03-19-2024 01:21 AM
Hello all,
Recently I tried to configure a site-to-site VPN with certificate authentication. I got the certificate signed by a third-party authority, and when I ran the debugs I got this log:
CRYPTO_PKI: bitValue of KEY_USAGE = a0
PKI[7]: CRYPTO_PKI:check_key_usage: Checking KU for case VPN peer certs.
PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = serverAuth NOT acceptable for usage type IPSEC VPN Peer
PKI[4]: check_key_usage: No acceptable ExtendedKeyUsage OIDs found
PKI[7]: check_key_usage: IGNORING IPSec Key Usage check failure
PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:164
PKI[9]: Async unlocked for session 0x9a679795
PKI[12]: CERT_VerifyData, vpn3k_cert_api.c:603
PKI[9]: CERT API thread sleeps!
I saw some documentation that recommends applying ignore-ipsec-keyusage; even support suggested applying this command on the trustpoint, and that is what I did:
sh run cry ca trustpoint VPN
crypto ca trustpoint VPN
keypair VPN_BA_AGB
ignore-ipsec-keyusage <---
crl configure
I also checked the option "ignore IPsec key usage" in the enrollment Key tab,
and this is another recommendation from support:
The recommendation is to get the right EKU/OID on the certificate in order for the firewall to be able to use it for IPSec VPN certificate authentication
but the CA confirmed to me that they do this with other vendors and it works fine, and they cannot change the EKU because this is not allowed.
Is there any way to force FTD to skip the EKU check?
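As an added example (not part of the original post, and not Cisco's code), the following Python decodes the KeyUsage and ExtendedKeyUsage DER values, reproduces the acceptance rule that the check_key_usage debug above reports, and shows what ignore-ipsec-keyusage changes. The set of IPsec-related EKU OIDs it accepts and the sample DER values are assumptions/constructed, not taken from FTD or from the real certificate.

```python
# Added example (not from the original post): decode KeyUsage/EKU DER values and apply the
# IPsec-VPN-peer rule check_key_usage reports. Accepted EKU set is an assumption (RFC 4945 style).
KU_BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]
IPSEC_PEER_EKUS = {"1.3.6.1.5.5.7.3.17": "ipsecIKE", "1.3.6.1.5.5.7.3.5": "ipsecEndSystem",
                   "1.3.6.1.5.5.7.3.6": "ipsecTunnel", "1.3.6.1.5.5.7.3.7": "ipsecUser",
                   "1.3.6.1.5.5.8.2.2": "ikeIntermediate", "2.5.29.37.0": "anyExtendedKeyUsage"}
def der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))
def key_usage_bits(ku_der):
    """Decode the KeyUsage BIT STRING (0xa0 as in the debug -> digitalSignature, keyEncipherment)."""
    tag, body, _ = der_tlv(ku_der)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, bits, total = body[0], int.from_bytes(body[1:], "big"), 8 * (len(body) - 1)
    return [n for i, n in enumerate(KU_BIT_NAMES)
            if i < total - unused and (bits >> (total - 1 - i)) & 1]
def eku_oids(eku_der):
    """Decode the ExtendedKeyUsage SEQUENCE OF OBJECT IDENTIFIER."""
    tag, body, _ = der_tlv(eku_der)
    assert tag == 0x30, "ExtendedKeyUsage must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(body):
        _, raw, pos = der_tlv(body, pos)
        oids.append(decode_oid(raw))
    return oids
def check_vpn_peer_cert(ku_der, eku_der=None, ignore_ipsec_keyusage=False):
    """Return (accepted, findings); eku_der=None means the extension is absent."""
    if "digitalSignature" not in key_usage_bits(ku_der):
        return False, ["KU digitalSignature is OFF"]
    if eku_der is None or any(o in IPSEC_PEER_EKUS for o in eku_oids(eku_der)):
        return True, []  # no EKU restriction, or an IPsec/any EKU is present
    findings = ["no acceptable ExtendedKeyUsage OID for IPsec VPN peer"]
    if ignore_ipsec_keyusage:  # what the trustpoint's ignore-ipsec-keyusage does
        return True, findings + ["IGNORING IPsec key usage check failure"]
    return False, findings
# Constructed sample DER extension values (not from a real certificate):
KU_A0 = bytes.fromhex("030205a0")                                  # KU bits a0
EKU_SERVER_AUTH_ONLY = bytes.fromhex("300a06082b06010505070301")  # serverAuth
EKU_WITH_IPSEC_IKE = bytes.fromhex("301406082b0601050507030106082b06010505070311")
```

Running check_vpn_peer_cert(KU_A0, EKU_SERVER_AUTH_ONLY) reproduces the rejection in the debug; passing ignore_ipsec_keyusage=True turns it into an accepted result with the same finding logged.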
03-19-2024 02:11 PM - edited 03-20-2024 03:13 AM
Correct, it permits the mapped address (NATed address) of my LAN to the remote LAN.
sho run access-list CSM_IPSEC_ACL_3
access-list CSM_IPSEC_ACL_3 extended permit ip host (the NAT ip of my lan) host (the remote LAN ip)
And I get this log also:
IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 1 peer doesn't match map entry
IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 2 peer doesn't match map entry
IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 3 peer doesn't match map entry
IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 4 peer doesn't match map entry
IKEv2-PLAT-4: (3989): Crypto Map: No proxy match on map CSM_INTERNET_AT_map seq 6
IKEv2-PLAT-4: (3989): Crypto map: Skipping dynamic map CSM_INTERNET_AT_map_dynamic sequence 30000: cannot match peerless map when peer found in previous map entry.
IKEv2-PROTO-7: (3989): Failed to verify the proposed policies
IKEv2-PROTO-2: (3989): There was no IPSEC policy found for received TS
03-21-2024 02:10 AM
Sorry for some delay in my reply.
Your side uses the ACL
NAT-IP of your LAN -> Remote LAN
The other side of the VPN must use
Remote LAN -> NAT-IP of your LAN
and they also need a route for this NAT-IP toward the IPsec interface.
If the other side uses the real IP, then you will face an issue in the IPsec selector.
MHM
03-21-2024 03:38 AM
Thanks for the reply. I don't have control over the other side, but when we switch back to pre-shared key authentication the VPN works fine.
03-21-2024 01:28 AM
Hello all,
Please, I'm really struggling with this point. If anyone can help, I would appreciate it!
03-28-2024 03:16 PM
Hi friend,
If this issue is not solved, can you share
show crypto ikev2 sa detail
when you try to use a cert. for VPN auth?
MHM
03-29-2024 02:39 AM
Please find the output below:
IKEv2 SAs:
Session-id:70325, Status:UP-IDLE, IKE count:1, CHILD count:0
Tunnel-id Local Remote Status Role
1811581195 MypublicIP/500 remotePublicIP/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:20, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/54 sec
Session-id: 70325
Status Description: Negotiation done
Local spi: B2B659E89D6B112E Remote spi: 21B3558F22D77214
Local id: cn=MYCN ,o=MyOrganisation,st=Mystate,c=CountryCode
Remote id: RemotePublicIP
Local req mess id: 0 Remote req mess id: 2
Local next mess id: 1 Remote next mess id: 2
Local req queued: 0 Remote req queued: 2
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE
Error code: 108
Thanks in advance.
03-30-2024 03:01 AM
Local id: cn=MYCN ,o=MyOrganisation,st=Mystate,c=CountryCode
Remote id: RemotePublicIP <- why is the remote ID the public IP, not the cert?
MHM
04-16-2024 10:21 AM
Hello, and sorry for the late answer.
I don't know why, to be honest. Do you have any suggestions, please?
04-16-2024 10:32 AM
Don't worry.
In the VPN topology, under Advanced > IKE,
change the peer identity to be the peer IP instead of the cert.
MHM
04-17-2024 02:27 AM
I changed the peer identity to the peer IP but still get the same error.
03-30-2024 04:24 AM
It appears you've followed the recommended steps and explored various options to resolve the issue with VPN configuration. If the CA authority cannot alter the EKU, consider collaborating with Cisco support to explore alternative solutions or workarounds for bypassing the EKU check. For additional assistance, you may also consider consulting reputable attestation services in Dubai for expert guidance on navigating complex certification issues.