Hello Group!
I am trying to get an ipsec tunnel up between an 80CM and an ASA.
We are using certificates.
We are using 5.2.4
Certificates were loaded manually through the cli as the gui doesn't like them.
However once entered in the cli they show up nicely to be viewed in the gui.
On the ASA side no errors are seen but we do see a connection being made but then torn down almost immediately.
On the Fgt side we enabled: diagnose debug application ike -255
The results below repeat continuously;
ike 0:Network:326101: auth verify done ike 0:Network:326102: peer certificate not received ike 0:Network:326102: certificate validation failed ike 0:Network:326102: auth verify done ike 0:Network:326103: peer certificate not received ike 0:Network:326103: certificate validation failed ike 0:Network:326103: auth verify done
As a small background, the ASA (main gate) serves hundreds of other ASAs and probably 30 IAS boxes using certs.
This is the first time we have tried using certs on a Fgt.
Not quite sure what "peer certificate not received" alludes to.
Besides the gui issue we have also bumped into a problem with the Remote ID field.
Apparently it will only take 63 chars and below. Our Remote ID of the gate, even if spaces are stripped - is 79 chars.
So we're using "Any peer ID" for now. (but our security people will probably complain) Can this be entered in the cli and will it be saved? If we open that tunnel to edit will the gui then complain about the long string?
So not going as smoothly as hoped. Any suggestions gladly received!
Kevin
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
So it seems like you didn't receive a peer-cert, did they do any diagnostics on the cisco ASA? And validate peer certification in the cfg?
e.g
debug crypto isakmp
PCNSE
NSE
StrongSwan
Hi,
I have exactly the same issue,
the problem probably comes from the IKE fragmentation.
BR
I didn't think you could run site2site vpns using a certificate from a ASA or the enrollement server. How did they ( cisco ) 1> craft a certificate for you 2> how did they download it?
Sure the fortigate can't uses SCEP like what's expected and only supported in the cisco ASA, unless I'm mistaken and something has changed in the last few years.
PCNSE
NSE
StrongSwan
Hi,
Before migrate to ikev2, we had a VPN IPSec Site to Site ikev1 (FGT 100D<--> Cisco ASA 5585) with certif function correctly.
The Certificats was issued fron a MS CA Server
BR
How did you export the cert for the fortigate from the MS CA? The cisco ASA only works with SCEP I heard you can manually execute some things but it's not as easy as 1 2 3.
So in the OP post, he needs to make sure the "proper" cert is enabled for the ike authentication and only certificate with no peer-id ( unless the cisco ASA is requiring a peer-id )
PCNSE
NSE
StrongSwan
Hi,
Thank you for your update
I have exported the certif for ASA and FGT from MS CA with Base 64 encoded.
On the ASA side the certif is enabled for the ike authentication :
tunnel-group 10.7.3.28 ipsec-attributes ikev2 remote-authentication certificate ikev2 local-authentication certificate ASA.PCIDSS
BR
So "ASA.PCIDSS" is a certifcate defined on the ASA & the show crypto ca certificate shows the certificates?
e.g
crypto pki certificate chain ASA.PCIDSS
On the fortigate can you validate the certificate with the show full vpn certificate local cmd?
Alternatively you can review the cert in the webGUI and validate the cert is show and the serial#. Since your using ikev2 what does your phase1-interface config looks like on the fortigate?
And finally, did you run any debugs from the ciscoASA to see what it complains about if any?
do the following;
crypto ca enroll
crypto ca authenticate
show crypto ca certificates
and ensure debug is enabled.
debug cry pki messages
debug cry pki trans
Since you have other ASAs I'm betting the problems starts on the fortigate side configurations. You can debug and try to catch the 1st IKE packet from the fortigate send see what it shows as originator.
PCNSE
NSE
StrongSwan
btw post us a update once you get this to work. I have never been sucessful with certificates on ASA and other devices.
;)
PCNSE
NSE
StrongSwan
Hi,
Thank you for update,
ASA.PCIDSS is the trustpoint : CA certificate + Signed Identity Certificate
ASA config:
-----------
crypto ca trustpoint PCIDSS.ASA enrollment terminal fqdn FWMutualisation1.domainName subject-name CN=FWMutualisation1.domainName, OU=XX, O=XX, C=XX, L=XXXX serial-number keypair ASA_PCIDSS crl configure crypto ca trustpool policy
crypto ca certificate chain PCIDSS.ASA
---------------------
I can review the cert in the webGUI and validate it. (status OK)
Config FortiGate phase1 and phase2:
config vpn ipsec phase1-interface edit "MON-SYSBD" set interface "Outside" set ike-version 2 set authmethod signature set proposal aes256-sha512 set dpd disable set dhgrp 2 set remote-gw X.X.X.X set certificate "VPN_PCI_DSS" next end config vpn ipsec phase2-interface edit "MON-SYSBD-2" set phase1name "MON-SYSBD" set proposal aes256-sha512 set dhgrp 5 set auto-negotiate enable set keylifeseconds 28800 set src-name "DMZ_ENTITES" set dst-name "DMZ-CENTRAUX" next end
--------------------------
Yes, I have debugs from the ciscoASA :
IKEv2-PLAT-3: (7483): SENT PKT [IKE_AUTH] [172.21.176.1]:500->[10.7.3.28]:500 InitSPI=0xc8dbf4ef45acf4e0 RespSPI=0xe74e994ac120cf35 MID=00000001 IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK IKEv2-PROTO-5: (7483): Action: Action_Null IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_PKI_SESH_CLOSE IKEv2-PROTO-5: (7483): Closing the PKI session IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_UPDATE_CAC_STATS IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_INSERT_IKE IKEv2-PROTO-2: (7483): IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started IKEv2-PROTO-2: (7483): Session with IKE ID PAIR (e=agouzoza@eurafric-information.com,cn=10.7.3.28,ou=Security,l=XX Siege,c=XX, cn=FWMutualisation1.XXXXX,ou=XXXX,o=XXX,l=XXXX,c=XXXX) is UP IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_REGISTER_SESSION IKEv2-PLAT-2: (7483): connection auth hdl set to 1204 IKEv2-PLAT-2: (7483): AAA conn attribute retrieval successfully queued for register session request. IKEv2-PROTO-2: (7483): IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_NO_EVENT IKEv2-PLAT-2: (7483): idle timeout set to: 30 IKEv2-PLAT-2: (7483): session timeout set to: 0 IKEv2-PLAT-2: (7483): group policy set to GroupePolicy_10.7.3.28 IKEv2-PLAT-2: (7483): class attr set IKEv2-PLAT-2: (7483): tunnel protocol set to: 0x40 IKEv2-PLAT-2: (7483): IPv4 filter ID not configured for connection IKEv2-PLAT-2: (7483): group lock set to: none IKEv2-PLAT-2: (7483): IPv6 filter ID not configured for connection IKEv2-PLAT-2: (7483): connection attribues set valid to TRUE IKEv2-PLAT-2: (7483): Successfully retrieved conn attrs IKEv2-PLAT-2: (7483): Session registration after conn attr retrieval PASSED, No error IKEv2-PROTO-2: (7483): Initializing DPD, configured for 10 seconds IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_RECD_REGISTER_SESSION_RESP IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_GEN_LOAD_IPSEC IKEv2-PROTO-2: (7483): Load IPSEC key material IKEv2-PLAT-2: (7483): Base MTU get: 0 IKEv2-PLAT-2: (7483): Base MTU get: 0 IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_START_ACCT IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHECK_DUPE IKEv2-PROTO-2: (7483): Checking for duplicate IKEv2 SA IKEv2-PROTO-2: (7483): No duplicate IKEv2 SA found IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_CHK4_ROLE IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_R_OK IKEv2-PROTO-2: (7483): Starting timer (8 sec) to delete negotiation context IKEv2-PROTO-5: (7483): SM Trace-> SA: I_SPI=C8DBF4EF45ACF4E0 R_SPI=E74E994AC120CF35 (R) MsgID = 00000001 CurState: READY Event: EV_NO_EVENT
------------------
I can't see any error message on this debug
BR
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.