Hi guys,
How does an ASA verify/validate the certificate used for authentication of the remote end of an IKEv2 tunnel?
I'm having some problems setting up an L2L IKEv2 VPN using certificate auth. The VPN is between 2 ASAs, but I only control 1 side.
When I send 'interesting traffic', my ASA initiates IKE and the IKEv2 settings get passed, agreed and then auth is attempted. The only message I am getting back is:
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
What could be the cause of this? I presume the other end doesn't like my cert. The question is why?
I've created a trustpoint on my end with my cert and my publishing CA's intermediate CA certificate. The identity cert I have is a general usage certificate, but the subject of my identity cert is a hostname, not my IP address, and the IP address is not in the SAN of the certificate. I know that both ends are using the same CA, so the intermediate CA at my end should be OK to validate the remote end.
Should that be OK, or do I need a cert with my IP address?
Thanks.
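Added example, not part of the post above and not Cisco code: a small constructed PKI built with openssl (root CA, intermediate CA, identity cert whose subject and SAN carry only a hostname), used to reproduce the two checks any IKEv2 peer has to pass on the remote certificate before authentication can succeed: a chain from the identity cert to a trusted root must be buildable with the intermediate available, and the identity the peer expects (hostname or IP address) must actually appear in the cert. Assumes openssl is installed; the names vpn-a.example.net, "Example Root CA", "Example Issuing CA" and the address 203.0.113.10 are made up for the example.

```shell
#!/bin/sh
# Added example (not from the post): constructed three-tier PKI used to show
# (1) chain building to a trusted root with/without the intermediate CA and
# (2) whether the identity cert's SAN contains a given hostname or IP.
# Assumes openssl is on PATH; all names, keys and the IP address are made up.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

build_pki() {
  # Extensions for the two CA certificates.
  cat > ca_ext.cnf <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
  # Extensions for the identity certificate: hostname in the SAN, no IP address.
  cat > leaf_ext.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
subjectAltName=DNS:vpn-a.example.net
EOF
  # Root CA: self-signed.
  openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 365 \
    -extfile ca_ext.cnf >/dev/null 2>&1
  # Intermediate (issuing) CA: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Example Issuing CA" >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out int.crt -days 365 -extfile ca_ext.cnf >/dev/null 2>&1
  # Identity cert for the VPN gateway: subject is a hostname, issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=vpn-a.example.net" >/dev/null 2>&1
  openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out leaf.crt -days 365 -extfile leaf_ext.cnf >/dev/null 2>&1
}

# Check 1a: the chain builds when the verifier trusts the root and has the intermediate.
verify_with_intermediate() {
  openssl verify -CAfile root.crt -untrusted int.crt leaf.crt >/dev/null 2>&1
}

# Check 1b: the same identity cert fails if the intermediate is not available.
verify_without_intermediate() {
  openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

# Check 2: does the identity cert's SAN contain the given entry
# (e.g. "DNS:vpn-a.example.net" or "IP Address:203.0.113.10")?
san_contains() {
  openssl x509 -in leaf.crt -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -q -- "$1"
}

build_pki
if verify_with_intermediate; then echo "chain OK with intermediate"; fi
if ! verify_without_intermediate; then echo "chain FAILS without intermediate"; fi
if san_contains 'DNS:vpn-a.example.net'; then echo "SAN carries the hostname"; fi
if ! san_contains 'IP Address:203.0.113.10'; then echo "SAN has no IP address"; fi
```

Run it on any host with openssl. The first two checks mirror the trust side of the question: a verifier that only holds the root cannot validate a cert issued by the intermediate unless the intermediate is presented or installed. The SAN check mirrors the identity side: a cert whose subject and SAN only name a hostname does not contain the IP address, so a peer configured to match the IP would not find it there. Whether the remote ASA matches on hostname, IP or some other attribute is a matter of its configuration, which this script cannot see.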