gman14
asked on
Need instruction on creating a VPN certificate
I need instruction on creating and authenticating a VPN certificate for an individual user, so that the certificate can be requested, issued and authenticated from outside the network. I need to know how to configure the VPN client in order to make it work with our Cisco ASA. Thanks for your help.
ASKER
Thanks about it. I actually tried what was stated on the links you had provided, but when I tried to connect with a certificate I had created, this was what I got:
Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2
93 17:31:29.796 10/03/07 Sev=Info/4 CM/0x63100002
Begin connection process
94 17:31:29.812 10/03/07 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet
95 17:31:29.812 10/03/07 Sev=Info/4 CM/0x63100024
Attempt connection with server "12.167.19.194"
96 17:31:30.812 10/03/07 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 12.167.19.194.
97 17:31:30.875 10/03/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 12.167.19.194
98 17:31:30.890 10/03/07 Sev=Info/4 IPSEC/0x63700008
IPSec driver successfully started
99 17:31:30.890 10/03/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
100 17:31:36.312 10/03/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
101 17:31:36.312 10/03/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 12.167.19.194
102 17:31:41.312 10/03/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
103 17:31:41.312 10/03/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 12.167.19.194
104 17:31:46.312 10/03/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
105 17:31:46.312 10/03/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 12.167.19.194
106 17:31:51.312 10/03/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=9F5A9C309A965466 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
107 17:31:51.812 10/03/07 Sev=Info/4 IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9F5A9C309A965466 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
108 17:31:51.812 10/03/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "12.167.19.194" because of "DEL_REASON_PEER_NOT_RESPONDING"
109 17:31:51.812 10/03/07 Sev=Info/5 CM/0x63100025
Initializing CVPNDrv
110 17:31:51.812 10/03/07 Sev=Info/4 IKE/0x63000001
IKE received signal to terminate VPN connection
111 17:31:51.828 10/03/07 Sev=Info/4 IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully
112 17:31:51.828 10/03/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
113 17:31:51.828 10/03/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
114 17:31:51.828 10/03/07 Sev=Info/4 IPSEC/0x63700014
Deleted all keys
115 17:31:51.828 10/03/07 Sev=Info/4 IPSEC/0x6370000A
IPSec driver successfully stopped
ASKER CERTIFIED SOLUTION
ASKER
Thanks. I have posted both the
client debug- https://filedb.experts-exchange.com/incoming/ee-stuff/4920-VPN-client--debug.txt
if that helps
I would need to see the complete configuration of the ASA. Can you post it up to ee-stuff?
ASKER
This is the link to the complete config
https://filedb.experts-exchange.com/incoming/ee-stuff/4918-VPN-client--debug.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/4919-Debug-ASA.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/4920-VPN-client--debug.txt
https://filedb.experts-exchange.com/incoming/ee-stuff/4921-NYASA.txt
any help will be greatly appreciated. Thanks.
>access-list splittunnel standard permit 10.30.0.0 255.255.255.0
You can remove this, it is not necessary to add the vpn ip pool to the list.
>access-list combolist extended permit ip 172.31.176.0 255.255.255.0 10.30.0.0 255.255.255.0
Is it your intent that the VPN users can only access the 172.31.176.0 subnet?
>route inside 172.31.176.0 255.255.255.0 10.8.0.254
Does this router at 10.8.0.254 have a route back to this ASA for the 10.30.0.0/24 vpn ip pool subnet?
From the debug:
>All SA proposals found unacceptable
This appears to have been fixed with the proper transform/policy match.
>outside_dyn_map 20 set transform-set ESP-3DES-SHA
Matches the policy, so that error message does not show up again in the debug logs.
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
It appears that the certificate exchange is good, but something else is preventing phase1 from completing.
I hate to say it, but I'd punt this one over to Cisco TAC and see if they can help. I just don't have enough experience at debugging using certificates....
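The client log quoted above ends in repeated retransmissions and a PEER_NOT_RESPONDING reason. As an added triage aid (not part of this thread, and not Cisco's tooling), the script below parses the Cisco VPN Client 4.x log format (one header line, then one message line) and separates "the peer never answered" from "the peer answered but negotiation failed", using the fact that an all-zero responder cookie means no ISAKMP reply was ever received. The sample log is a constructed excerpt modelled on the thread's lines, with 192.0.2.10 as a placeholder server address.

```python
import re

# Constructed excerpt in the Cisco VPN Client 4.x log format (header line, then message
# line), modelled on the lines quoted in this thread; 192.0.2.10 is a placeholder address.
SAMPLE_LOG = """\
97 17:31:30.875 10/03/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 192.0.2.10
100 17:31:36.312 10/03/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
101 17:31:36.312 10/03/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 192.0.2.10
102 17:31:41.312 10/03/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
106 17:31:51.312 10/03/07 Sev=Info/4 IKE/0x63000017
Marking IKE SA for deletion (I_Cookie=9F5A9C309A965466 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
108 17:31:51.812 10/03/07 Sev=Info/4 CM/0x63100014
Unable to establish Phase 1 SA with server "192.0.2.10" because of "DEL_REASON_PEER_NOT_RESPONDING"
"""

# seq, time, date, severity class, level, module, hex event code
HEADER = re.compile(r"^(\d+) (\d\d:\d\d:\d\d\.\d+) (\d\d/\d\d/\d\d) Sev=(\w+)/(\d) (\w+)/0x([0-9A-Fa-f]+)$")

def parse_log(text):
    """Return a list of events; each header line is paired with the message line after it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    events = []
    for i in range(len(lines) - 1):
        m = HEADER.match(lines[i])
        if m:
            events.append({"seq": int(m.group(1)), "time": m.group(2), "sev": m.group(4),
                           "module": m.group(6), "code": m.group(7), "msg": lines[i + 1]})
    return events

def triage_phase1(events):
    """Classify an IKEv1 phase 1 failure from the client's point of view."""
    sent = sum(e["msg"].startswith("SENDING >>>") for e in events)
    received = sum(e["msg"].startswith("RECEIVING <<<") for e in events)
    retrans = sum("Retransmitting last packet" in e["msg"] for e in events)
    reason = None
    for e in events:
        m = re.search(r'Phase 1 SA .* because of "([A-Z_]+)"', e["msg"])
        if m:
            reason = m.group(1)
    # An all-zero responder cookie means no ISAKMP reply ever arrived from the peer.
    no_reply = received == 0 and any("R_Cookie=0000000000000000" in e["msg"] for e in events)
    if reason is None:
        verdict = "phase 1 not reported as failed"
    elif reason == "DEL_REASON_PEER_NOT_RESPONDING" and no_reply:
        verdict = ("no IKE reply from peer: check UDP/500 (and UDP/4500 for NAT-T) reachability "
                   "and that ISAKMP is enabled on the ASA outside interface")
    else:
        verdict = f"peer replied but negotiation failed ({reason}): compare isakmp policy, transform set and trustpoint"
    return {"sent": sent, "received": received, "retransmissions": retrans, "reason": reason, "verdict": verdict}
```

Run it against a real client log by passing the file contents to parse_log; a non-zero received count with a failure reason points at the ASA-side configuration rather than at connectivity.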
ASKER
172.31.176.0 255.255.255.0 10.30.0.0 255.255.255.0
route inside 172.31.176.0 255.255.255.0 10.8.0.254
is for our VOIP phones, which have to be in another subnet different from our main subnet. I have placed the issue with Cisco TAC; hopefully I find a solution to that. Thanks for all your help.
I know this is very old, but did you get it resolved? I have the same problem.
http://cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml
What version VPN client?
http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009468a.shtml
The procedure would be basically the same with any other client. Request the cert from the CA server, download the cert and import it.
Procedures for 4.6
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/win/user/guide/vc6.html
The 5.0 client uses the same procedure as 4.6 through the VPN Client GUI.