From: Jaspreet Bhatia (jasbhati@cisco.com)
Date: Fri Jun 18 2004 - 18:52:27 GMT-3
Hello Mark,
I apologize about my confusing question and no debugs.
This is what I really meant to ask
I knew that on the router three options exist for authentication
1) pre-shared
2) encrypted nonces
3) rsa-signatures
And on the PIX there are only two options
1) pre-shared
2) rsa-signatures
I first tried the IPSEC tunnel between Router and PIX with the pre-shared authentication option.
Then I changed the authentication option to rsa-signatures but did not define a CA.
So the command crypto isakmp key ***** address "peer_address" was still there in the router.
So the debugs in the PIX told me that it was looking for a cert from a CA server (which was normal behaviour), but the router was still trying to establish the tunnel with a pre-shared key as one was still configured on the router.
So I found out what I was doing wrong.
Bottom line: RSA-signatures usually are configured with a CA server.
Thanks for your help.
Regards,
Jas
-----Original Message-----
From: Mark Lewis [mailto:markl11@hotmail.com]
Sent: Thursday, June 17, 2004 3:42 PM
To: jasbhati@cisco.com
Cc: ccielab@groupstudy.com
Subject: RE: Question about rsa-signatures
Jas,
Please post the debugs, but here's some complete conjecture to be going on with :)
You'll have to post the debug, but I am guessing that you are seeing 'rsa-sig' as the 'auth' parameter in IKE (ISAKMP) phase 1.
You may get a failure during the exchange of the first 2 IKE messages, but I am guessing it does this:
I am guessing that you are seeing a 'CR' (certificate request, though this may not be visible in the debug) payload sent by the PIX (and maybe a 'CERT' payload sent by the PIX [if you have enrolled it with the CA])?? But the router is not sending the 'CERT' payload (contains a cert or cert chain) in response to the CR payload from the PIX.
So, the PIX is trying to do digital signature auth, is requesting a cert or cert chain from the router, but the router hasn't got a cert to send, and (another guess without seeing the debug) the IKE (ISAKMP) fails during the exchange of messages 5 and 6 (assuming main mode for IKE phase 1).
You'll know that IKE (ISAKMP) has failed during the exchange of messages 5 and 6 because you see (depending on which box you are debugging on) 'IKE_I_MM5/6' or 'IKE_R_MM5/6' - the I and R indicate initiator (the box that initiated IKE negotiation) and responder (the box that didn't initiate IKE).
Shortly after you see 'IKE_x_MM5', I am guessing you can see a 'Notify' payload (that indicates an error or informational condition - in this case it actually indicates an IKE failure).
IKE does authentication with messages 5 and 6 in phase 1, so if the two boxes manage somehow to agree IKE auth (done during IKE messages 1 and 2), messages 5 and 6 are where it will all go wrong if auth is at fault.
Anyway, enough conjecture - please post the configs :)
BTW- you do indeed have to enroll IPSec boxes with a CA to get a *signed* digital certificate. That's the whole point about certificates - they are basically a *signed* association of a public key and identity info. The CA signs it, and by doing so attests that the public key does indeed belong to the identity given in the identity info (router's FQDN, etc). Because IPSec peers trust the CA, they will trust certs signed by the CA, and be able to authenticate another peer who presents a cert signed by the CA that they trust. That's how IKE digital signature auth works - the IPSec peers exchange certs signed by a common CA (or CA hierarchy) during IKE phase 1 (messages 5 and 6 in main mode), and because they both trust the certs signed by the CA (or CA hierarchy) authentication succeeds.
Don't confuse (what Cisco calls) encrypted nonce authentication with digital signature auth - both require the generation of RSA key pairs, but encrypted nonce authentication does not require enrollment with a CA (and does not require certificates). Instead, with encrypted nonce auth you exchange IPSec peers' public keys out-of-band, and paste them into the peers' config.
Mark
CCIE#6280 / CCSI#21051 / etc.
Author: www.ciscopress.com/1587051044
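Mark's account of where things go wrong (auth method agreed in messages 1 and 2, CERT and SIG payloads exchanged in messages 5 and 6, an unenrolled peer having no CERT to send back for the CR) can be walked through in code. The block below is an added example written for this page, not code from the thread, from Cisco IOS or from the PIX: a toy Python model of IKEv1 main mode in which the CA, the PIX and the router are constructed, RSA is textbook RSA over tiny constructed primes, the DH exchange is omitted, and the payload contents, the "Notify NO-PROPOSAL-CHOSEN" string and the MM5/MM6 labels in the returned reasons are simplifications rather than real debug output.

```python
"""Toy walk-through of IKEv1 main mode phase 1 (MM1..MM6) with pre-shared-key and RSA-signature
auth. Added example, not Cisco IOS/PIX code: textbook RSA over tiny constructed primes, DH omitted."""
import hashlib, hmac, os
from dataclasses import dataclass, field
from math import gcd

def toy_rsa_keypair(p, q):
    """Textbook RSA key pair from two small constructed primes (insecure demo only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = next(c for c in (3, 5, 7, 11, 13, 17) if gcd(c, phi) == 1)
    return (n, e), (n, pow(e, -1, phi))           # (public, private)

def digest_mod(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(priv, data):           # priv = (n, d)
    return pow(digest_mod(data, priv[0]), priv[1], priv[0])
def verify(pub, data, sig):     # pub = (n, e)
    return pow(sig, pub[1], pub[0]) == digest_mod(data, pub[0])

@dataclass
class Cert:
    subject: str
    pub: tuple
    issuer: str
    sig: int = 0
    def tbs(self):              # the bytes the CA signs: identity bound to public key
        return f"{self.subject}|{self.pub[0]}|{self.pub[1]}|{self.issuer}".encode()

def ca_issue(ca_name, ca_priv, subject, pub):
    """Enrollment: the CA signs the binding of identity to public key."""
    cert = Cert(subject, pub, ca_name)
    cert.sig = sign(ca_priv, cert.tbs())
    return cert

@dataclass
class Peer:
    name: str
    auth_methods: list          # isakmp policy authentication methods, in priority order
    psk: bytes = None
    priv: tuple = None
    cert: Cert = None
    trusted_cas: dict = field(default_factory=dict)   # issuer name -> CA public key

def auth_payload(peer, method, hash_input):
    """What a peer sends in MM5/MM6: ID+HASH for pre-share, ID+CERT+SIG for rsa-sig."""
    if method == "pre-share":
        return {"ID": peer.name, "HASH": hmac.new(peer.psk or b"", hash_input, "sha256").digest()}
    payload = {"ID": peer.name}
    if peer.cert and peer.priv: # an unenrolled peer has no CERT to answer the CR with
        payload["CERT"], payload["SIG"] = peer.cert, sign(peer.priv, hash_input)
    return payload

def verify_auth(peer, method, payload, hash_input):
    """None when the peer accepts the MM5/MM6 payload, otherwise the reason it rejects it."""
    if method == "pre-share":
        expected = hmac.new(peer.psk or b"", hash_input, "sha256").digest()
        return None if hmac.compare_digest(expected, payload["HASH"]) else "HASH mismatch"
    if "CERT" not in payload:
        return "no CERT payload in response to CR (peer not enrolled with a CA)"
    cert, ca_pub = payload["CERT"], peer.trusted_cas.get(payload["CERT"].issuer)
    if ca_pub is None:
        return f"CERT issuer '{cert.issuer}' not trusted"
    if not verify(ca_pub, cert.tbs(), cert.sig):
        return "CA signature on CERT does not verify"
    if not verify(cert.pub, hash_input, payload["SIG"]):
        return "SIG does not verify under the CERT public key"
    return None

def main_mode(init, resp):
    """Run MM1..MM6 between initiator and responder; report where it fails and why."""
    fail = lambda at, why: {"status": "failed", "failed_at": at, "reason": why}
    # MM1/MM2: SA proposal and selection, which is where the auth method is agreed
    chosen = next((m for m in init.auth_methods if m in resp.auth_methods), None)
    if chosen is None:
        return fail("MM2", "Notify NO-PROPOSAL-CHOSEN")
    # MM3/MM4: KE and nonces (DH omitted); the responder sends a CR when rsa-sig was chosen
    ni, nr = os.urandom(8), os.urandom(8)
    hash_i, hash_r = ni + nr + init.name.encode(), nr + ni + resp.name.encode()
    # MM5: initiator proves its identity; a failure here shows as IKE_R_MM5 on the responder
    err = verify_auth(resp, chosen, auth_payload(init, chosen, hash_i), hash_i)
    if err:
        return fail("MM5", f"{resp.name} rejects MM5: {err}")
    # MM6: responder proves its identity; a failure here shows as IKE_I_MM6 on the initiator
    err = verify_auth(init, chosen, auth_payload(resp, chosen, hash_r), hash_r)
    if err:
        return fail("MM6", f"{init.name} rejects MM6: {err}")
    return {"status": "established", "auth": chosen}

# Constructed lab: one CA, a PIX enrolled with it, and a router in three configurations
CA_PUB, CA_PRIV = toy_rsa_keypair(101, 103)
PIX_PUB, PIX_PRIV = toy_rsa_keypair(127, 131)
RTR_PUB, RTR_PRIV = toy_rsa_keypair(61, 53)
pix = Peer("pix", ["rsa-sig"], priv=PIX_PRIV, trusted_cas={"lab-ca": CA_PUB},
           cert=ca_issue("lab-ca", CA_PRIV, "pix.lab", PIX_PUB))
def router_unenrolled():    # rsa-sig in the policy but never enrolled with a CA (the thread's case)
    return Peer("router", ["rsa-sig"], priv=RTR_PRIV)
def router_enrolled():
    return Peer("router", ["rsa-sig"], priv=RTR_PRIV, trusted_cas={"lab-ca": CA_PUB},
                cert=ca_issue("lab-ca", CA_PRIV, "router.lab", RTR_PUB))
def router_preshare_only(): # pre-share only, so no proposal matches the PIX's rsa-sig policy
    return Peer("router", ["pre-share"], psk=b"cisco")
```

Calling `main_mode(router_unenrolled(), pix)` reproduces the thread's symptom: the proposals agree on rsa-sig in MM1/MM2, the PIX asks for a cert, and the exchange dies at MM5 because the router has no CERT payload to send. With the PIX initiating instead, it still fails at MM5, this time because the unenrolled router trusts no CA and so rejects the PIX's cert. Enrolling the router with the same CA (`router_enrolled()`) makes both directions succeed, while a pre-share-only policy fails earlier, at MM2, before any certificate is involved.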
>From: "Jaspreet Bhatia" <jasbhati@cisco.com>
>Reply-To: "Jaspreet Bhatia" <jasbhati@cisco.com>
>To: <ccielab@groupstudy.com>
>CC: "'Alejandro Eguiarte (aeguiart)'" <aeguiart@cisco.com>,
><jasbhati@cisco.com>
>Subject: Question about rsa-signatures
>Date: Thu, 17 Jun 2004 14:59:20 -0700
>
>Folks,
> I have a question about using the rsa-signature in
>the isakmp policy. In the router when you do the rsa-signature option for
>authentication in the isakmp policy you do not have to configure a CA
>server to get digital certificates. I have been trying to do the same
>option for authentication on the PIX and from the debugs, it seems
>like it is looking for a digital certificate from a CA server. Can
>anyone please throw some light on this issue.
>
>Thanks
>
>Jas
>
>_______________________________________________________________________
>Please help support GroupStudy by purchasing your study materials from:
>http://shop.groupstudy.com
>
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:44 GMT-3