05-17-2023 11:30 AM
Hello guys!
I have had multiple attempts at establishing a L2L IPsec tunnel using certs that I installed on both ASA firewalls using NDES SCEP from a Windows Server 2019 AD CS VM. The certs use RSA 2048 keys with SHA-512 signatures. I tried both IKEv1 and IKEv2; the tunnels work perfectly if I switch to PSK, but when I use certs, for example with IKEv2, it gets stuck in the IKE_AUTH step. FW1 sends the fragmented cert to FW2, FW2 sends a response, and then after a few seconds they start negotiating again.
If you guys need wireshark captures or configurations, let me know. I also tried both policy based and route based tunneling using VTI, same result.
Thanks.
05-20-2023 09:47 AM
Using the command debug crypto ca 255 I found the real problem:
CRYPTO_PKI: Found a suitable authenticated trustpoint server.pki.ro
CRYPTO_PKI: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable for usage type IPSEC VPN Peer
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found
CRYPTO_PKI: Certificate validation: Failed, status: 1873
ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 560000000BE944F8CD7A0D3EA400000000000B, subject name: hostname=ASA2.pki.ro
Found the solution here: https://community.cisco.com/t5/vpn/certificates-for-ipsec-vpn-clients-in-asa-8-0/td-p/1032006
Apparently, MS AD CS adds extra certificate usage roles, which is why the certificate verification always failed.
When configuring crypto ca trustpoint, this command is necessary: ignore-ipsec-keyusage.
Thank you guys for all the help and guidance and hope that someone else will get the help needed from this post.
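To check a certificate for exactly this problem before enrolling it on the ASA, here is an added example (my own code, not Cisco's and not from this thread) that walks a DER certificate with a small stdlib-only ASN.1 reader, lists the ExtendedKeyUsage OIDs, and applies the same decision the debug output describes: no EKU extension passes, an EKU containing an acceptable IPsec/IKE OID passes, anything else fails with "No acceptable ExtendedKeyUsage OIDs found". The ACCEPTABLE_IPSEC_EKU set is an assumption (the RFC 4945 id-kp-ipsecIKE and anyExtendedKeyUsage OIDs plus the legacy ipsecEndSystem/ipsecTunnel/ipsecUser ones); the ASA's exact list is not on this page, but the debug shows iKEIntermediate (1.3.6.1.5.5.8.2.2) is not on it. The demo certificate built by build_demo_cert is constructed and is not a real certificate: it only contains the fields the walker reads.

```python
"""Pre-flight EKU check for IPsec peer certificates (stdlib only).

Added example, not Cisco code. Mirrors the ASA's "IPSEC VPN Peer" key-usage
decision seen in `debug crypto ca 255`. ACCEPTABLE_IPSEC_EKU is an assumption.
"""
import base64
from typing import List, Optional, Tuple

OID_EKU_EXTENSION = "2.5.29.37"
ANY_EKU = "2.5.29.37.0"
IPSEC_IKE = "1.3.6.1.5.5.7.3.17"        # id-kp-ipsecIKE (RFC 4945)
IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"
IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"
IPSEC_USER = "1.3.6.1.5.5.7.3.7"
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"  # the OID the ASA rejected in the thread
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# Assumed acceptable set; iKEIntermediate deliberately NOT included (see debug output).
ACCEPTABLE_IPSEC_EKU = frozenset({ANY_EKU, IPSEC_IKE, IPSEC_END_SYSTEM, IPSEC_TUNNEL, IPSEC_USER})

# --- minimal DER helpers (enough for X.509 structure walking) ----------------
def der_encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + der_encode_len(len(payload)) + payload

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def children(value: bytes):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(b: bytes) -> str:
    arcs, acc = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

# --- certificate walk ---------------------------------------------------------
def eku_oids(cert_der: bytes) -> Optional[List[str]]:
    """Return the EKU OID list, or None when the certificate carries no EKU extension."""
    _, cert, _ = read_tlv(cert_der, 0)              # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                   # tbsCertificate ::= SEQUENCE
    for tag, val in children(tbs):
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        _, ext_seq, _ = read_tlv(val, 0)            # Extensions ::= SEQUENCE OF Extension
        for _, ext in children(ext_seq):
            parts = list(children(ext))             # extnID, [critical], extnValue
            if decode_oid(parts[0][1]) != OID_EKU_EXTENSION:
                continue
            _, oid_seq, _ = read_tlv(parts[-1][1], 0)   # ExtKeyUsageSyntax ::= SEQUENCE OF OID
            return [decode_oid(v) for _, v in children(oid_seq)]
    return None

def ipsec_peer_check(cert_der: bytes, acceptable=ACCEPTABLE_IPSEC_EKU) -> Tuple[bool, str]:
    """Same decision the ASA makes for usage type 'IPSEC VPN Peer'."""
    oids = eku_oids(cert_der)
    if oids is None:
        return True, "no EKU extension; usage unconstrained"
    hits = [o for o in oids if o in acceptable]
    if hits:
        return True, "acceptable EKU present: " + ", ".join(hits)
    return False, "No acceptable ExtendedKeyUsage OIDs found among: " + ", ".join(oids)

def load_cert(path: str) -> bytes:
    """Read a DER or PEM certificate file (e.g. one exported from AD CS)."""
    data = open(path, "rb").read()
    if data.startswith(b"-----BEGIN"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data

# --- constructed demo certificate: NOT a real cert, only the fields the walker reads ----
def build_demo_cert(eku: Optional[List[str]]) -> bytes:
    exts = b""
    if eku is not None:
        oid_seq = tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in eku))
        ext = tlv(0x30, tlv(0x06, encode_oid(OID_EKU_EXTENSION)) + tlv(0x04, oid_seq))
        exts = tlv(0xA3, tlv(0x30, ext))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02"))   # version v3
              + tlv(0x02, b"\x01")                    # serial (constructed placeholder)
              + tlv(0x30, b"") * 5                    # sigAlg, issuer, validity, subject, SPKI placeholders
              + exts)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    # AD CS-style EKU as in the thread: iKEIntermediate + serverAuth + clientAuth
    print(ipsec_peer_check(build_demo_cert([IKE_INTERMEDIATE, SERVER_AUTH, CLIENT_AUTH])))
    print(ipsec_peer_check(build_demo_cert(None)))
```

Run `ipsec_peer_check(load_cert("asa2.cer"))` against the certificate AD CS issued; a False result with the iKEIntermediate/serverAuth/clientAuth list is the same condition the ASA logged. The fix in the thread (ignore-ipsec-keyusage on the trustpoint) tells the ASA to skip this check; the alternative that keeps the check is to issue the ASA certificates from an AD CS template whose EKU includes an OID the ASA accepts, which you can verify with this script or with `openssl x509 -in asa2.cer -noout -ext extendedKeyUsage` before enrolling.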
05-17-2023 11:49 AM
@nickmsv8 is the trustpoint configured to perform a CRL check? You can disable and try again, example:
crypto ca trustpoint <TRUSTPOINTNAME>
crl nocheck
Can you enable IKEv2 or IKEv1/ISAKMP debugs and provide the output for review?
Please provide your configuration.
05-19-2023 05:18 AM
Hello, thank you for helping me!
ASA1 configuration:
ASA Version 9.9(2)
!
hostname ASA1
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.10.10.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
nameif mgmt
security-level 0
ip address 192.168.15.10 255.255.255.0
!
interface Tunnel1
nameif tunnel_1
ip address 10.12.12.1 255.255.255.252
tunnel source interface outside
tunnel destination 60.60.60.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE_1
!
router ospf 1
router-id 10.10.10.10
network 10.10.10.0 255.255.255.0 area 1
network 10.12.12.0 255.255.255.252 area 1
network 192.168.1.0 255.255.255.0 area 1
area 1 stub
log-adj-changes
redistribute static subnets
!
route tunnel_1 192.168.6.0 255.255.255.0 10.12.12.2 1
http server enable
http 192.168.15.0 255.255.255.0 mgmt
crypto ipsec ikev2 ipsec-proposal AES-SHA
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec profile PROFILE_1
set ikev2 ipsec-proposal AES-SHA
set pfs group20
set security-association lifetime seconds 86400
set trustpoint server.pki.ro
crypto ca trustpoint server.pki.ro
enrollment protocol scep url http://50.50.50.1:80/certsrv/mscep/mscep.dll
fqdn ASA1.pki.ro
keypair asa1
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha512
group 20
prf sha512
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 60.60.60.2 type ipsec-l2l
tunnel-group 60.60.60.2 ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication certificate server.pki.ro
------------------------
ASA2 configuration:
ASA Version 9.9(2)
!
hostname ASA2
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 60.60.60.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.6.1 255.255.255.0
!
interface Management0/0
nameif mgmt
security-level 0
ip address 192.168.15.60 255.255.255.0
!
interface Tunnel1
nameif tunnel_1
ip address 10.12.12.2 255.255.255.252
tunnel source interface outside
tunnel destination 10.10.10.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE_1
router ospf 1
router-id 60.60.60.60
network 10.12.12.0 255.255.255.252 area 2
network 60.60.60.0 255.255.255.0 area 2
network 192.168.6.0 255.255.255.0 area 2
area 2 stub
log-adj-changes
redistribute static subnets
!
route tunnel_1 192.168.1.0 255.255.255.0 10.12.12.1 1
http server enable
http 192.168.15.0 255.255.255.0 mgmt
crypto ipsec ikev2 ipsec-proposal AES-SHA
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec profile PROFILE_1
set ikev2 ipsec-proposal AES-SHA
set pfs group20
set security-association lifetime seconds 86400
set trustpoint server.pki.ro
crypto ca trustpoint server.pki.ro
enrollment protocol scep url http://50.50.50.1:80/certsrv/mscep/mscep.dll
fqdn ASA2.pki.ro
keypair asa2
crl configure
crypto ikev2 policy 1
encryption aes-256
integrity sha512
group 20
prf sha512
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
ikev2 remote-authentication certificate
ikev2 local-authentication certificate server.pki.ro
05-19-2023 05:23 AM
This is what happens in wireshark:
If I change to PSK it will work perfectly. Also, crl nocheck is deprecated; I tried with revocation-check none and still got the same result. Also, all 3 devices, the 2 ASAs and the Windows server, are using EVE-NG NTP, so they are all synced. I have to say I sometimes get the message in the CLI that these ASAs are unlicensed. Is this maybe what's causing the trouble?
05-19-2023 06:28 AM
How do you generate the cert in the ASA?
Can you share the steps?
05-19-2023 01:41 PM
I generate certificates with Windows server 2019 ADCS and get them in ASA using NDES, which is based on SCEP
05-20-2023 01:59 AM
Hello, this is what I get when using debug crypto ikev2 protocol 255:
IKEv2-PROTO-4: (430): Get peer's authentication method
IKEv2-PROTO-4: (430): Peer's authentication method is 'RSA'
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CHK_CERT_ENC
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_X509_CERTS
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (430): Failed to verify certificate.
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_FAIL_RECD_VERIFY_CERT
IKEv2-PROTO-7: (430): Action: Action_Null
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_CERT_FAIL
IKEv2-PROTO-4: (430): Verify cert failed
IKEv2-PROTO-7: (430): SM Trace-> SA: I_SPI=9C4E1179A56E3186 R_SPI=1A351DB0F7DC6061 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-4: (430): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (430): Sending authentication failure notify
IKEv2-PROTO-7: Construct Notify Payload: AUTHENTICATION_FAILEDI
05-20-2023 03:39 AM
peer-id-validate nocheck <<- try adding this under the tunnel-group and check the debug again
05-20-2023 08:53 AM
Same result unfortunately. I have to say I tried 2048-bit and 1024-bit PKI with both SHA2 and SHA1, same results. If I switch to PSK it will work instantly.