From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Mon Oct 09 2006 - 07:08:36 ART
Hi Curt,
As for your task - it's pretty complex, I must admit :) Working on it now
("from scratch") for the second time, I spent almost 1.5 hours of total time.
That's mostly because I configured everything (including routing)
from the bare minimum, and configured the VPN3000 via text CLI only
(my hobby, I hate GUIs :). No big problems anywhere with this task,
just a lot of configuration :)
If you'd like, I can send you some of my current configs, and comment more
on the solution.
Why did I use IOS CA instead of MS CA? :) Well, basically, for me MS CA
is harder to set up and configure. It also has sucky error messages that
leave you scratching your head :) So from the IOS standpoint there is
no actual difference, besides the mode (RA/CA) and the enrollment URL. Just
remember that basically MS CA is configured in RA mode, and IOS CA in
CA mode :) That may hurt the first time (it did with me back in the day ;)
PIX-IOS works fine without a glitch. Just don't forget to set up NAT
exemption and check identity stuff (hostname). Also a static route :)
As for PIX-VPN3000/IOS-VPN3000: make sure you match IKE proposals
on the VPN/IOS/PIX boxes. VPN3000 uses DH group 2 by default, so it won't
respond to anything else. That may hurt!
Also, don't try to set up L2L/RA VPN on the VPN3000 via CLI for the first time.
It's complex - first practice with the GUI wizard. I killed endless hours
debugging my CLI configs :)
And finally: you can post any IEWB-SC specific questions on IEWB-SC forum.
I keep a close eye on it, and try to respond to every question promptly!
Thanks!
2006/10/7, Curt Girardin <curt.girardin@chicos.com>:
>
> Team,
>
> Pardon me for venting, but I'm getting really frustrated at the lab I've
> been working on and I think I'm at a point where I just need another set
> of eyes/ears/opinions.
>
> Has ANYBODY successfully completed the IEWB-SC Volume I, version 2, lab
> 4, section 4.3 task?
>
> Here is the story.
>
> I've been working on this single 6-point task for 3 days now. (thank
> GOD I have my own equipment and not stuck to a schedule)
>
> The task asks you to configure 3 ipsec tunnels between a pix, router,
> and the concentrator. It asks you to use certificate authentication for
> isakmp, and to get the certificates from the certificate server in the
> lab using SCEP (MSCEP).
>
>
> PIX CA AND IDENTITY CERT
> ========================
> The first day and a half was spent simply trying to get a certificate
> onto my pix. I'd spent all night on it to no avail. The vendors
> solutions-guide uses R6 as a certificate-server as a variation instead
> of using the microsoft CA like the lab requires. Don't get me wrong,
> this is a really cool feature that I was unaware of before, but it kind
> of threw me off-course as there are subtle (yet important) differences
> between the microsoft ca and the IOS ca (as you'll see below).
>
> So back on track - the pix can't get a certificate from the microsoft ca
> server. The solutions guide suggests using "crypto ca configure IOS_CA
> ca 60 30 crloptional". So of course I tried that and it wouldn't work -
> I was unable to get the CA cert. I checked the vendors newsgroup site,
> but nothing. Hours later I gave up and sent a plea to group-study.
> Someone was nice enough to let me know that microsoft cert server uses
> "RA", instead of "CA". So I plug in "crypto ca configure IOS_CA ra 60
> 30 crloptional" and voila, I now have the CA cert.
>
> Once I got the CA cert the enrollment process for an identity-cert
> constantly failed. I'd check the microsoft ca server and I get the
> reason denied as "denied by policy module" in certificate authority.
> Same message appears in event viewer. This isn't very descriptive or
> helpful, so a few more hours later another plea goes out to group-study
> and someone suggests to start over and clear my ca config. I tried that
> and nothing. So I decide to uninstall and re-install both microsoft
> certificate-services and mscep. I clear the entire ca config in the pix
> and start over and voila I have both a CA cert and an identity cert.
> Great.
>
> Now to get all these devices to isakmp and ipsec happily! Shouldn't be
> a problem, right?
>
> R5 to PIX
> =========
> Well, after much troubleshooting and reconfiguration, I finally get R5
> and the pix to create a working tunnel. I'm not sure exactly what I did
> to fix it - so I haven't learned from any "mistakes" yet. I think it
> might have something to do with "isakmp identity hostname" being
> applied to the pix. I think I might have entered "isakmp identity
> address" out of habit earlier. It seems to take a LONG time to connect
> (like 20-30 ping time-outs), but eventually it DOES connect.
>
>
> R5 to concentrator
> ==================
> With little troubleshooting I got both an identity and ca cert on the
> concentrator and now have r5 and the concentrator creating a working
> tunnel.
>
>
> Concentrator to pix
> ===================
> Cannot connect. After cheating and checking cisco's web page everything
> leads to this "isakmp identity hostname" vs. "isakmp identity address"
> mis-match. I can't find anywhere on the concentrator to specify
> hostname vs address, so I shift gears a bit. I decided to check the
> config on R5 since it *was* working with the concentrator. R5
> wasn't configured for "crypto isakmp identity hostname" (perhaps that's
> why it took SOOOO long to form a tunnel to the pix before). So I
> configure R5 for "crypto isakmp identity hostname". Now R5 and the PIX
> form a tunnel almost instantly. But this broke my tunnel between the
> VPN concentrator and R5. So - AHA - this hostname vs. address thing
> seems to be the culprit (or the solution).
>
> Back to the concentrator
> ========================
> I've searched high and low and cannot find anywhere on the concentrator
> a place to configure equivalent to the "crypto isakmp identity hostname"
> parameter. Does this exist?
>
> Back to the pix
> ===============
> Assuming that there's no place to specify the equivalent to "crypto
> isakmp identity address|hostname" on the concentrator, I decide that
> maybe I should have included the IP address on the pix when initially
> enrolling for the certificate (maybe the concentrator would see this IP
> in the subject and be happy). So I clear out all the CA information on
> the pix and start over. This time I use the "ca enroll myca
> 8FD35FD88EECE928 serial ipaddress" command, in hopes that it will allow
> the hostname vs. address thing to go away. Unfortunately I'm now back
> to square one, and the CA server keeps denying my enrollment request
> with "denied by policy module" as the reason. I've also tried it with
> "ca enroll myca <blah>" without the "serial" and "ipaddress" options to
> no avail. I am refreshing the mscep screen in certificate services
> before each attempt to get a new challenge. I've cleared the ca config
> on the pix again, zeroized things, and rebooted and I still keep getting
> denied. WHAT IN THE WORLD AM I DOING WRONG HERE?
>
> I've checked the entire task in the solutions guide and I'm just not
> seeing any major differences between their solution and what I'm doing.
>
> I'm at a point where I think I'm starting to forget the things I've
> learned in the previous labs because I'm spending SOOOOooooooo much time
> (3 days now) troubleshooting single 6-point tasks.
>
> If anyone can help shed some light on this I'd greatly appreciate it.
> For now, I think it's about time for me to get away from the problem for
> a couple hours, and get some lunch.
>
>
> Thank you,
>
> Curt
>
-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
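An added IOS-side skeleton (not from either message in the thread) that pulls together the points both posts turn on: enrolling against the Microsoft CA/MSCEP front end in RA mode rather than CA mode, matching the VPN3000's default DH group 2 in the phase 1 proposal, and the ISAKMP identity setting. Hostnames, addresses, names and the enrollment URL are assumptions.

```cisco
! Added example, not thread config. All names/addresses are assumed.
hostname R5
ip domain-name lab.example            ! required before RSA key generation
!
! Exec-mode step (assumed key size): crypto key generate rsa modulus 1024
!
crypto pki trustpoint MS_CA
 enrollment mode ra                   ! Microsoft CA behind MSCEP = RA mode;
                                      ! an IOS CA would be the default CA mode
 enrollment url http://192.0.2.10/certsrv/mscep/mscep.dll   ! assumed URL
 revocation-check none                ! lab stand-in for the PIX "crloptional"
!
! Exec-mode steps, in this order:
!   crypto pki authenticate MS_CA      (fetch CA cert, verify its fingerprint)
!   crypto pki enroll MS_CA            (SCEP request with the MSCEP challenge)
!
! Phase 1 must match the peer's proposal; the VPN3000 defaults to DH group 2
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication rsa-sig               ! certificate-based ISAKMP auth
 group 2
!
! ISAKMP identity type has to agree with what the peer expects. The thread
! reports the PIX tunnel needing hostname (FQDN from the cert), so it is
! set here; the concentrator side is left as the thread leaves it (open).
crypto isakmp identity hostname
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
ip access-list extended VPN_TRAFFIC   ! assumed inside networks
 permit ip 10.5.0.0 0.0.0.255 10.6.0.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1                ! assumed PIX outside address
 set transform-set TS
 match address VPN_TRAFFIC
!
interface FastEthernet0/0
 crypto map VPN
```

Verify with "show crypto pki certificates" that both the CA and identity certificate are present before debugging ISAKMP; a missing identity certificate fails phase 1 in a way that looks like a proposal mismatch.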
This archive was generated by hypermail 2.1.4 : Wed Nov 01 2006 - 07:29:04 ART