Hi All

I am doing Lab 1 from Yusuf's book but cannot get the VPN to negotiate in
question 2.3 with certificates. I originally got it to work fine with PSK,
but after changing the configuration to RSA I get a failure which to me
seems to be an issue on the router side, as I get the following debugs when
I initiate the VPN from the router (R5):


R5#ping 10.8.8.8 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.8.8, timeout is 2 seconds:
Packet sent with a source address of 10.5.5.5


Jun 23 09:13:20.092: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.55.5, remote= 192.168.9.10,
    local_proxy= 10.5.5.5/255.255.255.255/0/0 (type=1),
    remote_proxy= 10.8.8.8/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Jun 23 09:13:20.116: ISAKMP:(0): SA request profile is (NULL)
Jun 23 09:13:20.116: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
Jun 23 09:13:20.120: ISAKMP: New peer created peer = 0x673AFE78 peer_handle = 0x80000012
Jun 23 09:13:20.124: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for isakmp_initiator
Jun 23 09:13:20.124: ISAKMP: local port 500, remote port 500
Jun 23 09:13:20.128: ISAKMP: set new node 0 to QM_IDLE
Jun 23 09:13:20.132: insert sa successfully sa = 67EEFFC8
Jun 23 09:13:20.132: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Jun 23 09:13:20.136: ISAKMP:(0):No pre-shared key with 192.168.9.10!
Jun 23 09:13:20.140: ISAKMP:(0): No Cert or pre-shared address key.
Jun 23 09:13:20.144: ISAKMP:(0): construct_initial_message: Can not start Main mode
Jun 23 09:13:20.144: ISAKMP: Unlocking peer struct 0x673AFE78 for isadb_unlock_peer_delete_sa(), count 0
Jun 23 09:13:20.148: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10: 673AFE78
Jun 23 09:13:20.152: ISAKMP:(0):purging SA., sa=67EEFFC8, delme=67EEFFC8
Jun 23 09:13:20.156: ISAKMP:(0):purging node -1032077271
Jun 23 09:13:20.156: ISAKMP: Error while processing SA request: Failed to initialize SA
Jun 23 09:13:20.160: ISAKMP: Error while processing KMI message 0, error 2.
Jun 23 09:13:20.168: IPSEC(key_engine): got a queue event with 1 KMI message(s)....
Success rate is 0 percent (0/5)
R5#


When I try to initiate the VPN from the ASA side I get the following debugs
on the router:


R5#
Jun 23 09:14:07.167: ISAKMP (0:0): received packet from 192.168.9.10 dport 500 sport 500 Global (N) NEW SA
Jun 23 09:14:07.171: ISAKMP: Created a peer struct for 192.168.9.10, peer port 500
Jun 23 09:14:07.175: ISAKMP: New peer created peer = 0x673AFE78 peer_handle = 0x80000014
Jun 23 09:14:07.179: ISAKMP: Locking peer struct 0x673AFE78, refcount 1 for crypto_isakmp_process_block
Jun 23 09:14:07.179: ISAKMP: local port 500, remote port 500
Jun 23 09:14:07.183: insert sa successfully sa = 67EEFFC8
Jun 23 09:14:07.187: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jun 23 09:14:07.191: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1
Jun 23 09:14:07.211: ISAKMP:(0): processing SA payload. message ID = 0
Jun 23 09:14:07.215: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.219: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jun 23 09:14:07.219: ISAKMP:(0): vendor ID is NAT-T v2
Jun 23 09:14:07.223: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.227: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jun 23 09:14:07.227: ISAKMP:(0): vendor ID is NAT-T v3
Jun 23 09:14:07.231: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.235: ISAKMP:(0): processing IKE frag vendor id payload
Jun 23 09:14:07.235: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 23 09:14:07.239: ISAKMP : Scanning profiles for xauth ... isakmpprof1
Jun 23 09:14:07.243: ISAKMP:(0):Checking ISAKMP transform 1 against priority 11 policy
Jun 23 09:14:07.243: ISAKMP:      default group 5
Jun 23 09:14:07.247: ISAKMP:      encryption AES-CBC
Jun 23 09:14:07.247: ISAKMP:      keylength of 128
Jun 23 09:14:07.247: ISAKMP:      hash SHA
Jun 23 09:14:07.251: ISAKMP:      auth RSA sig
Jun 23 09:14:07.251: ISAKMP:      life type in seconds
Jun 23 09:14:07.255: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jun 23 09:14:07.259: ISAKMP:(0):RSA signature authentication offered but does not match policy!
Jun 23 09:14:07.263: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 23 09:14:07.263: ISAKMP:(0):Checking ISAKMP transform 1 against priority 65535 policy
Jun 23 09:14:07.267: ISAKMP:      default group 5
Jun 23 09:14:07.267: ISAKMP:      encryption AES-CBC
Jun 23 09:14:07.271: ISAKMP:      keylength of 128
Jun 23 09:14:07.271: ISAKMP:      hash SHA
Jun 23 09:14:07.275: ISAKMP:      auth RSA sig
Jun 23 09:14:07.275: ISAKMP:      life type in seconds
Jun 23 09:14:07.275: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
Jun 23 09:14:07.279: ISAKMP:(0):Encryption algorithm offered does not match policy!
Jun 23 09:14:07.279: ISAKMP:(0):atts are not acceptable. Next payload is 0
Jun 23 09:14:07.279: ISAKMP:(0):no offers accepted!
Jun 23 09:14:07.279: ISAKMP:(0): phase 1 SA policy not acceptable! (local 192.168.55.5 remote 192.168.9.10)
Jun 23 09:14:07.279: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
Jun 23 09:14:07.279: ISAKMP:(0): sending packet to 192.168.9.10 my_port 500 peer_port 500 (R) MM_NO_STATE
Jun 23 09:14:07.279: ISAKMP:(0):Sending an IKE IPv4 Packet.
Jun 23 09:14:07.283: ISAKMP:(0):peer does not do paranoid keepalives.
Jun 23 09:14:07.287: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
Jun 23 09:14:07.291: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.291: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
Jun 23 09:14:07.295: ISAKMP:(0): vendor ID is NAT-T v2
Jun 23 09:14:07.299: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.299: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
Jun 23 09:14:07.303: ISAKMP:(0): vendor ID is NAT-T v3
Jun 23 09:14:07.303: ISAKMP:(0): processing vendor id payload
Jun 23 09:14:07.307: ISAKMP:(0): processing IKE frag vendor id payload
Jun 23 09:14:07.311: ISAKMP:(0):Support for IKE Fragmentation not enabled
Jun 23 09:14:07.311: ISAKMP (0:0): FSM action returned error: 2
Jun 23 09:14:07.315: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
Jun 23 09:14:07.319: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_R_MM1
Jun 23 09:14:07.343: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 192.168.9.10)
Jun 23 09:14:07.343: ISAKMP: Unlocking peer struct 0x673AFE78 for isadb_mark_sa_deleted(), count 0
Jun 23 09:14:07.343: ISAKMP: Deleting peer node by peer_reap for 192.168.9.10: 673AFE78
Jun 23 09:14:07.343: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jun 23 09:14:07.347: ISAKMP:(0):Old State = IKE_R_MM1  New State = IKE_DEST_SA
Jun 23 09:14:07.351: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Jun 23 09:14:07.359: ISAKMP:(0):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 192.168.9.10)
Jun 23 09:14:07.359: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_ERROR
Jun 23 09:14:07.359: ISAKMP:(0):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
Jun 23 09:14:15.092: ISAKMP (0:0): received packet from 192.168.9.10 dport 500 sport 500 Global (R) MM_NO_STATE
R5#
R5#


Now it is obviously a Phase 1 issue, as the router complains about policies
not matching and also that there is no PSK or cert defined. I am not using
ISAKMP profiles yet, though I know this needs to be added for the
certificate map requirement in the question; I just want to get this part
working first. Below is the relevant configuration from each device. Any
idea why the router doesn't seem to be using the locally configured CA and
ID certificate in Phase 1 when negotiating? The ISAKMP policies match.


------------------
ASA2 Config
------------------

ASA Version 8.0(4)23
!
hostname ASA2
domain-name cisco.com
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.10 255.255.255.0
 authentication key eigrp 10 <removed> key-id 1
 authentication mode eigrp 10 md5
!
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 nameif outside
 security-level 0
 ip address 192.168.9.10 255.255.255.0
 ospf authentication-key password
 ospf authentication message-digest
!
access-list crypto1 extended permit ip host 10.8.8.8 host 10.5.5.5
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cryptomap1 10 match address crypto1
crypto map cryptomap1 10 set peer 192.168.55.5
crypto map cryptomap1 10 set transform-set aes-sha
crypto map cryptomap1 10 set trustpoint myCA
crypto map cryptomap1 interface outside
!
crypto ca trustpoint myCA
 enrollment url http://10.1.1.1:80
 fqdn ASA2.cisco.com
 subject-name cn=ASA2
 ip-address 192.168.9.10
 keypair myCA-KEYS
 crl configure
!
crypto ca certificate chain myCA
 certificate ca 01
    3082020b 30820174 a0030201 02020101 300d0609 2a864886 f70d0101 05050030
  quit
 certificate 05
    30820245 308201ae a0030201 02020105 300d0609 2a864886 f70d0101 05050030
  quit
crypto isakmp enable outside
crypto isakmp policy 5
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 192.168.55.5 type ipsec-l2l
tunnel-group 192.168.55.5 ipsec-attributes
 trust-point myCA



------------------
R5 Config
------------------

hostname R5
!
crypto pki trustpoint myCA
 enrollment url http://10.1.1.1:80
 fqdn R5.cisco.com
 ip-address 10.5.5.5
 subject-name cn=R5
 revocation-check none
 rsakeypair myCA-KEYS
!
crypto pki certificate map certmap1 10
 issuer-name co myca
 subject-name co asa2
!
crypto pki certificate chain myCA
 certificate 06
  3082021F 30820188 A0030201 02020106 300D0609 2A864886 F70D0101 05050030
        quit
 certificate ca 01
  3082020B 30820174 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
        quit
!
crypto isakmp policy 11
 encr aes
 group 5
crypto isakmp identity dn
crypto isakmp profile isakmpprof1
   self-identity fqdn
   ca trust-point myCA
   match certificate certmap1
!
crypto ipsec transform-set aes-sha esp-aes esp-sha-hmac
!
crypto map cryptomap1 local-address Loopback6
crypto map cryptomap1 10 ipsec-isakmp
 set peer 192.168.9.10
 set transform-set aes-sha
 match address crypto1
!
interface Loopback0
 ip address 10.5.5.5 255.255.255.0
!
interface Loopback6
 ip address 192.168.55.5 255.255.255.0
!
interface Serial0/0
 ip address 192.168.35.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 zone-member security REMOTE
 encapsulation ppp
 ip ospf network point-to-point
 no fair-queue
 clock rate 2000000
 crypto map cryptomap1
!
interface Serial0/1
 ip address 192.168.65.5 255.255.255.0
 zone-member security CENTRAL
 encapsulation frame-relay
 ip ospf network point-to-point
 clock rate 2000000
 frame-relay map ip 192.168.65.6 65 broadcast
 frame-relay intf-type dce
 crypto map cryptomap1
!
ip access-list extended crypto1
 permit ip host 10.5.5.5 host 10.8.8.8
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
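Because IOS fills in a default for every `crypto isakmp policy` attribute that is not typed (policy 11 above only sets `encr aes` and `group 5`), it helps to expand both sides' policies to their full attribute sets before comparing them by eye. The script below is an added example, not code from the original post or from Cisco. It holds constructed copies of the two posted policy blocks, fills in the IOS and ASA 8.x defaults (assumed here from the platform documentation, so confirm them with `show crypto isakmp policy` on each box), and walks the router's policies in ascending priority the way the responder debug above does, including the implicit IOS default policy 65535. On configured attributes alone, R5 policy 11 lines up with ASA2 policy 5, and 65535 fails on encryption (des against aes), which is the second check in the debug. What the comparison does not cover is whether the router actually holds a certificate it can authenticate with, which is what the initiator debug's "No Cert or pre-shared address key" line is about, so a policy-11 rejection like the one in the debug will not show up in this output.

```python
"""Expand and compare IKEv1 phase-1 (ISAKMP) policies from an IOS router and an ASA.

Added example, not from the original post. The policy text below is a constructed
copy of the two posted policy blocks; the default tables are assumed from the
platform documentation and should be confirmed with `show crypto isakmp policy`.
"""
import re

# Attribute values each platform applies when a policy omits the line (assumed defaults).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}
ASA_DEFAULTS = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
                "group": "2", "lifetime": "86400"}

# IOS abbreviates `encryption` as `encr`; both platforms spell the other keywords the same.
KEYWORDS = {"encr": "encryption", "encryption": "encryption", "hash": "hash",
            "authentication": "authentication", "group": "group", "lifetime": "lifetime"}

# Attributes that must agree for a proposal to be accepted. Lifetime is negotiated
# down to the shorter value rather than rejected, so it is parsed but not compared.
HARD_ATTRIBUTES = ("encryption", "hash", "authentication", "group")

POLICY_HEADER = re.compile(r"^crypto isakmp policy (\d+)$")

# Constructed copies of the posted policy blocks (only the lines the comparison needs).
R5_CONFIG = """
crypto isakmp policy 11
 encr aes
 group 5
crypto isakmp identity dn
"""

ASA2_CONFIG = """
crypto isakmp policy 5
 authentication rsa-sig
 encryption aes
 hash sha
 group 5
 lifetime 86400
!
"""


def parse_policies(config, defaults):
    """Return {priority: {attribute: value}} with the platform defaults filled in."""
    policies, current = {}, None
    for line in config.splitlines():
        header = POLICY_HEADER.match(line.strip())
        if header:
            current = int(header.group(1))
            policies[current] = dict(defaults)
            continue
        if current is None:
            continue
        body = line.strip()
        if not body or body == "!" or not line.startswith(" "):
            current = None          # an unindented line or "!" ends the policy block
            continue
        words = body.split()
        attr = KEYWORDS.get(words[0])
        if attr:
            policies[current][attr] = " ".join(words[1:])   # keeps "aes 256" style values
    return policies


def ios_policies(config):
    """IOS policies plus the implicit default policy 65535 that the responder also tries."""
    policies = parse_policies(config, IOS_DEFAULTS)
    policies.setdefault(65535, dict(IOS_DEFAULTS))
    return policies


def normalize_encryption(value):
    """Map `aes`/`aes 256` (IOS) and `aes`/`aes-256` (ASA) onto one spelling."""
    value = value.replace(" ", "-")
    return "aes-128" if value == "aes" else value


def compare(local, offered):
    """Return [(attribute, local_value, offered_value)] for every hard attribute that differs."""
    diffs = []
    for attr in HARD_ATTRIBUTES:
        a, b = local[attr], offered[attr]
        if attr == "encryption":
            a, b = normalize_encryption(a), normalize_encryption(b)
        if a != b:
            diffs.append((attr, a, b))
    return diffs


def check_offer(responder_policies, offered):
    """Walk the responder's policies in ascending priority, as the IOS debug does.
    Returns [(priority, diffs)]; an empty diffs list means that policy accepts the offer."""
    return [(prio, compare(responder_policies[prio], offered))
            for prio in sorted(responder_policies)]


if __name__ == "__main__":
    asa = parse_policies(ASA2_CONFIG, ASA_DEFAULTS)
    for prio, diffs in check_offer(ios_policies(R5_CONFIG), asa[5]):
        verdict = "accepts" if not diffs else "rejects: " + ", ".join(
            f"{attr} local={a} offered={b}" for attr, a, b in diffs)
        print(f"R5 policy {prio} {verdict} ASA2 policy 5")
```

Run it as-is and it prints one line per router policy; to check a different pair of boxes, paste the two `crypto isakmp policy` blocks into the two strings and swap the default table if the peer is not an ASA.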
