[c-nsp] L2TP over IPSec on an ASA using machine certificate authentication -- anyone has success?

Inca tincan at gmail.com
Wed Dec 17 14:28:36 EST 2008


Has anyone had success implementing L2TP over IPSec remote access VPN
using machine certificate for phase 1 negotiation (instead of
pre-shared key)? If we use pre-shared key for the phase 1 negotiation,
the VPN connection is successful. But once we switch over to using
certificate for phase 1 negotiation, ISAKMP just doesn't seem to
complete properly enough for phase 2 to kick in (although "debug
crypto isakmp 255" on the ASA does say that "PHASE 1 COMPLETED",
"debug crypto ipsec 255" returns no messages). The machine and root
certificates on the OS X 10.5.5 client were successfully imported into
the keychain; the trust point on the ASA5510 is also setup properly.
Yet, for some reason, the phase 1 negotiation just doesn't seem to
jive well. We also tested using a Windows XP client machine, but that
didn't work either. If anyone has had success with implementing L2TP
over IPSec using machine certificate, I sure would appreciate any
pointers. I've included debug messages from both the client and the
ASA.

TIA,
Inca


Remote access client (Mac OS X 10.5.5, at 172.17.1.1)
-------------------------------------------------------------------------
Wed Dec 17 10:54:49 2008 : L2TP connecting to server '192.168.254.254'
(192.168.254.254)...
Wed Dec 17 10:54:52 2008 : L2TP sent SCCRQ
Wed Dec 17 10:54:52 2008 : IPSec connection started
Wed Dec 17 10:54:52 2008 : IPSec phase 1 client started
Wed Dec 17 10:54:52 2008 : IPSec phase 1 server replied
Wed Dec 17 10:54:52 2008 : IPSec connection failed <IKE Error 18
(0x12) Invalid id information>




ASA5510 (running software 8.0(4)16, at 192.168.254.254)
-----------------------------------------------------------------------------
Dec 17 10:54:38 [IKEv1]: IP = 172.17.1.1, IKE_DECODE RECEIVED Message
(msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total
length : 300
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing SA payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Oakley proposal is acceptable
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received NAT-Traversal RFC VID
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received NAT-Traversal
ver 03 VID
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received NAT-Traversal
ver 02 VID
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing VID payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, Received DPD VID
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, processing IKE SA payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, IKE SA Proposal # 1,
Transform # 1 acceptable  Matches global IKE entry # 10
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing ISAKMP SA payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing
NAT-Traversal VID ver 02 payload
Dec 17 10:54:38 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing
Fragmentation VID + extended capabilities payload
Dec 17 10:54:38 [IKEv1]: IP = 172.17.1.1, IKE_DECODE SENDING Message
(msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) +
NONE (0) total length : 124
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, IKE_DECODE RECEIVED Message
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + NAT-D (130) +
NAT-D (130) + NONE (0) total length : 228
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing ke payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing ISA_KE payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing nonce payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing NAT-Discovery payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, computing NAT Discovery hash
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing NAT-Discovery payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, computing NAT Discovery hash
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing ke payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing nonce payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing certreq payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing certreq payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing Cisco
Unity VID payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing xauth V6
VID payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Send IOS VID
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Constructing ASA
spoofing IOS Vendor ID payload (version: 1.0.0, capabilities:
20000001)
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing VID payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Send Altiga/Cisco
VPN3000/Cisco ASA GW VID
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing
NAT-Discovery payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, computing NAT Discovery hash
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, constructing
NAT-Discovery payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, computing NAT Discovery hash
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Generating keys for Responder...
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, IKE_DECODE SENDING Message
(msgid=0) with payloads : HDR + KE (4) + NONCE (10) + CERT_REQ (7) +
CERT_REQ (7) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) +
NAT-D (130) + NAT-D (130) + NONE (0) total length : 623
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, IKE_DECODE RECEIVED Message
(msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + CERT_REQ
(7) + NONE (0) total length : 1509
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing ID payload
Dec 17 10:54:39 [IKEv1 DECODE]: IP = 172.17.1.1, DER_ASN1_DN ID
received, len 148
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing cert payload
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing RSA signature
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, Computing hash for ISAKMP
Dec 17 10:54:39 [IKEv1 DEBUG]: IP = 172.17.1.1, processing cert request payload
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Automatic NAT Detection
Status:     Remote end is NOT behind a NAT device     This   end is
NOT behind a NAT device
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Trying to find group via OU...
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, No Group found by matching
OU(s) from ID payload:   ou=Information Management Systems and
Services,
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Trying to find group via IKE ID...
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Trying to find group via IP ADDR...
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Trying to find group via
default group...
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Connection landed on
tunnel_group DefaultRAGroup
Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP =
172.17.1.1, peer ID type 9 received (DER_ASN1_DN)
Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP =
172.17.1.1, constructing ID payload
Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP =
172.17.1.1, constructing cert payload
Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP =
172.17.1.1, constructing RSA signature
Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP =
172.17.1.1, Computing hash for ISAKMP
Dec 17 10:54:39 [IKEv1 DECODE]: Constructed Signature Len: 128
Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP =
172.17.1.1, constructing dpd vid payload
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, IKE_DECODE SENDING Message
(msgid=0) with payloads : HDR + ID (5) + CERT (6) + SIG (9) + VENDOR
(13) + NONE (0) total length : 1510
Dec 17 10:54:39 [IKEv1]: Group = DefaultRAGroup, IP = 172.17.1.1,
PHASE 1 COMPLETED
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Keep-alive type for this
connection: DPD
Dec 17 10:54:39 [IKEv1 DEBUG]: Group = DefaultRAGroup, IP =
172.17.1.1, Starting P1 rekey timer: 2700 seconds.
Dec 17 10:54:39 [IKEv1]: Group = DefaultRAGroup, IP = 172.17.1.1,
Received encrypted Oakley Informational packet with invalid payloads,
MessID = 3526517605
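As an added example (not from the poster or Cisco), the following parser reads a constructed excerpt of the ASA "debug crypto isakmp 255" output quoted above (wrapped entries re-joined onto single lines) and flags the events worth checking when certificate-based phase 1 completes but phase 2 never starts: the DN-form IKE identity, the failed OU-to-tunnel-group match, the fallback to DefaultRAGroup, and the post-phase-1 informational packet with invalid payloads. The finding labels are assumptions of this example, not ASA terminology.

```python
import re

# Constructed excerpt of the ASA debug output quoted in the post; the
# multi-line wrapped entries are joined back into single lines here.
SAMPLE_LOG = """\
Dec 17 10:54:38 [IKEv1]: IP = 172.17.1.1, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 300
Dec 17 10:54:39 [IKEv1 DECODE]: IP = 172.17.1.1, DER_ASN1_DN ID received, len 148
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, No Group found by matching OU(s) from ID payload:   ou=Information Management Systems and Services,
Dec 17 10:54:39 [IKEv1]: IP = 172.17.1.1, Connection landed on tunnel_group DefaultRAGroup
Dec 17 10:54:39 [IKEv1]: Group = DefaultRAGroup, IP = 172.17.1.1, PHASE 1 COMPLETED
Dec 17 10:54:39 [IKEv1]: Group = DefaultRAGroup, IP = 172.17.1.1, Received encrypted Oakley Informational packet with invalid payloads, MessID = 3526517605
"""

# "Mon DD HH:MM:SS [component]: body"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d+ [\d:]+) \[(?P<level>[^\]]+)\]: (?P<body>.*)$")

def parse_ike_log(text):
    """Split each debug line into timestamp, component, peer IP, tunnel group and message."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        group = re.search(r"Group = ([^,]+),", body)
        ip = re.search(r"IP = ([\d.]+),", body)
        # Strip the optional "Group = ..., " and "IP = ..., " prefixes to get the bare message.
        msg = re.sub(r"^(Group = [^,]+, )?(IP = [\d.]+, )?", "", body)
        entries.append({"ts": m.group("ts"), "level": m.group("level"),
                        "ip": ip.group(1) if ip else None,
                        "group": group.group(1) if group else None,
                        "msg": msg})
    return entries

def find_cert_auth_issues(entries):
    """Return (label, detail) findings for the events that matter in a cert-based phase 1."""
    findings = []
    for e in entries:
        msg = e["msg"]
        if "DER_ASN1_DN ID received" in msg:              # peer identified itself by certificate DN
            findings.append(("dn-identity", msg.rsplit("len ", 1)[1]))
        elif msg.startswith("No Group found by matching OU"):  # OU in the DN matched no tunnel group
            ou = msg.split("ID payload:", 1)[1].strip().rstrip(",")
            findings.append(("no-ou-match", ou))
        elif "landed on tunnel_group DefaultRAGroup" in msg:   # fell through to the default RA group
            findings.append(("default-group-fallback", e["ip"]))
        elif "Informational packet with invalid payloads" in msg:  # peer sent junk after phase 1
            findings.append(("invalid-informational", e["group"]))
    return findings
```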

