From: Mark Lewis (markl11@hotmail.com)
Date: Fri Jun 18 2004 - 19:46:44 GMT-3
Jas,
Glad to be of any help (though I didn't have much to go on :] ). And I'm
glad you were able to decipher my post!
Just one thing - I notice you say that digital signature authentication
'usually' requires a CA. I'd be interested to see any debug/config you have
where enrollment with a CA is not required (there is a case where this is
true, but I'd be surprised if you are seeing it on your router & pix).
You should see this IKE phase *1* exchange with dig sig auth, assuming it is
successful (hope you are conversant with IKE message payloads!):
<Initiator (I) --- the box that initiates IKE negotiation>
<Responder (R) -- the other peer>
MM1 (main mode message 1) -- I to R: SA (set of transforms [ISAKMP policies])
MM2 -- R to I: SA (selected transform [ *1* ISAKMP policy])
MM3 -- I to R: KEY + NONCE
MM4 -- R to I: KEY + NONCE
MM5 -- I to R : ID + [CERT] + SIG
MM6 -- R to I : ID + [CERT] + SIG
If you are not conversant with IKE payloads, no problem (sorry, no space to
explain all the payloads here!). But I'd still love to see any successful
digital signature auth IKE exchange you have without enrollment with a CA.
Mark
Author: www.ciscopress.com/1587051044
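The MM5/MM6 authentication step described above, as an added Go example that is not from the original post or from Cisco: it models ID + CERT + SIG with a CA-signed (ID, public key) binding, so a peer that never enrolled has no CERT to send and a receiver rejects any CERT its trusted CA did not sign. The Cert structure, the digest layout and the nonce strings are constructed for this example; real IKE carries X.509 certificates and signs a hash over more of the phase 1 material than the two nonces and the ID used here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Cert stands in for the CERT payload: an ID bound to a public key, the binding signed by the CA (not real X.509).
type Cert struct {
	ID    string
	Pub   *rsa.PublicKey
	CASig []byte
}
// digest hashes a labelled tuple; the label keeps CA signatures and peer SIGs apart.
func digest(label, a, b, c string) []byte {
	h := sha256.Sum256([]byte(label + "|" + a + "|" + b + "|" + c))
	return h[:]
}
// Enroll is the CA attesting that pub belongs to id (the enrollment step the thread discusses).
func Enroll(ca *rsa.PrivateKey, id string, pub *rsa.PublicKey) (*Cert, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, ca, crypto.SHA256, digest("cert", id, fmt.Sprint(pub.E), pub.N.String()))
	return &Cert{ID: id, Pub: pub, CASig: sig}, err
}

// BuildAuth forms ID + CERT + SIG for MM5 (initiator) or MM6 (responder); SIG covers both nonces and the ID.
func BuildAuth(key *rsa.PrivateKey, cert *Cert, nonceI, nonceR string) (*Cert, []byte, error) {
	if cert == nil {
		return nil, nil, fmt.Errorf("not enrolled: no CERT payload to send")
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest("auth", nonceI, nonceR, cert.ID))
	return cert, sig, err
}

// VerifyAuth is the receiver's side: trust CERT only if the CA signed it, then check SIG under CERT's key.
func VerifyAuth(caPub *rsa.PublicKey, cert *Cert, sig []byte, nonceI, nonceR string) error {
	if cert == nil {
		return fmt.Errorf("peer sent no CERT payload")
	}
	binding := digest("cert", cert.ID, fmt.Sprint(cert.Pub.E), cert.Pub.N.String())
	if err := rsa.VerifyPKCS1v15(caPub, crypto.SHA256, binding, cert.CASig); err != nil {
		return fmt.Errorf("CERT not signed by the trusted CA: %w", err)
	}
	if err := rsa.VerifyPKCS1v15(cert.Pub, crypto.SHA256, digest("auth", nonceI, nonceR, cert.ID), sig); err != nil {
		return fmt.Errorf("SIG does not verify under CERT's key: %w", err)
	}
	return nil
}
```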
>From: "Jaspreet Bhatia" <jasbhati@cisco.com>
>Reply-To: "Jaspreet Bhatia" <jasbhati@cisco.com>
>To: "'Mark Lewis'" <markl11@hotmail.com>
>CC: <ccielab@groupstudy.com>
>Subject: RE: Question about rsa-signatures
>Date: Fri, 18 Jun 2004 14:52:27 -0700
>
>Hello Mark,
>I apologize about my confusing question and no debugs.
>This is what I really meant to ask:
>
>I knew that on the router three options exist for authentication
>1) pre-shared
>2) encrypted nonces
>3) rsa-signatures
>
>And on the PIX there are only two options
>
>1) pre-shared
>2) rsa-signatures
>
>I first tried the IPSEC tunnel between Router and PIX with the pre-shared
>authentication option.
>
>Then I changed the authentication option to rsa-signatures but did not
>define a CA.
>
>So the command crypto isakmp key ***** address "peer_address" was still
>there in the router.
>
>So the debugs in the PIX told me that it was looking for a cert from a
>CA server (which was normal behaviour), but the router was still trying
>to establish the tunnel with a pre-shared key as one was still
>configured on the router.
>
>So I found out what I was doing wrong.
>
>Bottom line : RSA-signatures usually are configured with a CA server.
>
>Thanks for your help.
>
>Regards,
>
>Jas
>
>
>
>-----Original Message-----
>From: Mark Lewis [mailto:markl11@hotmail.com]
>Sent: Thursday, June 17, 2004 3:42 PM
>To: jasbhati@cisco.com
>Cc: ccielab@groupstudy.com
>Subject: RE: Question about rsa-signatures
>
>
>Jas,
>
>Please post the debugs, but here's some complete conjecture to be going
>on with :)
>
>You'll have to post the debug, but I am guessing that you are seeing
>'rsa-sig' as the 'auth' parameter in IKE (ISAKMP) phase 1.
>
>You may get a failure during the exchange of the first 2 IKE messages,
>but I am guessing it does this:
>
>I am guessing that you are seeing a 'CR' (certificate request, though
>this may not be visible in the debug) payload sent by the PIX (and maybe
>a 'CERT' payload sent by the PIX [if you have enrolled it with the CA])??
>But the router is not sending the 'CERT' payload (contains a cert or cert
>chain) in response to the CR payload from the PIX.
>
>So, the PIX is trying to do digital signature auth, is requesting a cert
>or cert chain from the router, but the router hasn't got a cert to send,
>and (another guess without seeing the debug), the IKE (ISAKMP) fails
>during the exchange of messages 5 and 6 (assuming main mode for IKE
>phase 1).
>
>You'll know that IKE (ISAKMP) has failed during the exchange of messages
>5 and 6 because you see (depending on which box you are debugging on)
>'IKE_I_MM5/6' or 'IKE_R_MM5/6' - the I and R indicate initiator (the box
>that initiated IKE negotiation) and responder (the box that didn't
>initiate IKE).
>
>Shortly after you see 'IKE_x_MM5', I am guessing you can see a 'Notify'
>payload (that indicates an error or informational condition - in this
>case it actually indicates an IKE failure).
>
>IKE does authentication with messages 5 and 6 in phase 1, so if the two
>boxes manage somehow to agree IKE auth (done during IKE messages 1 and
>2), messages 5 and 6 are where it will all go wrong if auth is at fault.
>
>Anyway, enough conjecture - please post the configs :)
>
>BTW - you do indeed have to enroll IPSec boxes with a CA to get a
>*signed* digital certificate. That's the whole point about certificates
>- they are basically a *signed* association of a public key and identity
>info. The CA signs it, and by doing so attests that the public key does
>indeed belong to the identity given in the identity info (router's FQDN,
>etc). Because IPSec peers trust the CA, they will trust certs signed by
>the CA, and be able to authenticate another peer who presents a cert
>signed by the CA that they trust. That's how IKE digital signature auth
>works - the IPSec peers exchange certs signed by a common CA (or CA
>hierarchy) during IKE phase 1 (messages 5 and 6 in main mode), and
>because they both trust the certs signed by the CA (or CA hierarchy)
>authentication succeeds.
>
>Don't confuse (what Cisco calls) encrypted nonce authentication with
>digital signature auth - both require the generation of RSA key pairs,
>but encrypted nonce authentication does not require enrollment with a CA
>(and does not require certificates). Instead with encrypted nonce auth
>you exchange IPSec peers' public keys out-of-band, and paste them into
>the peers' config.
>
>Mark
>
>CCIE#6280 / CCSI#21051 / etc.
>
>Author: www.ciscopress.com/1587051044
>
>
>
> >From: "Jaspreet Bhatia" <jasbhati@cisco.com>
> >Reply-To: "Jaspreet Bhatia" <jasbhati@cisco.com>
> >To: <ccielab@groupstudy.com>
> >CC: "'Alejandro Eguiarte (aeguiart)'" <aeguiart@cisco.com>,
> ><jasbhati@cisco.com>
> >Subject: Question about rsa-signatures
> >Date: Thu, 17 Jun 2004 14:59:20 -0700
> >
> >Folks,
> >I have a question about using the rsa-signature in the isakmp policy.
> >In the router when you do the rsa-signature option for authentication
> >in the isakmp policy you do not have to configure a CA server to get
> >digital certificates. I have been trying to do the same option for
> >authentication on the PIX and from the debugs, it seems like it is
> >looking for a digital certificate from a CA server. Can anyone please
> >throw some light on this issue.
> >
> >Thanks
> >
> >Jas
> >
> >_______________________________________________________________________
> >Please help support GroupStudy by purchasing your study materials from:
> >http://shop.groupstudy.com
> >
> >Subscription information may be found at:
> >http://www.groupstudy.com/list/CCIELab.html
>
>
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:44 GMT-3