ASA with router l2l ipsec using certificates

Hi All,

Well... I've got a question. I have both an ASA and a router trying to bring up an IPsec tunnel.

The network behind the ASA is 162.1.113.0, which is also its outside interface network.

The network behind the R is 10.35.35.0, which is its fa0/0 network.

Between these two, I have another router which has network 162.1.113.0 on its fa0/0, which is connected to the ASA, and that's why I added a route from this router to the ASA in order to get to the 10.35.35.0 network.

The problem is that I get, all the time, a message in phase 2 on router 3 saying that the proxy ID won't match, although the ACLs are OK. When I try to initiate traffic from R1, which is "behind" the protected network of the ASA... it doesn't work.

The topology goes like this:

ASA-->R1, ASA address 162.1.113.13, R1 address 162.113.1.1.

R1-->R3, R1 address 162.1.13.1, R3 address 13.3.

The peers are ASA and R3, and R1 knows how to get to R3.

I also added a route from R1 to 10.35.35.0 through the ASA.

The configurations are:

ASA

crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac

crypto map MYMAP 10 match address VLAN113TOVLAN3
crypto map MYMAP 10 set connection-type originate-only
crypto map MYMAP 10 set peer 162.1.13.3
crypto map MYMAP 10 set transform-set 3DES-MD5
crypto map MYMAP 10 set trustpoint CA
crypto map MYMAP interface outside
crypto ca trustpoint CA
 revocation-check crl none
 enrollment url http://150.1.6.6:80
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
same-security-traffic permit intra-interface
access-list VLAN113TOVLAN3 extended permit ip 162.1.113.0 255.255.255.0 10.35.35.0 255.255.255.0

tunnel-group 162.1.13.3 type ipsec-l2l
tunnel-group 162.1.13.3 ipsec-attributes
 peer-id-validate cert
 trust-point CA

show int ip brie
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up 
Ethernet0/0.113            162.1.113.13    YES CONFIG up                    up 
Ethernet0/1                unassigned      YES unset  up                    up 
Ethernet0/1.100            192.10.1.13     YES CONFIG up                    up 

R1

on the ip route table:

S       10.35.35.0 [1/0] via 162.1.113.13

R3

crypto pki trustpoint CA
 enrollment url http://150.1.6.6:80
 revocation-check none
 source interface Loopback0
crypto isakmp policy 10
 encr 3des
 hash md5
 group 2
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map DYN 10
 set transform-set 3DES-MD5
 match address VLAN3TOVLAN113
crypto map MYMAP 10 ipsec-isakmp dynamic DYN

ip access-list extended VLAN3TOVLAN113
 permit ip 10.35.35.0 0.0.0.255 162.1.113.0 0.0.0.255

show ip int brie
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            10.35.35.3      YES NVRAM  up                    up     
FastEthernet0/1            162.1.38.3      YES NVRAM  up                    up     
Serial0/0/0                unassigned      YES NVRAM  up                    up     
Serial0/0/0.2345           162.1.0.3       YES NVRAM  up                    up     
Serial0/0/1                unassigned      YES NVRAM  up                    up     
Serial0/0/1.13             162.1.13.3      YES NVRAM  up                    up     
NVI0                       10.35.35.3      YES unset  up                    up     
Loopback0                  150.1.3.3       YES NVRAM  up                    up     

show run int ser0/0/1.13
Building configuration...

Current configuration : 198 bytes
!
interface Serial0/0/1.13 point-to-point
 ip address 162.1.13.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 snmp trap link-status
 frame-relay interface-dlci 311  
 crypto map MYMAP
end

NOW - the NAT you see here is between this interface and the fa0/1 interface, which I think doesn't relate to my problem....

Now, what I get on R3 is:

Nov 19 12:06:05.231: ISAKMP:(1056): Unable to get DN from certificate!
Nov 19 12:06:05.231: ISAKMP:(1056): Cert presented by peer contains no OU field.
Nov 19 12:06:05.239: ISAKMP:(1056):My ID configured as IPv4 Addr, but Addr not in Cert!
Nov 19 12:06:05.239: ISAKMP:(1056):Using FQDN as My ID
Nov 19 12:06:05.375: IPSEC(validate_proposal_request): proposal part #1
Nov 19 12:06:05.375: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 162.1.13.3, remote= 162.1.113.13,
    local_proxy= 162.1.13.3/255.255.255.255/0/0 (type=1),
    remote_proxy= 162.1.113.13/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Nov 19 12:06:05.375: Crypto mapdb : proxy_match
        src addr     : 162.1.13.3
        dst addr     : 162.1.113.13
        protocol     : 0
        src port     : 0
        dst port     : 0
Nov 19 12:06:05.375: Crypto mapdb : proxy_match
        src addr     : 162.1.13.3
        dst addr     : 162.1.113.13
        protocol     : 0
        src port     : 0
        dst port     : 0
Nov 19 12:06:05.375: map_db_find_best did not find matching map
Nov 19 12:06:05.375: IPSEC(ipsec_process_proposal): proxy identities not supported
Nov 19 12:06:05.375: ISAKMP:(1056): IPSec policy invalidated proposal with error 32
Rack1R3#
Nov 19 12:06:05.375: ISAKMP:(1056): phase 2 SA policy not acceptable! (local 162.1.13.3 remote 162.1.113.13)
Nov 19 12:06:05.379: ISAKMP:(1056):deleting node 610612316 error TRUE reason "QM rejected"

And that is after I pinged from R1 to 10.35.35.3, which has to go through the ASA and hit the interesting traffic.

Please help.
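As an added example (this is not code from the post, from Cisco, or from anyone in the thread), here is a small Python checker that does what R3's `map_db_find_best` / `proxy_match` step does: it parses the `IPSEC(validate_proposal_request)` debug lines quoted above plus the two crypto ACLs from the configs, and reports whether the proposed proxy identities land inside an ACE of the responder's ACL. It assumes plain `permit ip` ACEs with no port qualifiers (IOS wildcard masks, ASA subnet masks); the sample debug text is constructed from the lines quoted in the post.

```python
"""Check IKE phase 2 proxy identities against a crypto ACL (added example).

Parses the 'IPSEC(validate_proposal_request)' debug lines R3 printed and
the two crypto ACLs from the post, then does what map_db_find_best does:
look for an ACE whose source contains our local proxy and whose
destination contains the remote proxy. Only 'permit ip' ACEs are handled
(an assumption; port-qualified ACEs are out of scope).
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Proxy(NamedTuple):
    local: ipaddress.IPv4Network    # responder-side (our) proxy
    remote: ipaddress.IPv4Network   # initiator-side (peer) proxy
    protocol: int                   # 0 = any IP protocol


class Ace(NamedTuple):
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Constructed sample: the R3 debug lines quoted above, trimmed to the proposal.
R3_DEBUG = """\
Nov 19 12:06:05.375: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 162.1.13.3, remote= 162.1.113.13,
    local_proxy= 162.1.13.3/255.255.255.255/0/0 (type=1),
    remote_proxy= 162.1.113.13/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= NONE  (Tunnel),
"""

_PROXY_RE = re.compile(
    r"(local|remote)_proxy=\s*(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)")


def parse_proxies(debug_text: str) -> List[Proxy]:
    """Pair each local_proxy line with the remote_proxy line that follows it."""
    proxies, pending = [], {}
    for m in _PROXY_RE.finditer(debug_text):
        side, addr, mask, proto, _port = m.groups()
        pending[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        pending.setdefault("proto", int(proto))
        if "local" in pending and "remote" in pending:
            proxies.append(Proxy(pending["local"], pending["remote"], pending["proto"]))
            pending = {}
    return proxies


def _operand(tok: List[str], wildcard: bool):
    """Consume one ACL address operand. IOS uses wildcard (inverse) masks,
    the ASA uses ordinary subnet masks; 'any' and 'host X' work on both."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    mask = int(ipaddress.IPv4Address(tok[1]))
    if wildcard:
        mask = ~mask & 0xFFFFFFFF          # 0.0.0.255 -> 255.255.255.0
    net = ipaddress.ip_network(f"{tok[0]}/{ipaddress.IPv4Address(mask)}", strict=False)
    return net, tok[2:]


def parse_ace(line: str, platform: str) -> Ace:
    """platform is 'ios' ('permit ip A WC B WC') or 'asa'
    ('access-list NAME extended permit ip A MASK B MASK')."""
    tok = line.split()
    i = tok.index("permit")
    if tok[i + 1] != "ip":
        raise ValueError(f"only 'permit ip' ACEs are handled: {line!r}")
    src, rest = _operand(tok[i + 2:], wildcard=(platform == "ios"))
    dst, _ = _operand(rest, wildcard=(platform == "ios"))
    return Ace(src, dst)


def find_matching_ace(proxy: Proxy, acl: List[Ace]) -> Optional[Ace]:
    """Responder-side proxy_match: local proxy inside an ACE's source and
    remote proxy inside its destination, else 'proxy identities not supported'."""
    for ace in acl:
        if proxy.local.subnet_of(ace.src) and proxy.remote.subnet_of(ace.dst):
            return ace
    return None


def proxy_from_peer_ace(ace: Ace) -> Proxy:
    """What a peer proposes from its own ACE, seen from our side: its
    destination becomes our local proxy and its source our remote proxy."""
    return Proxy(local=ace.dst, remote=ace.src, protocol=0)


R3_ACL = [parse_ace("permit ip 10.35.35.0 0.0.0.255 162.1.113.0 0.0.0.255", "ios")]
ASA_ACL = [parse_ace("access-list VLAN113TOVLAN3 extended permit ip "
                     "162.1.113.0 255.255.255.0 10.35.35.0 255.255.255.0", "asa")]


def check_debug(debug_text: str = R3_DEBUG, acl: List[Ace] = R3_ACL):
    """Return [(proposed proxy, matching ACE or None)] for each proposal."""
    return [(p, find_matching_ace(p, acl)) for p in parse_proxies(debug_text)]


if __name__ == "__main__":
    for p, ace in check_debug():
        print(f"proposed {p.local} <-> {p.remote}: "
              f"{'matches ' + str(ace) if ace else 'no matching ACE (QM rejected)'}")
    mirrored = proxy_from_peer_ace(ASA_ACL[0])
    print(f"ASA ACL would propose {mirrored.local} <-> {mirrored.remote}: "
          f"{'OK' if find_matching_ace(mirrored, R3_ACL) else 'mismatch'}")
```

Run against the debug text, the checker reports no matching ACE, just as R3 did: the proposal R3 received is a host-to-host pair (162.1.13.3/32 and 162.1.113.13/32, the two tunnel endpoints), not the 162.1.113.0/24 to 10.35.35.0/24 pair that VLAN113TOVLAN3 describes. Feeding it the proposal that the ASA's ACL would produce shows that the two ACLs themselves do mirror each other and would match, which is why comparing the proxy lines in the debug against the ACL, rather than the ACLs against each other, is the check to make when you see "proxy identities not supported".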

Comments

  • Hi

    do you have the following command in R3?

    crypto isakmp identity dn (or hostname)

    Nov 19 12:06:05.231: ISAKMP:(1056): Unable to get DN from certificate!
    Nov 19 12:06:05.231: ISAKMP:(1056): Cert presented by peer contains no OU field.
    Nov 19 12:06:05.239: ISAKMP:(1056):My ID configured as IPv4 Addr, but Addr not in Cert!
    Nov 19 12:06:05.239: ISAKMP:(1056):Using FQDN as My ID
    Nov 19 12:06:05.375: IPSEC(validate_proposal_request): proposal part #1
    Nov 19 12:06:05.375: IPSEC(validate_proposal_request): proposal part #1,

    Fred.

  • Hi Fred,

    I tried changing it, and it's my fault here,

    Thanks,

    Guy.