So I cheated a bit.
The setup from the previous post would not really work, and here is why. Look at MM3/4 on the server side and at MM5 on the client, where it actually fails.
-----------------------------------
*Dec 28 20:48:41.199: ISAKMP:(1006): processing CERT_REQ payload. message ID = 0
*Dec 28 20:48:41.199: ISAKMP:(1006): peer wants a CT_X509_SIGNATURE cert
*Dec 28 20:48:41.199: ISAKMP:(1006): peer wants cert issued by cn=SUBCA2.cisco.com,ou=LAB1
(....)
*Dec 28 20:48:41.199: ISAKMP:(1006):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Dec 28 20:48:41.215: ISAKMP (1006): constructing CERT_REQ for issuer cn=SUBCA1.cisco.com,ou=LAB
-----------------------------------
This results in the client failing in MM5, because the two sides cannot find a common CA.
Easy fix: enrolling both to the same CA.
So the final configuration. Server side:
-----------------------------------
aaa new-model
aaa authentication login EZ local
aaa authorization network EZ local
crypto pki certificate map MAP1 10
 subject-name co lab
crypto isakmp policy 10
 encr aes
 group 2
crypto isakmp client configuration group EZ_GROUP
 domain cisco.com
 pool EZ
 save-password
 include-local-lan
 pfs
crypto isakmp profile ISAKMP_PROFILE
   match certificate MAP1
   client authentication list EZ
   isakmp authorization list EZ
   client configuration address respond
   client configuration group EZ_GROUP
   virtual-template 100
crypto ipsec transform-set ITS esp-3des esp-sha-hmac
crypto ipsec profile PRO
 set transform-set ITS
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PRO
-----------------------------------
Client side:
-----------------------------------
crypto ipsec client ezvpn EZ_CLIENT
 connect manual
 mode client
 peer 192.168.0.1
 virtual-interface 100
 username cisco password cisco
 xauth userid mode local
interface Virtual-Template100 type tunnel
 no ip address
 tunnel mode ipsec ipv4
end
-----------------------------------
Server side debugs:
------------------------------------
*Jan 2 09:53:46.527: ISAKMP:(1003):Old State = IKE_R_MM3 New State = IKE_R_MM3
*Jan 2 09:53:46.547: ISAKMP (0:1003): constructing CERT_REQ for issuer cn=SUBCA2.cisco.com,ou=LAB1
*Jan 2 09:53:46.547: ISAKMP (0:1003): constructing CERT_REQ for issuer cn=SUBCA1.cisco.com,ou=LAB
(....)
*Jan 2 09:53:46.615: ISAKMP:(0):: UNITY's identity group: OU = LAB1
*Jan 2 09:53:46.615: ISAKMP:(0):: peer matches *none* of the profiles
*Jan 2 09:53:46.615: ISAKMP:(1003): processing CERT payload. message ID = 0
*Jan 2 09:53:46.615: ISAKMP:(1003): processing a CT_X509_SIGNATURE cert
*Jan 2 09:53:46.615: ISAKMP:(1003): peer's pubkey is cached
*Jan 2 09:53:46.615: ISAKMP:(1003): OU = LAB1
*Jan 2 09:53:46.615: ISAKMP:(0): certificate map matches ISAKMP_PROFILE profile
*Jan 2 09:53:46.615: ISAKMP:(0): Trying to re-validate CERT using new profile
*Jan 2 09:53:46.615: ISAKMP:(0): CERT validity confirmed.
--------------------------------
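To make the "no common CA" condition from the MM3 excerpt at the top and the working server-side debugs above easy to spot in a debug capture, here is a small added checker (my example, not part of the original post or of IOS). It compares the issuers the peer asks for in its CERT_REQ with the issuers this side puts in its own CERT_REQ (assumed to reflect the trustpoints it has), and reports whether a certificate map then selected an ISAKMP profile. The sample debug lines are constructed from the format on this page; the "peer wants cert issued by" line in the working sample is assumed, since the post elides that part.

```python
import re

# Patterns for the "debug crypto isakmp" lines that decide the common-CA check.
PEER_WANTS = re.compile(r"peer wants cert issued by (.+?)\s*$")
LOCAL_REQ = re.compile(r"constructing CERT_REQ for issuer (.+?)\s*$")
MAP_MATCH = re.compile(r"certificate map matches (\S+) profile")

def analyse_cert_req(lines):
    """Return (common, peer_only, profile) for one ISAKMP main-mode exchange.
    Assumption: issuers in this side's own CERT_REQ are the CAs it has
    trustpoints for; the peer's CERT_REQ lists the CAs the peer trusts."""
    peer, local, profile = set(), set(), None
    for line in lines:
        if m := PEER_WANTS.search(line):
            peer.add(m.group(1))
        elif m := LOCAL_REQ.search(line):
            local.add(m.group(1))
        elif m := MAP_MATCH.search(line):
            profile = m.group(1)  # isakmp profile selected by the cert map
    return peer & local, peer - local, profile

def verdict(lines):
    """Human-readable diagnosis of the MM3/MM5 certificate negotiation."""
    common, peer_only, profile = analyse_cert_req(lines)
    if not common:
        return "FAIL: no common CA, peer only trusts " + ", ".join(sorted(peer_only))
    if profile is None:
        return "WARN: common CA but no certificate map matched an ISAKMP profile"
    return "OK: common CA %s selected profile %s" % (sorted(common)[0], profile)

# Constructed samples modelled on the debug excerpts in the post (not verbatim).
FAILING = """\
*Dec 28 20:48:41.199: ISAKMP:(1006): peer wants a CT_X509_SIGNATURE cert
*Dec 28 20:48:41.199: ISAKMP:(1006): peer wants cert issued by cn=SUBCA2.cisco.com,ou=LAB1
*Dec 28 20:48:41.215: ISAKMP (1006): constructing CERT_REQ for issuer cn=SUBCA1.cisco.com,ou=LAB
""".splitlines()

WORKING = """\
*Jan 2 09:53:46.527: ISAKMP:(1003): peer wants cert issued by cn=SUBCA2.cisco.com,ou=LAB1
*Jan 2 09:53:46.547: ISAKMP (0:1003): constructing CERT_REQ for issuer cn=SUBCA2.cisco.com,ou=LAB1
*Jan 2 09:53:46.547: ISAKMP (0:1003): constructing CERT_REQ for issuer cn=SUBCA1.cisco.com,ou=LAB
*Jan 2 09:53:46.615: ISAKMP:(0): certificate map matches ISAKMP_PROFILE profile
""".splitlines()

if __name__ == "__main__":
    print(verdict(FAILING))
    print(verdict(WORKING))
```

Feed it the output of "debug crypto isakmp" from the responder; a FAIL verdict in MM3 is the condition that later shows up as the client giving up in MM5.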