IPSEC config between pix, concentrator, and router using

From: Curt Girardin (curt.girardin@chicos.com)
Date: Sat Oct 07 2006 - 15:38:44 ART


Team,

Pardon me for venting, but I'm getting really frustrated at the lab I've
been working on and I think I'm at a point where I just need another set
of eyes/ears/opinions.

Has ANYBODY successfully completed the IEWB-SC Volume I, version 2, lab
4, section 4.3 task?

Here is the story.

I've been working on this single 6-point task for 3 days now. (Thank
GOD I have my own equipment and am not stuck to a schedule.)

The task asks you to configure 3 IPsec tunnels between a PIX, router,
and the concentrator. It asks you to use certificate authentication for
ISAKMP, and to get the certificates from the certificate server in the
lab using SCEP (MSCEP).

PIX CA AND IDENTITY CERT
========================
The first day and a half was spent simply trying to get a certificate
onto my PIX. I'd spent all night on it to no avail. The vendor's
solutions guide uses R6 as a certificate server as a variation instead
of using the Microsoft CA like the lab requires. Don't get me wrong,
this is a really cool feature that I was unaware of before, but it kind
of threw me off course as there are subtle (yet important) differences
between the Microsoft CA and the IOS CA (as you'll see below).

So back on track - the PIX can't get a certificate from the Microsoft CA
server. The solutions guide suggests using "crypto ca configure IOS_CA
ca 60 30 crloptional". So of course I tried that and it wouldn't work -
I was unable to get the CA cert. I checked the vendor's newsgroup site,
but nothing. Hours later I gave up and sent a plea to group-study.
Someone was nice enough to let me know that Microsoft cert server uses
"RA", instead of "CA". So I plug in "crypto ca configure IOS_CA ra 60
30 crloptional" and voila, I now have the CA cert.

Once I got the CA cert the enrollment process for an identity cert
constantly failed. I'd check the Microsoft CA server and I get the
reason denied as "denied by policy module" in Certificate Authority.
The same message appears in Event Viewer. This isn't very descriptive or
helpful, so a few more hours later another plea goes out to group-study
and someone suggests starting over and clearing my CA config. I tried that
and nothing. So I decide to uninstall and re-install both Microsoft
Certificate Services and MSCEP. I clear the entire CA config in the PIX
and start over and voila, I have both a CA cert and an identity cert.
Great.

Now to get all these devices to ISAKMP and IPsec happily! Shouldn't be
a problem, right?

R5 to PIX
=======
Well, after much troubleshooting and reconfiguration, I finally get R5
and the PIX to create a working tunnel. I'm not sure exactly what I did
to fix it - so I haven't learned from any "mistakes" yet. I think it
might have something to do with "isakmp identity hostname" being
applied to the PIX. I think I might have entered "isakmp identity
address" out of habit earlier. It seems to take a LONG time to connect
(like 20-30 ping time-outs), but eventually it DOES connect.

R5 to concentrator
==================
With little troubleshooting I got both an identity and CA cert on the
concentrator and now have R5 and the concentrator creating a working
tunnel.

Concentrator to pix
===================
Cannot connect. After cheating and checking Cisco's web page, everything
leads to this "isakmp identity hostname" vs. "isakmp identity address"
mismatch. I can't find anywhere on the concentrator to specify
hostname vs. address, so I shift gears a bit. I decided to check the
config on R5 since it WAS working with the concentrator. R5
wasn't configured for "crypto isakmp identity hostname" (perhaps that's
why it took SOOOO long to form a tunnel to the PIX before). So I
configure R5 for "crypto isakmp identity hostname". Now R5 and the PIX
form a tunnel almost instantly. But this broke my tunnel between the
VPN concentrator and R5. So - AHA - this hostname vs. address thing
seems to be the culprit (or the solution).

Back to the concentrator
========================
I've searched high and low and cannot find anywhere on the concentrator
a place to configure equivalent to the "crypto isakmp identity hostname"
parameter. Does this exist?

Back to the pix
===============
Assuming that there's no place to specify the equivalent to "crypto
isakmp identity address|hostname" on the concentrator, I decide that
maybe I should have included the IP address on the PIX when initially
enrolling for the certificate (maybe the concentrator would see this IP
in the subject and be happy). So I clear out all the CA information on
the PIX and start over. This time I use the "ca enroll myca
8FD35FD88EECE928 serial ipaddress" command, in hopes that it will allow
the hostname vs. address thing to go away. Unfortunately I'm now back
to square one, and the CA server keeps denying my enrollment request
with "denied by policy module" as the reason. I've also tried it with
"ca enroll myca <blah>" without the "serial" and "ipaddress" options to
no avail. I am refreshing the MSCEP screen in Certificate Services
before each attempt to get a new challenge. I've cleared the CA config
on the PIX again, zeroized things, and rebooted and I still keep getting
denied. WHAT IN THE WORLD AM I DOING WRONG HERE?

I've checked the entire task in the solutions guide and I'm just not
seeing any major differences between their solution and what I'm doing.

I'm at a point where I think I'm starting to forget the things I've
learned in the previous labs because I'm spending SOOOOooooooo much time
(3 days now) troubleshooting single 6-point tasks.

If anyone can help shed some light on this I'd greatly appreciate it.
For now, I think it's about time for me to get away from the problem for
a couple hours, and get some lunch.

Thank you,

Curt
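As an added illustration (not from Curt's post or the IEWB solutions guide), here is the PIX and R5 side of the two fixes the post arrives at: MSCEP enrollment in RA mode, and a matching hostname ISAKMP identity on both rsa-sig peers. The CA address 10.0.0.100, the MSCEP URL path, the domain lab.local, the crypto parameters and the trustpoint names are assumptions; each side is also assumed to be able to resolve the other's FQDN, and the concentrator is not shown.

```cisco
! === PIX (6.x syntax) ===
! Point the PIX at the Microsoft CA's SCEP endpoint. The address and the
! mscep.dll path are assumptions, not values from the post.
hostname PIX
domain-name lab.local
ca generate rsa key 1024
ca identity IOS_CA 10.0.0.100:/certsrv/mscep/mscep.dll
! "ra", not "ca": MSCEP fronts the Microsoft CA with a registration
! authority, so the PIX must fetch the RA certificates along with the CA.
ca configure IOS_CA ra 60 30 crloptional
ca authenticate IOS_CA
! One-time challenge copied from the MSCEP web page (placeholder shown)
ca enroll IOS_CA <challenge-from-mscep-page>
ca save all
! rsa-sig ISAKMP policy with a hostname identity, matching R5 below
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp identity hostname

! === R5 (IOS) ===
hostname R5
ip domain-name lab.local
crypto key generate rsa general-keys modulus 1024
crypto ca trustpoint IOS_CA
 enrollment url http://10.0.0.100:80/certsrv/mscep/mscep.dll
 enrollment mode ra
 crl optional
crypto ca authenticate IOS_CA
crypto ca enroll IOS_CA
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
! Same identity type on both ends. In the post the R5-PIX tunnel only
! formed "almost instantly" once both peers used hostname; a peer left
! on address will reject the identity payload and stall phase 1.
crypto isakmp identity hostname
```

On either box, a phase 1 identity mismatch shows up in the ISAKMP debug as the peer's identity failing to match before any certificate is validated, which is the first thing to compare when two rsa-sig peers refuse to form a tunnel.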



This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART