From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Wed Nov 08 2006 - 07:17:59 ART
As of 12.2T, ezVPN *Remote* does NOT support certificates for client
authentication.
This feature was introduced in the 12.3T train:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00806503f5.html
<quote>
In Cisco IOS Release 12.2(13)T, the Cisco Easy VPN Remote feature does not
support authentication using digital certificates. Authentication is
supported using preshared keys and Extended Authentication (XAUTH).
</quote>
However, you may configure *Cisco VPN Client* to authenticate to the ezVPN server using digital certificates.
2006/11/8, Rodrigo Paes <rpaes@pobox.com>:
>
> Hi all,
>
> I've been sweating for a couple of hours trying to figure out
> what's wrong with my config ... then it dawned on me.. is this thing
> covered on the CCIE Sec ? and will it be covered after Jan 2nd ?
>
> well, I don't think so.. but since it's 3:30 AM down here, I have
> to get up 7:00 to catch a plane, and I _know_ I've been suffering
> from caffeine withdrawal for at least 40 minutes... I thought I'd ask :)
>
> Is EzVPN with CA supported on IOS 12.2T ?
>
>
>
> and I _hope_ , just for my curiosity... can you guys help me
> out with this thing ? what's wrong with it ?
>
>
> --- Server ---
>
> !
> !
> aaa authentication login EZVPN_AUTHEN local
> aaa authorization network EZVPN_AUTHOR local
> !
> crypto pki trustpoint ios-ca
> enrollment url http://136.1.56.6:80
> subject-name CN = Rack1R1 , OU = EzVPN , O = Cisco Systems
> revocation-check crl
> !
> <snip>
> !
> !
> username cisco password 0 cisco
> !
> crypto isakmp policy 200
> encr 3des
> hash md5
> group 2
> !
> crypto isakmp client configuration group EzVPN
> key cisco
> acl R1toR2
> !
> crypto ipsec transform-set T-SET esp-3des esp-md5-hmac
> !
> crypto dynamic-map d-map 200
> set transform-set T-SET
> reverse-route
> !
> crypto map VPN client authentication list EZVPN_AUTHEN
> crypto map VPN isakmp authorization list EZVPN_AUTHOR
> crypto map VPN client configuration address respond
> crypto map VPN 200 ipsec-isakmp dynamic d-map
> !
> <snip>
> !
> ip access-list extended R1toR2
> permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
> !
> !
> !
>
> ----- Client -----
>
> !
> crypto pki trustpoint ios-ca
> enrollment url http://136.1.56.6:80
> subject-name CN = Rack1R2 , OU = EzVPN , O = Cisco System
> revocation-check crl
> !
> crypto isakmp policy 100
> encr 3des
> hash md5
> group 2
> !
> crypto ipsec client ezvpn EzVPN
> connect manual
> mode network-extension
> peer 136.1.0.1
> xauth userid mode interactive
> !
>
> everything seems to go smoothly until I have to do the xauth part...
>
>
> for those of you who are into this kind of kinky stuff ... here is some
> nice debug from the xauth part... server side ;)
>
> Nov 7 06:03:04.257: ISAKMP (0:134217729): received packet from 136.1.0.2 dport 500 sport 500 Global (R) CONF_XAUTH
> Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):processing transaction payload from
> 136.1.0.2. message ID = 1027287439
> Nov 7 06:03:04.257: ISAKMP: Config payload REPLY
> Nov 7 06:03:04.257: ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
> Nov 7 06:03:04.257: ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
> Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):deleting node 1027287439 error
> FALSE reason "Done with xauth request/reply exchange"
> Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER,
> IKE_CFG_REPLY
> Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_REQ_SENT New
> State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
>
> Nov 7 06:03:04.257: ISAKMP: set new node -1164611800 to CONF_XAUTH
> Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1): initiating peer config to
> 136.1.0.2. ID = -1164611800
> Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1): sending packet to 136.1.0.2 my_port 500 peer_port 500 (R) CONF_XAUTH
> Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_AAA,
> IKE_AAA_CONT_LOGIN
> Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Old State =
> IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
>
> Nov 7 06:03:04.405: ISAKMP (0:134217729): received packet from 136.1.0.2 dport 500 sport 500 Global (R) CONF_XAUTH
> Nov 7 06:03:04.413: ISAKMP:(0:1:SW:1):processing transaction payload from
> 136.1.0.2. message ID = -1164611800
> Nov 7 06:03:04.417: ISAKMP: Config payload ACK
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1): XAUTH ACK Processed
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node -1164611800 error
> FALSE reason "Transaction mode done"
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER,
> IKE_CFG_ACK
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_SET_SENT New
> State = IKE_P1_COMPLETE
>
> Nov 7 06:03:04.417: ISAKMP (0:134217729): received packet from 136.1.0.2 dport 500 sport 500 Global (R) QM_IDLE
> Nov 7 06:03:04.417: ISAKMP: set new node -823426418 to QM_IDLE
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):processing transaction payload from
> 136.1.0.2. message ID = -823426418
> Nov 7 06:03:04.417: ISAKMP: Config payload REQUEST
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):checking request:
> Nov 7 06:03:04.417: ISAKMP: IP4_DNS
> Nov 7 06:03:04.417: ISAKMP: IP4_DNS
> Nov 7 06:03:04.417: ISAKMP: IP4_NBNS
> Nov 7 06:03:04.417: ISAKMP: IP4_NBNS
> Nov 7 06:03:04.417: ISAKMP: SPLIT_INCLUDE
> Nov 7 06:03:04.417: ISAKMP: SPLIT_DNS
> Nov 7 06:03:04.417: ISAKMP: DEFAULT_DOMAIN
> Nov 7 06:03:04.417: ISAKMP: MODECFG_SAVEPWD
> Nov 7 06:03:04.417: ISAKMP: INCLUDE_LOCAL_LAN
> Nov 7 06:03:04.417: ISAKMP: PFS
> Nov 7 06:03:04.417: ISAKMP: BACKUP_SERVER
> Nov 7 06:03:04.417: ISAKMP: APPLICATION_VERSION
> Nov 7 06:03:04.417: ISAKMP/author: Author request for group EzVPN
> successfully sent to AAA
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER,
> IKE_CFG_REQUEST
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New
> State = IKE_CONFIG_AUTHOR_AAA_AWAIT
>
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL,
> IKE_PHASE1_COMPLETE
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State =
> IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
>
> Nov 7 06:03:04.417: AAA/AUTHOR/IKMP/LOCAL: group EzVPN does not exist
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):AAA returned a policy error.
> Sending empty reply.
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node -823426418 error
> FALSE reason "No Error"
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):peer does not do paranoid
> keepalives.
>
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting SA reason
> "IKMP_ERR_NO_RETRANS" state (R) CONF_ADDR (peer 136.1.0.2)
> Nov 7 06:03:04.417: ISAKMP (0:134217729): FSM action returned error: 2
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_AAA,
> IKE_AAA_GROUP_ATTR
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State =
> IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
>
> Nov 7 06:03:04.417: ISAKMP: set new node -1568889514 to QM_IDLE
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1): sending packet to 136.1.0.2 my_port 500 peer_port 500 (R) CONF_ADDR
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):purging node -1568889514
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL,
> IKE_PHASE1_DEL
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New
> State = IKE_DEST_SA
>
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting SA reason "No reason"
> state (R) CONF_ADDR (peer 136.1.0.2)
> Nov 7 06:03:04.417: ISAKMP: Unlocking IKE struct 0x64990E78 for
> isadb_mark_sa_deleted(), count 0
> Nov 7 06:03:04.417: ISAKMP: Deleting peer node by peer_reap for 136.1.0.2:
> 64990E78
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node 1027287439 error
> FALSE reason "IKE deleted"
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node -1164611800 error
> FALSE reason "IKE deleted"
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting node -823426418 error
> FALSE reason "IKE deleted"
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER,
> IKE_MM_EXCH
> Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA New State
> = IKE_DEST_SA
>
> Nov 7 06:03:04.417: IPSEC(key_engine): got a queue event with 1 kei
> messages
> Nov 7 06:03:04.509: ISAKMP (0:134217729): received packet from 136.1.0.2 dport 500 sport 500 Global (R) MM_NO_STATE
>
>
> If you look closely, there is a nice little message up here in which
> the router complains that there is no EzVPN group... I guess that is
> the problem...
>
>
>
> thanx !!!!
>
>
> []s
> rodrigo
>
> --
> =========================================
> \ .-. +++ Rodrigo Paes +++ \
> / /v\ CCIE #14054 (R&S and SP) /
> \ // \\ LPIC2 #19753 \
> / /( )\ Linux User #324449 /
> \ ^^-^^ \
> / jabber: panfleto@jabber.org /
> \ gtalk : rodp43s@gmail.com \
> ==========================================
>
>
--
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
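As an added illustration (my own script, not from either poster), here is a small Python triage helper that walks server-side `debug crypto isakmp` output like the capture quoted above, records the IKE state transitions and reports where the exchange died (XAUTH accepted, then the mode-config group authorization rejected by local AAA). The debug text it parses is a constructed sample modelled on the thread, with the wrapped "Old State / New State" lines joined.

```python
import re

# Constructed sample in the format of Cisco IOS "debug crypto isakmp" output,
# modelled on the server-side exchange in the thread. Not a real capture.
SAMPLE_DEBUG = """\
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_REQ_SENT New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT
Nov 7 06:03:04.257: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT New State = IKE_XAUTH_SET_SENT
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_XAUTH_SET_SENT New State = IKE_P1_COMPLETE
Nov 7 06:03:04.417: ISAKMP/author: Author request for group EzVPN successfully sent to AAA
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
Nov 7 06:03:04.417: AAA/AUTHOR/IKMP/LOCAL: group EzVPN does not exist
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):AAA returned a policy error. Sending empty reply.
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):deleting SA reason "IKMP_ERR_NO_RETRANS" state (R) CONF_ADDR (peer 136.1.0.2)
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT New State = IKE_P1_COMPLETE
Nov 7 06:03:04.417: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
"""

STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")
AUTHOR_RE = re.compile(r"Author request for group (\S+) successfully sent to AAA")
NOGROUP_RE = re.compile(r"AAA/AUTHOR/IKMP/LOCAL: group (\S+) does not exist")
DELETE_RE = re.compile(r'deleting SA reason "([^"]+)" state \(R\) (\S+) \(peer (\S+)\)')


def analyze_isakmp_debug(text):
    """Walk the debug line by line and summarise where the negotiation failed."""
    r = {"states": [], "xauth_ok": False, "group_requested": None,
         "missing_group": None, "sa_deleted": None}
    for line in text.splitlines():
        if m := STATE_RE.search(line):
            old, new = m.groups()
            if not r["states"]:
                r["states"].append(old)
            r["states"].append(new)
            # Leaving XAUTH_SET_SENT for P1_COMPLETE means the username/password
            # exchange was accepted; anything that fails later is not an XAUTH problem.
            if old == "IKE_XAUTH_SET_SENT" and new == "IKE_P1_COMPLETE":
                r["xauth_ok"] = True
        elif m := AUTHOR_RE.search(line):
            r["group_requested"] = m.group(1)
        elif m := NOGROUP_RE.search(line):
            r["missing_group"] = m.group(1)
        elif (m := DELETE_RE.search(line)) and r["sa_deleted"] is None:
            reason, state, peer = m.groups()   # keep the first deletion reason only
            r["sa_deleted"] = {"reason": reason, "state": state, "peer": peer}
    if r["missing_group"]:
        r["verdict"] = ("mode-config authorization failed: local AAA has no group "
                        f"'{r['missing_group']}' (XAUTH ok: {r['xauth_ok']})")
    elif r["sa_deleted"]:
        r["verdict"] = f"SA deleted in state {r['sa_deleted']['state']}: {r['sa_deleted']['reason']}"
    else:
        r["verdict"] = "no failure detected"
    return r


if __name__ == "__main__":
    summary = analyze_isakmp_debug(SAMPLE_DEBUG)
    print(" -> ".join(summary["states"]))
    print(summary["verdict"])
```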
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:45 ART