:43.067: ISAKMP:(1008):SA has been authenticated with 20.1.1.10
Mar 2 16:18:43.067: ISAKMP: Trying to insert a peer 40.1.1.1/20.1.1.10/500/, and inserted successfully 46519678. // SA inserted into SADB
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM5 New State = IKE_I_MM6
Mar 2 16:18:43.067: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Mar 2 16:18:43.067: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_I_MM6
Mar 2 16:18:43.071: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
Mar 2 16:18:43.071: ISAKMP:(1008):beginning Quick Mode exchange, M-ID of -1523793378
Mar 2 16:18:43.071: ISAKMP:(1008):QM Initiator gets spi
Mar 2 16:18:43.075: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.075: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.075: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Mar 2 16:18:43.075: ISAKMP:(1008):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Mar 2 16:18:43.075: ISAKMP:(1008):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
Mar 2 16:18:43.079: ISAKMP (1008): received packet from 20.1.1.10 dport 500 sport 500 Global (I) QM_IDLE // IPSec Policies
Mar 2 16:18:43.079: ISAKMP:(1008): processing HASH payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing SA payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008):Checking IPSec proposal 1
Mar 2 16:18:43.079: ISAKMP: transform 1, ESP_3DES
Mar 2 16:18:43.079: ISAKMP: attributes in transform:
Mar 2 16:18:43.079: ISAKMP: SA life type in seconds
Mar 2 16:18:43.079: ISAKMP: SA life duration (basic) of 3600
Mar 2 16:18:43.079: ISAKMP: SA life type in kilobytes
Mar 2 16:18:43.079: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
Mar 2 16:18:43.079: ISAKMP: encaps is 1 (Tunnel)
Mar 2 16:18:43.079: ISAKMP: authenticator is HMAC-SHA
Mar 2 16:18:43.079: ISAKMP:(1008):atts are acceptable. // IPSec attributes are acceptable!
Mar 2 16:18:43.079: ISAKMP:(1008): processing NONCE payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.079: ISAKMP:(1008): processing ID payload. message ID = -1523793378
Mar 2 16:18:43.083: ISAKMP:(1008): Creating IPSec SAs
Mar 2 16:18:43.083: inbound SA from 20.1.1.10 to 40.1.1.1 (f/i) 0/ 0
(proxy 1.1.1.1 to 2.2.2.2)
Mar 2 16:18:43.083: has spi 0xA9A66D46 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: outbound SA from 40.1.1.1 to 20.1.1.10 (f/i) 0/0
(proxy 2.2.2.2 to 1.1.1.1)
Mar 2 16:18:43.083: has spi 0x2B367FB4 and conn_id 0
Mar 2 16:18:43.083: lifetime of 3600 seconds
Mar 2 16:18:43.083: lifetime of 4608000 kilobytes
Mar 2 16:18:43.083: ISAKMP:(1008): sending packet to 20.1.1.10 my_port 500 peer_port 500 (I) QM_IDLE
Mar 2 16:18:43.083: ISAKMP:(1008):Sending an IKE IPv4 Packet.
Mar 2 16:18:43.083: ISAKMP:(1008):deleting node -1523793378 error FALSE reason "No Error"
Mar 2 16:18:43.083: ISAKMP:(1008):Node -1523793378, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Mar 2 16:18:43.083: ISAKMP:(1008):Old State = IKE_QM_I_QM1 New State = IKE_QM_PHASE2_COMPLETE // At this point tunnels are up and ready to pass traffic!
Verification Commands
#show crypto isakmp SA
#show crypto ipsec SA
Kindly rate if you find the explanation useful !!
Best Regards
Sachin Garg
Maybe you are looking for
-
Anonymous user can't access WPC pages in TREX search result list
An anonymous user can use TREX service to enter query string in search iView and to get the list of results. But when he tries to open a page (web_paragraph or web_article ) generated by WPC (by clicking on the page link in result list) a logon scree
-
Hi Friends, I am not getting Item and Header Texts for Import Po document type. Where as for remaining document types, I am getting the texts. Can anybody suggest me, what can I do? Regards,
-
Acrobat Pro DC, now Chrome doesn't work.
Installed the new Acrobat Pro DC, now Chrome doesn't work, Acrobat won't work either. What to do?
-
Documentation of case handling in worksheet
Hi there, can anybody point me to a point in the sqldev-documentation, where the two ways (1.settings, 2.Button on the sql-worksheet button-bar) to handle automatic case changing, is being explained. Even in this forum, there seems to be an unclear p
-
Server log showing problems with Mail Server
Ok, so I followed the instructions in that PDF about how to make virtual mail users in 10.5.1 since they are broken. So I did it in the WGM and the Postfix stuff as the document said. Now I get all these errors in the server log and I have no idea ho