
Re: IPsec between W2K and Cisco router



This is not the correct list. If you need specific product help, please
contact the Cisco TAC. I am sure they can help.

Thanks

Regards
Scott
----- Original Message -----
From: "Enno Rey" <erey@ix.urz.uni-heidelberg.de>
To: <ipsec@lists.tislabs.com>
Sent: Monday, March 12, 2001 11:37 AM
Subject: IPsec between W2K and Cisco router


> Hi,
>
> I'm trying to configure IPsec between a Win2000 client and a cisco router in
> a test environment.
> The final goal is to implement a VPN for mobile users (using W2K on their
> laptops and dialing into any ISP).
> As I don't like to implement IPsec on a bastion host (separation of
> duties... not to speak of performance problems) the endpoint for the VPN
> connections shall be a corporate cisco router which terminates the IPsec
> connection (+ L2TP connection on top of it).
>
> I'm working with W2K SP1 on the client side and a cisco 3620 running
> 'c3620-is56i-mz.121-5.T.bin' (I know: early deployment... but then I'm able
> to use SSH on the router... and don't blame me for not using 3DES... too
> much effort to register on cco... and, as I said, it's just a test lab).
>
> And I want to use cert-based authentication...
>
> So, I installed a W2K-based CA with CEP add-on (from the rk) and got some
> certs for the router and the client.
> I ended up with the cisco claiming 'certificate invalid' during IKE several
> times.
>
> Question 1.) Which type of cert should I use for the client to avoid this? I
> tried several ones (the so called 'Ipsec cert', the 'client auth cert' and
> others), without any success. I think W2K CA issues standard X509v3 certs
> (but I'm not sure here, can anybody confirm or deny?).
> Sure, I could install a Linux or BSD-based CA (e.g. isakmpd on one of my
> OpenBSD boxes) but this would add even more heterogeneity.
> So, where is the problem for the cisco to accept the client's certificate??
>
> -----
>
> Then I broke down to 'pre-shared' to get it running and potentially find my
> problem. Just for testing... I don't like the idea of using 'pre-shared'...
>
> Now I succeed in phase 1 and then this happens [taken from the router with
> 'debug crypto isakmp']:
>
> *Mar  6 04:45:02: ISAKMP: transform 1, ESP_DES
> *Mar  6 04:45:02: ISAKMP:   attributes in transform:
> *Mar  6 04:45:02: ISAKMP:      SA life type in seconds
> *Mar  6 04:45:02: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0x3 0x84
> *Mar  6 04:45:02: ISAKMP:      SA life type in kilobytes
> *Mar  6 04:45:02: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x86 0xA0
> *Mar  6 04:45:02: ISAKMP:      encaps is 2
> *Mar  6 04:45:02: ISAKMP:      authenticator is HMAC-MD5
> *Mar  6 04:45:02: ISAKMP (0:3): atts are acceptable.
> *Mar  6 04:45:02: ISAKMP (0:3): IPSec policy invalidated proposal
> *Mar  6 04:45:02: ISAKMP (0:3): phase 2 SA not acceptable!
>
> Question 2:
>
> What does 'IPsec policy invalidated proposal' mean? Which policy invalidated
> whose proposal and for what possible reason?
>
> This is what I get on the client:
>
> 3-12: 19:18:33:160 Setting SA timeout: 25860
>  3-12: 19:18:33:160 Added Timeout af0a0
>  3-12: 19:18:33:160 Copying temp iv to sa->crypt_iv
>  3-12: 19:18:33:160 Created new conn entry 23b4f0
>  3-12: 19:18:33:160 Starting QM with mess ID bb3bac5f
>  3-12: 19:18:33:160 find(ipsec): da2998ca-d62c-44c5-92c1d0257ac79274
>  3-12: 19:18:33:160 GetSpi: src = 192.168.96.4.0000, dst =
> 192.168.96.12.0000, proto = 00, context = 81301F28, srcMask =
> 255.255.255.255, destMask = 255.255.255.255, TunnelFilter 0
>  3-12: 19:18:33:160 Setting SPI  594964592
>  3-12: 19:18:33:160 constructing ISAKMP Header
>  3-12: 19:18:33:160 constructing HASH (null)
>  3-12: 19:18:33:160 constructing SA (IPSEC)
>  3-12: 19:18:33:160 constructing NONCE (IPSEC)
>  3-12: 19:18:33:160 constructing ID (proxy)
>  3-12: 19:18:33:160 constructing ID (proxy)
>  3-12: 19:18:33:160 constructing HASH (QM)
>  3-12: 19:18:33:160 Construct QM Hash mess ID = 1605123003
>  3-12: 19:18:33:160 Throw: State mask=30000
>  3-12: 19:18:33:160 Doing DES
>  3-12: 19:18:33:160 Added Timeout b1cd8
>  3-12: 19:18:33:160 Setting Retransmit: sa 23cc90 centry 23b4f0 handle b1cd8 context 23ab38
>  3-12: 19:18:33:160
>  3-12: 19:18:33:160 Sending: SA = 0x0023CC90 to 192.168.96.4
>  3-12: 19:18:33:160 ISAKMP Header: (V1.0), len = 268
>  3-12: 19:18:33:160   I-COOKIE a7f1496896f5bbde
>  3-12: 19:18:33:160   R-COOKIE 6408de5fe3fa3d3a
>  3-12: 19:18:33:160   exchange: Oakley Quick Mode
>  3-12: 19:18:33:160   flags: 1 ( encrypted )
>  3-12: 19:18:33:160   next payload: HASH
>  3-12: 19:18:33:160   message ID: bb3bac5f
>  3-12: 19:18:33:160
>  3-12: 19:18:33:160 Resume: (get) SA = 0x0023cc90 from 192.168.96.4
>  3-12: 19:18:33:160 ISAKMP Header: (V1.0), len = 244
>  3-12: 19:18:33:160   I-COOKIE a7f1496896f5bbde
>  3-12: 19:18:33:160   R-COOKIE 6408de5fe3fa3d3a
>  3-12: 19:18:33:160   exchange: ISAKMP Informational Exchange
>  3-12: 19:18:33:160   flags: 1 ( encrypted )
>  3-12: 19:18:33:160   next payload: HASH
>  3-12: 19:18:33:160   message ID: ec51de13
>  3-12: 19:18:33:160 Doing DES
>  3-12: 19:18:33:160 Received InfoExchange with mess ID 3964788243
>  3-12: 19:18:33:160 processing HASH (ND)
>  3-12: 19:18:33:160 ND Verify Hash skeyid_a 02097b90ceddbfe5f5ecb9518b5e2426
>  3-12: 19:18:33:160 e3db3240
>  3-12: 19:18:33:160 Verify ND Hash mess ID ec51de13
>  3-12: 19:18:33:160 Verify ND hash message len = 184 hdrlen=236 hashpl=24
>  3-12: 19:18:33:160 ND Hash message 000000b8000000010304000e23767070
>  3-12: 19:18:33:160 0a0000a8000000010000000100000000
>  3-12: 19:18:33:160 62533dfc000000006254994461165bac
>  3-12: 19:18:33:160 010000180000007462533dfc623ab008
>  3-12: 19:18:33:160 01549944623ab08862549944623ab088
>  3-12: 19:18:33:160 62540fdc0000000802c043d800000001
>  3-12: 19:18:33:160 6207d8f461164a5862533ea40000010c
>  3-12: 19:18:33:160 bb3bac5f623ab038bb3bac5f00000000
>  3-12: 19:18:33:160 0000010c61d900006207d8f4611666ec
>  3-12: 19:18:33:160 61f5196c61f582d8623ab0b4623ab088
>  3-12: 19:18:33:160 0100000c6116541061a00000623ab0b0
>  3-12: 19:18:33:160 62533ec862533dc8
>  3-12: 19:18:33:160 processing payload NOTIFY
>  3-12: 19:18:33:160 notify: NO-PROPOSAL-CHOSEN
>
> ----------
>
> Thanks a lot for any advice or pointer &
>
> regards,
>
> Enno Rey
>
> PGP 74C0 C7E1 3875 E4EB 9B75  8B9D 5E2D 3178 685B F222
>
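The two logs quoted above show the same Quick Mode rejection from both ends: the router prints "IPSec policy invalidated proposal" / "phase 2 SA not acceptable!", and the W2K client receives the NO-PROPOSAL-CHOSEN notify. The added example below (my code, not from the thread or from Cisco/Microsoft) parses the router's `debug crypto isakmp` transform lines into structured attributes, decoding the variable-length (VPI) lifetime bytes and the IPsec DOI encapsulation mode value, and then compares those attributes with a local policy to report exactly which attribute disagrees. The local policy `LOCAL_POLICY` is a constructed assumption chosen only to demonstrate the comparison; it is not a claim about what the poster's router was actually configured with.

```python
"""Decode Cisco IOS 'debug crypto isakmp' phase-2 proposal attributes and
check them against a local IPsec policy.

Added example, not code from the original thread. The router and client
lines below are copied from the thread; LOCAL_POLICY is a constructed
assumption used only to show how an attribute-by-attribute comparison
pinpoints the mismatch behind "IPSec policy invalidated proposal".
"""
import re

# Sample input (copied from the thread): router-side debug output.
ROUTER_DEBUG = """\
*Mar  6 04:45:02: ISAKMP: transform 1, ESP_DES
*Mar  6 04:45:02: ISAKMP:   attributes in transform:
*Mar  6 04:45:02: ISAKMP:      SA life type in seconds
*Mar  6 04:45:02: ISAKMP:      SA life duration (VPI) of  0x0 0x0 0x3 0x84
*Mar  6 04:45:02: ISAKMP:      SA life type in kilobytes
*Mar  6 04:45:02: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x86 0xA0
*Mar  6 04:45:02: ISAKMP:      encaps is 2
*Mar  6 04:45:02: ISAKMP:      authenticator is HMAC-MD5
*Mar  6 04:45:02: ISAKMP (0:3): atts are acceptable.
*Mar  6 04:45:02: ISAKMP (0:3): IPSec policy invalidated proposal
*Mar  6 04:45:02: ISAKMP (0:3): phase 2 SA not acceptable!
"""

# Sample input (copied from the thread): the client's view of the same rejection.
CLIENT_LOG = """\
 3-12: 19:18:33:160 processing payload NOTIFY
 3-12: 19:18:33:160 notify: NO-PROPOSAL-CHOSEN
"""

# Encapsulation Mode attribute values from the IPsec DOI (RFC 2407, section 4.5).
ENCAPS_MODES = {1: "tunnel", 2: "transport"}


def decode_vpi(hexbytes):
    """A variable-length (VPI) lifetime is a big-endian byte string, so
    '0x0 0x0 0x3 0x84' is 0x384 = 900 and '0x0 0x1 0x86 0xA0' is 100000."""
    value = 0
    for token in hexbytes.split():
        value = (value << 8) | int(token, 16)
    return value


def parse_transform(debug_text):
    """Return a dict describing the first transform in the debug output and
    whether the router went on to reject it."""
    proposal = {}
    pending_unit = None          # 'seconds' or 'kilobytes' for the next VPI line
    for line in debug_text.splitlines():
        m = re.search(r"transform \d+, (\S+)", line)
        if m:
            proposal["transform"] = m.group(1)
            continue
        m = re.search(r"SA life type in (\w+)", line)
        if m:
            pending_unit = m.group(1)
            continue
        m = re.search(r"SA life duration \(VPI\) of\s+(.+)$", line)
        if m and pending_unit:
            proposal["life_" + pending_unit] = decode_vpi(m.group(1))
            pending_unit = None
            continue
        m = re.search(r"encaps is (\d+)", line)
        if m:
            proposal["encaps"] = ENCAPS_MODES.get(int(m.group(1)), "unknown")
            continue
        m = re.search(r"authenticator is (\S+)", line)
        if m:
            proposal["auth"] = m.group(1)
    proposal["rejected"] = ("invalidated proposal" in debug_text
                            or "not acceptable" in debug_text)
    return proposal


def find_notify(client_log):
    """Return the ISAKMP notify type the client logged, if any."""
    m = re.search(r"notify: (\S+)", client_log)
    return m.group(1) if m else None


def compare_with_policy(proposal, policy):
    """List the attributes on which the peer's proposal and the local policy differ."""
    mismatches = []
    for key in ("transform", "auth", "encaps"):
        if proposal.get(key) != policy.get(key):
            mismatches.append(f"{key}: peer offers {proposal.get(key)}, "
                              f"local policy has {policy.get(key)}")
    return mismatches


# Constructed assumption: a local policy that matches the peer on cipher and
# authenticator but expects tunnel-mode encapsulation.
LOCAL_POLICY = {"transform": "ESP_DES", "auth": "HMAC-MD5", "encaps": "tunnel"}

if __name__ == "__main__":
    prop = parse_transform(ROUTER_DEBUG)
    print("peer proposal:", prop)
    print("client saw notify:", find_notify(CLIENT_LOG))
    for reason in compare_with_policy(prop, LOCAL_POLICY):
        print("mismatch ->", reason)
```

The two "(VPI)" lines decode to a 900-second and a 100000-kilobyte lifetime, and "encaps is 2" is the IPsec DOI transport-mode value; the rest of the proposal is plain text. With the assumed local policy the comparison reports only the encapsulation-mode difference, which is the kind of single-attribute answer to "which policy invalidated whose proposal" that the raw debug line does not give. Against a real configuration, substitute the router's actual transform set and mode for LOCAL_POLICY.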


