
IPsec between W2K and Cisco router



Hi,

I'm trying to configure IPsec between a Win2000 client and a cisco router in
a test environment.
The final goal is to implement a VPN for mobile users (using W2K on their
laptops and dialing into any ISP).
As I don't like to implement IPsec on a bastion host (separation of
duties... not to speak of performance problems) the endpoint for the VPN
connections shall be a corporate cisco router which terminates the IPsec
connection (+ L2TP connection on top of it).

I'm working with W2K SP1 on the client side and a cisco 3620 running
'c3620-is56i-mz.121-5.T.bin' (I know: early deployment... but then I'm able
to use SSH on the router... and don't blame me for not using 3DES... too
much effort to register on cco... and, as I said, it's just a test lab).

And I want to use cert-based authentication...

So, I installed a W2K-based CA with CEP add-on (from the rk) and got some
certs for the router and the client.
I ended up with the cisco claiming 'certificate invalid' during IKE several
times.

Question 1.) Which type of cert should I use for the client to avoid this? I
tried several ones (the so called 'Ipsec cert', the 'client auth cert' and
others), without any success. I think W2K CA issues standard X509v3 certs
(but I'm not sure here, can anybody confirm or deny?).
Sure, I could install a Linux or BSD-based CA (e.g. isakmpd on one of my
OpenBSD boxes) but this would add even more heterogeneity.
So, where is the problem for the cisco to accept the client's certificate??

-----

Then I broke down to 'pre-shared' to get it running and potentially find my
problem. Just for testing... I don't like the idea of using 'pre-shared'...

Now I succeed in phase 1 and then this happens [taken from the router with
'debug crypto isakmp']:

*Mar  6 04:45:02: ISAKMP: transform 1, ESP_DES
*Mar  6 04:45:02: ISAKMP:   attributes in transform:
*Mar  6 04:45:02: ISAKMP:      SA life type in seconds
*Mar  6 04:45:02: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0x3 0x84
*Mar  6 04:45:02: ISAKMP:      SA life type in kilobytes
*Mar  6 04:45:02: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x86 0xA0
*Mar  6 04:45:02: ISAKMP:      encaps is 2
*Mar  6 04:45:02: ISAKMP:      authenticator is HMAC-MD5
*Mar  6 04:45:02: ISAKMP (0:3): atts are acceptable.
*Mar  6 04:45:02: ISAKMP (0:3): IPSec policy invalidated proposal
*Mar  6 04:45:02: ISAKMP (0:3): phase 2 SA not acceptable!

Question 2:

What does 'IPsec policy invalidated proposal' mean? Which policy invalidated
whose proposal and for what possible reason?

This is what I get on the client:

3-12: 19:18:33:160 Setting SA timeout: 25860
 3-12: 19:18:33:160 Added Timeout af0a0
 3-12: 19:18:33:160 Copying temp iv to sa->crypt_iv
 3-12: 19:18:33:160 Created new conn entry 23b4f0
 3-12: 19:18:33:160 Starting QM with mess ID bb3bac5f
 3-12: 19:18:33:160 find(ipsec): da2998ca-d62c-44c5-92c1d0257ac79274
 3-12: 19:18:33:160 GetSpi: src = 192.168.96.4.0000, dst =
192.168.96.12.0000, proto = 00, context = 81301F28, srcMask =
255.255.255.255, destMask = 255.255.255.255, TunnelFilter 0
 3-12: 19:18:33:160 Setting SPI  594964592
 3-12: 19:18:33:160 constructing ISAKMP Header
 3-12: 19:18:33:160 constructing HASH (null)
 3-12: 19:18:33:160 constructing SA (IPSEC)
 3-12: 19:18:33:160 constructing NONCE (IPSEC)
 3-12: 19:18:33:160 constructing ID (proxy)
 3-12: 19:18:33:160 constructing ID (proxy)
 3-12: 19:18:33:160 constructing HASH (QM)
 3-12: 19:18:33:160 Construct QM Hash mess ID = 1605123003
 3-12: 19:18:33:160 Throw: State mask=30000
 3-12: 19:18:33:160 Doing DES
 3-12: 19:18:33:160 Added Timeout b1cd8
 3-12: 19:18:33:160 Setting Retransmit: sa 23cc90 centry 23b4f0 handle b1cd8
context 23ab38
 3-12: 19:18:33:160
 3-12: 19:18:33:160 Sending: SA = 0x0023CC90 to 192.168.96.4
 3-12: 19:18:33:160 ISAKMP Header: (V1.0), len = 268
 3-12: 19:18:33:160   I-COOKIE a7f1496896f5bbde
 3-12: 19:18:33:160   R-COOKIE 6408de5fe3fa3d3a
 3-12: 19:18:33:160   exchange: Oakley Quick Mode
 3-12: 19:18:33:160   flags: 1 ( encrypted )
 3-12: 19:18:33:160   next payload: HASH
 3-12: 19:18:33:160   message ID: bb3bac5f
 3-12: 19:18:33:160
 3-12: 19:18:33:160 Resume: (get) SA = 0x0023cc90 from 192.168.96.4
 3-12: 19:18:33:160 ISAKMP Header: (V1.0), len = 244
 3-12: 19:18:33:160   I-COOKIE a7f1496896f5bbde
 3-12: 19:18:33:160   R-COOKIE 6408de5fe3fa3d3a
 3-12: 19:18:33:160   exchange: ISAKMP Informational Exchange
 3-12: 19:18:33:160   flags: 1 ( encrypted )
 3-12: 19:18:33:160   next payload: HASH
 3-12: 19:18:33:160   message ID: ec51de13
 3-12: 19:18:33:160 Doing DES
 3-12: 19:18:33:160 Received InfoExchange with mess ID 3964788243
 3-12: 19:18:33:160 processing HASH (ND)
 3-12: 19:18:33:160 ND Verify Hash skeyid_a 02097b90ceddbfe5f5ecb9518b5e2426
 3-12: 19:18:33:160 e3db3240
 3-12: 19:18:33:160 Verify ND Hash mess ID ec51de13
 3-12: 19:18:33:160 Verify ND hash message len = 184 hdrlen=236 hashpl=24
 3-12: 19:18:33:160 ND Hash message 000000b8000000010304000e23767070
 3-12: 19:18:33:160 0a0000a8000000010000000100000000
 3-12: 19:18:33:160 62533dfc000000006254994461165bac
 3-12: 19:18:33:160 010000180000007462533dfc623ab008
 3-12: 19:18:33:160 01549944623ab08862549944623ab088
 3-12: 19:18:33:160 62540fdc0000000802c043d800000001
 3-12: 19:18:33:160 6207d8f461164a5862533ea40000010c
 3-12: 19:18:33:160 bb3bac5f623ab038bb3bac5f00000000
 3-12: 19:18:33:160 0000010c61d900006207d8f4611666ec
 3-12: 19:18:33:160 61f5196c61f582d8623ab0b4623ab088
 3-12: 19:18:33:160 0100000c6116541061a00000623ab0b0
 3-12: 19:18:33:160 62533ec862533dc8
 3-12: 19:18:33:160 processing payload NOTIFY
 3-12: 19:18:33:160 notify: NO-PROPOSAL-CHOSEN

----------

Thanks a lot for any advice or pointer &

regards,

Enno Rey

PGP 74C0 C7E1 3875 E4EB 9B75  8B9D 5E2D 3178 685B F222
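The router's debug lines above are the peer's phase-2 proposal as the router sees it. As an added illustration (not code from the post, from Cisco IOS or from Windows), the parser below decodes those attributes, including the variable-length big-endian lifetime bytes (0x0 0x0 0x3 0x84 = 900 seconds, 0x0 0x1 0x86 0xA0 = 100000 KB) and the IPsec DOI encapsulation mode (1 = tunnel, 2 = transport), and then compares them with a locally configured transform set the way a responder's policy check does. The local policy dictionary is an assumed example; the sample debug text is the post's own lines.

```python
import re

# Constructed sample: the transform attributes quoted from
# 'debug crypto isakmp' in the post above.
ROUTER_DEBUG = """\
*Mar  6 04:45:02: ISAKMP: transform 1, ESP_DES
*Mar  6 04:45:02: ISAKMP:   attributes in transform:
*Mar  6 04:45:02: ISAKMP:      SA life type in seconds
*Mar  6 04:45:02: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0x3 0x84
*Mar  6 04:45:02: ISAKMP:      SA life type in kilobytes
*Mar  6 04:45:02: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x86 0xA0
*Mar  6 04:45:02: ISAKMP:      encaps is 2
*Mar  6 04:45:02: ISAKMP:      authenticator is HMAC-MD5
"""

# IPsec DOI encapsulation mode values (RFC 2407).
ENCAPS = {1: "tunnel", 2: "transport"}


def parse_proposal(debug):
    """Decode the peer's phase-2 proposal from IOS ISAKMP debug lines."""
    prop = {}
    life_type = None
    for line in debug.splitlines():
        m = re.search(r"transform \d+, (\S+)", line)
        if m:
            prop["esp"] = m.group(1)
        m = re.search(r"SA life type in (\w+)", line)
        if m:
            life_type = m.group(1)
        m = re.search(r"life duration \(VPI\) of\s+((?:0x[0-9A-Fa-f]+\s*)+)", line)
        if m and life_type:
            # Variable-length value: each 0x token is one big-endian byte.
            value = 0
            for tok in m.group(1).split():
                value = (value << 8) | int(tok, 16)
            prop["life_" + life_type] = value
        m = re.search(r"encaps is (\d+)", line)
        if m:
            prop["mode"] = ENCAPS.get(int(m.group(1)), "unknown")
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            prop["auth"] = m.group(1)
    return prop


def policy_mismatches(proposal, local):
    """Fields on which the local transform set rejects the proposal."""
    return sorted(k for k in ("esp", "auth", "mode") if proposal.get(k) != local.get(k))
```

A responder also has to match the proxy identities (here the two /32 hosts 192.168.96.12 and 192.168.96.4 in transport mode) against its crypto map access list; that check is not modelled here, but a mismatch there is rejected just like a transform mismatch.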
