07-03-2018 09:50 PM - edited 03-12-2019 05:26 AM
Hi
I am using cert for VPN, but it fails.
Any suggestion please?
Thanks
Hain
Jul 4 04:02:09.199 UTC: IKEv2:Received Packet [From 10.0.0.2:500/To 10.0.0.1:500/VRF i0:f0]
Initiator SPI : FBF6415B28B2DAF5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
Jul 4 04:02:09.203 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Verify SA init message
Jul 4 04:02:09.203 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Insert SA
Jul 4 04:02:09.203 UTC: IKEv2:Searching Policy with fvrf 0, local address 10.0.0.1
Jul 4 04:02:09.203 UTC: IKEv2:Found Policy 'IKEV2-POLICY'
Jul 4 04:02:09.203 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Processing IKE_SA_INIT message
Jul 4 04:02:09.203 UTC: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Jul 4 04:02:09.203 UTC: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'root-1'
Jul 4 04:02:09.203 UTC: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Jul 4 04:02:09.203 UTC: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Jul 4 04:02:09.203 UTC: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Start PKI Session
Jul 4 04:02:09.203 UTC: IKEv2:(SA ID = 2):[PKI -> IKEv2] Starting of PKI Session PASSED
Jul 4 04:02:09.203 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
Jul 4 04:02:09.203 UTC: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
Jul 4 04:02:09.203 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Request queued for computation of DH key
Jul 4 04:02:09.203 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
Jul 4 04:02:09.283 UTC: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
Jul 4 04:02:09.283 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Request queued for computation of DH secret
Jul 4 04:02:09.283 UTC: IKEv2:(SA ID = 2):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Jul 4 04:02:09.287 UTC: IKEv2:(SA ID = 2):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Jul 4 04:02:09.287 UTC: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Generating IKE_SA_INIT message
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
3DES MD5 MD596 DH_GROUP_1536_MODP/Group 5
Jul 4 04:02:09.287 UTC: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Jul 4 04:02:09.287 UTC: IKEv2:(SA ID = 2):[PKI -> IKEv2] Retrieved trustpoint(s): 'root-1'
Jul 4 04:02:09.287 UTC: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Jul 4 04:02:09.287 UTC: IKEv2:(SA ID = 2):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Sending Packet [To 10.0.0.2:500/From 10.0.0.1:500/VRF i0:f0]
Initiator SPI : FBF6415B28B2DAF5 - Responder SPI : 2C716EB660F2CEF0 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Completed SA init exchange
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Starting timer (30 sec) to wait for auth message
Jul 4 04:02:09.287 UTC: IKEv2-ERROR:(SESSION ID = 5,SA ID = 3):: Failed to receive the AUTH msg before the timer expired
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 5,SA ID = 3):Auth exchange failed
Jul 4 04:02:09.287 UTC: IKEv2-ERROR:(SESSION ID = 5,SA ID = 3):: Auth exchange failed
Jul 4 04:02:09.291 UTC: IKEv2:(SESSION ID = 5,SA ID = 3):Abort exchange
Jul 4 04:02:09.291 UTC: IKEv2:(SESSION ID = 5,SA ID = 3):Deleting SA
Jul 4 04:02:09.291 UTC: IKEv2:(SA ID = 3):[IKEv2 -> PKI] Close PKI Session
Jul 4 04:02:09.291 UTC: IKEv2:(SA ID = 3):[PKI -> IKEv2] Closing of PKI Session PASSED
Jul 4 04:02:39.287 UTC: IKEv2-ERROR:(SESSION ID = 6,SA ID = 2):: Failed to receive the AUTH msg before the timer expired
Jul 4 04:02:39.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Auth exchange failed
Jul 4 04:02:39.287 UTC: IKEv2-ERROR:(SESSION ID = 6,SA ID = 2):: Auth exchange failed
Jul 4 04:02:39.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Abort exchange
Jul 4 04:02:39.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Deleting SA
Jul 4 04:02:39.287 UTC: IKEv2:(SA ID = 2):[IKEv2 -> PKI] Close PKI Session
Jul 4 04:02:39.287 UTC: IKEv2:(SA ID = 2):[PKI -> IKEv2] Closing of PKI Session PASSED
07-04-2018 07:02 AM
You've got several session IDs:
(SESSION ID = 5,SA ID = 3)
(SESSION ID = 6,SA ID = 2)
We should just look at the second one (ID = 6).
It starts with an IKE_SA_INIT which negotiates successfully:
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Completed SA init exchange
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Starting timer (30 sec) to wait for auth message
The local host then waits for the IKE_AUTH message from the peer, which it never receives (30-second timer; look at the timestamp):
Jul 4 04:02:39.287 UTC: IKEv2-ERROR:(SESSION ID = 6,SA ID = 2):: Failed to receive the AUTH msg before the timer expired
This could be due to several things:
the packet is not getting back to the remote peer
the remote peer is receiving the packet but is dropping it as it has no authentication credentials
Either way, you need to get some logs/config off the peer.
Gareth
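The check described in the reply above (group the debug by session, find the "Completed SA init exchange" line, measure the gap to the AUTH timeout) is easy to automate. What follows is an added example, not code from the thread or from Cisco: a Python script that parses IOS `debug crypto ikev2` lines, groups events per SESSION ID / SA ID and reports how long each SA waited for IKE_AUTH. The embedded sample is a trimmed copy of the debug posted at the top of the thread; attributing a session to the peer named in the preceding `Received Packet` line is this script's own heuristic, since that line carries no session id.

```python
import re
from datetime import datetime

# Trimmed copy of the 'debug crypto ikev2' lines posted in the thread (SESSION ID 6 / SA ID 2
# plus the stray SESSION ID 5 error); only the events this analysis keys on are kept.
SAMPLE_DEBUG = """\
Jul 4 04:02:09.199 UTC: IKEv2:Received Packet [From 10.0.0.2:500/To 10.0.0.1:500/VRF i0:f0]
Jul 4 04:02:09.203 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Processing IKE_SA_INIT message
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Sending Packet [To 10.0.0.2:500/From 10.0.0.1:500/VRF i0:f0]
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Completed SA init exchange
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Starting timer (30 sec) to wait for auth message
Jul 4 04:02:09.287 UTC: IKEv2-ERROR:(SESSION ID = 5,SA ID = 3):: Failed to receive the AUTH msg before the timer expired
Jul 4 04:02:09.287 UTC: IKEv2:(SESSION ID = 5,SA ID = 3):Auth exchange failed
Jul 4 04:02:39.287 UTC: IKEv2-ERROR:(SESSION ID = 6,SA ID = 2):: Failed to receive the AUTH msg before the timer expired
Jul 4 04:02:39.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Auth exchange failed
Jul 4 04:02:39.287 UTC: IKEv2:(SESSION ID = 6,SA ID = 2):Deleting SA
"""

# Timestamp, optional -ERROR marker, optional (SESSION ID = n,SA ID = m), then the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}) UTC: IKEv2(?:-ERROR)?:"
    r"(?:\(SESSION ID = (?P<sess>\d+),SA ID = (?P<sa>\d+)\))?:*\s*(?P<msg>.*)$")
RECV_RE = re.compile(r"Received Packet \[From (?P<peer>[\d.]+):\d+/To (?P<local>[\d.]+):\d+")


def parse_sessions(debug_text):
    """Group events per (SESSION ID, SA ID) and keep the two timestamps that matter.
    Peer attribution is a heuristic: 'Received Packet' carries no session id, so the next
    session that appears is assumed to be the one that packet started."""
    sessions, pending = {}, None
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"), m["msg"]
        recv = RECV_RE.search(msg)
        if recv:
            pending = (recv["peer"], recv["local"])
            continue
        if m["sess"] is None:
            continue
        s = sessions.setdefault((int(m["sess"]), int(m["sa"])),
                                {"peer": None, "local": None, "init_done": None, "auth_timeout": None})
        if s["peer"] is None and pending:
            s["peer"], s["local"], pending = pending[0], pending[1], None
        if "Completed SA init exchange" in msg:
            s["init_done"] = ts
        elif "Failed to receive the AUTH msg" in msg:
            s["auth_timeout"] = ts
    return sessions


def diagnose(sessions):
    """One finding per SA that hit the AUTH timer; the wait is measured from init completion."""
    findings = []
    for (sess, sa), s in sorted(sessions.items()):
        if s["auth_timeout"] is None:
            continue
        f = {"session": sess, "sa": sa, "peer": s["peer"], "wait_seconds": None}
        if s["init_done"] is not None:
            f["wait_seconds"] = (s["auth_timeout"] - s["init_done"]).total_seconds()
            f["verdict"] = (f"IKE_SA_INIT with {s['peer']} completed but no IKE_AUTH arrived in "
                            f"{f['wait_seconds']:.0f}s: the peer never sent it or it was dropped in "
                            "transit; collect debugs on the peer")
        else:
            f["verdict"] = "AUTH timer expired for an SA whose IKE_SA_INIT is not in this capture"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in diagnose(parse_sessions(SAMPLE_DEBUG)):
        print(f"session {f['session']} sa {f['sa']}: {f['verdict']}")
```

On the posted debug this reports session 6 as a completed IKE_SA_INIT with 10.0.0.2 that waited 30 seconds for an IKE_AUTH that never came, and session 5 as an earlier SA whose start lies outside the capture. The next step is the same debug on the initiator (10.0.0.2): that is where it will show whether IKE_AUTH was ever built and sent.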
07-04-2018 11:53 PM
07-04-2018 04:06 PM
Are you able to get configs at both ends? Also, what device is at the other end?
07-04-2018 11:49 PM - edited 07-04-2018 11:51 PM
Router 1
Building configuration...
Current configuration : 5058 bytes
!
! Last configuration change at 11:49:20 SGT Wed Jul 4 2018
! NVRAM config last updated at 11:52:14 SGT Wed Jul 4 2018
!
version 15.6
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash flash:c1900-universalk9-mz.SPA.156-3.M4.bin
boot-end-marker
!
!
!
no aaa new-model
clock timezone SGT 8 0
!
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint root-1
enrollment terminal
revocation-check crl
!
!
crypto pki certificate chain root-1
certificate ca 7A000003D77C473CB6B1B7CEA20000000003D7
308204B7 3082029F A0030201 0202137A 000003D7 7C473CB6 B1B7CEA2 00000000
03D7300D 06092A86 4886F70D 01010B05 00301231 10300E06 03550403 13075350
46204341 34301E17 0D313830 34313230 32323335 305A170D 32313038 30343037
31373233 5A301F31 1D301B06 03550403 13147063 63726F75 7465722E 70637363
2E6C6F63 616C3082 0122300D 06092A86 4886F70D 01010105 00038201 0F003082
010A0282 0101009F F31D9519 A9007386 F83180A0 D1AECACE 442837E0 98D617FD
6D985BE5 EA4BC4E8 348C5C60 F6F564B2 94471E88 C17C9547 B5D68249 666622F4
5843F2A7 31BEE3B0 B7A6F5C9 01C92D79 F0C00139 EBC07CF8 735C340A C9F36DB5
C1E78E98 815D3EDA 0667CB54 5458C896 A57FF757 22C02021 56D5FCD8 DDDCC098
F48B3171 E8251E6A AA56B84A 696AB02B FC06C9C9 C12A2F33 99B9F660 0225B6C5
1501E62A 53D1492C 5EB8F6DB 1B7D2587 0E270214 22720DBE 12ED38A5 B76A4738
BC1CCC58 B1D65EF2 3E872286 D25A2B16 9DFE9719 405B8B44 3CA2B16A 6C47BE76
721DC71A EF3B035F A8578E14 BB4D6020 EFF2EDB2 B5F2A01E EF1D6ECD FE202107
645A9BD1 CEFAAB02 03010001 A381F830 81F5300E 0603551D 0F0101FF 04040302
05A0301D 0603551D 0E041604 1488F7C3 9F55882D 998F82BE 1D5685C3 6EFA48DF
75301F06 03551D23 04183016 80146217 AC8771E9 4405B22B 2E2DEEBA 75E3046D
BFC2303E 0603551D 1F043730 353033A0 31A02F86 2D66696C 653A2F2F 2F2F5050
48514D53 50464341 342F4365 7274456E 726F6C6C 2F535046 25323043 41342E63
726C3055 06082B06 01050507 01010449 30473045 06082B06 01050507 30028639
66696C65 3A2F2F2F 2F505048 514D5350 46434134 2F436572 74456E72 6F6C6C2F
50504851 4D535046 4341345F 53504625 32304341 342E6372 74300C06 03551D13
0101FF04 02300030 0D06092A 864886F7 0D01010B 05000382 02010092 CAD7A9C4
88041B86 7C55E496 7EDF6E84 C2ACDB04 7E376929 96EAF186 DC6DEC17 CD8534D5
8CA0200B 7AE40A8A 1C77ECF1 E7F16464 AE357989 A17BEC63 A993DB15 1F5A1587
58AD8135 875B7FED AFE6A7FD 2D9E1CDF 00258A35 D33D48E6 A6200834 D4A60BA2
4B7735E4 462FED88 5C54F44D 325C04BB 43847668 108FCECF 93B89674 AC742C53
9DAE1674 97F66BE6 B8C097A8 280F2049 33CE1C76 E522FB2D 3A9E5623 90265A18
FF352857 18C1C4BE 438B307E 40D3F41B FFE6C76B DFA58701 A462BECE 59043E63
7EE83085 B8A965C9 D96F3D64 975B3A1A 5799EDBB 167E90B7 13417634 7C6120F9
E871DADA FEBE1E10 02B387F7 A673CE81 C13DAAC7 CD2BAB40 F72FD938 C7DF3463
9D8769E5 535DC0DC DCCA32F5 C22A6C43 515EFDD5 B64060D4 093E8072 796A5884
C5BFE4D0 EE4144F4 EB6D2936 92AA8DD6 183A01AA DC09CA3E 18DCDD9F 46024515
76800D56 CD160380 399CBC86 6F7598E7 DA3FA5FD 397C6D0B 9B6DF3D6 41608F77
5088DA76 7FB2DFF0 2DC0D67C A46A317C E7B0A77C 54CE2488 76799A84 BA2E9DCB
E54E07AE 8746F485 268F297B FC37559F E060FB42 9781194A 5D6BB137 4E53D385
DB6076D4 0D1E7D4B 294A4DF7 AB70BD82 82AEB0EF B326F4DC 86B3BF11 C60DEAD6
F8F33E09 C04B7812 03A9C772 5C8E2019 C931B3CC B4EC3FA7 6F23EFF3 7F339680
2AE1E73D 6B227501 7EE7FD13 FF968BE8 61B5E24F 3B05184B 74330F
quit
license udi pid CISCO1941/K9 sn FGL155220D6
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption 3des
integrity md5
group 5
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring KEYRING
peer 10.0.0.2
address 10.0.0.2
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
!
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 10.0.0.2 255.255.255.255
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint root-1
!
!
!
!
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map MAPA 10 ipsec-isakmp
set peer 10.0.0.2
set transform-set TS
set ikev2-profile IKEV2-PROFILE
match address 101
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
crypto map MAPA
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
!
!
access-list 101 permit ip host 1.1.1.1 host 2.2.2.2
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input none
!
scheduler allocate 20000 1000
!
end
_______________________________________________________________________________
Router 2
Router#sh running-config
Building configuration...
Current configuration : 5045 bytes
!
! Last configuration change at 11:48:59 SGT Wed Jul 4 2018
! NVRAM config last updated at 11:54:50 SGT Wed Jul 4 2018
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash flash:c1900-universalk9-mz.SPA.156-3.M4.bin
boot-end-marker
!
!
!
no aaa new-model
clock timezone SGT 8 0
!
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint root-1
enrollment terminal
revocation-check crl
!
!
crypto pki certificate chain root-1
certificate ca 7A000003D6301A2733D733C97B0000000003D6
308204B8 308202A0 A0030201 0202137A 000003D6 301A2733 D733C97B 00000000
03D6300D 06092A86 4886F70D 01010B05 00301231 10300E06 03550403 13075350
46204341 34301E17 0D313830 34313230 32323230 315A170D 32313038 30343037
31373233 5A302031 1E301C06 03550403 13156E70 706B726F 75746572 2E706373
632E6C6F 63616C30 82012230 0D06092A 864886F7 0D010101 05000382 010F0030
82010A02 82010100 9B9267AD BA2CC426 453223E1 7C98BFEF BDD1E006 950566D7
653B298D 99770827 8B316F3B E84A27EF 10B07527 7DF701BD DAD115BA 5636B7C5
B8DD29AC 9F5109AB 9973582E 218FEBEE 28AED99B DA0725D3 AA2AA21F 29B4AB59
EE00EEAC 8278F19D 1602120D 6132769B C69332A4 4A052657 AA18A5EA 627A63C5
0055E2C8 010B57C4 03F90DC3 21F78CD8 3F2C6BDD 790A1C8B 95C9C0DA 97068282
926BFA19 EC5B5705 0A7A0503 924B07FF 9435A9D6 FB05E1E9 B900B774 D7DCDC68
28B378AD 0B7EC091 D02A370D 56931B49 13D613A4 BEAF48A9 BBDDA0F0 78E506DF
660C5CEA 380095EF A7887F63 9B7D54C8 7C36D638 80DE7C20 CDCEB2E6 38B467A1
5A2979EF B2F932AD 02030100 01A381F8 3081F530 0E060355 1D0F0101 FF040403
0205A030 1D060355 1D0E0416 0414F2F0 38CF43AE 595A1073 1EACC31B 406705A8
2EED301F 0603551D 23041830 16801462 17AC8771 E94405B2 2B2E2DEE BA75E304
6DBFC230 3E060355 1D1F0437 30353033 A031A02F 862D6669 6C653A2F 2F2F2F50
5048514D 53504643 41342F43 65727445 6E726F6C 6C2F5350 46253230 4341342E
63726C30 5506082B 06010505 07010104 49304730 4506082B 06010505 07300286
3966696C 653A2F2F 2F2F5050 48514D53 50464341 342F4365 7274456E 726F6C6C
2F505048 514D5350 46434134 5F535046 25323043 41342E63 7274300C 0603551D
130101FF 04023000 300D0609 2A864886 F70D0101 0B050003 82020100 81C1B9CC
D6E0C882 596897F1 5D00D78D 7C8DCA43 E360B539 0A981456 F3C22AC2 CCA9A234
140CC48E B3CE9611 4594AA4A AA186340 B04E7D36 D484D3F7 FEEF05DC B94CE73F
3BD5DC8E 4FDDB162 14949E13 521E4751 8EBE8339 0BD25866 726DD62E 8F30052F
E3CE0FDA 60C05BD6 2ED14A06 0F448D57 9A164EC5 E787F01D 8B527656 B799E18E
38D35770 45038CCF 7388E7FA 32429E6F 75B99025 86F716FB 0D95DA7A CF37A5E3
6DB168E3 3CD07D7B 364F46A7 DC3D62B0 8FB2A6D2 E1549E08 DC317247 8F0E3635
D3080FE4 E3B1941B C7E59368 58B59CDD 43A1CED6 5B4C4A09 67DA4811 5E122968
FDCBBCA9 4838BC7C 129D0A84 B8B5AB83 39BBBFFB 80B863D4 14C8135C 557CC2B3
ADD44DE8 229552C5 E59BD58A 0E4DB562 FAD89E81 7187C5D8 5AE9CF5A C84F10E1
65F009DD B9273F90 D35356B9 ADD1903E E5412E01 AAAACA27 FD1084FD 56CDEAF0
98813364 DCCBBB45 1337CDAA 13EF77E3 1E3AA80F 2926AE63 319DD34A 779CE6BE
A011CC4F F29929CD C5062464 8E7C5848 95329F9A F75DDBCC 875C36ED D09046AD
C024DA6C 1C78B9D9 40DB1F36 DE1359DD DD46D9AE A8BEE2B9 B3657C71 8830BF22
02544503 BA0B904F 0C8254A6 46994B42 46563B84 721AE072 6091711F E227D568
F3704A86 F26E61F3 02797E49 44F9AA6A 1C5BD4FD 0F239877 F35D4B70 49C5EDE6
A1FC6165 9B3A6BB3 BF35F8C4 4E8B0F92 7926A538 4B99F9EA 3E0D44C6
quit
license udi pid CISCO1941/K9 sn FGL181225AW
license boot module c1900 technology-package securityk9
!
!
!
redundancy
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption 3des
integrity md5
group 5
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
!
crypto ikev2 keyring KEYRING
peer 10.0.0.1
address 10.0.0.1
pre-shared-key local cisco123
pre-shared-key remote cisco123
!
!
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 10.0.0.1 255.255.255.255
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint root-1
!
!
!
!
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto map MAPA 10 ipsec-isakmp
set peer 10.0.0.1
set transform-set TS
set ikev2-profile IKEV2-PROFILE
match address 101
!
!
!
!
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 10.0.0.2 255.255.255.0
duplex auto
speed auto
crypto map MAPA
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
!
!
access-list 101 permit ip host 2.2.2.2 host 1.1.1.1
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
!
end
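The `crypto pki certificate chain root-1` blocks in both configs are DER certificates printed as hex, so they can be decoded offline to see what each trustpoint actually holds. IOS stores a trustpoint's CA certificate as `certificate ca <serial>` and the router's own certificate as `certificate <serial>`; each config above contains only the former. The following is an added example (editor's code, not from the thread or from Cisco) that walks the DER of the Router 1 blob exactly as posted (re-wrapped to 16 groups per line) and pulls out the fields an `rsa-sig` IKEv2 profile depends on: issuer and subject CN, validity, the basicConstraints cA flag and the CRL distribution point URI. It uses only the standard library; the DER walker assumes single-byte tags, which is all X.509 needs.

```python
import re

# Router 1's "certificate ca" blob, copied from the running-config posted above
# (IOS prints the DER certificate as hex, 8 hex digits per group; re-wrapped here).
ROUTER1_CERT_HEX = """
308204B7 3082029F A0030201 0202137A 000003D7 7C473CB6 B1B7CEA2 00000000 03D7300D 06092A86 4886F70D 01010B05 00301231 10300E06 03550403 13075350
46204341 34301E17 0D313830 34313230 32323335 305A170D 32313038 30343037 31373233 5A301F31 1D301B06 03550403 13147063 63726F75 7465722E 70637363
2E6C6F63 616C3082 0122300D 06092A86 4886F70D 01010105 00038201 0F003082 010A0282 0101009F F31D9519 A9007386 F83180A0 D1AECACE 442837E0 98D617FD
6D985BE5 EA4BC4E8 348C5C60 F6F564B2 94471E88 C17C9547 B5D68249 666622F4 5843F2A7 31BEE3B0 B7A6F5C9 01C92D79 F0C00139 EBC07CF8 735C340A C9F36DB5
C1E78E98 815D3EDA 0667CB54 5458C896 A57FF757 22C02021 56D5FCD8 DDDCC098 F48B3171 E8251E6A AA56B84A 696AB02B FC06C9C9 C12A2F33 99B9F660 0225B6C5
1501E62A 53D1492C 5EB8F6DB 1B7D2587 0E270214 22720DBE 12ED38A5 B76A4738 BC1CCC58 B1D65EF2 3E872286 D25A2B16 9DFE9719 405B8B44 3CA2B16A 6C47BE76
721DC71A EF3B035F A8578E14 BB4D6020 EFF2EDB2 B5F2A01E EF1D6ECD FE202107 645A9BD1 CEFAAB02 03010001 A381F830 81F5300E 0603551D 0F0101FF 04040302
05A0301D 0603551D 0E041604 1488F7C3 9F55882D 998F82BE 1D5685C3 6EFA48DF 75301F06 03551D23 04183016 80146217 AC8771E9 4405B22B 2E2DEEBA 75E3046D
BFC2303E 0603551D 1F043730 353033A0 31A02F86 2D66696C 653A2F2F 2F2F5050 48514D53 50464341 342F4365 7274456E 726F6C6C 2F535046 25323043 41342E63
726C3055 06082B06 01050507 01010449 30473045 06082B06 01050507 30028639 66696C65 3A2F2F2F 2F505048 514D5350 46434134 2F436572 74456E72 6F6C6C2F
50504851 4D535046 4341345F 53504625 32304341 342E6372 74300C06 03551D13 0101FF04 02300030 0D06092A 864886F7 0D01010B 05000382 02010092 CAD7A9C4
88041B86 7C55E496 7EDF6E84 C2ACDB04 7E376929 96EAF186 DC6DEC17 CD8534D5 8CA0200B 7AE40A8A 1C77ECF1 E7F16464 AE357989 A17BEC63 A993DB15 1F5A1587
58AD8135 875B7FED AFE6A7FD 2D9E1CDF 00258A35 D33D48E6 A6200834 D4A60BA2 4B7735E4 462FED88 5C54F44D 325C04BB 43847668 108FCECF 93B89674 AC742C53
9DAE1674 97F66BE6 B8C097A8 280F2049 33CE1C76 E522FB2D 3A9E5623 90265A18 FF352857 18C1C4BE 438B307E 40D3F41B FFE6C76B DFA58701 A462BECE 59043E63
7EE83085 B8A965C9 D96F3D64 975B3A1A 5799EDBB 167E90B7 13417634 7C6120F9 E871DADA FEBE1E10 02B387F7 A673CE81 C13DAAC7 CD2BAB40 F72FD938 C7DF3463
9D8769E5 535DC0DC DCCA32F5 C22A6C43 515EFDD5 B64060D4 093E8072 796A5884 C5BFE4D0 EE4144F4 EB6D2936 92AA8DD6 183A01AA DC09CA3E 18DCDD9F 46024515
76800D56 CD160380 399CBC86 6F7598E7 DA3FA5FD 397C6D0B 9B6DF3D6 41608F77 5088DA76 7FB2DFF0 2DC0D67C A46A317C E7B0A77C 54CE2488 76799A84 BA2E9DCB
E54E07AE 8746F485 268F297B FC37559F E060FB42 9781194A 5D6BB137 4E53D385 DB6076D4 0D1E7D4B 294A4DF7 AB70BD82 82AEB0EF B326F4DC 86B3BF11 C60DEAD6
F8F33E09 C04B7812 03A9C772 5C8E2019 C931B3CC B4EC3FA7 6F23EFF3 7F339680 2AE1E73D 6B227501 7EE7FD13 FF968BE8 61B5E24F 3B05184B 74330F
"""

# 2.5.4.3 commonName, 2.5.29.19 basicConstraints, 2.5.29.31 cRLDistributionPoints
OID_CN, OID_BASIC_CONSTRAINTS, OID_CRL_DP = (bytes.fromhex(h) for h in ("550403", "551D13", "551D1F"))

def der_tlv(buf, pos):
    """Parse the DER element at buf[pos]; return (tag, value_start, value_end). Single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for every element inside buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = der_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve

def name_cn(buf, start, end):
    """First commonName in an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    for _, rdn_s, rdn_e in der_children(buf, start, end):
        for _, atv_s, atv_e in der_children(buf, rdn_s, rdn_e):
            (_, o_s, o_e), (_, v_s, v_e) = list(der_children(buf, atv_s, atv_e))[:2]
            if buf[o_s:o_e] == OID_CN:
                return buf[v_s:v_e].decode()
    return None

def find_uris(buf, start, end):
    """GeneralName uniformResourceIdentifier ([6]) strings, descending into constructed elements."""
    uris = []
    for tag, vs, ve in der_children(buf, start, end):
        if tag == 0x86:
            uris.append(buf[vs:ve].decode("ascii"))
        elif tag & 0x20:
            uris.extend(find_uris(buf, vs, ve))
    return uris

def inspect_certificate(dump):
    """Decode the fields an IKEv2 rsa-sig trustpoint cares about from an IOS hex dump."""
    buf = bytes.fromhex(re.sub(r"\s+", "", dump))
    _, cert_s, _ = der_tlv(buf, 0)                      # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = der_tlv(buf, cert_s)              # tbsCertificate ::= SEQUENCE
    fields = list(der_children(buf, tbs_s, tbs_e))
    base = 1 if fields[0][0] == 0xA0 else 0             # explicit [0] version present?
    issuer, validity, subject = fields[base + 2], fields[base + 3], fields[base + 4]
    info = {"issuer_cn": name_cn(buf, *issuer[1:]), "subject_cn": name_cn(buf, *subject[1:]),
            "validity": [buf[s:e].decode("ascii") for _, s, e in der_children(buf, *validity[1:])],
            "is_ca": False, "crl_uris": []}             # basicConstraints cA defaults to FALSE
    for tag, vs, ve in fields:
        if tag != 0xA3:                                 # extensions [3] EXPLICIT
            continue
        _, exts_s, exts_e = der_tlv(buf, vs)
        for _, ext_s, ext_e in der_children(buf, exts_s, exts_e):
            parts = list(der_children(buf, ext_s, ext_e))   # OID, optional critical BOOLEAN, OCTET STRING
            oid, (_, val_s, val_e) = buf[parts[0][1]:parts[0][2]], parts[-1]
            if oid == OID_BASIC_CONSTRAINTS:
                _, bc_s, bc_e = der_tlv(buf, val_s)
                info["is_ca"] = any(buf[bs] != 0 for t, bs, _ in der_children(buf, bc_s, bc_e) if t == 0x01)
            elif oid == OID_CRL_DP:
                info["crl_uris"] = find_uris(buf, val_s, val_e)
    return info

def trustpoint_findings(info):
    """The two checks that matter for the trustpoint configuration posted in this thread."""
    findings = []
    if not info["is_ca"]:
        findings.append(f"{info['subject_cn']}: cA=FALSE, an end-entity certificate cannot be the trustpoint's CA certificate")
    for uri in info["crl_uris"]:
        if not uri.lower().startswith(("http://", "ldap://")):
            findings.append(f"CRL distribution point {uri} is not an HTTP/LDAP URL the router can fetch")
    return findings

print(trustpoint_findings(inspect_certificate(ROUTER1_CERT_HEX)))
```

Decoded as posted, the Router 1 blob has issuer CN `SPF CA4`, subject CN `pccrouter.pcsc.local`, `cA=FALSE` and a `file:////...` CRL distribution point: what sits in the `certificate ca` slot is an end-entity certificate issued to the router, not the CA's own certificate, and there is no second `certificate <serial>` entry for the router's identity. The Router 2 blob decodes the same way (subject CN `nppkrouter.pcsc.local`). Compare with `show crypto pki certificates` on each router: for `rsa-sig` each side needs the issuing CA certificate authenticated into the trustpoint plus its own certificate and private key, and with `revocation-check crl` it must also be able to fetch the CRL from the listed distribution point, which a UNC `file:////` path does not allow. Separately, the posted proposals use 3DES, MD5 and DH group 5, none of which belong in a new deployment.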