Re: Anyconnect IKEv2 Windows 10

martinbuffleo · ‎10-10-2018

Im trying to configure IKEv2 on a 2921.

I followed this guide: http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html

I can see my Windows Client selects a certificate:

Function: ConnectMgr::nextClientCert
File: ConnectMgr.cpp
Line: 5276
Subject Name: CN=mbsurface
Issuer Name : CN=ca-server
Store : Microsoft Machine

But the I see not Trust points retrieved.

2723466: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Stopping timer to wait for auth message
2723467: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Checking NAT discovery
2723468: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):NAT OUTSIDE found
2723469: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):NAT detected float to init port 62595, resp port 4500
2723470: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
2723471: Oct 10 17:56:29.922 BST: IKEv2:found matching IKEv2 profile 'staff'
2723472: Oct 10 17:56:29.922 BST: IKEv2:Searching Policy with fvrf 0, local address 37.0.96.35
2723473: Oct 10 17:56:29.922 BST: IKEv2:Using the Default Policy for Proposal
2723474: Oct 10 17:56:29.922 BST: IKEv2:Found Policy 'default'
2723475: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Verify peer's policy
2723476: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Peer's policy verified
2723477: Oct 10 17:56:29.922 BST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
2723478: Oct 10 17:56:29.922 BST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
2723479: Oct 10 17:56:29.922 BST: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

2723480: Oct 10 17:56:29.922 BST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint routerCA
2723481: Oct 10 17:56:29.926 BST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
2723482: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Check for EAP exchange
2723483: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Check for EAP exchange
2723484: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Verification of peer's authentication data FAILED
2723485: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Sending authentication failure notify
2723486: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

2723487: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Sending Packet [To 86.163.103.98:62595/From 37.0.96.35:4500/VRF i0:f0]
Initiator SPI : D40DA6AA4153E3AC - Responder SPI : 9470A3FD78E6DCE5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

2723488: Oct 10 17:56:29.930 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Auth exchange failed
2723489: Oct 10 17:56:29.930 BST: IKEv2-ERROR:(SESSION ID = 1149,SA ID = 1):: Auth exchange failed
2723490: Oct 10 17:56:29.930 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Abort exchange
2723491: Oct 10 17:56:29.930 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Deleting SA
2723492: Oct 10 17:56:29.930 BST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
2723493: Oct 10 17:56:29.930 BST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

Is this a known issue?

Rob Ingram · ‎10-10-2018

Hi, can you upload your router configuration please? Also provide the output of the command "show crypto pki certificates" from the router

martinbuffleo · ‎10-10-2018

ip local pool vpnusers 10.168.255.1 10.168.255.254

crypto ikev2 authorization policy ap-staff
pool vpnusers
route set interface

crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14

crypto ikev2 policy default
match fvrf any
proposal default

crypto pki certificate map staff-certificate-map 10
issuer-name co cn = ca-server

crypto ikev2 profile staff
match identity remote key-id *$AnyConnectClient$*
match certificate staff-certificate-map
no identity local dn
identity local fqdn 3709635.spectra-group.co.uk
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint routerCA
dpd 60 2 on-demand
aaa authorization group cert list grouplist ap-staff
virtual-template 3

no crypto ikev2 http-url cert

crypto ipsec transform-set tr-gsm256 esp-gcm 256
mode tunnel

crypto ipsec profile staff
set transform-set tr-gsm256
set pfs group21
set ikev2-profile staff

interface Virtual-Template3 type tunnel
description Cisco AnyConnect IKEv2
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile staff

martinbuffleo · ‎10-10-2018

Certificate
Status: Available
Certificate Serial Number (hex): 06
Certificate Usage: General Purpose
Issuer:
    cn=ca-server
Subject:
    Name: igsurface
    cn=igsurface
Validity Date:
    start date: 17:22:39 BST Oct 10 2018
    end   date: 17:22:39 BST Oct 7 2028
Associated Trustpoints: igsurface

Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
    cn=ca-server
Subject:
    Name: vpn.spectra-group.co.uk
    IP Address: 10.0.1.1
    ipaddress=10.0.1.1+hostname=vpn.spectra-group.co.uk
    cn=BCB
    ou=user-vpn
    o=SpectraGroup
Validity Date:
    start date: 14:42:30 BST Oct 10 2018
    end   date: 14:42:30 BST Oct 7 2028
Associated Trustpoints: routerCA

CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
    cn=ca-server
Subject:
    cn=ca-server
Validity Date:
    start date: 14:34:07 BST Oct 10 2018
    end   date: 08:04:51 BST Sep 5 1902
Associated Trustpoints: igsurface routerCA ca-server

Rob Ingram · ‎10-10-2018

end date: 08:04:51 BST Sep 5 1902

The end date of your CA certificate is in the distance past, that might cause issues!

martinbuffleo · ‎10-10-2018

How has that happened??

crypto pki server ca-server
database level names
no database archive
hash sha512
lifetime certificate 3650
lifetime ca-certificate 7305 23 59
eku server-auth client-auth
auto-rollover 365
database url flash:ca
exit

Is 7305 too large?

Rob Ingram · ‎10-10-2018

Well that's what is used in that example. Did you delete the certificate key pair off the router after you created it?
Is the clock on the router accurate now and when you created the certificate?

martinbuffleo · ‎10-10-2018

Clock is good.

Did i need to delete the key pair?

For the client i have

Rob Ingram · ‎10-10-2018

Why not using "identity local dn" ?
I assume you've created an AnyConnect profile with the correct configuration?

martinbuffleo · ‎10-10-2018

I did have that but that didnt work.

Im using the following on my client:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">;
<ClientInitialization>
<UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
<AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
<CertificateStore>All</CertificateStore>
<CertificateStoreOverride>true</CertificateStoreOverride>
</ClientInitialization>
<ServerList>
    <HostEntry>
      <HostName>SpectraIKE</HostName>
      <HostAddress>vpn.spectra-group.co.uk</HostAddress>
      <PrimaryProtocol>IPsec
                <StandardAuthenticationOnly>false
                    <AuthMethodDuringIKENegotiation>
                     IKE-RSA
                    </AuthMethodDuringIKENegotiation>
                </StandardAuthenticationOnly>
            </PrimaryProtocol>
    </HostEntry>
</ServerList>
</AnyConnectProfile>