cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7227
Views
15
Helpful
7
Replies

ASA IKEv2 L2L VPN Cert Auth failing

Hi guys,

How does an ASA verify/validate the certificate used for authentication of the remote end of an IKEv2 tunnel?

I'm having some problems with setting up a. L2L IKEv2 VPN using certificate auth. The VPN is between 2 ASAs, but I only control 1 side.

When I send 'interesting traffic', my ASA initiates IKE and the IKEv2 settings get passed, agreed and then auth is attempted. The only message I am getting back is:

IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

What could be the cause of this? I presume the other end doesn't like my cert. The question is why?

I've created a trustpoint on my end with my cert and my publishing CAs intermediate CA certificate. The identity cert I have is a general usage certificate, but the subject of my identity cert is a hostname, not my IP address and is not in the SAN of the certificate. I know that both ends are using the same CA, so the intermediate CA at my end should be OK to validate the remote end.

Should that be OK or do I need a cert with my IP address.

Thanks.

1 Accepted Solution

Accepted Solutions