Thanks Karsten,

good article.

Issue is, I'm not too experienced with managing certificates, also I got only one router on site...

Is there something more similar to having local user authentication on the router and pre-shared keys?

Thanks,

Alex

well,

I was doing some research and I came across this article, which describes how you can make Anyconnect work on a single router being CA and Headend:

http://www.ifm.net.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-Crypto.html

...but I'm not able to progress to much further, as I hit the issue with 

RTR(config)#crypto pki authenticate ROUTER
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

then

RTR(config)#crypto pki enroll ROUTER
% You must authenticate the Certificate Authority before
you can enroll with it.

RTR#show crypto pki server
Certificate Server CA-SERVER:
Status: disabled, Storage not accessible
State: check failed
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=CA-SERVER
CA cert fingerprint: A3232C42 D7C6252A 51ABBBD3 B81D2BBE
Granting mode is: manual
Last certificate issued serial number (hex): 0
CA certificate expiration timer: 10:00:00 AEST Jan 1 1970
CRL not present.
Current primary storage dir: flash:ca
Database Level: Names - subject name data written as <serialnum>.cnm
Auto-Rollover configured, overlap period 365 days

ntp is synchronized etc...

What do you suggest looking at next?

Thanks,

Alex

Hi Alex,

Did you manage to have a fully working config?

I have running now in my lab but the problem is that i cannot "kick out" users that connect with cert, i can revoke the cert but connection still working.

Regards,

Did you manage to get this working? I have the same requirement, to use Anyconnect client with an IPSec connection.

I found the same document on ifm.net referred to above, and magaed to get a bit furthur than Alex, my CA server on the router was running:

R1#sh crypto pki server
Certificate Server CA_SERVER:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=CA_SERVER

But I fail at the next step, creating a trustpoint on the router:

crypto key generate rsa general modulus 2048 exportable label ROUTER_KEY

crypto pki trustpoint ROUTER
 enrollment url http://<my ip addr>:80
 ip-address <my ip addr>
 subject-name CN=Hut,OU=user-vpn,O=UWRFA
 revocation-check crl
 rsakeypair ROUTER_KEY
 auto-enroll regenerate
 hash sha512
 exit

sh crypto pki trustpoints

Trustpoint CA_SERVER:
    Subject Name:
    cn=CA_SERVER
          Serial Number (hex): 01
    Certificate configured.


Trustpoint ROUTER:

This section is empty, so I assume something is missing when I tried to configure the trustpoint!

And therefore the authenticate step fails:

crypto pki authenticate ROUTER
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0

I'm still working on this, currently I cannot establish where I've gone wrong.

The error message seems to be generic - but a couple of things to check, it could be the http server is not enabled (ip http server) on the PKI server or the client router enrolling for the certificate cannot establish connectivity to the PKI server.

Your trustpoint configuration looks good enough to enrol for a certificate. Can you provide the configuration for the PKI Server?

Is there any more output from the command sh crypto pki server?

Can you ping the PKI server?

Any ACLs?

Is http server enabled?

Hi Rob,

Following your reply I realised that the router has zone based Firewall configured, and that was preventing the router communicating with the server on the same router.

Now I'm getting furthur.

I've run the crypto pki authernicate ROUTER comand, which was succesfull as far as I can tell.

But when I get to the enrollment stage, crypto pki enroll ROUTER, I'm seeing

Error: There is an auto enrollment transaction in progress.
Please wait until the current auto enrollment to finish before
starting a new enrollment transaction.

A quick check on Google reveals:

CSCuo50815 IOS PKI: auto-renewal fails if the first renewal attempt is inturrupted

Workaround is a reboot, which I've tried, made no difference, got the same error message.

I'm not sure if I've hit this bug, as the reload made no difference.

My server config is:

crypto pki server CA_SERVER
 database level names
 no database archive
 hash sha512
 lifetime certificate 3650
 lifetime ca-certificate 7305 23 59
 auto-rollover 365
 eku server-auth client-auth
 database url flash:ca

Any more thoughts?

I think there might be an pending certificate request on the CA Server for that router.

On the PKI server if you run the command show crypto pki server CA_SERVER requests does it show any pending requests?
If yes, run crypto pki server CA_SERVER grant X - where X is the ID of the pending request.

It may take up to 30 seconds to send the certificate to the client router.

You can automatically grant certificates by adding the command grant auto under the CA_SERVER, which I noted you don't currently have.

I checked this earlier, and have just had another look:

sh crypto pki server CA_SERVER req
 The Enrollment Request Database is empty.
R1#

Here is my complete crypto config:

crypto pki server CA_SERVER
 database level names
 no database archive
 hash sha512
 lifetime certificate 3650
 lifetime ca-certificate 7305 23 59
 auto-rollover 365
 eku server-auth client-auth
 database url flash:ca
!
crypto pki trustpoint CA_SERVER
 revocation-check crl
 rsakeypair CA_SERVER
!
crypto pki trustpoint ROUTER
 enrollment url http://<my pub ip>:80
 ip-address <my pub ip>
 subject-name CN=Hut,OU=user-vpn,O=UWRFA
 revocation-check crl
 rsakeypair ROUTER_KEY
 auto-enroll regenerate
 hash sha512

crypto pki certificate chain CA_SERVER
 certificate ca 01
  30820506 308202EE A0030201 02020101.......

crypto pki certificate chain ROUTER
 certificate ca 01
  30820506 308202EE A0030201 02020101........

The trustpoints are:

sh crypto pki trustpoints
Trustpoint CA_SERVER:
    Subject Name:
    cn=CA_SERVER
          Serial Number (hex): 01
    Certificate configured.


Trustpoint ROUTER:
    Subject Name:
    cn=CA_SERVER
          Serial Number (hex): 01
    Certificate configured.
    SCEP URL: http://<my pub ip>:80/cgi-bin


Trustpoint TP-self-signed-2069616539:
    Subject Name:
    cn=IOS-Self-Signed-Certificate-2069616539
          Serial Number (hex): 01
    Persistent self-signed certificate trust point
    Using key label TP-self-signed-2069616539

What is the output from the command show crypto pki certificates? I assume just 1 certificate - the CA certificate?

I can see no obvious issues with your CA configuration, it's similar to what I have in the lab.

What IOS version are you using?

Hi Rob,

The output of show crypto pki certificates, I'm not sure why there are 3, and/or if they are all relevant to my current setup, or hangovers from previous configuration attempts:

Router Self-Signed Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: General Purpose
  Issuer:
    cn=IOS-Self-Signed-Certificate-2069616539
  Subject:
    Name: IOS-Self-Signed-Certificate-2069616539
    cn=IOS-Self-Signed-Certificate-2069616539
  Validity Date:
    start date: 14:30:27 BST Aug 15 2017
    end   date: 00:00:00 UTC Jan 1 2020
  Associated Trustpoints: TP-self-signed-2069616539
  Storage: nvram:IOS-Self-Sig#2.cer

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 01
  Certificate Usage: Signature
  Issuer:
    cn=CA_SERVER
  Subject:
    cn=CA_SERVER
  Validity Date:
    start date: 07:08:13 BST Aug 15 2017
    end   date: 00:38:57 BST Jul 11 1901
  Associated Trustpoints: ROUTER CA_SERVER
  Storage: nvram:CA_SERVER#1CA.cer


Certificate
  Subject:
    Name: R1.uwfra.org.uk
    IP Address: <my public IP>
   Status: Pending
   Key Usage: General Purpose
   Certificate Request Fingerprint MD5: AA4A383C 2C6B21E3 19D6D1CF 589665C6
   Certificate Request Fingerprint SHA1: E401C1C1 8B1C263A CCF976D2 A0B4D402 BA43E9FB
   Associated Trustpoint: ROUTER 

The image is:

System image file is "flash:c860vae-advsecurityk9-mz.155-3.M.bin"

The router is an old c860:

Cisco 867VAE-K9 (revision 0.3)

I'm thinking of going for an ASA instead for my RA termination, have you got Anyconnect working over IPSec to a router? I'm sure this should work!

I notice the certificate status is pending, yet there is no pending request on the PKI server. How about you remove the certificates (crypto key zeroize rsa) and recreate from scratch? I assume nothing else uses the other certificiate and there will not be an issue in removing?

Once the certificates have been removed, run show crypto pki certificates and confirm no certificates are present and then start again and generate a rsa keypair, authenticate and enrol.

I certainly don't have a self signed certificate on my routers, as you do.

Yes, I use FlexVPN IKEv2 on a 1921 router with AnyConnect - although I am using a certificate issued by a Windows PKI server on the router and windows laptop. I don't see any reason why this should not work.