Issue with AnyConnect and IOS Headend Over IPsec with IKEv2 and Certificates

Justin Dart · ‎08-17-2015

Hello,

I have been working on getting IKEv2 with AnyConnect working with my Cisco 881-k9, but have been encountering some difficulties. I followed the following documentation which initially made things seem easy:

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html

I have set up a Microsoft Active directory server with the CA role installed to generate my certs, and have ensured that EKU client-auth and server-auth has been enabled. Looking at the router, a "show crypto pki certificates verbose" verifies that EKU is working, and I also verified that the Windows 7 system I am running AnyConnect 3.1.09013 on also has the client authentication and server authentication showing in the generated certificate. I utilized the XML profile listed on the link above which is saved to 'C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile' folder, and changed the values in the profile appropriately for the FQDN of the router.

The issue is that the client fails to connect, and when looking through the debug logs I see the following:

Aug 17 2015 15:29:10 PDT: IKEv2:(SESSION ID = 4,SA ID = 1):Stopping timer to wait for auth message
Aug 17 2015 15:29:10 PDT: IKEv2:(SESSION ID = 4,SA ID = 1):Checking NAT discovery
Aug 17 2015 15:29:10 PDT: IKEv2:(SESSION ID = 4,SA ID = 1):NAT OUTSIDE found
Aug 17 2015 15:29:10 PDT: IKEv2:(SESSION ID = 4,SA ID = 1):NAT detected float to init port 53984, resp port 4500
Aug 17 2015 15:29:10 PDT: IKEv2:(SESSION ID = 4,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'Group name'
Aug 17 2015 15:29:10 PDT: IKEv2:(SESSION ID = 4,SA ID = 1):: Failed to locate an item in the database
Aug 17 2015 15:29:10 PDT: IKEv2:(SESSION ID = 4,SA ID = 1):Verification of peer's authentication data FAILED
Aug 17 2015 15:29:10 PDT: IKEv2:(SESSION ID = 4,SA ID = 1):Sending authentication failure notify
Aug 17 2015 15:29:10 PDT: IKEv2:(SESSION ID = 4,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

I have no idea what "database" it is referring to in this context. I have noticed that through trying different AnyConnect XML profile examples with the <IKEIdentity></IKEIdentity> value filled in with something else, such as "bob," that the error message changes to:

IKEv2:(SESSION ID = 4,SA ID = 1):Searching policy based on peer's identity 'bob' of type 'Group name'
IKEv2:(SESSION ID = 4,SA ID = 1):: Failed to locate an item in the database

My goal is to get AnyConnect working with just IKEv2 and certificates without the need for setting up RADIUS. Based on the example in the link I provided, I assumed this was possible. Can anyone enlighten me on what might be going on here?

Thanks,

Justin

m.kafka · ‎08-19-2015

When using certificates the vpn tunnel group name should be encoded as OU of the identity.

daniel.petrino · ‎10-23-2015

Justin. Did you ever figure this out? I'm running into the same exact problem. I know how to change the peer's identity, but not sure which group name it is referring to or if i can change it.

m.kafka · ‎10-25-2015

Daniel,

"Database" is the local database for VPN tunnels, more specifically vpn-goups.

If your connection has the same issue, please look at this:

(debug):

:Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'Group name'

and (debug):

IKEv2:(SESSION ID = 4,SA ID = 1):Searching policy based on peer's identity 'bob' of type 'Group name'

Shows, that the <IKEIdentity></IKEIdentity> is used to select a VPN-group. By default the IKE-identity is taken directly from the certificate's OU (Organizational Unit) field.

A successful config should look something like:

(debug):
Searching policy based on peer's identity 'bob' of type 'Group name'

(config):

tunnel-group bob type remote-access
tunnel-group bob general-attributes
  default-group-policy GroupPolicy_bob
  address-pool  vpn-pool-bob

group-policy GroupPolicy_bob attributes
  dns-server value 192.168.1.1
  wins-server none
  default-domain value bob.example.com

I hope this helpful.

Rgds, MiKa

daniel.petrino · ‎10-26-2015

Hey Mika,

That was very informative and helpful. Unfortunately for me I am going to be using the IPSEC / IKE-RSA (For Certificate Authorization / Authentication) with iOS 15.3 software on a ISR router 891 model. I believe the identity of the Anyconnect client is set inside of the OU of the certificate.

I'm working with the CISCO TAC team to get me up and running with a successful VPN for remote access. It's definitely been like pulling teeth though with the ISR / IPSEC / Anyconnect. Not a lot of documentation out there for the ISRs with Cert Auth.

Graham Bartlett · ‎10-26-2015

Hi

Have you seen this ??

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html

cheers

daniel.petrino · ‎10-26-2015

Hello Graham,

Yes I have seen that. I've done extensive research on this and am getting stuck on it for some reason. My AnyConnect client is set to ipsec / IKE-RSA

This is my config:

http://pastebin.com/hVeWYk6s

This is my error:

I believe it shows timing out, but Anyconnect fails way before that.

http://pastebin.com/mZS13bn7

Any help would be much appreciated.

Thanks

Graham Bartlett · ‎10-26-2015

Hi

Here's the issue;

*Oct 26 16:36:46.286: IKEv2:(SESSION ID = 13,SA ID = 1):Completed SA init exchange

*Oct 26 16:36:46.286: IKEv2:(SESSION ID = 13,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Oct 26 16:37:16.286: IKEv2:(SESSION ID = 13,SA ID = 1):: Failed to receive the AUTH msg before the timer expired

So basically you're completing the initial handshake (SA_INIT), then you send your reply and you don't receive the IKE_AUTH from the client.

Can you check that you have 2-way comms between the client and the headend and that the client is receiving the SA_INIT reply. (you might need to enable a DART on the client - or use something like wireshark to see the SA_INIT reply which will be in the clear).

cheers

daniel.petrino · ‎10-26-2015

Hey Graham,

I've attached a screen shot of WireShark on that interface.

Graham Bartlett · ‎10-26-2015

packets 7 and 8 are the IKEv2, so you receive the SA_INIT reply from the headend, but then don't move to IKE_AUTH (or there's none sent).

Actually - i noticed that your client then sends a HTTPS over 443, do you have your any connect setting configured for IPSEC IOS ?

You might want to enable a DART bundle on the AnyConnect to work out why,

cheers

daniel.petrino · ‎10-26-2015

Hey Graham,

I've never used DART before. Not really sure where to look inside of it. I've attached the original ZIP file here though that I ran. It has General Information and the Security client on it.

daniel.petrino · ‎10-26-2015

After looking through the event logs I'm guessing that it has to do with the certs not authenticating or agreeing on something.

daniel.petrino · ‎10-26-2015

Mika,

I don't believe that syntax is used anymore in the current OS in which I'm using. Maybe for a ASA?