Friday, January 01, 2010

EZVPN with certificates, part 2

So I cheated a bit.

The config from the previous post would not really work; here's why. Look at MM3/MM4 on the server side and MM5 on the client, where it would actually fail.
-----------------------------------
*Dec 28 20:48:41.199: ISAKMP:(1006): processing CERT_REQ payload. message ID = 0
*Dec 28 20:48:41.199: ISAKMP:(1006): peer wants a CT_X509_SIGNATURE cert
*Dec 28 20:48:41.199: ISAKMP:(1006): peer wants cert issued by cn=SUBCA2.cisco.com,ou=LAB1
(....)
*Dec 28 20:48:41.199: ISAKMP:(1006):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Dec 28 20:48:41.215: ISAKMP (1006): constructing CERT_REQ for issuer cn=SUBCA1.cisco.com,ou=LAB
-----------------------------------

The client only accepts a certificate issued by SUBCA2, while the server builds its CERT_REQ for SUBCA1, so the client fails in MM5 because no common CA can be found.
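A quick check for exactly this mismatch, added here as an example and not part of the original post: it pulls the issuer DNs from the "peer wants cert issued by" and "constructing CERT_REQ for issuer" lines of debug crypto isakmp output and reports whether the two sides share a CA. The sample debug text is constructed in the post's format, not a real capture.

```python
import re

# Constructed sample lines in the format of the post's "debug crypto isakmp"
# output (not real captures): one mismatched exchange, one that shares a CA.
MISMATCH_DEBUG = """\
*Dec 28 20:48:41.199: ISAKMP:(1006): peer wants a CT_X509_SIGNATURE cert
*Dec 28 20:48:41.199: ISAKMP:(1006): peer wants cert issued by cn=SUBCA2.cisco.com,ou=LAB1
*Dec 28 20:48:41.215: ISAKMP (1006): constructing CERT_REQ for issuer cn=SUBCA1.cisco.com,ou=LAB
"""

MATCH_DEBUG = """\
*Jan  2 09:53:46.527: ISAKMP:(1003): peer wants cert issued by cn=SUBCA2.cisco.com,ou=LAB1
*Jan  2 09:53:46.547: ISAKMP (0:1003): constructing CERT_REQ for issuer cn=SUBCA2.cisco.com,ou=LAB1
*Jan  2 09:53:46.547: ISAKMP (0:1003): constructing CERT_REQ for issuer cn=SUBCA1.cisco.com,ou=LAB
"""

# Issuer DN the peer asks for in its CERT_REQ, and issuer DN this side puts in its own.
PEER_WANTS = re.compile(r"peer wants cert issued by\s+(.+?)\s*$")
WE_REQUEST = re.compile(r"constructing CERT_REQ for issuer\s+(.+?)\s*$")

def normalize_dn(dn):
    """Canonicalise a DN so 'CN=X, OU=Y' and 'cn=x,ou=y' compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def cert_req_issuers(debug_text):
    """Return (issuers the peer accepts, issuers this side accepts)."""
    peer, local = set(), set()
    for line in debug_text.splitlines():
        if m := PEER_WANTS.search(line):
            peer.add(normalize_dn(m.group(1)))
        elif m := WE_REQUEST.search(line):
            local.add(normalize_dn(m.group(1)))
    return peer, local

def common_issuers(debug_text):
    """CAs both sides trust; an empty set means MM5 will fail with no common CA."""
    peer, local = cert_req_issuers(debug_text)
    return peer & local

def diagnose(debug_text):
    """One-line verdict for a debug capture."""
    common = common_issuers(debug_text)
    if common:
        return "ok: common issuer(s) " + "; ".join(sorted(common))
    peer, local = cert_req_issuers(debug_text)
    return ("no common CA: peer accepts %s, we request %s"
            % (sorted(peer), sorted(local)))
```

Run diagnose() over a saved debug capture from either side; the first sample reports no common CA, the second reports SUBCA2 as the shared issuer.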

Easy fix: enroll both sides to the same CA.

So the end config. Server side:
-----------------------------------
aaa new-model
aaa authentication login EZ local
aaa authorization network EZ local
crypto pki certificate map MAP1 10
 subject-name co lab
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp client configuration group EZ_GROUP
 domain cisco.com
 pool EZ
 save-password
 include-local-lan
 pfs
crypto isakmp profile ISAKMP_PROFILE
   match certificate MAP1
   client authentication list EZ
   isakmp authorization list EZ
   client configuration address respond
   client configuration group EZ_GROUP
   virtual-template 100
crypto ipsec transform-set ITS esp-3des esp-sha-hmac
crypto ipsec profile PRO
 set transform-set ITS

interface Virtual-Template100 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PRO
-----------------------------------

Client side:
-----------------------------------
crypto ipsec client ezvpn EZ_CLIENT
 connect manual
 mode client
 peer 192.168.0.1
 virtual-interface 100
 username cisco password cisco
 xauth userid mode local
interface Virtual-Template100 type tunnel
 no ip address
 tunnel mode ipsec ipv4
end
-----------------------------------


Server side debugs:
------------------------------------
*Jan  2 09:53:46.527: ISAKMP:(1003):Old State = IKE_R_MM3  New State = IKE_R_MM3
*Jan  2 09:53:46.547: ISAKMP (0:1003): constructing CERT_REQ for issuer cn=SUBCA2.cisco.com,ou=LAB1
*Jan  2 09:53:46.547: ISAKMP (0:1003): constructing CERT_REQ for issuer cn=SUBCA1.cisco.com,ou=LAB
(....)
*Jan  2 09:53:46.615: ISAKMP:(0):: UNITY's identity group: OU = LAB1
*Jan  2 09:53:46.615: ISAKMP:(0):: peer matches *none* of the profiles
*Jan  2 09:53:46.615: ISAKMP:(1003): processing CERT payload. message ID = 0
*Jan  2 09:53:46.615: ISAKMP:(1003): processing a CT_X509_SIGNATURE cert
*Jan  2 09:53:46.615: ISAKMP:(1003): peer's pubkey is cached
*Jan  2 09:53:46.615: ISAKMP:(1003): OU = LAB1
*Jan  2 09:53:46.615: ISAKMP:(0): certificate map matches ISAKMP_PROFILE profile
*Jan  2 09:53:46.615: ISAKMP:(0): Trying to re-validate CERT using new profile
*Jan  2 09:53:46.615: ISAKMP:(0): CERT validity confirmed.
--------------------------------