10-10-2018 10:19 AM
I'm trying to configure IKEv2 on a 2921.
I followed this guide: http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html
I can see my Windows Client selects a certificate:
Function: ConnectMgr::nextClientCert
File: ConnectMgr.cpp
Line: 5276
Subject Name: CN=mbsurface
Issuer Name : CN=ca-server
Store : Microsoft Machine
But then I see no trustpoints retrieved.
2723466: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Stopping timer to wait for auth message
2723467: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Checking NAT discovery
2723468: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):NAT OUTSIDE found
2723469: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):NAT detected float to init port 62595, resp port 4500
2723470: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
2723471: Oct 10 17:56:29.922 BST: IKEv2:found matching IKEv2 profile 'staff'
2723472: Oct 10 17:56:29.922 BST: IKEv2:Searching Policy with fvrf 0, local address 37.0.96.35
2723473: Oct 10 17:56:29.922 BST: IKEv2:Using the Default Policy for Proposal
2723474: Oct 10 17:56:29.922 BST: IKEv2:Found Policy 'default'
2723475: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Verify peer's policy
2723476: Oct 10 17:56:29.922 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Peer's policy verified
2723477: Oct 10 17:56:29.922 BST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
2723478: Oct 10 17:56:29.922 BST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
2723479: Oct 10 17:56:29.922 BST: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
2723480: Oct 10 17:56:29.922 BST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint routerCA
2723481: Oct 10 17:56:29.926 BST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
2723482: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Check for EAP exchange
2723483: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Check for EAP exchange
2723484: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Verification of peer's authentication data FAILED
2723485: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Sending authentication failure notify
2723486: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
2723487: Oct 10 17:56:29.926 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Sending Packet [To 86.163.103.98:62595/From 37.0.96.35:4500/VRF i0:f0]
Initiator SPI : D40DA6AA4153E3AC - Responder SPI : 9470A3FD78E6DCE5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
2723488: Oct 10 17:56:29.930 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Auth exchange failed
2723489: Oct 10 17:56:29.930 BST: IKEv2-ERROR:(SESSION ID = 1149,SA ID = 1):: Auth exchange failed
2723490: Oct 10 17:56:29.930 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Abort exchange
2723491: Oct 10 17:56:29.930 BST: IKEv2:(SESSION ID = 1149,SA ID = 1):Deleting SA
2723492: Oct 10 17:56:29.930 BST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
2723493: Oct 10 17:56:29.930 BST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Is this a known issue?
10-10-2018 10:24 AM
10-10-2018 10:25 AM
ip local pool vpnusers 10.168.255.1 10.168.255.254
crypto ikev2 authorization policy ap-staff
 pool vpnusers
 route set interface
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 14
crypto ikev2 policy default
 match fvrf any
 proposal default
crypto pki certificate map staff-certificate-map 10
 issuer-name co cn = ca-server
crypto ikev2 profile staff
 match identity remote key-id *$AnyConnectClient$*
 match certificate staff-certificate-map
 no identity local dn
 identity local fqdn 3709635.spectra-group.co.uk
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint routerCA
 dpd 60 2 on-demand
 aaa authorization group cert list grouplist ap-staff
 virtual-template 3
no crypto ikev2 http-url cert
crypto ipsec transform-set tr-gsm256 esp-gcm 256
 mode tunnel
crypto ipsec profile staff
 set transform-set tr-gsm256
 set pfs group21
 set ikev2-profile staff
interface Virtual-Template3 type tunnel
 description Cisco AnyConnect IKEv2
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile staff
10-10-2018 10:27 AM
Certificate
Status: Available
Certificate Serial Number (hex): 06
Certificate Usage: General Purpose
Issuer:
cn=ca-server
Subject:
Name: igsurface
cn=igsurface
Validity Date:
start date: 17:22:39 BST Oct 10 2018
end date: 17:22:39 BST Oct 7 2028
Associated Trustpoints: igsurface
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=ca-server
Subject:
Name: vpn.spectra-group.co.uk
IP Address: 10.0.1.1
ipaddress=10.0.1.1+hostname=vpn.spectra-group.co.uk
cn=BCB
ou=user-vpn
o=SpectraGroup
Validity Date:
start date: 14:42:30 BST Oct 10 2018
end date: 14:42:30 BST Oct 7 2028
Associated Trustpoints: routerCA
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=ca-server
Subject:
cn=ca-server
Validity Date:
start date: 14:34:07 BST Oct 10 2018
end date: 08:04:51 BST Sep 5 1902
Associated Trustpoints: igsurface routerCA ca-server
10-10-2018 10:32 AM
10-10-2018 10:43 AM
How has that happened??
crypto pki server ca-server
 database level names
 no database archive
 hash sha512
 lifetime certificate 3650
 lifetime ca-certificate 7305 23 59
 eku server-auth client-auth
 auto-rollover 365
 database url flash:ca
 exit
Is 7305 too large?
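The CA certificate output above has an end date (Sep 5 1902) that falls before its start date (Oct 10 2018), so the CA certificate can never be valid and any chain built on it will fail verification. The following is an added checker, not code from the thread or from Cisco: it parses the "Validity Date" blocks of `show crypto pki certificates` output, flags any certificate whose window is inverted, and tests whether the inverted end date is exactly the intended end date (start plus the configured `lifetime ca-certificate 7305 23 59`) minus 2^32 seconds, i.e. a signed 32-bit timestamp that wrapped past January 2038. The sample text is the router and CA certificate blocks from the post; the timezone token (BST) is dropped on the assumption that both dates are displayed in the same zone.

```python
"""Detect inverted validity windows in `show crypto pki certificates` output
and test whether the inversion is explained by a 32-bit timestamp wraparound.

Added example for this thread; not code from the original post or from Cisco.
"""
import re
from datetime import datetime, timedelta

# Sample taken from the certificate output in the post above (router cert + CA cert).
SAMPLE = """\
Certificate
Status: Available
Certificate Serial Number (hex): 02
Certificate Usage: General Purpose
Issuer:
cn=ca-server
Subject:
Name: vpn.spectra-group.co.uk
Validity Date:
start date: 14:42:30 BST Oct 10 2018
end date: 14:42:30 BST Oct 7 2028
Associated Trustpoints: routerCA
CA Certificate
Status: Available
Certificate Serial Number (hex): 01
Certificate Usage: Signature
Issuer:
cn=ca-server
Subject:
cn=ca-server
Validity Date:
start date: 14:34:07 BST Oct 10 2018
end date: 08:04:51 BST Sep 5 1902
Associated Trustpoints: igsurface routerCA ca-server
"""

# "start date: 14:34:07 BST Oct 10 2018" -> (start, 14:34:07, Oct, 10, 2018); zone token ignored.
DATE_RE = re.compile(
    r"^(start|end) date:\s+(\d{2}:\d{2}:\d{2})\s+\S+\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})$"
)

# 2^32 seconds: the distance a signed 32-bit time_t jumps when it overflows.
WRAP = timedelta(seconds=2 ** 32)


def parse_certificates(text):
    """Split show-command output into per-certificate records with naive datetimes."""
    certs = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"(CA )?Certificate", line):
            cur = {"kind": line, "start": None, "end": None, "trustpoints": []}
            certs.append(cur)
            continue
        if cur is None:
            continue
        m = DATE_RE.match(line)
        if m:
            which, clock, mon, day, year = m.groups()
            cur[which] = datetime.strptime(f"{clock} {mon} {day} {year}", "%H:%M:%S %b %d %Y")
        elif line.startswith("Associated Trustpoints:"):
            cur["trustpoints"] = line.split(":", 1)[1].split()
    return certs


def validity_problem(cert):
    """Return None for a sane window, else a dict naming the problem.

    For an inverted window the dict also carries the end date shifted forward by
    2^32 seconds, which is what the date would be if it had wrapped once.
    """
    start, end = cert["start"], cert["end"]
    if start is None or end is None:
        return {"reason": "missing validity date"}
    if end > start:
        return None
    return {"reason": "end date precedes start date", "unwrapped_end": end + WRAP}


def matches_lifetime(cert, days, hours=0, minutes=0):
    """True if un-wrapping the end date reproduces start + the configured lifetime."""
    intended = cert["start"] + timedelta(days=days, hours=hours, minutes=minutes)
    return cert["end"] + WRAP == intended


def exceeds_int32(dt):
    """True if dt (treated as UTC) does not fit a signed 32-bit Unix timestamp."""
    return (dt - datetime(1970, 1, 1)).total_seconds() > 2 ** 31 - 1


if __name__ == "__main__":
    for cert in parse_certificates(SAMPLE):
        problem = validity_problem(cert)
        label = f"{cert['kind']} (trustpoints {', '.join(cert['trustpoints'])})"
        if problem is None:
            print(f"OK      {label}: valid {cert['start']} .. {cert['end']}")
        else:
            print(f"PROBLEM {label}: {problem['reason']}")
            if "unwrapped_end" in problem:
                print(f"        end + 2^32 s = {problem['unwrapped_end']}, "
                      f"matches 7305d 23h 59m lifetime: {matches_lifetime(cert, 7305, 23, 59)}")
```

Run against the post's output, the router certificate passes and the CA certificate is flagged; adding 2^32 seconds to Sep 5 1902 08:04:51 gives Oct 11 2038 14:33:07, which is exactly 14:34:07 Oct 10 2018 plus 7305 days 23 hours 59 minutes, and that date lies past the signed 32-bit limit of January 2038. The same check also catches a CA certificate that is simply expired or not yet valid, which produces the same "Verification of peer's authentication data FAILED" outcome for every peer.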
10-10-2018 10:49 AM
10-10-2018 10:50 AM - edited 10-10-2018 10:50 AM
Clock is good.
Did I need to delete the key pair?
For the client I have
10-10-2018 10:31 AM
10-10-2018 10:44 AM
I did have that but that didn't work.
I'm using the following on my client:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <UseStartBeforeLogon UserControllable="true">false</UseStartBeforeLogon>
    <AutomaticCertSelection UserControllable="true">false</AutomaticCertSelection>
    <CertificateStore>All</CertificateStore>
    <CertificateStoreOverride>true</CertificateStoreOverride>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>SpectraIKE</HostName>
      <HostAddress>vpn.spectra-group.co.uk</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>false
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>