RE: Question about rsa-signatures

From: Mark Lewis (markl11@hotmail.com)
Date: Thu Jun 17 2004 - 19:42:08 GMT-3


Jas,

Please post the debugs, but here's some complete conjecture to be going on
with :)

You'll have to post the debug, but I am guessing that you are seeing
'rsa-sig' as the 'auth' parameter in IKE (ISAKMP) phase 1.

You may get a failure during the exchange of the first 2 IKE messages, but I
am guessing it does this:

I am guessing that you are seeing a 'CR' (certificate request, though this
may not be visible in the debug) payload sent by the PIX (and maybe a 'CERT'
payload sent by the PIX [if you have enrolled it with the CA])?? But the
router is not sending the 'CERT' payload (contains a cert or cert chain) in
response to the CR payload from the PIX.

So, the PIX is trying to do digital signature auth, is requesting a cert or
cert chain from the router, but the router hasn't got a cert to send, and
(another guess without seeing the debug), the IKE (ISAKMP) fails during the
exchange of messages 5 and 6 (assuming main mode for IKE phase 1).

You'll know that IKE (ISAKMP) has failed during the exchange of messages 5
and 6 because you see (depending on which box you are debugging on)
'IKE_I_MM5/6' or 'IKE_R_MM5/6' - the I and R indicate initiator (the box that
initiated IKE negotiation) and responder (the box that didn't initiate IKE).

Shortly after you see 'IKE_x_MM5', I am guessing you can see a 'Notify'
payload (that indicates an error or informational condition - in this case
it actually indicates an IKE failure).

IKE does authentication with messages 5 and 6 in phase 1, so if the two
boxes manage somehow to agree IKE auth (done during IKE messages 1 and 2),
messages 5 and 6 are where it will all go wrong if auth is at fault.

Anyway, enough conjecture - please post the configs :)

BTW- you do indeed have to enroll IPSec boxes with a CA to get a *signed*
digital certificate. That's the whole point about certificates - they are
basically a *signed* association of a public key and identity info. The CA
signs it, and by doing so attests that the public key does indeed belong to
the identity given in the identity info (router's FQDN, etc). Because IPSec
peers trust the CA, they will trust certs signed by the CA, and be able to
authenticate another peer who presents a cert signed by the CA that they
trust. That's how IKE digital signature auth works - the IPSec peers
exchange certs signed by a common CA (or CA hierarchy) during IKE phase 1
(messages 5 and 6 in main mode), and because they both trust the certs
signed by the CA (or CA hierarchy) authentication succeeds.

Don't confuse (what Cisco calls) encrypted nonce authentication with
digital signature auth - both require the generation of RSA key pairs, but
encrypted nonce authentication does not require enrollment with a CA (and
does not require certificates). Instead with encrypted nonce auth you
exchange IPSec peers' public keys out-of-band, and paste them into the peers'
config.

Mark

CCIE#6280 / CCSI#21051 / etc.

Author: www.ciscopress.com/1587051044

>From: "Jaspreet Bhatia" <jasbhati@cisco.com>
>Reply-To: "Jaspreet Bhatia" <jasbhati@cisco.com>
>To: <ccielab@groupstudy.com>
>CC: "'Alejandro Eguiarte (aeguiart)'" <aeguiart@cisco.com>,
><jasbhati@cisco.com>
>Subject: Question about rsa-signatures
>Date: Thu, 17 Jun 2004 14:59:20 -0700
>
>Folks,
> I have a question about using the rsa-signature in the
>isakmp policy. In the router when you do rsa-signature option for
>authentication in the isakmp policy you do not have to configure a CA
>server to get digital certificates. I have been trying to do the same
>option for authentication on the PIX and from the debugs, it seems like
>it is looking for a digital certificate from a CA server. Can anyone
>please throw some light on this issue.
>
>Thanks
>
>Jas
>
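As an added example (not part of this thread and not a Cisco tool), here is a small script that applies the diagnostic heuristic Mark gives above to IKE main-mode debug lines: it looks for the negotiated auth method, a CR payload going out with no CERT payload coming back, a last state of IKE_x_MM5/6, and a Notify payload. The debug excerpt is constructed and simplified around the tokens named in the thread; real PIX/IOS output differs, so the match patterns are assumptions to be adjusted.

```python
import re

# Constructed, simplified debug excerpt using the tokens the thread names
# (auth method, CR/CERT payloads, IKE_I_MM5, Notify). It is NOT real
# PIX/IOS output and only serves to exercise the heuristic below.
SAMPLE_DEBUG = """\
ISAKMP (0): processing SA payload, auth rsa-sig
ISAKMP (0): sending CR payload
ISAKMP (0): sending CERT payload
ISAKMP (0): current state IKE_I_MM5
ISAKMP (0): processing NOTIFY payload
"""

# Hypothetical helper (not a Cisco command): implements Mark's heuristic.
def analyze_phase1(debug_text):
    """Return what a main-mode phase 1 debug shows about rsa-sig auth."""
    result = {"auth": None, "cr_sent": False, "cert_received": False,
              "last_state": None, "notify": False, "diagnosis": ""}
    for line in debug_text.splitlines():
        m = re.search(r"\bauth\s+(\S+)", line)
        if m:
            result["auth"] = m.group(1)
        if "sending CR payload" in line:
            result["cr_sent"] = True
        # A CERT payload we are *processing* came from the peer; one we
        # are *sending* is our own cert and says nothing about the peer.
        if "processing CERT payload" in line:
            result["cert_received"] = True
        m = re.search(r"IKE_[IR]_MM[1-6]", line)
        if m:
            result["last_state"] = m.group(0)
        if "NOTIFY" in line.upper():
            result["notify"] = True

    failed_at_auth = (result["last_state"] or "").endswith(("MM5", "MM6")) \
        and result["notify"]
    if result["auth"] == "rsa-sig" and failed_at_auth and result["cr_sent"] \
            and not result["cert_received"]:
        result["diagnosis"] = ("peer never returned a CERT payload: it must be "
                               "enrolled with the CA (rsa-sig needs a CA-signed "
                               "cert); for out-of-band public keys use rsa-encr")
    elif result["auth"] == "rsa-sig" and failed_at_auth:
        result["diagnosis"] = ("cert exchanged but auth failed: check both peers "
                               "trust the same CA/chain and the cert identity")
    else:
        result["diagnosis"] = "no rsa-sig authentication failure detected"
    return result

if __name__ == "__main__":
    for key, value in analyze_phase1(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```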



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:43 GMT-3