cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2324
Views
5
Helpful
6
Replies

Anyconnect with FlexVPN

Hi,

I have been trying to configure the Anyconnect IPSEC on the ISR4000 router with latest IOS-XE-16.9.4.

Im facing issue with a debug message saying "IKEv2:(SESSION ID = 24,SA ID = 1):Auth exchange failed" and drop the negotiations.

Complete configuration and debugs are as attached. Please assist.

 

Saif

1 Accepted Solution

Accepted Solutions

Correct, you are.....but the server has to authenticate (authentication local rsa-sig) itself to the client using certificates as required by the IKEv2 RFC.

 

Refer to this guide here.

 

Note: In order to authenticate users against the local database on the router, EAP needs to be used. However, in order to use EAP, the local authentication method has to be rsa-sig, so the router needs a proper certificate installed on it, and it can't be a self-signed certificate.

 

You have a trustpoint that is using a self signed certificate.

 

HTH

View solution in original post

6 Replies 6

Hi,

Try removing the anyconnect profile configuration as it's only supported on CSR1K

flexvpn any download.PNG

HTH

Thanks for your prompt reply but it does not help. Still the same error in the debugs.

 

Mar 2 14:28:23.659: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
Mar 2 14:28:23.660: IKEv2:(SESSION ID = 24,SA ID = 1):Verification of peer's authentication data FAILED

Does the WIndows computer trust the certificate in use by the hub router?

The remote authentication is set to anyconnect-eap only so the certificate should not matter.

Correct, you are.....but the server has to authenticate (authentication local rsa-sig) itself to the client using certificates as required by the IKEv2 RFC.

 

Refer to this guide here.

 

Note: In order to authenticate users against the local database on the router, EAP needs to be used. However, in order to use EAP, the local authentication method has to be rsa-sig, so the router needs a proper certificate installed on it, and it can't be a self-signed certificate.

 

You have a trustpoint that is using a self signed certificate.

 

HTH

Thanks for the expert advise. It works.

 

Correct, you are.....but the server has to authenticate (authentication local rsa-sig) itself to the client using certificates as required by the IKEv2 RFC.

- I didnt do anything special for this.

 

Refer to this guide here.

- I have been configuring according to this guide but just overlooked EAP note.

 

Note: In order to authenticate users against the local database on the router, EAP needs to be used. However, in order to use EAP, the local authentication method has to be rsa-sig, so the router needs a proper certificate installed on it, and it can't be a self-signed certificate.

You have a trustpoint that is using a self signed certificate.

- Yes now I made a proper certificate and NOT self signed certificate and it works.

 

Thanks