topic Re: FTD IKE/IPSec VPN site to site certificate authentication error in Network Security

FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Tue, 19 Mar 2024 08:21:40 GMT

hello all ,

recently i tried to configure VPN site to site with certificate authentication type, i got the certificate signed by a third party autority , and when i did the debugs i got this log :

CRYPTO_PKI: bitValue of KEY_USAGE = a0PKI[7]: CRYPTO_PKI:check_key_usage: Checking KU for case VPN peer certs.

PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.

PKI[7]: ExtendedKeyUsage OID = serverAuth NOT acceptable for usage type IPSEC VPN Peer

PKI[4]: check_key_usage: No acceptable ExtendedKeyUsage OIDs found

PKI[7]: check_key_usage: IGNORING IPSec Key Usage check failure

PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:164

PKI[9]: Async unlocked for session 0x9a679795

PKI[12]: CERT_VerifyData, vpn3k_cert_api.c:603

PKI[9]: CERT API thread sleeps!

i saw some documentation that recommend to apply the ignore-ipsec-keyusage , even the support suggest to apply this command on the trustpoint and that what i did :

sh run cry ca trustpoint VPN

crypto ca trustpoint VPN

keypair VPN_BA_AGB

ignore-ipsec-keyusage <---

crl configure

i also checked the option : ignore ipsec key usage on the enroulement in key tab ,

and this is an other recommendation of support :

The recommendation is to get the right EKU/OID on the certificate in order for the firewall to be able to use it for IPSec VPN certificate authentication

but the CA authority confirm to me that they do that with other vendors and it works fine and they can not change th EKU cause this is not allowed ,

is there any way to force FTD to escape the EKU check ?

Re: FTD IKE/IPSec VPN site to site certificate authentication error

MHM Cisco World — Tue, 19 Mar 2024 11:25:36 GMT

you use FMC to mgmt FTD?\

under FMC cert. you can select ignore the keyusage

MHM

Re: FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Tue, 19 Mar 2024 11:57:39 GMT

thanks for the replay ,

i alredy did select the ignore the key usage :

and even i used Flexconfig to ignore the ipsec keyusage as follow :

crypto ca trustpoint VPN
keypair VPN_BA_AGB
ignore-ipsec-keyusage
crl configure

i hope there is another way to ignore this check

Re: FTD IKE/IPSec VPN site to site certificate authentication error

MHM Cisco World — Tue, 19 Mar 2024 14:37:35 GMT

> show crypto ca trustpoints

can you check if command we config via flexconfig is successfully add to FTD

Re: FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Tue, 19 Mar 2024 15:16:38 GMT

thanks for the replay :

sho run crypto ca trustpoint VPN
crypto ca trustpoint VPN
keypair VPN_BA_AGB
ignore-ipsec-keyusage
crl configure

sho crypto ca trustpoints VPN

Trustpoint VPN:
Subject Name:
cn=xxxxxxxxxxxxxx
o=xxxxxxxxxxxxxxxxxxxxxxxxx
c=XX
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Certificate configured.

Re: FTD IKE/IPSec VPN site to site certificate authentication error

MHM Cisco World — Tue, 19 Mar 2024 15:22:10 GMT

Cisco Bug: CSCvp56951 - FDM/FTDvirtual unable to support/deploy "ignore-ipsec-keyusage" flexconfig object

check this bug

thanks

MHM

Re: FTD IKE/IPSec VPN site to site certificate authentication error

tvotna — Tue, 19 Mar 2024 15:48:33 GMT

This is the only and absolutely correct way to ignore EKU check on received certificates. And from the debug it is evident that the command "ignore-ipsec-keyusage" works as expected (below in bold):

PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = serverAuth NOT acceptable for usage type IPSEC VPN Peer
PKI[4]: check_key_usage: No acceptable ExtendedKeyUsage OIDs found
PKI[7]: check_key_usage: IGNORING IPSec Key Usage check failure

Alternatively you can use CA which can generate certs with proper KU and EKU set. So far as I remember, the KU should contain bit Digital Signature and EKU should contain id-kp-ipsecEndSystem (1.3.6.1.5.5.7.3.5) or id-kp-ipsecTunnel (1.3.6.1.5.5.7.3.6) or id-kp-clientAuth (1.3.6.1.5.5.7.3.2) or id-kp-ipsecUser (1.3.6.1.5.5.7.3.7). The serverAuth EKU is good when ASA/FTD responds to client end systems. For L2L VPN this EKU indeed looks a bit strange, that is why it is not accepted by default for L2L.

If your tunnel is not established, it is due to something else and not due to wrong EKU.

HTH

Re: FTD IKE/IPSec VPN site to site certificate authentication error

MHM Cisco World — Tue, 19 Mar 2024 18:51:25 GMT

Indeed it can cert. Is accept

IKEv2-PROTO-4: (2793): Verification of peer's authenctication data PASSED

Check the acl of vpn in both side' the acl dont match any crypto map seq

MHM

Re: FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Tue, 19 Mar 2024 19:12:44 GMT

what i don't understand is when i change to pre shared key the VPN works fine

Re: FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Tue, 19 Mar 2024 19:20:35 GMT

this is the the out put of debug crypto ca 14 :

CRYPTO_PKI: bitValue of KEY_USAGE = a0PKI[7]: CRYPTO_PKI:check_key_usage: Checking KU for case VPN peer certs.
PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = serverAuth NOT acceptable for usage type IPSEC VPN Peer
PKI[4]: check_key_usage: No acceptable ExtendedKeyUsage OIDs found
PKI[7]: check_key_usage: IGNORING IPSec Key Usage check failure
PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:164
PKI[9]: Async unlocked for session 0x3e3190cd
PKI[12]: CERT_VerifyData, vpn3k_cert_api.c:603
PKI[9]: CERT API thread sleeps!
PKI[13]: CERT_GetPeerCertValidityEndTime, vpn3k_cert_api.c:3489
PKI[12]: asn1_to_unix_time, crypto_pki.c:1720
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[13]: CERT_SignData, vpn3k_cert_api.c:361
PKI[14]: map_status, vpn3k_cert_api.c:2512
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[13]: CERT_Close, vpn3k_cert_api.c:291
PKI[8]: Close session 0x47861677 synchronously
PKI[13]: pki_ossl_free_valctx, pki_ossl_validate.c:251
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267
PKI[14]: CERT_GetPrintableX500DN, vpn3k_cert_api.c:3267

and this for debug crypto ikev2 protocol 255 in attachement

Re: FTD IKE/IPSec VPN site to site certificate authentication error

tvotna — Tue, 19 Mar 2024 19:45:33 GMT

Peer doesn't respond to CREATE_CHILD_SA request. You need to collect logs/debugs from both sides at once, otherwise it's difficult to say something, because debugs depend on initiator/responder roles.

Re: FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Tue, 19 Mar 2024 20:31:25 GMT

thanks for the replay , @tvotna

unfortunatley i don't have control on the peer side , i'll ask them to give me some logs if it is possible

Re: FTD IKE/IPSec VPN site to site certificate authentication error

MHM Cisco World — Tue, 19 Mar 2024 20:35:46 GMT

(1986):  TSi(1986):   Next payload: TSr, reserved: 0x0, length: 24
(1986):     Num of TSs: 1, reserved 0x0, reserved 0x0
(1986):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(1986):     start port: 0, end port: 65535
(1986):     start addr: 10.199.199.89, end addr: 10.199.199.89
(1986):  TSr(1986):   Next payload: NONE, reserved: 0x0, length: 24
(1986):     Num of TSs: 1, reserved 0x0, reserved 0x0
(1986):     TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
(1986):     start port: 0, end port: 65535
(1986):     start addr: remote LAN IP, end addr: remote LAN IP

this is VPN proxy selector IP, for which crypto map Seq this ACL belong ?

MHM

Re: FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Tue, 19 Mar 2024 20:53:11 GMT

this is the crypto map :

crypto map CSM_INTERNET_AT_map 6 match address CSM_IPSEC_ACL_3
crypto map CSM_INTERNET_AT_map 6 set pfs group20
crypto map CSM_INTERNET_AT_map 6 set peer (peer pub ip)
crypto map CSM_INTERNET_AT_map 6 set ikev2 ipsec-proposal CSM_IP_2
crypto map CSM_INTERNET_AT_map 6 set security-association lifetime kilobytes unlimited
crypto map CSM_INTERNET_AT_map 6 set trustpoint VPN
crypto map CSM_INTERNET_AT_map 6 set df-bit clear-df
crypto map CSM_INTERNET_AT_map 6 set reverse-route
crypto map CSM_INTERNET_AT_map 30000 ipsec-isakmp dynamic CSM_INTERNET_AT_map_dynamic
crypto map CSM_INTERNET_AT_map interface INTERNET_AT

Re: FTD IKE/IPSec VPN site to site certificate authentication error

MHM Cisco World — Tue, 19 Mar 2024 20:58:23 GMT

This crypto map done by fmc not by cli? Am I correct

CSM_IPSEC_ACL_3 <- this acl permit traffic from which to which LAN

MHM

Re: FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Wed, 20 Mar 2024 10:13:01 GMT

correct , it's permit the mapped add (natted add) of my lan to the remote lan

sho run access-list CSM_IPSEC_ACL_3 access-list CSM_IPSEC_ACL_3 extended permit ip host (the NAT ip of my lan) host (the remote LAN ip)

and i get this log also :

IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 1 peer doesn't match map entry

IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 2 peer doesn't match map entry

IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 3 peer doesn't match map entry

IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 4 peer doesn't match map entry

IKEv2-PLAT-4: (3989): Crypto Map: No proxy match on map CSM_INTERNET_AT_map seq 6

IKEv2-PLAT-4: (3989): Crypto map: Skipping dynamic map CSM_INTERNET_AT_map_dynamic sequence 30000: cannot match peerless map when peer found in previous map entry.IKEv2-PROTO-7: (3989): Failed to verify the proposed policies

IKEv2-PROTO-2: (3989): There was no IPSEC policy found for received TS

Re: FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Thu, 21 Mar 2024 08:28:17 GMT

hello all,

Please, I'm really struggling with this point. If anyone can help, I would appreciate it!

Re: FTD IKE/IPSec VPN site to site certificate authentication error

MHM Cisco World — Thu, 21 Mar 2024 09:10:57 GMT

Sorry for some delay in my reply
your Side use ACL
NAT-IP of your LAN -> Remote LAN

the other side of VPN must use
Remote LAN -> NAT-IP of your LAN
and also they need route for this NAT-IP toward the interface of IPsec

if the other side use real IP then you will face issue in IPSec selector

MHM

Re: FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb — Thu, 21 Mar 2024 10:38:07 GMT

thanks for the replay , i don't have control in the other side but when we switch back to preshared key authentification the VPN works fine .

Re: FTD IKE/IPSec VPN site to site certificate authentication error

MHM Cisco World — Thu, 28 Mar 2024 22:16:19 GMT

Hi friend

If this issue not solved can you share

Show crypto ikev2 sa detail

When you try use cert. For vpn auth

MHM