
Cisco AnyConnect to ASA using client certificate authentication and IPSec

jamesholley
Level 1

Hello all

I am struggling to get something working, and need a bit of a hand to get me across the line.

I have a Linux laptop that needs to connect to an ASA using AnyConnect.

Both the laptop and the ASA have trusted certificates, and I have had no issues getting it working using SSL as the configured protocol.

But I need to use IPSec as the protocol due to security constraints. But as soon as I untick SSL on the client profile and use only IPSec, the connection is not working.

I have done lots of research around extended key usage that needs to be applied whilst using IPSec, but it is not going in (my head).

When using the AnyConnect client in Linux, and using only IPsec as the transport protocol, I am receiving "Certificate validation failure" and "The IPsec VPN connection was terminated due to an authentication failure or timeout".

So clearly something is amiss in the profile to accept a trusted valid certificate that is not an issue if I use SSL.

Hence, I have to bow to your superior knowledge and ask for some help.

Thanks


James

7 Replies

balaji.bandi
Hall of Fame

Here is an example guide for reference:

https://community.cisco.com/t5/security-blogs/anyconnect-certificate-based-authentication/ba-p/3105546

Also, please provide the license and version, and any logs.

BB


Thanks, I have seen that guide, but I am not sure it is strictly relevant, as it refers to SSL and Microsoft PKI. I can get this working using SSL, no problem at all; it is only on IPsec where it fails.
I will update with some logs from the laptop in a bit.

Thanks for your help so far.


James

Hi,
Make sure the correct trustpoint is configured under the command "crypto ikev2 remote-access trustpoint <TP_NAME>". If SSL is working without an error, I assume a different trustpoint has been defined, as the SSL trustpoint is configured using another command.

HTH

Hello, yes, I have checked and the ASA trusted cert is configured for both SSL and IKE.

That command is in place on the ASA OK.

Thanks

James

With the IKEv2 certificate you can have two defined; check you don't have multiple defined by mistake.
Please provide the output of the following:

"show crypto ca certificates"
"show run ssl | inc trust"
"show run crypto ikev2 | inc remote"

Hi, here are my connection logs from a couple of failed attempts today.

The Linux version of AnyConnect is 4.6.03049.

ASA IOS version is 9.6(4) 8.

The licence on the ASA is just a basic licence with only 4 premium AnyConnect peers allowed. This is a test box, so currently no other users are connected.

Regards

James

OK, good news.

After pasting in the logs, I had a good trawl through them and it was easier than I thought to fix:

"Could not acquire any X509 certificates in the /home/u2/.cisco/certificates/client/ directory."

I had my directory in the wrong place, which is a bit of a **bleep** up.

In Linux, you have to create these folders, and a simple slip of the finger placed them not in the home directory... DOH!

Thanks for all your comments thus far!

James
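The fix in the last post comes down to the Linux client only reading user certificates from a fixed per-user path, which is easy to get wrong when the directories have to be created by hand. As an added example (not part of this thread and not Cisco's code), the POSIX shell script below checks that store before an IKEv2 attempt: it confirms the directory exists at the path the client logged, that it holds at least one PEM/CRT certificate, that a matching private key sits in a `private/` subdirectory, and, when OpenSSL is installed, prints each certificate's Extended Key Usage so it can be compared with what the ASA's trustpoint expects. The `private/` layout and the `name.pem` / `private/name.key` pairing are assumptions taken from the Linux client's documented store layout as I recall it; confirm them against the admin guide for your client version. All function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: audit the per-user AnyConnect
# certificate store on Linux before attempting a certificate-based IKEv2 login.
#
# Assumed layout (check your client version's admin guide):
#   $HOME/.cisco/certificates/client/          client certificates (PEM/CRT)
#   $HOME/.cisco/certificates/client/private/  matching private keys (.key)
# The thread's log line "Could not acquire any X509 certificates in
# /home/u2/.cisco/certificates/client/" is what the first check catches.

# Print the client certificate directory for a given home directory.
anyconnect_client_dir() {
    printf '%s/.cisco/certificates/client\n' "$1"
}

# Return 0 if the directory exists and holds at least one PEM/CRT file,
# 1 if the directory is missing, 2 if it exists but holds no certificates.
check_client_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (the client reads from here, not from wherever you ran mkdir)" >&2
        return 1
    fi
    found=0
    for f in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$f" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no certificate files in $dir" >&2
        return 2
    fi
    return 0
}

# Return 0 if cert "<dir>/<name>.pem|.crt" has a key at "<dir>/private/<name>.key".
# (Assumed naming convention for this example.)
check_private_key() {
    cert=$1
    dir=$(dirname "$cert")
    base=$(basename "$cert")
    base=${base%.*}
    [ -f "$dir/private/$base.key" ]
}

# Print the Extended Key Usage values of a PEM certificate (requires openssl).
# Prints nothing if the certificate carries no EKU extension.
cert_eku() {
    openssl x509 -in "$1" -noout -text |
        awk '/Extended Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Return 0 if the certificate lists the named EKU, e.g.
# "TLS Web Client Authentication" (OpenSSL's display name for clientAuth).
cert_has_eku() {
    cert_eku "$1" | grep -q "$2"
}

# Run every check for one user's store. Returns 0 when all is well,
# 1/2 for a missing or empty store, 3 if a certificate has no private key.
audit_store() {
    home=$1
    dir=$(anyconnect_client_dir "$home")
    check_client_dir "$dir" || return $?
    rc=0
    for cert in "$dir"/*.pem "$dir"/*.crt; do
        [ -f "$cert" ] || continue
        name=$(basename "$cert")
        if check_private_key "$cert"; then
            echo "ok: private key found for $name"
        else
            echo "warn: no private key for $name under $dir/private/" >&2
            rc=3
        fi
        if command -v openssl >/dev/null 2>&1; then
            echo "EKU of $name: $(cert_eku "$cert")"
        fi
    done
    return $rc
}

# When saved as anyconnect_store_check.sh and run directly, audit $HOME.
if [ "${0##*/}" = "anyconnect_store_check.sh" ]; then
    audit_store "$HOME"
fi
```

The script deliberately stops at the store layout and the EKU extension; it does not validate the chain against the trustpoint configured with `crypto ikev2 remote-access trustpoint` on the ASA, which the earlier replies cover with the `show` commands. A non-zero exit before the client is even launched tells you the failure is on the laptop, not in the ASA profile.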