Anyconnect IKEv2 Windows 10

martinbuffleo
Level 1

I'm trying to configure IKEv2 on a 2921.


I followed this guide: http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html


I can see my Windows Client selects a certificate:

Function: ConnectMgr::nextClientCert
File: ConnectMgr.cpp
Line: 5276
Subject Name: CN=mbsurface
Issuer Name : CN=ca-server
Store : Microsoft Machine


But then I see no trustpoints retrieved.


2723466: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Stopping timer to wait for auth message
2723467: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Checking NAT discovery
2723468: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):NAT OUTSIDE found
2723469: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):NAT detected float to init port 62595, resp port 4500
2723470: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
2723471: Oct 10 17:56:29.922 BST: IKEv2:found matching IKEv2 profile 'staff'
2723472: Oct 10 17:56:29.922 BST: IKEv2:Searching Policy with fvrf 0, local address 37.0.96.35
2723473: Oct 10 17:56:29.922 BST: IKEv2:Using the Default Policy for Proposal
2723474: Oct 10 17:56:29.922 BST: IKEv2:Found Policy 'default'
2723475: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Verify peer's policy
2723476: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Peer's policy verified
2723477: Oct 10 17:56:29.922 BST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
2723478: Oct 10 17:56:29.922 BST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
2723479: Oct 10 17:56:29.922 BST: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

2723480: Oct 10 17:56:29.922 BST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint routerCA
2723481: Oct 10 17:56:29.926 BST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
2723482: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Check for EAP exchange
2723483: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Check for EAP exchange
2723484: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Verification of peer's authentication data FAILED
2723485: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Sending authentication failure notify
2723486: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Building packet for encryption.
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)

2723487: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Sending Packet [To 86.163.103.98:62595/From 37.0.96.35:4500/VRF i0:f0]
Initiator SPI : D40DA6AA4153E3AC - Responder SPI : 9470A3FD78E6DCE5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

2723488: Oct 10 17:56:29.930 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Auth exchange failed
2723489: Oct 10 17:56:29.930 BST: IKEv2-ERROR:(SESSION ID = 1149,SA ID = 1):: Auth exchange failed
2723490: Oct 10 17:56:29.930 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Abort exchange
2723491: Oct 10 17:56:29.930 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Deleting SA
2723492: Oct 10 17:56:29.930 BST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
2723493: Oct 10 17:56:29.930 BST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED


Is this a known issue?


9 Replies

Hi, can you upload your router configuration please? Also provide the output of the command "show crypto pki certificates" from the router

ip local pool vpnusers 10.168.255.1 10.168.255.254

crypto ikev2 authorization policy ap-staff
 pool vpnusers
 route set interface

crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 14

crypto ikev2 policy default
 match fvrf any
 proposal default

crypto pki certificate map staff-certificate-map 10
 issuer-name co cn = ca-server

crypto ikev2 profile staff
 match identity remote key-id *$AnyConnectClient$*
 match certificate staff-certificate-map
 no identity local dn
 identity local fqdn 3709635.spectra-group.co.uk
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint routerCA
 dpd 60 2 on-demand
 aaa authorization group cert list grouplist ap-staff
 virtual-template 3

no crypto ikev2 http-url cert

crypto ipsec transform-set tr-gsm256 esp-gcm 256
 mode tunnel

crypto ipsec profile staff
 set transform-set tr-gsm256
 set pfs group21
 set ikev2-profile staff

interface Virtual-Template3 type tunnel
 description Cisco AnyConnect IKEv2
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile staff

Certificate
  Status: Available
  Certificate Serial Number (hex): 06
  Certificate Usage: General Purpose
  Issuer:
    cn=ca-server
  Subject:
    Name: igsurface
    cn=igsurface
  Validity Date:
    start date: 17:22:39 BST Oct 10 2018
    end   date: 17:22:39 BST Oct 7 2028
  Associated Trustpoints: igsurface

Certificate
  Status: Available
  Certificate Serial Number (hex): 02
  Certificate Usage: General Purpose
  Issuer:
    cn=ca-server
  Subject:
    Name: vpn.spectra-group.co.uk
    IP Address: 10.0.1.1
    ipaddress=10.0.1.1+hostname=vpn.spectra-group.co.uk
    cn=BCB
    ou=user-vpn
    o=SpectraGroup
  Validity Date:
    start date: 14:42:30 BST Oct 10 2018
    end   date: 14:42:30 BST Oct 7 2028
  Associated Trustpoints: routerCA

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=ca-server
  Subject:
    cn=ca-server
  Validity Date:
    start date: 14:34:07 BST Oct 10 2018
    end   date: 08:04:51 BST Sep 5 1902
  Associated Trustpoints: igsurface routerCA ca-server

end date: 08:04:51 BST Sep 5 1902

The end date of your CA certificate is in the distant past, that might cause issues!

How has that happened??


crypto pki server ca-server
 database level names
 no database archive
 hash sha512
 lifetime certificate 3650
 lifetime ca-certificate 7305 23 59
 eku server-auth client-auth
 auto-rollover 365
 database url flash:ca
 exit


Is 7305 too large?
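The 1902 end date can be checked arithmetically. This added script (mine, not from the thread or from Cisco) applies the configured "lifetime ca-certificate 7305 23 59" to the CA certificate's start date from the dump, shows what that end time decodes to when squeezed into a signed 32-bit epoch, and scans a "show crypto pki certificates" excerpt for validity periods that end before they start. It assumes the router's BST stamps mean UTC+1.

```python
import re
from datetime import datetime, timedelta, timezone

BST = timezone(timedelta(hours=1))   # assumption: router output is stamped in UTC+1
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
INT32_MAX = 2**31 - 1                # last second a signed 32-bit time_t can hold

def lifetime_end(start, days, hours=0, minutes=0):
    """Validity end for an IOS 'lifetime <days> [<hours> [<minutes>]]' setting."""
    return start + timedelta(days=days, hours=hours, minutes=minutes)

def as_int32_time(dt):
    """dt itself if it fits a signed 32-bit epoch, else the date the wrapped value decodes to."""
    secs = int(dt.timestamp())
    if secs <= INT32_MAX:
        return dt
    return (EPOCH + timedelta(seconds=secs - 2**32)).astimezone(dt.tzinfo)

CA_START = datetime(2018, 10, 10, 14, 34, 7, tzinfo=BST)  # CA cert start date from the dump

def predicted_ca_end():
    """(true end, end as a wrapped 32-bit time) for 'lifetime ca-certificate 7305 23 59'."""
    real_end = lifetime_end(CA_START, 7305, 23, 59)
    return real_end, as_int32_time(real_end)

DATE_RE = re.compile(r"(start|end)\s+date:\s+(\d\d:\d\d:\d\d) BST (\w{3}) (\d{1,2}) (\d{4})")

def _to_dt(groups):
    hms, mon, day, year = groups[1:]
    return datetime.strptime(f"{hms} {mon} {day} {year}", "%H:%M:%S %b %d %Y").replace(tzinfo=BST)

def backwards_validity(show_output):
    """(start, end) pairs from 'show crypto pki certificates' text whose end precedes start."""
    found = DATE_RE.findall(show_output)
    starts = [_to_dt(g) for g in found if g[0] == "start"]
    ends = [_to_dt(g) for g in found if g[0] == "end"]
    return [(s, e) for s, e in zip(starts, ends) if e < s]

# Excerpt of the dump posted in the thread (router cert and CA cert validity blocks).
SHOW_OUTPUT = """\
  Validity Date:
    start date: 14:42:30 BST Oct 10 2018
    end   date: 14:42:30 BST Oct 7 2028
  Validity Date:
    start date: 14:34:07 BST Oct 10 2018
    end   date: 08:04:51 BST Sep 5 1902
"""

if __name__ == "__main__":
    real, shown = predicted_ca_end()
    print("true end:", real, "| as 32-bit time:", shown)
    for s, e in backwards_validity(SHOW_OUTPUT):
        print("validity runs backwards:", s, "->", e)
```

The wrapped value lands on 08:04:51 BST Sep 5 1902 to the second, and the same arithmetic gives Oct 7 2028 for the 3650-day router certificate, so the CA lifetime simply runs past January 2038.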

Well that's what is used in that example. Did you delete the certificate key pair off the router after you created it?
Is the clock on the router accurate now and when you created the certificate?

Clock is good.


Did I need to delete the key pair?

For the client I have

Why not use "identity local dn"?
I assume you've created an AnyConnect profile with the correct configuration?

I did have that but that didn't work.


I'm using the following on my client:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>SpectraIKE</HostName>
      <HostAddress>vpn.spectra-group.co.uk</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>false
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>