Yep, you missed something.
PKI-based IPSec works roughly as follows:
1. Create the public/private certifications for each router.
2. Give the public cert to the CA for signing into a certificate.
3. When you create an IPSec connection that requires certs to authenticate
each end of the IPSec connection and you wish to use a CA to prove validity,
then the devices will present each other their public certs, which each
device will then validate via the CA. The CA is there solely to be a trusted
party that can validate a cert and also provide a list of revoked
certificates.
4. If all is well, Phase 1 completes and Phase 2 starts...
Hope this clarifies what goes on (high level).
If you have the money/will, buy the CSVPN coursebook; it is one of the best
books (and I have a lot of them) I've seen on the subject, very well
explained and detailed.
--Gareth Bromley
CCNP CSS1 CCIP Security CCSA CCSE RHCE
Senior Network Engineer, Sports.com Ltd
-----Original Message-----
From: nobody@xxxxxxxxxxxxxx [mailto:nobody@xxxxxxxxxxxxxx]On Behalf Of
Roberts, Larry
Sent: 29 May 2002 05:38
To: 'Keyur Shah'; Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
Subject: RE: Isakmp key exchange question
OK,
I am really confused.
You say the cert must be configured beforehand, then you state that during
the phase 1 process they exchange certs.
Am I missing something here, or are you saying I must request the cert twice?
Thanks
Larry
-----Original Message-----
From: Keyur Shah [mailto:kshah@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, May 28, 2002 11:38 PM
To: 'Roberts, Larry'; Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
Subject: RE: Isakmp key exchange question
The cert must be requested beforehand from the CA. Keep CRL optional, unless you
have it properly configured. During the phase 1 process, they will exchange
certs.
-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
CISSP,ccsa,css1,scsa,scna,mct,mcse,cni,mcne
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556
-----Original Message-----
From: Roberts, Larry [mailto:Larry.Roberts@xxxxxxxxxxxx]
Sent: Tuesday, May 28, 2002 9:20 PM
To: 'Keyur Shah'; Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
Subject: RE: Isakmp key exchange question
I'm using the Windows 2K cert server.
Wouldn't the router request the cert automatically?
From what I have read, the router (router_G) will request the cert from the
second router (router_d). This cert will have to be verified by the CA.
Is that not correct?
Thanks
Larry
-----Original Message-----
From: Keyur Shah [mailto:kshah@xxxxxxxxxxxxxxxxxx]
Sent: Tuesday, May 28, 2002 11:23 PM
To: 'Roberts, Larry'; Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
Subject: RE: Isakmp key exchange question
Larry,
You do need to request the cert of the adjacent router. Also make sure your
clock is set correctly. Which CA are you using?
Thanks
-Keyur Shah-
CCIE# 4799 (Security; Routing and Switching)
CISSP,ccsa,css1,scsa,scna,mct,mcse,cni,mcne
Hello Computers
"Say Hello to Your Future!"
http://www.hellocomputers.com
Toll-Free: 1.877.794.3556
Fremont: 510.795.6815
Santa Clara: 408.496.0801
Europe: +(44)20 7900 3011
Fax: 510.291.2250
-----Original Message-----
From: Roberts, Larry [mailto:Larry.Roberts@xxxxxxxxxxxx]
Sent: Tuesday, May 28, 2002 7:41 PM
To: Cisco Security Mailing List (security@xxxxxxxxxxxxxx)
Subject: Isakmp key exchange question
OK,
I am attempting to create an IPSec tunnel with isakmp rsa-sig key exchange.
I have generated the keys, authenticated the CA and enrolled.
I am using hostname authentication.
When I attempt to form the tunnel, nothing happens.
A debug shows the following:
01:29:32: ISAKMP: received ke message (1/1)
01:29:32: ISAKMP: local port 500, remote port 500
01:29:32: ISAKMP (0:1): No Cert or pre-shared address key.
01:29:32: ISAKMP (0:1): Can not start Main mode
01:29:32: ISAKMP (0:1): Can not start aggressive mode.
01:29:32: ISAKMP (0:1): purging SA.
01:29:32: ISAKMP (0:1): purging node 1351240705
01:30:02: ISAKMP: received ke message (3/1)
01:30:02: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.168.148.54 dst 192.168.148.53 for SPI 0x0
I have verified reachability to all devices.
I am assuming that I need to do something else to request the cert of the
adjacent router, but I can't for the life of me figure out what. Shouldn't
the router request the cert from the other router, then verify with the CA?
No matter which router that I am doing this from, I get the same error.
And for the relevant config:
crypto ca identity CASERVER
enrollment mode ra
enrollment url http://explabdc01:80/certsrv/mscep/mscep.dll
crl optional
!
! Keys omitted
!
crypto isakmp policy 10
crypto isakmp identity hostname
!
!
crypto ipsec transform-set TRANSFORM esp-des esp-md5-hmac
!
crypto map MYMAP local-address FastEthernet0/0
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.148.53
set transform-set TRANSFORM
match address 100
The only thing that I can imagine I need would be the Query URL, but every
LDAP address I place in there doesn't work, and all the examples I look at
say that this is optional.
Any help is appreciated.
Thanks
Larry
__________________________________________________________________
To unsubscribe from the SECURITY list, send a message to
majordomo@xxxxxxxxxxxxxx with the body containing: unsubscribe SECURITY
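As an added example (not from any of the posters), a small Python triage helper that parses the `debug crypto isakmp` lines Larry pasted and pulls out the first Phase 1 failure, its follow-on messages, the SA identifiers and the peer addresses. The sample log is constructed from the thread with the wrapped `src`/`dst` line rejoined; the cause hint is an assumption drawn from the replies in the thread (enrollment and clock), not IOS documentation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the debug lines quoted in the thread, wrapped line rejoined.
SAMPLE_DEBUG = """\
01:29:32: ISAKMP: received ke message (1/1)
01:29:32: ISAKMP: local port 500, remote port 500
01:29:32: ISAKMP (0:1): No Cert or pre-shared address key.
01:29:32: ISAKMP (0:1): Can not start Main mode
01:29:32: ISAKMP (0:1): Can not start aggressive mode.
01:29:32: ISAKMP (0:1): purging SA.
01:29:32: ISAKMP (0:1): purging node 1351240705
01:30:02: ISAKMP: received ke message (3/1)
01:30:02: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 192.168.148.54 dst 192.168.148.53 for SPI 0x0
"""

# "hh:mm:ss: ISAKMP (ctx:idx): message" -- the SA part is absent on global lines.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d): ISAKMP(?: \((\d+):(\d+)\))?: (.+?)\.?$")
PEER_RE = re.compile(r"src (\d+(?:\.\d+){3}) dst (\d+(?:\.\d+){3})")

# First message that explains the failure, with a hint taken from the thread (assumption).
ROOT_CAUSES = {
    "No Cert or pre-shared address key":
        "no usable certificate or pre-shared key for this peer; check that the "
        "router's own cert (not only the CA cert) is enrolled and the clock is correct",
}
# Messages that merely follow from the root cause and need no separate action.
CONSEQUENCES = ("Can not start Main mode", "Can not start aggressive mode", "purging SA")

@dataclass
class IsakmpEvent:
    time: str
    sa: Optional[str]   # "0:1" style SA identifier, None for global lines
    message: str        # trailing period stripped

def parse_isakmp_debug(text: str) -> list:
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            t, ctx, idx, msg = m.groups()
            events.append(IsakmpEvent(t, f"{ctx}:{idx}" if ctx else None, msg))
    return events

def triage(text: str) -> dict:
    report = {"root_cause": None, "consequences": [], "peers": set(), "sa_ids": set()}
    for ev in parse_isakmp_debug(text):
        if ev.sa:
            report["sa_ids"].add(ev.sa)
        for key, hint in ROOT_CAUSES.items():
            if report["root_cause"] is None and ev.message.startswith(key):
                report["root_cause"] = (ev.time, key, hint)
        if ev.message.startswith(CONSEQUENCES):
            report["consequences"].append(ev.message)
        peer = PEER_RE.search(ev.message)
        if peer:
            report["peers"].update(peer.groups())
    return report
```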