3925 VPN with ECDSA Authentication

Jimmy Copeland
Level 1

I am trying to configure a 3925 router (C3900-SPE100/K9) running 15.4(2)T as a VPN gateway for end users running Cisco AnyConnect 3.1.05160 with FIPS enabled.  I am working on this using Suite B compliant algorithms for the authentication and encryption.  Both the router and the client computer have Suite B compliant certificates that are version 3 with sha384ECDSA as the signature algorithm and the public key is based on ECC (384 bits) and ECDH_P384. 

If I set the router to use rsa-sig as the remote and local authentication method and the client to use the RSA_Sigs Anyconnect profile, the client connects.  If I set the router to use ecdsa-sig and the client to use the ECDSA_Sigs profile, the client comes back with an error message that states “The IPSec VPN connection was terminated due to an authentication failure or timeout.  Please contact your network administrator.”

I enabled debugging on the router for both methods (output attached), and saw that for the RSA method the router gets the client's CN from the certificate and seems to accept it.  When using the ECDSA method, the router comes back with "'*$AnyConnectClient$*' of type 'Group name'" and then says that it failed to locate an item in the database, subsequently failing the connection.

If anyone has any ideas on how to get ECDSA authentication to work, I would appreciate it.  I have attached the AnyConnect profiles, the debugs, and the crypto commands on the router.  If anyone needs anything else to help with this, please let me know.


Thanks.

Jimmy
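For reference, a router-side IOS configuration that applies the Suite B parameters the question lists (384-bit ECDH, SHA-384, ECDSA signatures) with a certificate map instead of an IKE identity match. This is an added example, not the poster's attached crypto commands or Cisco's own guide; every name (SUITEB-*, CLIENT-MAP, TP-ECC, the CN value, the address pool) is an assumption.

```cisco
! Added reference example, not the original poster's attached configuration.
! All object names, the subject CN and the pool range are assumptions.
aaa new-model
aaa authorization network default local
!
! Suite B IKEv2 proposal: AES-GCM-256, SHA-384 PRF, 384-bit ECDH (group 20)
crypto ikev2 proposal SUITEB-PROP
 encryption aes-gcm-256
 prf sha384
 group 20
!
crypto ikev2 policy SUITEB-POL
 proposal SUITEB-PROP
!
! Authorization policy hands the client its tunnel address
crypto ikev2 authorization policy SUITEB-AUTHZ
 pool SUITEB-POOL
!
! Match the client by certificate subject, not by the IKE identity it sends
crypto pki certificate map CLIENT-MAP 10
 subject-name co cn=anyconnect-user
!
! Trustpoint TP-ECC is assumed to hold the router's ECDSA (P-384) certificate
crypto ikev2 profile SUITEB-PROF
 match certificate CLIENT-MAP
 identity local dn
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint TP-ECC
 aaa authorization group cert list default SUITEB-AUTHZ
 virtual-template 1
!
crypto ipsec transform-set SUITEB-TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile SUITEB-IPSEC
 set transform-set SUITEB-TS
 set ikev2-profile SUITEB-PROF
!
ip local pool SUITEB-POOL 10.10.10.1 10.10.10.254
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SUITEB-IPSEC
```

With `ecdsa-sig` on both `authentication` lines, a peer offering an RSA signature is rejected, so the AnyConnect-side profile must request the matching IKEv2 authentication method.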

1 Accepted Solution

Also have a try with the latest AnyConnect - 3.1.05170 (released June 16 2014) has a resolved caveat as follows:

CSCuo75389 (anyconnect): AnyConnect is sending incorrect auth method for IKEv2 ECDSA based auth


Marcin Latosiewicz
Cisco Employee

James,

Can you also attach a sanitized profile before (RSA) and after (ECDSA)?

I'm just curious, you seem to be causing AC to send the default identity of $AnyConnectClient$

vide:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/apxAvpnxmlref.html

This in turn is causing your cert maps to fail and the IKEv2 profile is not matched.

M.

Marcin,

The AC profiles were already attached.  Sorry.  I should have been a little more clear about all the attached files.  The rsa_sigs.xml_.txt is the profile for when RSA worked.  The ecdsa_sigs.txt file is the profile that I am using for ECDSA authentication.  Both are pretty basic since I used the profile from http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html as a template.

Thanks.

Jimmy

Jimmy,

In the ECDSA profile for AC you're using IPsec only, which will essentially cause it to try an ASA-style connection. The "odd" identity and EAP-AnyConnect as auth method will be used.

I _believe_ that even for ECDSA signed certs you should be using IKE-RSA as the authentication method. However, I left the VPN team more than a year ago, so things could have changed.

Anyway, there are quite a few different moving parts; open up a TAC case if you want the fastest answer.

You might point out there's a gap in the knowledge base regarding an example showing this type of config.

M.

Marcin,

I appreciate you looking over this.  I had a feeling I was going to have to open a TAC case but wanted to see if the community had seen this first.

Also I did try the IKE-RSA method in the profile and got no joy.

Thanks again and when I get an answer I will make sure to post it.

Jimmy

So I got an answer to the problem...somewhat.  The problem is a bug in the ISR G2 code and how it handles ECDSA certs.  There is a fix coming out and that should resolve this issue.

Cool.

Do you have the bug id? Let's punt it here so people are aware.

M.
