ASA IKEv2 L2L VPN Cert Auth failing

Hi guys,

How does an ASA verify/validate the certificate used for authentication of the remote end of an IKEv2 tunnel?

I'm having some problems setting up an L2L IKEv2 VPN using certificate auth. The VPN is between 2 ASAs, but I only control 1 side.

When I send 'interesting traffic', my ASA initiates IKE and the IKEv2 settings get passed, agreed and then auth is attempted. The only message I am getting back is:

IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

What could be the cause of this? I presume the other end doesn't like my cert. The question is why?

I've created a trustpoint on my end with my cert and my publishing CA's intermediate CA certificate. The identity cert I have is a general usage certificate, but the subject of my identity cert is a hostname, not my IP address, and the IP address is not in the SAN of the certificate. I know that both ends are using the same CA, so the intermediate CA at my end should be OK to validate the remote end.

Should that be OK, or do I need a cert with my IP address?

Thanks.

Accepted Solutions

ASA uses the IKE ID to match the tunnel-groups. So, if your peer is sending the DN as the IKE ID, you would have to create a tunnel-group with that DN to match it automatically.

You can also use tunnel-group-map to match based on certificate attributes, like CN or issuer CN. This is a more recommended approach when you have dynamic tunnels using cert authentication. This would work well in your case too, as you know the cert parameters beforehand. Some more info on how to configure tunnel-group-map is here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113573-sol-tunnels-groups.html

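The configuration below is an added example illustrating the accepted answer; it is not from the original thread or from Cisco's documentation. It shows the certificate-map approach on the ASA side that the poster controls: instead of relying on the peer's IKE ID (which is the certificate DN when certificate authentication is in use) to name the tunnel-group, a crypto ca certificate map selects the tunnel-group from the issuer CN and subject CN of the peer's certificate. All names and values are assumptions: the trustpoint EXAMPLE-ISSUING-CA, the issuing CA name "Example Issuing CA", the peer CN vpn-peer.example.com, the map name L2L-PEER-MAP and the tunnel-group L2L-PEER.

```cisco
! Added example (not from the original post). Hypothetical values:
! trustpoint EXAMPLE-ISSUING-CA, issuing CA "Example Issuing CA",
! peer certificate CN vpn-peer.example.com, tunnel-group L2L-PEER.

! Trustpoint holding the intermediate (issuing) CA certificate that
! signed both identity certificates. The peer's chain is validated up
! to this anchor. Keep revocation checking on where CRLs are reachable;
! the "none" fallback only covers an unreachable CDP.
crypto ca trustpoint EXAMPLE-ISSUING-CA
 enrollment terminal
 revocation-check crl none
 crl configure

! Certificate map: select the tunnel-group from attributes of the
! peer's certificate rather than from its IKE ID.
crypto ca certificate map L2L-PEER-MAP 10
 issuer-name attr cn eq Example Issuing CA
 subject-name attr cn eq vpn-peer.example.com

! Bind rule 10 of the map to the L2L tunnel-group.
tunnel-group-map L2L-PEER-MAP 10 L2L-PEER

! With tunnel-group-map in place the tunnel-group name no longer has
! to equal the peer IP address or the peer's DN.
tunnel-group L2L-PEER type ipsec-l2l
tunnel-group L2L-PEER ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate EXAMPLE-ISSUING-CA
```

To confirm which tunnel-group a peer landed in and why authentication fails, `show crypto ca certificates` verifies that the intermediate CA and identity certificate are loaded in the trustpoint, `show crypto ikev2 sa` shows the negotiated SA once the peer accepts the AUTH exchange, and `debug crypto ikev2 protocol 127` together with `debug crypto ikev2 platform 127` prints the tunnel-group lookup and the certificate validation result on the local ASA. Note that the AUTHENTICATION_FAILED notify quoted in the question is sent by the remote ASA, so the matching configuration also has to exist on that side: its tunnel-group must match the DN that the poster's ASA sends as its IKE ID, or the remote administrator needs an equivalent tunnel-group-map rule.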