VPN S-t-S on certificates

Hello.

I have this topology:
(10.10.1.0/24) - Cisco ASA - (192.168.3.0/30) - Router with dhcp to Mikrotik - (192.168.4.8/30) - Mikrotik - (10.10.10.0/24)
I need to make a VPN connection 10.10.1.0-10.10.10.0 using certificates from a Windows CA (Root and Sub CA).
I got the VPN working with a pre-shared key, and wrote a script to update the dynamic IP from DHCP in the IPsec policies.
Then I changed the VPN to rsa-sig and it did not work. But with a Checkpoint, the configuration of the ASA works.

Config Mikrotik

 peer print
Flags: X - disabled 
 0   address=192.168.3.1/32 port=500 auth-method=rsa-signature certificate=cert3 remote-certificate=cert3 
     generate-policy=no exchange-mode=main send-initial-contact=yes nat-traversal=yes my-id-user-fqdn="" 
     proposal-check=obey hash-algorithm=sha1 enc-algorithm=des dh-group=modp1024 lifetime=1d lifebytes=0 dpd-interval=20s 
     dpd-maximum-failures=5 

 policy print
Flags: X - disabled, D - dynamic, I - inactive 
 0   ;;; dynamic ip
     src-address=10.10.10.0/24 src-port=any dst-address=10.10.1.0/24 dst-port=any protocol=all action=encrypt 
     level=require ipsec-protocols=esp tunnel=yes sa-src-address=192.168.4.10 sa-dst-address=192.168.3.1 proposal=default 
     priority=0 

 proposal print
Flags: X - disabled, * - default 
 0  * name="default" auth-algorithms=sha1 enc-algorithms=des lifetime=1h pfs-group=modp1024 

key print
Flags: P - private-key, R - rsa 
 #    NAME                                                                                                         KEY-SIZE
 0 PR mk                                                                                                           2048-bit

/certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa 
 0    name="cert1" subject=CN=ROOT-CA issuer=CN=ROOT-CA serial-number="58C77C2497B0E8934796471D5C0D0DFE" 
      invalid-before=apr/13/2015 16:57:12 invalid-after=apr/13/2020 17:06:05 ca=yes 
 1 KR name="cert2" subject=DC=ru,DC=work,CN=SUB-CA issuer=CN=ROOT-CA serial-number="614A25CF000000000003" 
      invalid-before=apr/13/2015 18:15:07 invalid-after=apr/13/2016 18:25:07 ca=yes 
 2 KR name="cert3" subject=O=LAB,OU=LAB,CN=mk issuer=DC=ru,DC=work,CN=SUB-CA serial-number="6112B24E000000000027" 
      invalid-before=apr/29/2015 14:20:07 invalid-after=apr/13/2016 18:25:07 ca=yes 
 3 KR name="cert4" subject=OU=LAB,CN=mk issuer=DC=ru,DC=work,CN=SUB-CA serial-number="611F402B000000000029" 
      invalid-before=may/05/2015 10:39:23 invalid-after=apr/13/2016 18:25:07 ca=yes 
 4    name="cert5" subject=unstructuredName=ciscoasa,OU=LAB,CN=ciscoasa issuer=DC=ru,DC=work,CN=SUB-CA 
      serial-number="610B515A00000000000A" invalid-before=apr/15/2015 06:42:39 invalid-after=apr/13/2016 18:25:07 ca=yes

Config ASA

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map DYN-CMAP 10 set pfs
crypto dynamic-map DYN-CMAP 10 set transform-set ESP-DES-SHA
crypto dynamic-map DYN-CMAP 10 set security-association lifetime seconds 3600
crypto dynamic-map DYN-CMAP 10 set reverse-route
crypto map NEW 65535 ipsec-isakmp dynamic DYN-CMAP
crypto map NEW interface outside
crypto ca trustpoint ROOT-CA
 enrollment terminal
 crl configure
crypto ca trustpoint SUB-CA
 enrollment terminal
 fqdn ciscoasa
 subject-name CN=ciscoasa,OU=LAB
 keypair KEY-CA
 crl configure
crypto ca certificate map L2L 10
 subject-name attr cn eq mk
crypto ca certificate chain ROOT-CA
 certificate ca 58c77c2497b0e8934796471d5c0d0dfe
crypto ca certificate chain SUB-CA
 certificate ca 614a25cf000000000003
 certificate 610b515a00000000000a
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
tunnel-group LAB type ipsec-l2l
tunnel-group LAB ipsec-attributes
 peer-id-validate cert
 trust-point SUB-CA
 isakmp keepalive threshold 20 retry 5

Log ASA

ciscoasa(config)# May 05 11:26:35 [IKEv1 DEBUG]: IP = 192.168.4.10, Oakley proposal is acceptable
May 05 11:26:35 [IKEv1 DEBUG]: IP = 192.168.4.10, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
May 05 11:26:36 [IKEv1]: IP = 192.168.4.10, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
May 05 11:26:36 [IKEv1]: IP = 192.168.4.10, Connection landed on tunnel_group LAB
May 05 11:26:36 [IKEv1 DEBUG]: Group = LAB, IP = 192.168.4.10, peer ID type 9 received (DER_ASN1_DN)
May 05 11:26:37 [IKEv1]: Group = LAB, IP = 192.168.4.10, PHASE 1 COMPLETED
May 05 11:26:37 [IKEv1]: IP = 192.168.4.10, Keep-alive type for this connection: DPD
May 05 11:26:37 [IKEv1 DEBUG]: Group = LAB, IP = 192.168.4.10, Starting P1 rekey timer: 64800 seconds.
May 05 11:26:37 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 2436583362
May 05 11:26:46 [IKEv1]: Group = LAB, IP = 192.168.4.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 05 11:26:46 [IKEv1]: Group = LAB, IP = 192.168.4.10, P1 Retransmit msg dispatched to MM FSM
May 05 11:26:46 [IKEv1]: Group = LAB, IP = 192.168.4.10, Responder resending last msg
May 05 11:26:46 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 2681507956
May 05 11:26:56 [IKEv1]: Group = LAB, IP = 192.168.4.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 05 11:26:56 [IKEv1]: Group = LAB, IP = 192.168.4.10, P1 Retransmit msg dispatched to MM FSM
May 05 11:26:56 [IKEv1]: Group = LAB, IP = 192.168.4.10, Responder resending last msg
May 05 11:26:56 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 2272817179
May 05 11:27:06 [IKEv1]: Group = LAB, IP = 192.168.4.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 05 11:27:06 [IKEv1]: Group = LAB, IP = 192.168.4.10, P1 Retransmit msg dispatched to MM FSM
May 05 11:27:06 [IKEv1]: Group = LAB, IP = 192.168.4.10, Responder resending last msg
May 05 11:27:06 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 2902861393
May 05 11:27:16 [IKEv1]: Group = LAB, IP = 192.168.4.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 05 11:27:16 [IKEv1]: Group = LAB, IP = 192.168.4.10, P1 Retransmit msg dispatched to MM FSM
May 05 11:27:16 [IKEv1 DEBUG]: Group = LAB, IP = 192.168.4.10, IKE MM Responder FSM error history (struct &0xc92a89c0)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_ACTIVE, EV_FO_ERR_CLEANUP-->MM_ACTIVE, EV_ERR_CLEANUP-->MM_ACTIVE, EV_RESEND_MSG-->MM_ACTIVE, NullEvent-->MM_RSND_LST_MSG, EV_RESEND_MSG-->MM_ACTIVE, EV_RESEND_MSG-->MM_ACTIVE, NullEvent
May 05 11:27:16 [IKEv1]: Group = LAB, IP = 192.168.4.10, Session is being torn down. Reason: Lost Service
May 05 11:27:16 [IKEv1]: Ignoring msg to mark SA with dsID 966656 dead because SA deleted
May 05 11:27:26 [IKEv1]: IP = 192.168.4.10, Received encrypted packet with no matching SA, dropping
May 05 11:28:22 [IKEv1 DEBUG]: IP = 192.168.4.10, Oakley proposal is acceptable
May 05 11:28:22 [IKEv1 DEBUG]: IP = 192.168.4.10, IKE SA Proposal # 1, Transform # 1 acceptable  Matches global IKE entry # 1
May 05 11:28:23 [IKEv1]: IP = 192.168.4.10, Automatic NAT Detection Status:     Remote end is NOT behind a NAT device     This   end is NOT behind a NAT device
May 05 11:28:23 [IKEv1]: IP = 192.168.4.10, Connection landed on tunnel_group LAB
May 05 11:28:23 [IKEv1 DEBUG]: Group = LAB, IP = 192.168.4.10, peer ID type 9 received (DER_ASN1_DN)
May 05 11:28:23 [IKEv1]: Group = LAB, IP = 192.168.4.10, PHASE 1 COMPLETED
May 05 11:28:23 [IKEv1]: IP = 192.168.4.10, Keep-alive type for this connection: DPD
May 05 11:28:23 [IKEv1 DEBUG]: Group = LAB, IP = 192.168.4.10, Starting P1 rekey timer: 64800 seconds.
May 05 11:28:23 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 3973137447
May 05 11:28:33 [IKEv1]: Group = LAB, IP = 192.168.4.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 05 11:28:33 [IKEv1]: Group = LAB, IP = 192.168.4.10, P1 Retransmit msg dispatched to MM FSM
May 05 11:28:33 [IKEv1]: Group = LAB, IP = 192.168.4.10, Responder resending last msg
May 05 11:28:33 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 3409286835
May 05 11:28:43 [IKEv1]: Group = LAB, IP = 192.168.4.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 05 11:28:43 [IKEv1]: Group = LAB, IP = 192.168.4.10, P1 Retransmit msg dispatched to MM FSM
May 05 11:28:43 [IKEv1]: Group = LAB, IP = 192.168.4.10, Responder resending last msg
May 05 11:28:43 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 2384858238
May 05 11:28:53 [IKEv1]: Group = LAB, IP = 192.168.4.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 05 11:28:53 [IKEv1]: Group = LAB, IP = 192.168.4.10, P1 Retransmit msg dispatched to MM FSM
May 05 11:28:53 [IKEv1]: Group = LAB, IP = 192.168.4.10, Responder resending last msg
May 05 11:28:53 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 4116024634
May 05 11:29:00 [IKEv1]: Group = LAB, IP = 192.168.4.10, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
May 05 11:29:00 [IKEv1]: Group = LAB, IP = 192.168.4.10, Session is being torn down. Reason: Lost Service
May 05 11:29:00 [IKEv1]: Ignoring msg to mark SA with dsID 970752 dead because SA deleted
May 05 11:29:03 [IKEv1]: IP = 192.168.4.10, Received encrypted packet with no matching SA, dropping
May 05 11:29:13 [IKEv1]: IP = 192.168.4.10, Received encrypted packet with no matching SA, dropping

Log Mikrotik (without hex): http://rghost.ru/7dBwr699X

I upgraded the firmware to the latest version and it's OK!
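An added diagnostic helper, not from the poster or from either vendor: it splits the ASA IKEv1 debug output above into negotiations per peer and reports whether each one reached PHASE 1 COMPLETED and then only saw "invalid payloads" informationals and Phase 1 retransmits before being torn down, which is the pattern in the log. The sample lines are copied from the post; the verdict labels and the assumption that "Oakley proposal is acceptable" opens a new negotiation are my own.

```python
import re

# Constructed sample: a subset of the ASA debug lines from the post (first line keeps the CLI prompt).
SAMPLE_LOG = """\
ciscoasa(config)# May 05 11:26:35 [IKEv1 DEBUG]: IP = 192.168.4.10, Oakley proposal is acceptable
May 05 11:26:37 [IKEv1]: Group = LAB, IP = 192.168.4.10, PHASE 1 COMPLETED
May 05 11:26:37 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 2436583362
May 05 11:26:46 [IKEv1]: Group = LAB, IP = 192.168.4.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 05 11:26:46 [IKEv1]: Group = LAB, IP = 192.168.4.10, Received encrypted Oakley Informational packet with invalid payloads, MessID = 2681507956
May 05 11:26:56 [IKEv1]: Group = LAB, IP = 192.168.4.10, Duplicate Phase 1 packet detected.  Retransmitting last packet.
May 05 11:27:16 [IKEv1]: Group = LAB, IP = 192.168.4.10, Session is being torn down. Reason: Lost Service
May 05 11:27:16 [IKEv1]: Ignoring msg to mark SA with dsID 966656 dead because SA deleted
May 05 11:28:22 [IKEv1 DEBUG]: IP = 192.168.4.10, Oakley proposal is acceptable
May 05 11:28:23 [IKEv1]: Group = LAB, IP = 192.168.4.10, PHASE 1 COMPLETED
May 05 11:29:00 [IKEv1]: Group = LAB, IP = 192.168.4.10, Session is being torn down. Reason: Lost Service
"""

# Matches the "[IKEv1]: Group = X, IP = Y, message" / "[IKEv1 DEBUG]: IP = Y, message" layouts.
LINE_RE = re.compile(
    r"(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \[IKEv1(?: DEBUG)?\]: "
    r"(?:Group = (?P<group>\S+), )?IP = (?P<ip>[\d.]+), (?P<msg>.*)$"
)

def classify(s):
    """Label one negotiation (labels are this example's own, not ASA terminology)."""
    if s["phase1"] and s["teardown"] and s["invalid_payloads"]:
        return "phase1-ok-but-post-phase1-messages-rejected"
    if not s["phase1"]:
        return "phase1-failed"
    return "torn-down" if s["teardown"] else "ok"

def analyze_ike_log(text):
    """Group ASA IKEv1 debug lines into per-peer negotiations and summarize each one."""
    sessions, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without a peer IP (e.g. "Ignoring msg to mark SA ...") are skipped
        ip, msg = m.group("ip"), m.group("msg")
        if msg.startswith("Oakley proposal is acceptable") or ip not in current:
            current[ip] = {"peer": ip, "start": m.group("ts"), "phase1": False,
                           "invalid_payloads": 0, "retransmits": 0, "teardown": None}
            sessions.append(current[ip])
        s = current[ip]
        if msg.startswith("PHASE 1 COMPLETED"):
            s["phase1"] = True
        elif "invalid payloads" in msg:
            s["invalid_payloads"] += 1
        elif msg.startswith("Duplicate Phase 1 packet detected"):
            s["retransmits"] += 1
        elif msg.startswith("Session is being torn down"):
            s["teardown"] = msg.split("Reason: ", 1)[1]
    for s in sessions:
        s["verdict"] = classify(s)
    return sessions
```

Run it on a full `debug crypto isakmp` capture to see how many negotiations pass Phase 1 and still collapse before any Phase 2 activity appears.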