xauth problem with Cisco VPN client

Status
Not open for further replies.

johlang

IS-IT--Management
Apr 10, 2003
4
SE
Hi, I use a Cisco VPN 3005 Concentrator and the Cisco 3.6.3 Client. I have successfully deployed a VPN based on shared secrets, but I would like to increase security by using certificates. I configured a root CA on a win2k advanced server and managed to install certificates on both client and concentrator. However, when I try to connect using certificate authentication, I get the following error message in my client logfile:

-----------------------------------------------------------

1 15:45:36.577 04/10/03 Sev=Warning/3 XAUTH/0xE3500007
GI interact request callback timed out.
-----------------------------------------------------------

And there is a pop up window with the message:
-----------------------------------------------------------
System error: unable to retrieve extended authentication parameters.
-----------------------------------------------------------

On the concentrator side I get the following log message:

----------------------------------------------------------
1844 04/10/2003 15:59:28.610 SEV=5 IKE/79 RPT=40 194.xxx.xxx.xxx
Group [exjobb]
Validation of certificate successful
(CN=jola, SN=61298DC8F00000000006)

1846 04/10/2003 15:59:38.250 SEV=5 IKE/50 RPT=34 194.xxx.xxx.xxx
Group [exjobb]
Connection terminated for peer (Peer Terminate)
Remote Proxy N/A, Local Proxy N/A
--------------------------------------------------------

Note that the concentrator validates the certificate without any problems. So it seems that I have a problem with xauth.

Concentrator configuration:
SA:
IPsec Parameters
Authentication Algorithm: esp/md5/hmac128
Encryption Algorithm: 3DES-168
Perfect Forward Secrecy: group 2(1024 bits)
Encapsulation Mode: tunnel
IKE Parameters
Negotiation Mode: main
Digital Certificate: Concentrator 3005
IKE Proposal: CiscoVPNClient-3DES-MD5-RSA

In the group matching policy I obtain groupname from OU.

I'm aware of the fact that this is a lot of information for you to read but this problem has been bugging me for several days. I can't create a tunnel with certificate authentication and it's killing me.
If you need any more information please ask!
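
The sequence visible in the concentrator log above (certificate validated, then the peer ends the session about ten seconds later) can be picked out of a larger log mechanically. This is an added example, not part of the original post or of any Cisco tooling; it assumes the record layout shown in the quoted log, and the function names and the 30-second window are hypothetical.

```python
import re
from datetime import datetime

# Record header as shown in the post: seq, MM/DD/YYYY, time, SEV, class/id, RPT, peer
HEADER = re.compile(
    r"^(?P<seq>\d+) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>[\d:.]+) "
    r"SEV=(?P<sev>\d+) (?P<event>\w+/\d+) RPT=\d+ (?P<peer>\S+)$")

# The two concentrator records quoted in the post (peer address masked there).
SAMPLE = """\
1844 04/10/2003 15:59:28.610 SEV=5 IKE/79 RPT=40 194.xxx.xxx.xxx
Group [exjobb]
Validation of certificate successful
(CN=jola, SN=61298DC8F00000000006)
1846 04/10/2003 15:59:38.250 SEV=5 IKE/50 RPT=34 194.xxx.xxx.xxx
Group [exjobb]
Connection terminated for peer (Peer Terminate)
Remote Proxy N/A, Local Proxy N/A
"""

def parse_records(text):
    """Fold each header line and its continuation lines into one record."""
    records = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            stamp = m["date"] + " " + m["time"]
            records.append({"peer": m["peer"], "event": m["event"], "body": [],
                            "when": datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S.%f")})
        elif line and records:
            records[-1]["body"].append(line)
    return records

def cert_ok_then_terminated(records, window_s=30):
    """Peers that passed certificate validation, then terminated within window_s."""
    validated, hits = {}, []
    for rec in records:
        body = " ".join(rec["body"])
        group = re.search(r"Group \[([^\]]*)\]", body)
        key = (rec["peer"], group.group(1) if group else None)
        if "Validation of certificate successful" in body:
            validated[key] = rec["when"]
        elif "Peer Terminate" in body and key in validated:
            gap = (rec["when"] - validated.pop(key)).total_seconds()
            if gap <= window_s:
                hits.append((key[0], key[1], gap))
    return hits

print(cert_ok_then_terminated(parse_records(SAMPLE)))
```

Each hit is a (peer, group, seconds) tuple, so a session that clears certificate validation and then drops before a tunnel comes up stands out from sessions that fail earlier in IKE.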
 