EzVPN with CA

From: Rodrigo Paes (rpaes@pobox.com)
Date: Wed Nov 08 2006 - 02:45:09 ART


Hi all,

        I've been sweating for a couple of hours trying to figure out
what's wrong with my config ... then it dawned on me.. is this thing
covered on the CCIE Sec ? and will it be covered after Jan 2nd ?

well, I don't think so.. but since it's 3:30 AM down here, I have
to get up at 7:00 to catch a plane, and I _know_ I've been suffering
from caffeine withdrawal for at least 40 minutes... I thought I'd ask :)

Is EzVPN with CA supported on IOS 12.2T ?

and I _hope_, just for my curiosity... can you guys help me
out with this thing ? what's wrong with it ?

--- Server ---

!
!
aaa authentication login EZVPN_AUTHEN local
aaa authorization network EZVPN_AUTHOR local
!
crypto pki trustpoint ios-ca
 enrollment url http://136.1.56.6:80
 subject-name CN = Rack1R1 , OU = EzVPN , O = Cisco Systems
 revocation-check crl
!
<snip>
!
!
username cisco password 0 cisco
!
crypto isakmp policy 200
 encr 3des
 hash md5
 group 2
!
crypto isakmp client configuration group EzVPN
 key cisco
 acl R1toR2
!
crypto ipsec transform-set T-SET esp-3des esp-md5-hmac
!
crypto dynamic-map d-map 200
 set transform-set T-SET
 reverse-route
!
crypto map VPN client authentication list EZVPN_AUTHEN
crypto map VPN isakmp authorization list EZVPN_AUTHOR
crypto map VPN client configuration address respond
crypto map VPN 200 ipsec-isakmp dynamic d-map
!
<snip>
!
ip access-list extended R1toR2
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
!
!

----- Client -----

!
crypto pki trustpoint ios-ca
 enrollment url http://136.1.56.6:80
 subject-name CN = Rack1R2 , OU = EzVPN , O = Cisco System
 revocation-check crl
!
crypto isakmp policy 100
 encr 3des
 hash md5
 group 2
!
crypto ipsec client ezvpn EzVPN
 connect manual
 mode network-extension
 peer 136.1.0.1
 xauth userid mode interactive
!

everything seems to go smoothly until I have to do the xauth part...

for those of you who are into this kind of kinky stuff ... here is some
nice debug from the xauth part... server side ;)

Nov 7 06:03:04.257: ISAKMP (0:134217729): received packet from 136.1.0.2 dport 500 sport 500 Global (R) CONF_XAUTH
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):processing transaction payload from 136.1.0.2. message ID = 1027287439
Nov 7 06:03:04.257: ISAKMP: Config payload REPLY
Nov 7 06:03:04.257: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
Nov 7 06:03:04.257: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):deleting node 1027287439 error FALSE reason "Done with xauth request/reply exchange"
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

Nov 7 06:03:04.257: ISAKMP: set new node -1164611800 to CONF_XAUTH
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1): initiating peer config to 136.1.0.2. ID = -1164611800
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1): sending packet to 136.1.0.2 my_port 500 peer_port 500 (R) CONF_XAUTH
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT

Nov 7 06:03:04.405: ISAKMP (0:134217729): received packet from 136.1.0.2 dport 500 sport 500 Global (R) CONF_XAUTH
Nov 7 06:03:04.413: ISAKMP:(0:1:SW:1):processing transaction payload from 136.1.0.2. message ID = -1164611800
Nov 7 06:03:04.417: ISAKMP: Config payload ACK
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1): XAUTH ACK Processed
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node -1164611800 error FALSE reason "Transaction mode done"
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_CFG_ACK
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE

Nov 7 06:03:04.417: ISAKMP (0:134217729): received packet from 136.1.0.2 dport 500 sport 500 Global (R) QM_IDLE
Nov 7 06:03:04.417: ISAKMP: set new node -823426418 to QM_IDLE
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):processing transaction payload from 136.1.0.2. message ID = -823426418
Nov 7 06:03:04.417: ISAKMP: Config payload REQUEST
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):checking request:
Nov 7 06:03:04.417: ISAKMP: IP4_DNS
Nov 7 06:03:04.417: ISAKMP: IP4_DNS
Nov 7 06:03:04.417: ISAKMP: IP4_NBNS
Nov 7 06:03:04.417: ISAKMP: IP4_NBNS
Nov 7 06:03:04.417: ISAKMP: SPLIT_INCLUDE
Nov 7 06:03:04.417: ISAKMP: SPLIT_DNS
Nov 7 06:03:04.417: ISAKMP: DEFAULT_DOMAIN
Nov 7 06:03:04.417: ISAKMP: MODECFG_SAVEPWD
Nov 7 06:03:04.417: ISAKMP: INCLUDE_LOCAL_LAN
Nov 7 06:03:04.417: ISAKMP: PFS
Nov 7 06:03:04.417: ISAKMP: BACKUP_SERVER
Nov 7 06:03:04.417: ISAKMP: APPLICATION_VERSION
Nov 7 06:03:04.417: ISAKMP/author: Author request for group EzVPN successfully sent to AAA
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

Nov 7 06:03:04.417: AAA/AUTHOR/IKMP/LOCAL: group EzVPN does not exist
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):AAA returned a policy error. Sending empty reply.
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node -823426418 error FALSE reason "No Error"
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) CONF_ADDR (peer 136.1.0.2)
Nov 7 06:03:04.417: ISAKMP (0:134217729): FSM action returned error: 2
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_AAA, IKE_AAA_GROUP_ATTR
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE

Nov 7 06:03:04.417: ISAKMP: set new node -1568889514 to QM_IDLE
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1): sending packet to 136.1.0.2 my_port 500 peer_port 500 (R) CONF_ADDR
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):purging node -1568889514
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA

Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (R) CONF_ADDR (peer 136.1.0.2)
Nov 7 06:03:04.417: ISAKMP: Unlocking IKE struct 0x64990E78 for isadb_mark_sa_deleted(), count 0
Nov 7 06:03:04.417: ISAKMP: Deleting peer node by peer_reap for 136.1.0.2: 64990E78
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node 1027287439 error FALSE reason "IKE deleted"
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node -1164611800 error FALSE reason "IKE deleted"
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node -823426418 error FALSE reason "IKE deleted"
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA New State = IKE_DEST_SA

Nov 7 06:03:04.417: IPSEC(key_engine): got a queue event with 1 kei messages
Nov 7 06:03:04.509: ISAKMP (0:134217729): received packet from 136.1.0.2 dport 500 sport 500 Global (R) MM_NO_STATE

If you look closely, there is a nice little message up here in which
the router complains that there is no EzVPN group... I guess that is
the problem...

thanx !!!!

[]s
rodrigo

-- 
=========================================
\     .-.     +++ Rodrigo Paes +++       \
/     /v\    CCIE #14054 (R&S and SP)    /
\    // \\   LPIC2 #19753                \ 
/   /(   )\  Linux User #324449          /
\    ^^-^^                               \
/   jabber: panfleto@jabber.org          /
\   gtalk : rodp43s@gmail.com            \
 ==========================================


This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART