
PIX 515 - Client VPN, certificate authentication

I have a client vpn (as well as a site-to-site vpn) setup on a PIX 515E. Group authentication works great, but I want to use certificates. I can view the cert from the Win2k CA (sh ca cert). Below is the debug when a client trying to authenticate using certificates attempts a connection:

ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: unknown DH group 5
ISAKMP: extended auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 2 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: unknown DH group 5
ISAKMP: extended auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 3 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: unknown DH group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 4 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: unknown DH group 5
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 5 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: extended auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 6 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: extended auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 7 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4 0x9b
ISAKMP: attribute 3584
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 9 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: unknown DH group 5
ISAKMP: extended auth RSA sig
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xc4
crypto_isakmp_process_block: src 67.75.208.16, dest 65.73.240.51
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src 67.75.208.16, dest 65.73.240.51
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing CERT payload. message ID = 0
ISAKMP (0): processing a CT_X509_SIGNATURE cert
ISAKMP (0): cert approved with warning
ISAKMP (0): processing CERT_REQ payload. message ID = 0
ISAKMP (0): peer wants a CT_X509_SIGNATURE cert
ISAKMP (0): processing SIG payload. message ID = 0
ISAKMP (0): processing NOTIFY payload 24578 protocol 1

Anybody have any ideas? I have contacted Cisco, and they are puzzled also. Thanks in advance.

Bryon

Hi.

Please post more info, including:
PIX OS version.
VPN client version.
PIX "isakmp" configuration (all isakmp commands!)

Look at CCO for the release notes of the VPN client software. You'll find there the supported isakmp configurations. Compare these to your config.

Bye


Yizhar Hurwitz
Cisco PIX Firewall Version 6.2(2)
VPN Client 4.0 or 3.64

sh isakmp
isakmp enable outside
isakmp key ******** address 12.118.242.246 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
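One way to read a debug like the one above mechanically: an added Python script (not from this thread) that parses each "Checking ISAKMP transform" block and compares the proposal attribute by attribute with the isakmp policy the PIX checked it against. The encryption code the PIX prints as unknown, 7, is AES-CBC in the IANA IKEv1 attribute registry; the input is a constructed two-transform excerpt of the debug and the policy 1 lines from the "sh isakmp" output, and the XAUTH variant of RSA-sig is recorded but not treated as a mismatch (an assumption of this script).

```python
import re

# Constructed excerpt: two of the nine transforms from the debug above plus
# the relevant "isakmp policy 1" lines from the poster's "sh isakmp".
DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash SHA
ISAKMP: unknown DH group 5
ISAKMP: extended auth RSA sig
ISAKMP (0): atts are not acceptable. Next payload is 3
ISAKMP (0): Checking ISAKMP transform 8 against priority 1 policy
ISAKMP: encryption... What? 7?
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth RSA sig
ISAKMP (0): atts are not acceptable. Next payload is 3
"""
POLICY = """\
isakmp policy 1 authentication rsa-sig
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
"""

# IKEv1 phase-1 encryption attribute value 7 is AES-CBC (IANA registry).
IANA_ENCR = {7: "aes"}

def parse_policy(text):
    """Map policy number -> {attribute: value} from 'isakmp policy' lines."""
    pol = {}
    for m in re.finditer(r"isakmp policy (\d+) (\w+) (\S+)", text):
        pol.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).lower()
    return pol

def parse_transforms(text):
    """One dict per proposed transform; keys mirror the isakmp policy attributes."""
    xforms, cur = [], None
    for line in text.splitlines():
        if m := re.match(r"ISAKMP \(0\): Checking ISAKMP transform (\d+) against priority (\d+)", line):
            cur = {"id": int(m.group(1)), "policy": int(m.group(2))}
            xforms.append(cur)
        elif m := re.match(r"ISAKMP: encryption\.\.\. What\? (\d+)\?", line):
            cur["encryption"] = IANA_ENCR.get(int(m.group(1)), f"unknown({m.group(1)})")
        elif m := re.match(r"ISAKMP: hash (\w+)", line):
            cur["hash"] = m.group(1).lower()
        elif m := re.match(r"ISAKMP: (?:unknown DH|default) group (\d+)", line):
            cur["group"] = m.group(1)
        elif m := re.match(r"ISAKMP: (extended auth|auth) RSA sig", line):
            cur["authentication"] = "rsa-sig"          # XAUTH variant not treated as a mismatch
            cur["xauth"] = m.group(1).startswith("extended")
    return xforms

def report(debug, policy_text):
    """Transform id -> sorted list of attributes that differ from the checked policy."""
    pol = parse_policy(policy_text)
    return {x["id"]: sorted(k for k in ("encryption", "hash", "group", "authentication")
                            if x.get(k) != pol.get(x["policy"], {}).get(k))
            for x in parse_transforms(debug)}
```

Transform 8 differs from policy 1 only in the encryption attribute, which shows the common factor across every rejected proposal in the log.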