topic Re: VPN site site with Digital certificate FAIL in Network Security

VPN site site with Digital certificate FAIL

HaroldCalderon — Fri, 17 Jul 2020 17:47:01 GMT

Hello Guys,

I set up the ikv2 VPN with pre sharekay and everything worked, this was done by just modifying the preshare key and placing a digital certificate. Without eembarog although the certificate is loaded and in order the vpn indicates errors for the decryption of the CA.

All truespoint are correct

IKEv2-PROTO-5: (648): SM Trace-> SA: I_SPI=E521A4F646361EB0 R_SPI=51094EACBA26A502 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-5: (648): Received valid parameteres in process id
IKEv2-PROTO-5: (648): SM Trace-> SA: I_SPI=E521A4F646361EB0 R_SPI=51094EACBA26A502 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-5: (648): SM Trace-> SA: I_SPI=E521A4F646361EB0 R_SPI=51094EACBA26A502 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-2: (648): Searching policy based on peer's identity 'serialNumber=A.A.A.A.A.A.A,c=UY,o=B.B.B.B.B ,cn=B.B.B.B.B. of type 'DER ASN1 DN'
IKEv2-PROTO-1: (648): Failed to locate an item in the database
IKEv2-PROTO-1: (648):
IKEv2-PROTO-5: (648): SM Trace-> SA: I_SPI=E521A4F646361EB0 R_SPI=51094EACBA26A502 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-2: (648): Verification of peer's authentication data FAILED
IKEv2-PROTO-2: (648): Sending authentication failure notify
IKEv2-PROTO-5: Construct Notify Payload: AUTHENTICATION_FAILEDIKEv2-PROTO-2: (648): Building packet for encryption.
(648):
Payload contents:
(648): NOTIFY(AUTHENTICATION_FAILED)(648): Next payload: NONE, reserved: 0x0, length: 8
(648): Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
(648):
IKEv2-PROTO-2: (648): Sending Packet [To1.1.1.1.:500/From 2.2.2.2:500/VRF i0:f0]
(648): Initiator SPI : E521A4F646361EB0 - Responder SPI : 51094EACBA26A502 Message id: 1
(648): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-3: (648): Next payload: ENCR, version: 2.0 (648): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (648): Message id: 1, length: 88(648):
Payload contents:
(648): ENCR(648): Next payload: NOTIFY, reserved: 0x0, length: 60
(648): Encrypted data: 56 bytes
(648):
IKEv2-PROTO-5: (648): SM Trace-> SA: I_SPI=E521A4F646361EB0 R_SPI=51094EACBA26A502 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-2: (648): Auth exchange failed
IKEv2-PROTO-1: (648): Auth exchange failed
IKEv2-PROTO-1: (648): Auth exchange failed
IKEv2-PROTO-5: (648): SM Trace-> SA: I_SPI=E521A4F646361EB0 R_SPI=51094EACBA26A502 (R) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-5: (648): SM Trace-> SA: I_SPI=E521A4F646361EB0 R_SPI=51094EACBA26A502 (R) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-5: (648): SM Trace-> SA: I_SPI=E521A4F646361EB0 R_SPI=51094EACBA26A502 (R) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-2: (648): Abort exchange
IKEv2-PROTO-2: (648): Deleting SA

Re: VPN site site with Digital certificate FAIL

Marvin Rhoads — Sat, 18 Jul 2020 12:17:18 GMT

When using certificates for authentication on a site-site VPN both peers must trust the other end's certificate - either via importing the certificate itself or by having a common trusted root CA.

You haven't indicated which approach you are taking.

The debug indicates this:

Verification of peer's authentication data FAILED

...which usually indicates one of the methods I mentioned has not been followed correctly.

Re: VPN site site with Digital certificate FAIL

Sheraz.Salim — Sun, 19 Jul 2020 15:13:01 GMT

pre-shared key was working good then you moved this to cert based.

- now for the cert based are you using public cert or private cert.

- how about the remote side are they also using a public cert or private cert.

if you both (remote and you) are using a public cert in that case you need to install a root cert/inter cert/ and you both side need identity cert (to get identity cert you need to generate a csr and get signed from root ca) once this get signed you need to import it in your ASA/Router.

"All truespoint are correct" have you imported the root ca?

here to give you some start if you using public cert here how to get identity cert for vpn and here

now if you using private cert i guess which will be very unlikely.

as Marvin said on this "Verification of peer's authentication data FAILED" this could be many reason it could be you have not configured cert based vpn properly.

Re: VPN site site with Digital certificate FAIL

HaroldCalderon — Wed, 22 Jul 2020 23:41:56 GMT

Hello and thanks, I had to put down and up the ikv1 and ikv2 for all firewall inside group police and then up phase 1 .

Tunnel-id Local Remote Status Role
2356188877 x.x.x.x/500 x.x.x.x/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 28800/18 sec

but now phase 2 does not Up.

show isakmp

DEBUG

IKEv2-PLAT-2: Certificate validation completed
IKEv2-PLAT-2: (565): Completed authentication for connection
IKEv2-PLAT-2: Build config mode reply: no request stored
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 1
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 3
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 4
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 5
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 7
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 8
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 9
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 10
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 11
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 12
IKEv2-PLAT-2: (565): Crypto Map: No proxy match on map VPN-SITE-TO-SITE seq 15

IKEv2-PLAT-2: (564): IKEv2 session deregistered from session manager. Reason: 6
IKEv2-PLAT-2: (564): session manager killed ikev2 tunnel. Reason: IKE Delete
IKEv2-PLAT-2: (564): PSH cleanup
IKEv2-PLAT-5: Active ike sa request deleted
IKEv2-PLAT-5: Decrement count for incoming active
IKEv2-PLAT-2: (565): idle timeout set to: 30
IKEv2-PLAT-2: (565): session timeout set to: 0
IKEv2-PLAT-2: (565): group policy set to DfltGrpPolicy
IKEv2-PLAT-2: (565): class attr set
IKEv2-PLAT-2: (565): tunnel protocol set to: 0x4c
IKEv2-PLAT-2: (565): IPv4 filter ID not configured for connection
IKEv2-PLAT-2: (565): group lock set to: none
IKEv2-PLAT-2: (565): IPv6 filter ID not configured for connection
IKEv2-PLAT-2: (565): connection attribues set valid to TRUE
IKEv2-PLAT-2: (565): Successfully retrieved conn attrs
IKEv2-PLAT-2: (565): Session registration after conn attr retrieval PASSED, No error

DEBUG PROTOCOL

IKEv2-PROTO-2: (579): Processing IKE_AUTH message
IKEv2-PROTO-1: (579): Failed to find a matching policy
IKEv2-PROTO-1: (579): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA384 Don't use ESN

IKEv2-PROTO-1: (579): Failed to find a matching policy
IKEv2-PROTO-1: (579): Expected Policies:
IKEv2-PROTO-5: (579): Failed to verify the proposed policies
IKEv2-PROTO-1: (579): Failed to find a matching policy
IKEv2-PROTO-1: (579):

I dont understand why say AES-CBC-256 SHA384 Don't use ESN

I have this for phase 1 and 2

PHASE 2

crypto ipsec ikev2 ipsec-proposal NAME
protocol esp encryption aes-256
protocol esp integrity sha-384

---------------------------------------

PHASE 1

crypto ikev2 policy 50
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 28800

where Im wrong

Re: VPN site site with Digital certificate FAIL

HaroldCalderon — Wed, 22 Jul 2020 23:43:46 GMT

Thanks Marvin a lot, Now phase1 is Up phase 2 down hah

Re: VPN site site with Digital certificate FAIL

Marvin Rhoads — Thu, 23 Jul 2020 07:50:38 GMT

Can you confirm the phase 2 policy is the same at both ends?

Also confirm that the crypto maps are mirror images of one another.

Re: VPN site site with Digital certificate FAIL

Sheraz.Salim — Thu, 23 Jul 2020 07:58:39 GMT

ESP: Proposal 1: AES-CBC-256 SHA384 Don't use ESN

your phase 1 is up but phase 2 is failing could you double check you interesting traffic is matching at both sides. more likely the interesting is not matching up.

Re: VPN site site with Digital certificate FAIL

HaroldCalderon — Thu, 23 Jul 2020 18:23:53 GMT

All side by side is good, I mean local and remote ACL are similars.

More Debug

Payload contents:
(546): VID(546): Next payload: IDr, reserved: 0x0, length: 20
(546):
(546): af 74 03 41 c1 f5 81 6f c3 71 30 af d0 fb 26 60
(546): IDr(546): Next payload: CERT, reserved: 0x0, length: 121
(546): Id type: DER ASN1 DN, Reserved: 0x0 0x0
(546):
(546): 30 6f 31 0b 30 09 06 03 55 04 06 13 02 55 59 31
(546): 13 30 11 06 03 55 04 08 13 0a 4d 6f 6e 74 65 76
(546): 69 64 65 6f 31 18 30 16 06 03 55 04 05 13 0f 52
(546): 55 43 32 31 33 32 38 36 35 30 30 30 31 33 31 23
(546): 30 21 06 03 55 04 0a 13 1a 41 44 54 20 53 65 63
(546): 75 72 69 74 79 20 53 65 72 76 69 63 65 73 20 53
(546): 2e 41 2e 31 0c 30 0a 06 03 55 04 03 13 03 41 44
(546): 54
(546): CERT(546): Next payload: AUTH, reserved: 0x0, length: 1669
(546): Cert encoding X.509 Certificate - signature
(546): Cert data: 1664 bytes
(546): AUTH(546): Next payload: NOTIFY, reserved: 0x0, length: 264
(546): Auth method RSA, reserved: 0x0, reserved 0x0
(546): Auth data: 256 bytes
(546): NOTIFY(NO_PROPOSAL_CHOSEN)(546): Next payload: NONE, reserved: 0x0, length: 8
(546): Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN

IKEv2-PROTO-2: (20): Processing IKE_AUTH message
IKEv2-PROTO-1: (20): Failed to find a matching policy
IKEv2-PROTO-1: (20): Received Policies:
ESP: Proposal 1: AES-CBC-256 SHA256 Don't use ESN

IKEv2-PROTO-1: (20): Failed to find a matching policy
IKEv2-PROTO-1: (20): Expected Policies:
IKEv2-PROTO-5: (20): Failed to verify the proposed policies
IKEv2-PROTO-1: (20): Failed to find a matching policy

Re: VPN site site with Digital certificate FAIL

Sheraz.Salim — Thu, 23 Jul 2020 18:32:44 GMT

what PRF values configured on the ASA and on the remote side?

Re: VPN site site with Digital certificate FAIL

HaroldCalderon — Thu, 23 Jul 2020 18:41:24 GMT

I understand that neither, because he is a fortigate firewall, Im going to talk back with him. Thanks Salim