Solved: ASA-ASA ISAKMP auth fails with ADCS certs

nickmsv8 · ‎05-17-2023

Hello guys!

I have had multiple attempts on establishing a L2L IPsec tunnel using certs that I installed on both ASA firewalls using NDES SCEP from a Windows Server 2019 AD CS VM. The certs are RSA 2048 based with SHA 512 signature. I tried both IKEv1 and IKEv2, the tunnels work perfectly if I switch to PSK, but when I use certs, for example with IKEv2, it gets stuck in IKE_AUTH step. FW1 sends the fragmented cert to FW2 and FW2 sends a response and then after a few seconds they start negotiating again.

If you guys need wireshark captures or configurations, let me know. I also tried both policy based and route based tunneling using VTI, same result.

Thanks.

nickmsv8 · ‎05-20-2023

Using the command debug crypto ca 255 I found the real problem:

CRYPTO_PKI: Found a suitable authenticated trustpoint server.pki.ro
CRYPTO_PKI: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable for usage type IPSEC VPN Peer
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found

CRYPTO_PKI: Certificate validation: Failed, status: 1873
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 560000000BE944F8CD7A0D3EA400000000000B, subject name: hostname=ASA2.pki.ro

Found the solution here: https://community.cisco.com/t5/vpn/certificates-for-ipsec-vpn-clients-in-asa-8-0/td-p/1032006

Apparently, Ms AD CS services add extra certificate usage roles, that's why the certificate verification always failed.

When configuring crypto ca trustpoint, this command is necessary ignore-ipsec-keyusage.

Thank you guys for all the help and guidance and hope that someone else will get the help needed from this post.

View solution in original post

Rob Ingram · ‎05-17-2023

@nickmsv8 is the trustpoint configured to perform a CRL check? You can disable and try again, example:

crypto ca trustpoint <TRUSTPOINTNAME>
crl nocheck

Can you enable IKEv2 or IKEv1/ISAKMP debugs and provide the output for review.

Please provide your configuration.

nickmsv8 · ‎05-19-2023

Hello, thank you for helping me!

ASA1 configuration:

ASA Version 9.9(2)
!
hostname ASA1
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
nameif mgmt
security-level 0
ip address 192.168.15.10 255.255.255.0
!
interface Tunnel1
nameif tunnel_1
ip address 10.12.12.1 255.255.255.252
tunnel source interface outside
tunnel destination 60.60.60.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE_1
!
router ospf 1
router-id 10.10.10.10
network 10.10.10.0 255.255.255.0 area 1
network 10.12.12.0 255.255.255.252 area 1
network 192.168.1.0 255.255.255.0 area 1
area 1 stub
log-adj-changes
redistribute static subnets
!
route tunnel_1 192.168.6.0 255.255.255.0 10.12.12.2 1

http server enable
http 192.168.15.0 255.255.255.0 mgmt

crypto ipsec ikev2 ipsec-proposal AES-SHA
protocol esp encryption aes-256
protocol esp integrity sha-512

crypto ipsec profile PROFILE_1
set ikev2 ipsec-proposal AES-SHA
set pfs group20
set security-association lifetime seconds 86400
set trustpoint server.pki.ro

crypto ca trustpoint server.pki.ro
enrollment protocol scep url http://50.50.50.1:80/certsrv/mscep/mscep.dll
fqdn ASA1.pki.ro
keypair asa1
crl configure

crypto ikev2 policy 1
encryption aes-256
integrity sha512
group 20
prf sha512
lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group 60.60.60.2 type ipsec-l2l
tunnel-group 60.60.60.2 ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication certificate server.pki.ro

------------------------

ASA2 configuration:

ASA Version 9.9(2)
!
hostname ASA2
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 60.60.60.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.6.1 255.255.255.0
!
interface Management0/0
nameif mgmt
security-level 0
ip address 192.168.15.60 255.255.255.0
!
interface Tunnel1
nameif tunnel_1
ip address 10.12.12.2 255.255.255.252
tunnel source interface outside
tunnel destination 10.10.10.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE_1

router ospf 1
router-id 60.60.60.60
network 10.12.12.0 255.255.255.252 area 2
network 60.60.60.0 255.255.255.0 area 2
network 192.168.6.0 255.255.255.0 area 2
area 2 stub
log-adj-changes
redistribute static subnets
!
route tunnel_1 192.168.1.0 255.255.255.0 10.12.12.1 1

http server enable
http 192.168.15.0 255.255.255.0 mgmt

crypto ipsec ikev2 ipsec-proposal AES-SHA
protocol esp encryption aes-256
protocol esp integrity sha-512

crypto ipsec profile PROFILE_1
set ikev2 ipsec-proposal AES-SHA
set pfs group20
set security-association lifetime seconds 86400
set trustpoint server.pki.ro

crypto ca trustpoint server.pki.ro
enrollment protocol scep url http://50.50.50.1:80/certsrv/mscep/mscep.dll
fqdn ASA2.pki.ro
keypair asa2
crl configure

crypto ikev2 policy 1
encryption aes-256
integrity sha512
group 20
prf sha512
lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication certificate server.pki.ro

nickmsv8 · ‎05-19-2023

This is what happens in wireshark:

If I change to PSK it will work perfectly. Also, crl nocheck is deprecated, I tried with revocation check none and still same result. Also, all 3 devices, 2 ASAs and the windows server are using EVE-NG NTP so they are all synced. I have to say that I sometimes get the message in CLI that these ASA are unlicensed. Is this maybe whats causing the trouble?

MHM Cisco World · ‎05-19-2023

how you generate Cert. in ASA ?
can you share the steps

nickmsv8 · ‎05-19-2023

I generate certificates with Windows server 2019 ADCS and get them in ASA using NDES, which is based on SCEP

nickmsv8 · ‎05-20-2023

Hello, this what i get when using debug crypto ikev2 protocol 255:

IKEv2-PROTO-4: (430): Get peer's authentication method
IKEv2-PROTO-4: (430): Peer's authentication method is 'RSA'
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_CERT_ENC
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_X509_CERTS
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (430): Failed to verify certificate.
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_FAIL_RECD_VERIFY_CERT
IKEv2-PROTO-7: (430): Action: Action_Null
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CERT_FAIL
IKEv2-PROTO-4: (430): Verify cert failed
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-4: (430): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (430): Sending authentication failure notify
IKEv2-PROTO-7: Construct Notify Payload: AUTHENTICATION_FAILEDI

MHM Cisco World · ‎05-20-2023

 peer-id-validate nocheck <<- try add this under the tunnel-group and check debug again

nickmsv8 · ‎05-20-2023

Same result unfortunately. I have to say I tried 2048 bits pki, 1024 bits pki with both SHA2 and SHA1, same results. If I switch to PSK it will work instantly.

nickmsv8 · ‎05-20-2023