3308 Views, 4 Helpful, 31 Replies

FlexVPN AnyConnect-EAP certificate

HermanAkv (Level 1)

Hi there,

I am trying to get FlexVPN AnyConnect-EAP with local authentication working using both user and certificate. If I use only local user authentication it works, but I am not able to get the certificate part working. I keep getting this error:

IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI

I am using a CSR 1100, with Cisco AnyConnect on the client side.

Here is my crypto config:

aaa new-model
!
!
aaa authentication login AUTHEN local
aaa authorization network AUTHOR local 
!
crypto pki trustpoint tp
 enrollment terminal
 fqdn vpn-cert.home
 subject-name cn=vpn-cert.home,OU=IT
 subject-alt-name vpn-cert.home
 revocation-check crl
!
!
!
crypto pki certificate map cisco 1
 subject-name co desktop-j6mo89s
!
!
crypto ikev2 authorization policy ikev2-auth-policy 
 pool ACPOOL
 dns 172.16.1.1
 netmask 255.255.255.0
!
!
!
!
crypto ikev2 profile default
 match identity remote key-id *$AnyConnectClient$*
 match identity remote address 0.0.0.0 
 match certificate cisco
 identity local dn 
 authentication remote rsa-sig
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint tp
 aaa authentication anyconnect-eap AUTHEN
 aaa authorization group cert list AUTHOR ikev2-auth-policy
 aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy
 virtual-template 100
 anyconnect profile acvpn
!
no crypto ikev2 http-url cert
!
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac 
 mode tunnel
!
! 
interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile default
!
ip local pool ACPOOL 172.16.10.10 172.16.10.20

Client cert attached. Output of show crypto pki cert:

Certificate
  Status: Available
  Certificate Serial Number (hex): 1A148C52941C61EC
  Certificate Usage: General Purpose
  Issuer: 
    cn=CA.home
    ou=CA
    o=home
  Subject:
    Name: vpn-cert.home
    hostname=vpn-cert.home
    cn=vpn-cert.home
    ou=IT
  Validity Date: 
    start date: 11:00:00 CET Jan 15 2024
    end   date: 08:19:00 CET Jan 4 2025
  Associated Trustpoints: tp 

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 7428A90B015D3E82
  Certificate Usage: Signature
  Issuer: 
    cn=CA.home
    ou=CA
    o=home
  Subject: 
    cn=CA.home
    ou=CA
    o=home
  Validity Date: 
    start date: 14:01:00 CET Jan 8 2024
    end   date: 08:19:00 CET Jan 4 2025
  Associated Trustpoints: tp 
  Storage: nvram:CAhome#3E82CA.cer

And the debug crypto ikev2:

*Jan 15 10:31:41.516: IKEv2:Received Packet [From 172.30.1.166:49395/To 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED) 

*Jan 15 10:31:41.516: IKEv2:(SESSION ID = 17,SA ID = 1):Verify SA init message
*Jan 15 10:31:41.516: IKEv2:(SESSION ID = 17,SA ID = 1):Insert SA
*Jan 15 10:31:41.517: IKEv2:Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 10:31:41.517: IKEv2:Using the Default Policy for Proposal
*Jan 15 10:31:41.517: IKEv2:Found Policy 'default'
*Jan 15 10:31:41.517: IKEv2:(SESSION ID = 17,SA ID = 1):Processing IKE_SA_INIT message
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Received valid config mode data
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Config data recieved:
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Config-type: Config-request 
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
*Jan 15 10:31:41.519: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Set received config mode data
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp'   'SLA-TrustPoint'   
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 15 10:31:41.520: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 15 10:31:41.520: IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jan 15 10:31:41.521: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 10:31:41.521: IKEv2:(SESSION ID = 17,SA ID = 1):Request queued for computation of DH key
*Jan 15 10:31:41.521: IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):Request queued for computation of DH secret
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 15 10:31:41.525: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):Generating IKE_SA_INIT message
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA384   SHA384   DH_GROUP_256_ECP/Group 19
*Jan 15 10:31:41.525: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 10:31:41.525: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp'   'SLA-TrustPoint'   
*Jan 15 10:31:41.526: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 10:31:41.526: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED 

*Jan 15 10:31:41.526: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49395/From 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Completed SA init exchange
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Retransmitting packet 

*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49395/From 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

*Jan 15 10:31:41.528: IKEv2:(SESSION ID = 17,SA ID = 1):Packet is a retransmission
*Jan 15 10:31:41.529: IKEv2-ERROR:Address type 1979468739 not supported

*Jan 15 10:31:41.529: IKEv2-ERROR:: Packet is a retransmission 

*Jan 15 10:31:41.543: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) OA OA NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Checking NAT discovery
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):NAT OUTSIDE found
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):NAT detected float to init port 49396, resp port 4500
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
*Jan 15 10:31:41.544: IKEv2:found matching IKEv2 profile 'default'
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Using the Default Policy for Proposal
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Found Policy 'default'
*Jan 15 10:31:41.545: IKEv2:not a VPN-SIP session
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Verify peer's policy
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Peer's policy verified
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Jan 15 10:31:41.545: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint tp
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Check for EAP exchange
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Check for EAP exchange
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Generate my authentication data
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Get my authentication method
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):My authentication method is 'RSA'
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Sign authentication data
*Jan 15 10:31:41.546: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Jan 15 10:31:41.546: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
*Jan 15 10:31:41.546: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
*Jan 15 10:31:41.572: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Jan 15 10:31:41.572: IKEv2-ERROR:Address type 2850704323 not supported

*Jan 15 10:31:41.573: IKEv2-ERROR:: Negotiation context locked currently in use
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Authentication material has been sucessfully signed
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Generating AnyConnect EAP request
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'hello' request
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Constructing IDr payload: 'hostname=vpn-cert.home,cn=vpn-cert.home,ou=IT' of type 'DER ASN1 DN'
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID IDr CERT CERT AUTH EAP 

*Jan 15 10:31:41.574: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

*Jan 15 10:31:41.575: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (90 sec) to wait for auth message 

*Jan 15 10:31:41.585: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 2
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 EAP 

*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Processing AnyConnect EAP response
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Checking for Dual Auth
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Generating AnyConnect EAP CERT request
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'cert-request'
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for encryption.  
Payload contents: 
 EAP 

*Jan 15 10:31:41.587: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

*Jan 15 10:31:41.588: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (90 sec) to wait for auth message
*Jan 15 10:31:41.588: IKEv2:(SESSION ID = 17,SA ID = 1):Retransmitting packet 

*Jan 15 10:31:41.588: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

*Jan 15 10:31:41.589: IKEv2:(SESSION ID = 17,SA ID = 1):Restarting timer for 90 seconds to wait for auth message
*Jan 15 10:31:41.589: IKEv2:(SESSION ID = 17,SA ID = 1):Packet is a retransmission
*Jan 15 10:31:41.589: IKEv2-ERROR:Address type 1979468739 not supported

*Jan 15 10:31:41.589: IKEv2-ERROR:: Packet is a retransmission 

*Jan 15 10:31:41.591: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 EAP 

*Jan 15 10:31:41.591: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 10:31:41.591: IKEv2:(SESSION ID = 17,SA ID = 1):Processing AnyConnect EAP CERT response
*Jan 15 10:31:41.591: IKEv2:AnyConnect EAP received type : 0 and length : 845, outof : 849
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Verification of peer's authentication data FAILED
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Sending authentication failure notify
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for encryption.  
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED) 

*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 3
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Auth exchange failed
*Jan 15 10:31:41.592: IKEv2-ERROR:(SESSION ID = 17,SA ID = 1):: Auth exchange failed
*Jan 15 10:31:41.593: IKEv2:(SESSION ID = 17,SA ID = 1):Abort exchange
*Jan 15 10:31:41.593: IKEv2:(SESSION ID = 17,SA ID = 1):Deleting SA
*Jan 15 10:31:41.593: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 15 10:31:41.593: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jan 15 10:31:41.594: IKEv2-ERROR:Address type 2147505527 not supported

*Jan 15 10:31:41.594: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI 

*Jan 15 10:31:41.594: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST
*Jan 15 10:31:41.594: IKEv2-ERROR:Address type 1122716611 not supported

*Jan 15 10:31:41.594: IKEv2-ERROR:: A supplied parameter is incorrect

Any suggestion what is wrong?

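An added triage helper, not part of this thread and not Cisco tooling: it condenses a saved "debug crypto ikev2" capture to the few events that decide whether IKE_AUTH succeeds, so the point of failure in a capture as long as the one above is visible at a glance. The sample lines embedded below are excerpted from the debug output above; the function names, regular expressions and event labels are this example's own and are not IOS-XE names.

```powershell
# Added example, not from the thread or from Cisco: condense a saved
# "debug crypto ikev2" capture to the events that decide whether IKE_AUTH succeeds.
# Function names, regexes and event labels are this example's own.
function Get-Ikev2DebugSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Packet header line; the exchange name is on the line two below it.
    $packetRx = '^\*(?<ts>\w{3} +\d+ [\d:.]+): IKEv2:(?:\(SESSION ID = (?<sess>\d+),SA ID = \d+\):)?(?<dir>Received|Sending) Packet \[(?:From|To) (?<peer>[\d.]+:\d+)'
    # Any other timestamped IKEv2 or IKEv2-ERROR line.
    $lineRx = '^\*(?<ts>\w{3} +\d+ [\d:.]+): IKEv2(?:-ERROR)?:(?:\(SESSION ID = (?<sess>\d+),SA ID = \d+\):)?(?<msg>.*)$'

    # Messages that matter for a certificate / AnyConnect-EAP failure.
    $signals = [ordered]@{
        'Retrieved trustpoint\(s\): NONE'                   = 'client CERTREQ hashes match no local trustpoint CA'
        "Sending AnyConnect EAP '[^']+'"                     = 'EAP request sent to client'
        'AnyConnect EAP received type'                      = 'EAP cert response received from client'
        "Verification of peer's authentication data FAILED" = 'PEER AUTH FAILED: client cert/signature did not verify'
        "Couldn't find matching SA"                         = 'packet for an already deleted SA (follow-on, not root cause)'
    }

    $events = New-Object System.Collections.Generic.List[object]
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line = $Lines[$i]
        if ($line -match $packetRx) {
            # Capture before the next -match overwrites $Matches.
            $ts = $Matches.ts; $sess = $Matches.sess; $dir = $Matches.dir; $peer = $Matches.peer
            $exch = 'unknown exchange'
            if ($i + 2 -lt $Lines.Count -and $Lines[$i + 2] -match 'IKEv2 (\w+) Exchange (REQUEST|RESPONSE)') {
                $exch = "$($Matches[1]) $($Matches[2])"
            }
            $events.Add([pscustomobject]@{ Time = $ts; Session = $sess; Event = "$dir $exch ($peer)" })
            continue
        }
        if ($line -match $lineRx) {
            $ts = $Matches.ts; $sess = $Matches.sess; $msg = $Matches.msg
            foreach ($rx in $signals.Keys) {
                if ($msg -match $rx) {
                    $events.Add([pscustomobject]@{ Time = $ts; Session = $sess; Event = $signals[$rx] })
                    break
                }
            }
        }
    }
    return $events
}

# First PEER AUTH FAILED event plus everything before it that belongs to the same
# session (or carries no session id, such as the PKI lookups).
function Get-Ikev2FirstAuthFailure {
    param([Parameter(Mandatory)][object[]]$Events)
    for ($i = 0; $i -lt $Events.Count; $i++) {
        if ($Events[$i].Event -like 'PEER AUTH FAILED*') {
            $sess = $Events[$i].Session
            return $Events[0..$i] | Where-Object { -not $_.Session -or $_.Session -eq $sess }
        }
    }
    return $null
}

# Sample input: lines excerpted from the debug output posted above.
$sample = @'
*Jan 15 10:31:41.543: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'hello' request
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'cert-request'
*Jan 15 10:31:41.591: IKEv2:AnyConnect EAP received type : 0 and length : 845, outof : 849
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Verification of peer's authentication data FAILED
*Jan 15 10:31:41.594: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
'@

$events = Get-Ikev2DebugSummary -Lines ($sample -split "`r?`n")
Get-Ikev2FirstAuthFailure -Events $events | Format-Table -AutoSize
# For a real capture: Get-Ikev2DebugSummary -Lines (Get-Content .\ikev2-debug.txt)
```

Read the output bottom-up: the "Couldn't find matching SA" error is the client retransmitting into an SA the router has already deleted, so it is a symptom; the decisive line is "Verification of peer's authentication data FAILED" immediately after the EAP cert response arrives, which points at the client certificate or its signature rather than at the IKE proposal or the NAT handling. "Retrieved trustpoint(s): NONE" only says that the CA hashes in the client's CERTREQ match none of the router's trustpoints; the router then signs with the profile's trustpoint anyway, as the next debug line states.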
Accepted Solution

HermanAkv (Level 1)

Problem solved. The issue was with the desktop cert, which didn't have its private key available. Now everything is working as it should: the user is authenticated locally and with the cert as well.

@MHM Cisco World and @Rob Ingram thank you so so much for your help!


31 Replies

Try adding an EKU to your cert for the client and the router, if you can enroll a new cert from the CA.
MHM

crypto ikev2 profile default
 match identity remote key-id *$AnyConnectClient$*
 match identity remote address 0.0.0.0 
 match certificate cisco
 identity local dn 
 authentication remote rsa-sig
 authentication local rsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint tp
 aaa authentication anyconnect-eap AUTHEN
 aaa authorization group cert list AUTHOR ikev2-auth-policy
 aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy
 virtual-template 100
 anyconnect profile acvpn

crypto ikev2 profile PRO
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CISCO2
 aaa authorization group cert list default AC
 virtual-template 1

The upper is what you configured and the lower is from the Cisco doc.
Why do you use AnyConnect-EAP if you use the cert for auth?
MHM

I am using AnyConnect-EAP to do both: local user and certificate authentication.

OK, so can you use only the cert? Then we check using EAP + cert.
MHM

HermanAkv (Level 1)

Any particular? 

With the client I am using: Client Authentication (1.3.6.1.5.5.7.3.2)

On the router side: Server Authentication (1.3.6.1.5.5.7.3.1). Here I also have SAN set to IP=10.3.3.2

EKU = Extended Key Usage
MHM

HermanAkv (Level 1)

But there are a couple of EKUs available, so I am just using the ones I mentioned above. Should I use some more or a different one?
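An added check, not part of this thread and not Cisco's or AnyConnect's code: run on the Windows client, it lists the certificates the router's certificate map would pick (subject contains desktop-j6mo89s, mirroring "subject-name co desktop-j6mo89s" in the config above) and reports the properties that decided this case, namely whether the private key is present (the accepted solution found it was missing), whether the Client Authentication EKU discussed here is set, whether the issuer is the CA the router trusts, and whether the chain builds. The function name, the parameter defaults and the issuer CN CA.home (taken from the show crypto pki cert output above) are assumptions to adjust for your own PKI.

```powershell
# Added example, not from the thread: inspect client certificates on the Windows
# endpoint with the same criteria the router applies. Function name and defaults are
# assumptions; the subject filter mirrors "subject-name co desktop-j6mo89s" in the
# thread's certificate map and the issuer CN comes from its show crypto pki cert output.
function Test-FlexVpnClientCert {
    param(
        [string]$SubjectFilter    = 'desktop-j6mo89s',
        [string]$ExpectedIssuerCn = 'CA.home',
        [string]$RequiredEku      = '1.3.6.1.5.5.7.3.2',   # Client Authentication
        [string]$StorePath        = 'Cert:\CurrentUser\My'
    )
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -like "*$SubjectFilter*" } |
        ForEach-Object {
            $cert = $_

            # Collect EKU OIDs; an absent EKU extension means "any purpose" (RFC 5280).
            $ekuExt = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $ekus = @()
            if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
            $ekuOk = ($ekus.Count -eq 0) -or ($ekus -contains $RequiredEku)

            $issuerOk = $cert.Issuer -match ('CN=' + [regex]::Escape($ExpectedIssuerCn))

            # Build the chain without revocation checking, matching the
            # "revocation-check none" test in the thread; use Online once the CRL is reachable.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $chainOk = $chain.Build($cert)

            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey   # $false was the root cause in the accepted solution
                ClientAuthEku = $ekuOk
                IssuerMatches = $issuerOk
                ChainBuilds   = $chainOk
                Usable        = ($cert.HasPrivateKey -and $ekuOk -and $issuerOk -and $chainOk)
            }
        }
}

Test-FlexVpnClientCert | Format-List
# AnyConnect can also select from the machine store:
# Test-FlexVpnClientCert -StorePath 'Cert:\LocalMachine\My' | Format-List
```

A certificate that shows HasPrivateKey = False is exactly what the router reports as "Verification of peer's authentication data FAILED": the client can present the certificate but cannot produce the AUTH signature for it. Re-import the PFX (certificate plus key) rather than the bare .cer, then re-run the check before touching the router config.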

It's perfect.
Now just try auth using the cert ONLY.
I will check EAP + cert auth for IKEv2.
MHM

HermanAkv (Level 1)

I've changed it, but the result is the same:

*Jan 15 15:43:24.537: IKEv2:Received Packet [From 172.30.1.166:55382/To 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : AFCBFFE25D78BE93 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED) 

*Jan 15 15:43:24.537: IKEv2:(SESSION ID = 40,SA ID = 1):Verify SA init message
*Jan 15 15:43:24.537: IKEv2:(SESSION ID = 40,SA ID = 1):Insert SA
*Jan 15 15:43:24.537: IKEv2:Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 15:43:24.537: IKEv2:Using the Default Policy for Proposal
*Jan 15 15:43:24.537: IKEv2:Found Policy 'default'
*Jan 15 15:43:24.537: IKEv2:(SESSION ID = 40,SA ID = 1):Processing IKE_SA_INIT message
*Jan 15 15:43:24.539: IKEv2:(SESSION ID = 40,SA ID = 1):Received valid config mode data
*Jan 15 15:43:24.539: IKEv2:(SESSION ID = 40,SA ID = 1):Config data recieved:
*Jan 15 15:43:24.539: IKEv2:(SESSION ID = 40,SA ID = 1):Config-type: Config-request 
*Jan 15 15:43:24.539: IKEv2:(SESSION ID = 40,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
*Jan 15 15:43:24.540: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Jan 15 15:43:24.540: IKEv2:(SESSION ID = 40,SA ID = 1):Set received config mode data
*Jan 15 15:43:24.540: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 15:43:24.540: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp-ec'   'tp2'   'tp'   'SLA-TrustPoint'   
*Jan 15 15:43:24.540: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 15:43:24.540: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 15:43:24.540: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 15 15:43:24.540: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 15 15:43:24.540: IKEv2:(SESSION ID = 40,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jan 15 15:43:24.541: IKEv2:(SESSION ID = 40,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 15:43:24.541: IKEv2:(SESSION ID = 40,SA ID = 1):Request queued for computation of DH key
*Jan 15 15:43:24.541: IKEv2:(SESSION ID = 40,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jan 15 15:43:24.545: IKEv2:(SESSION ID = 40,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 15:43:24.545: IKEv2:(SESSION ID = 40,SA ID = 1):Request queued for computation of DH secret
*Jan 15 15:43:24.545: IKEv2:(SESSION ID = 40,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 15 15:43:24.545: IKEv2:(SESSION ID = 40,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 15 15:43:24.545: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 15 15:43:24.545: IKEv2:(SESSION ID = 40,SA ID = 1):Generating IKE_SA_INIT message
*Jan 15 15:43:24.545: IKEv2:(SESSION ID = 40,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA384   SHA384   DH_GROUP_256_ECP/Group 19
*Jan 15 15:43:24.546: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 15:43:24.546: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp-ec'   'tp2'   'tp'   'SLA-TrustPoint'   
*Jan 15 15:43:24.546: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 15:43:24.546: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED 

*Jan 15 15:43:24.546: IKEv2:(SESSION ID = 40,SA ID = 1):Sending Packet [To 172.30.1.166:55382/From 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : AFCBFFE25D78BE93 - Responder SPI : DE970B6CD7282E21 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

*Jan 15 15:43:24.547: IKEv2:(SESSION ID = 40,SA ID = 1):Completed SA init exchange
*Jan 15 15:43:24.547: IKEv2:(SESSION ID = 40,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 15 15:43:24.547: IKEv2:(SESSION ID = 40,SA ID = 1):Retransmitting packet 

*Jan 15 15:43:24.547: IKEv2:(SESSION ID = 40,SA ID = 1):Sending Packet [To 172.30.1.166:55382/From 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : AFCBFFE25D78BE93 - Responder SPI : DE970B6CD7282E21 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

*Jan 15 15:43:24.548: IKEv2:(SESSION ID = 40,SA ID = 1):Packet is a retransmission
*Jan 15 15:43:24.549: IKEv2-ERROR:Address type 1979468739 not supported

*Jan 15 15:43:24.549: IKEv2-ERROR:: Packet is a retransmission 

*Jan 15 15:43:24.645: IKEv2:(SESSION ID = 40,SA ID = 1):Received Packet [From 172.30.1.166:55383/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : AFCBFFE25D78BE93 - Responder SPI : DE970B6CD7282E21 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) OA OA NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Jan 15 15:43:24.645: IKEv2:(SESSION ID = 40,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 15:43:24.646: IKEv2:(SESSION ID = 40,SA ID = 1):Checking NAT discovery
*Jan 15 15:43:24.646: IKEv2:(SESSION ID = 40,SA ID = 1):NAT OUTSIDE found
*Jan 15 15:43:24.646: IKEv2:(SESSION ID = 40,SA ID = 1):NAT detected float to init port 55383, resp port 4500
*Jan 15 15:43:24.646: IKEv2:(SESSION ID = 40,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
*Jan 15 15:43:24.646: IKEv2:found matching IKEv2 profile 'default'
*Jan 15 15:43:24.646: IKEv2:(SESSION ID = 40,SA ID = 1):Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 15:43:24.646: IKEv2:(SESSION ID = 40,SA ID = 1):Using the Default Policy for Proposal
*Jan 15 15:43:24.646: IKEv2:(SESSION ID = 40,SA ID = 1):Found Policy 'default'
*Jan 15 15:43:24.646: IKEv2:not a VPN-SIP session
*Jan 15 15:43:24.646: IKEv2:(SESSION ID = 40,SA ID = 1):Verify peer's policy
*Jan 15 15:43:24.646: IKEv2:(SESSION ID = 40,SA ID = 1):Peer's policy verified
*Jan 15 15:43:24.646: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Jan 15 15:43:24.646: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Jan 15 15:43:24.646: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

*Jan 15 15:43:24.646: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint tp
*Jan 15 15:43:24.647: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jan 15 15:43:24.647: IKEv2:(SESSION ID = 40,SA ID = 1):Check for EAP exchange
*Jan 15 15:43:24.647: IKEv2:(SESSION ID = 40,SA ID = 1):Check for EAP exchange
*Jan 15 15:43:24.647: IKEv2:(SESSION ID = 40,SA ID = 1):Verification of peer's authentication data FAILED
*Jan 15 15:43:24.647: IKEv2:(SESSION ID = 40,SA ID = 1):Sending authentication failure notify
*Jan 15 15:43:24.647: IKEv2:(SESSION ID = 40,SA ID = 1):Building packet for encryption.  
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED) 

*Jan 15 15:43:24.647: IKEv2:(SESSION ID = 40,SA ID = 1):Sending Packet [To 172.30.1.166:55383/From 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : AFCBFFE25D78BE93 - Responder SPI : DE970B6CD7282E21 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

*Jan 15 15:43:24.648: IKEv2:(SESSION ID = 40,SA ID = 1):Auth exchange failed
*Jan 15 15:43:24.648: IKEv2-ERROR:(SESSION ID = 40,SA ID = 1):: Auth exchange failed
*Jan 15 15:43:24.648: IKEv2:(SESSION ID = 40,SA ID = 1):Abort exchange
*Jan 15 15:43:24.648: IKEv2:(SESSION ID = 40,SA ID = 1):Deleting SA
*Jan 15 15:43:24.648: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 15 15:43:24.648: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jan 15 15:43:24.650: IKEv2-ERROR:Address type 2147505527 not supported

*Jan 15 15:43:24.650: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI 

*Jan 15 15:43:24.650: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 172.30.1.166:55383/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : AFCBFFE25D78BE93 - Responder SPI : DE970B6CD7282E21 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
*Jan 15 15:43:24.650: IKEv2-ERROR:Address type 1122716611 not supported

*Jan 15 15:43:24.650: IKEv2-ERROR:: A supplied parameter is incorrect

revocation-check crl

Make revocation-check none 

Then check again 

MHM

Added, but no change:

*Jan 15 16:13:01.142: IKEv2:Received Packet [From 172.30.1.166:55914/To 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : 3F9BDA767B5B948F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED) 

*Jan 15 16:13:01.143: IKEv2:(SESSION ID = 45,SA ID = 1):Verify SA init message
*Jan 15 16:13:01.143: IKEv2:(SESSION ID = 45,SA ID = 1):Insert SA
*Jan 15 16:13:01.143: IKEv2:Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 16:13:01.143: IKEv2:Using the Default Policy for Proposal
*Jan 15 16:13:01.143: IKEv2:Found Policy 'default'
*Jan 15 16:13:01.143: IKEv2:(SESSION ID = 45,SA ID = 1):Processing IKE_SA_INIT message
*Jan 15 16:13:01.145: IKEv2:(SESSION ID = 45,SA ID = 1):Received valid config mode data
*Jan 15 16:13:01.145: IKEv2:(SESSION ID = 45,SA ID = 1):Config data recieved:
*Jan 15 16:13:01.145: IKEv2:(SESSION ID = 45,SA ID = 1):Config-type: Config-request 
*Jan 15 16:13:01.145: IKEv2:(SESSION ID = 45,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
*Jan 15 16:13:01.145: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Jan 15 16:13:01.145: IKEv2:(SESSION ID = 45,SA ID = 1):Set received config mode data
*Jan 15 16:13:01.145: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 16:13:01.145: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp-ec'   'tp2'   'tp'   'SLA-TrustPoint'   
*Jan 15 16:13:01.145: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 16:13:01.145: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 16:13:01.145: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 15 16:13:01.145: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 15 16:13:01.145: IKEv2:(SESSION ID = 45,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jan 15 16:13:01.147: IKEv2:(SESSION ID = 45,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 16:13:01.147: IKEv2:(SESSION ID = 45,SA ID = 1):Request queued for computation of DH key
*Jan 15 16:13:01.147: IKEv2:(SESSION ID = 45,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jan 15 16:13:01.150: IKEv2:(SESSION ID = 45,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 16:13:01.150: IKEv2:(SESSION ID = 45,SA ID = 1):Request queued for computation of DH secret
*Jan 15 16:13:01.150: IKEv2:(SESSION ID = 45,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 15 16:13:01.151: IKEv2:(SESSION ID = 45,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 15 16:13:01.151: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 15 16:13:01.151: IKEv2:(SESSION ID = 45,SA ID = 1):Generating IKE_SA_INIT message
*Jan 15 16:13:01.151: IKEv2:(SESSION ID = 45,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA384   SHA384   DH_GROUP_256_ECP/Group 19
*Jan 15 16:13:01.151: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 16:13:01.151: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp-ec'   'tp2'   'tp'   'SLA-TrustPoint'   
*Jan 15 16:13:01.151: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 16:13:01.151: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED 

*Jan 15 16:13:01.151: IKEv2:(SESSION ID = 45,SA ID = 1):Sending Packet [To 172.30.1.166:55914/From 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : 3F9BDA767B5B948F - Responder SPI : D35CE8C17DE79532 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

*Jan 15 16:13:01.152: IKEv2:(SESSION ID = 45,SA ID = 1):Completed SA init exchange
*Jan 15 16:13:01.152: IKEv2:(SESSION ID = 45,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 15 16:13:01.152: IKEv2:(SESSION ID = 45,SA ID = 1):Retransmitting packet 

*Jan 15 16:13:01.153: IKEv2:(SESSION ID = 45,SA ID = 1):Sending Packet [To 172.30.1.166:55914/From 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : 3F9BDA767B5B948F - Responder SPI : D35CE8C17DE79532 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

*Jan 15 16:13:01.154: IKEv2:(SESSION ID = 45,SA ID = 1):Packet is a retransmission
*Jan 15 16:13:01.154: IKEv2-ERROR:Address type 1979468739 not supported

*Jan 15 16:13:01.154: IKEv2-ERROR:: Packet is a retransmission 

*Jan 15 16:13:01.167: IKEv2:(SESSION ID = 45,SA ID = 1):Received Packet [From 172.30.1.166:55915/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 3F9BDA767B5B948F - Responder SPI : D35CE8C17DE79532 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) OA OA NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):Checking NAT discovery
*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):NAT OUTSIDE found
*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):NAT detected float to init port 55915, resp port 4500
*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
*Jan 15 16:13:01.168: IKEv2:found matching IKEv2 profile 'default'
*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):Using the Default Policy for Proposal
*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):Found Policy 'default'
*Jan 15 16:13:01.168: IKEv2:not a VPN-SIP session
*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):Verify peer's policy
*Jan 15 16:13:01.168: IKEv2:(SESSION ID = 45,SA ID = 1):Peer's policy verified
*Jan 15 16:13:01.168: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Jan 15 16:13:01.168: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Jan 15 16:13:01.168: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

*Jan 15 16:13:01.168: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint tp
*Jan 15 16:13:01.169: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jan 15 16:13:01.169: IKEv2:(SESSION ID = 45,SA ID = 1):Check for EAP exchange
*Jan 15 16:13:01.169: IKEv2:(SESSION ID = 45,SA ID = 1):Check for EAP exchange
*Jan 15 16:13:01.169: IKEv2:(SESSION ID = 45,SA ID = 1):Verification of peer's authentication data FAILED
*Jan 15 16:13:01.169: IKEv2:(SESSION ID = 45,SA ID = 1):Sending authentication failure notify
*Jan 15 16:13:01.169: IKEv2:(SESSION ID = 45,SA ID = 1):Building packet for encryption.  
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED) 

*Jan 15 16:13:01.169: IKEv2:(SESSION ID = 45,SA ID = 1):Sending Packet [To 172.30.1.166:55915/From 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 3F9BDA767B5B948F - Responder SPI : D35CE8C17DE79532 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

*Jan 15 16:13:01.170: IKEv2:(SESSION ID = 45,SA ID = 1):Auth exchange failed
*Jan 15 16:13:01.170: IKEv2-ERROR:(SESSION ID = 45,SA ID = 1):: Auth exchange failed
*Jan 15 16:13:01.170: IKEv2:(SESSION ID = 45,SA ID = 1):Abort exchange
*Jan 15 16:13:01.170: IKEv2:(SESSION ID = 45,SA ID = 1):Deleting SA
*Jan 15 16:13:01.170: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 15 16:13:01.170: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jan 15 16:13:01.171: IKEv2-ERROR:Address type 2147505527 not supported

*Jan 15 16:13:01.171: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI 

*Jan 15 16:13:01.171: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 172.30.1.166:55915/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 3F9BDA767B5B948F - Responder SPI : D35CE8C17DE79532 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
*Jan 15 16:13:01.172: IKEv2-ERROR:Address type 1122716611 not supported

*Jan 15 16:13:01.172: IKEv2-ERROR:: A supplied parameter is incorrect

@HermanAkv the error in the logs "Failed to locate an item in the database" usually indicates the certificate map did not match the configured value. Is the subject name of the client certificate definitely desktop-j6mo89s?

Yes, it is. It was in capitals, so I've generated a new cert in lower case, but I get the same error:

*Jan 15 16:09:56.302: IKEv2:Received Packet [From 172.30.1.166:61885/To 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : 0435426EE86E30A1 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED) 

*Jan 15 16:09:56.303: IKEv2:(SESSION ID = 44,SA ID = 1):Verify SA init message
*Jan 15 16:09:56.303: IKEv2:(SESSION ID = 44,SA ID = 1):Insert SA
*Jan 15 16:09:56.303: IKEv2:Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 16:09:56.303: IKEv2:Using the Default Policy for Proposal
*Jan 15 16:09:56.303: IKEv2:Found Policy 'default'
*Jan 15 16:09:56.304: IKEv2:(SESSION ID = 44,SA ID = 1):Processing IKE_SA_INIT message
*Jan 15 16:09:56.305: IKEv2:(SESSION ID = 44,SA ID = 1):Received valid config mode data
*Jan 15 16:09:56.305: IKEv2:(SESSION ID = 44,SA ID = 1):Config data recieved:
*Jan 15 16:09:56.305: IKEv2:(SESSION ID = 44,SA ID = 1):Config-type: Config-request 
*Jan 15 16:09:56.305: IKEv2:(SESSION ID = 44,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
*Jan 15 16:09:56.305: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Jan 15 16:09:56.306: IKEv2:(SESSION ID = 44,SA ID = 1):Set received config mode data
*Jan 15 16:09:56.306: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 16:09:56.306: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp-ec'   'tp2'   'tp'   'SLA-TrustPoint'   
*Jan 15 16:09:56.306: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 16:09:56.306: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 16:09:56.306: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 15 16:09:56.306: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 15 16:09:56.306: IKEv2:(SESSION ID = 44,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jan 15 16:09:56.307: IKEv2:(SESSION ID = 44,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 16:09:56.307: IKEv2:(SESSION ID = 44,SA ID = 1):Request queued for computation of DH key
*Jan 15 16:09:56.307: IKEv2:(SESSION ID = 44,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jan 15 16:09:56.311: IKEv2:(SESSION ID = 44,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 16:09:56.311: IKEv2:(SESSION ID = 44,SA ID = 1):Request queued for computation of DH secret
*Jan 15 16:09:56.311: IKEv2:(SESSION ID = 44,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 15 16:09:56.312: IKEv2:(SESSION ID = 44,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 15 16:09:56.312: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 15 16:09:56.312: IKEv2:(SESSION ID = 44,SA ID = 1):Generating IKE_SA_INIT message
*Jan 15 16:09:56.312: IKEv2:(SESSION ID = 44,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA384   SHA384   DH_GROUP_256_ECP/Group 19
*Jan 15 16:09:56.312: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 16:09:56.312: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp-ec'   'tp2'   'tp'   'SLA-TrustPoint'   
*Jan 15 16:09:56.312: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 16:09:56.312: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED 

*Jan 15 16:09:56.312: IKEv2:(SESSION ID = 44,SA ID = 1):Sending Packet [To 172.30.1.166:61885/From 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : 0435426EE86E30A1 - Responder SPI : E29B1113398AFFE8 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

*Jan 15 16:09:56.313: IKEv2:(SESSION ID = 44,SA ID = 1):Completed SA init exchange
*Jan 15 16:09:56.314: IKEv2:(SESSION ID = 44,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 15 16:09:56.314: IKEv2:(SESSION ID = 44,SA ID = 1):Retransmitting packet 

*Jan 15 16:09:56.314: IKEv2:(SESSION ID = 44,SA ID = 1):Sending Packet [To 172.30.1.166:61885/From 10.3.3.2:500/VRF i0:f0] 
Initiator SPI : 0435426EE86E30A1 - Responder SPI : E29B1113398AFFE8 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ 

*Jan 15 16:09:56.315: IKEv2:(SESSION ID = 44,SA ID = 1):Packet is a retransmission
*Jan 15 16:09:56.315: IKEv2-ERROR:Address type 1979468739 not supported

*Jan 15 16:09:56.316: IKEv2-ERROR:: Packet is a retransmission 

*Jan 15 16:09:56.325: IKEv2:(SESSION ID = 44,SA ID = 1):Received Packet [From 172.30.1.166:61886/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 0435426EE86E30A1 - Responder SPI : E29B1113398AFFE8 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) OA OA NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Jan 15 16:09:56.326: IKEv2:(SESSION ID = 44,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 16:09:56.326: IKEv2:(SESSION ID = 44,SA ID = 1):Checking NAT discovery
*Jan 15 16:09:56.326: IKEv2:(SESSION ID = 44,SA ID = 1):NAT OUTSIDE found
*Jan 15 16:09:56.326: IKEv2:(SESSION ID = 44,SA ID = 1):NAT detected float to init port 61886, resp port 4500
*Jan 15 16:09:56.326: IKEv2:(SESSION ID = 44,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
*Jan 15 16:09:56.327: IKEv2:found matching IKEv2 profile 'default'
*Jan 15 16:09:56.327: IKEv2:(SESSION ID = 44,SA ID = 1):Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 16:09:56.327: IKEv2:(SESSION ID = 44,SA ID = 1):Using the Default Policy for Proposal
*Jan 15 16:09:56.327: IKEv2:(SESSION ID = 44,SA ID = 1):Found Policy 'default'
*Jan 15 16:09:56.327: IKEv2:not a VPN-SIP session
*Jan 15 16:09:56.327: IKEv2:(SESSION ID = 44,SA ID = 1):Verify peer's policy
*Jan 15 16:09:56.327: IKEv2:(SESSION ID = 44,SA ID = 1):Peer's policy verified
*Jan 15 16:09:56.327: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Jan 15 16:09:56.327: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Jan 15 16:09:56.327: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

*Jan 15 16:09:56.327: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint tp
*Jan 15 16:09:56.327: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jan 15 16:09:56.328: IKEv2:(SESSION ID = 44,SA ID = 1):Check for EAP exchange
*Jan 15 16:09:56.328: IKEv2:(SESSION ID = 44,SA ID = 1):Check for EAP exchange
*Jan 15 16:09:56.328: IKEv2:(SESSION ID = 44,SA ID = 1):Verification of peer's authentication data FAILED
*Jan 15 16:09:56.328: IKEv2:(SESSION ID = 44,SA ID = 1):Sending authentication failure notify
*Jan 15 16:09:56.328: IKEv2:(SESSION ID = 44,SA ID = 1):Building packet for encryption.  
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED) 

*Jan 15 16:09:56.328: IKEv2:(SESSION ID = 44,SA ID = 1):Sending Packet [To 172.30.1.166:61886/From 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 0435426EE86E30A1 - Responder SPI : E29B1113398AFFE8 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

*Jan 15 16:09:56.328: IKEv2:(SESSION ID = 44,SA ID = 1):Auth exchange failed
*Jan 15 16:09:56.328: IKEv2-ERROR:(SESSION ID = 44,SA ID = 1):: Auth exchange failed
*Jan 15 16:09:56.329: IKEv2:(SESSION ID = 44,SA ID = 1):Abort exchange
*Jan 15 16:09:56.329: IKEv2:(SESSION ID = 44,SA ID = 1):Deleting SA
*Jan 15 16:09:56.329: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 15 16:09:56.329: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jan 15 16:09:56.330: IKEv2-ERROR:Address type 2147505527 not supported

*Jan 15 16:09:56.330: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI 

*Jan 15 16:09:56.330: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 172.30.1.166:61886/To 10.3.3.2:4500/VRF i0:f0] 
Initiator SPI : 0435426EE86E30A1 - Responder SPI : E29B1113398AFFE8 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
*Jan 15 16:09:56.330: IKEv2-ERROR:Address type 1122716611 not supported

*Jan 15 16:09:56.331: IKEv2-ERROR:: A supplied parameter is incorrect

And here is my AnyConnect XML:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectProfile.xsd">
	<ClientInitialization>
		<UseStartBeforeLogon UserControllable="true">true</UseStartBeforeLogon>
		<AutomaticCertSelection UserControllable="false">true</AutomaticCertSelection>
		<ShowPreConnectMessage>false</ShowPreConnectMessage>
		<CertificateStore>All</CertificateStore>
		<CertificateStoreMac>All</CertificateStoreMac>
		<CertificateStoreLinux>All</CertificateStoreLinux>
		<CertificateStoreOverride>false</CertificateStoreOverride>
		<ProxySettings>Native</ProxySettings>
		<AllowLocalProxyConnections>false</AllowLocalProxyConnections>
		<AuthenticationTimeout>30</AuthenticationTimeout>
		<AutoConnectOnStart UserControllable="false">false</AutoConnectOnStart>
		<MinimizeOnConnect UserControllable="false">true</MinimizeOnConnect>
		<LocalLanAccess UserControllable="false">false</LocalLanAccess>
		<DisableCaptivePortalDetection UserControllable="false">false</DisableCaptivePortalDetection>
		<ClearSmartcardPin UserControllable="false">false</ClearSmartcardPin>
		<IPProtocolSupport>IPv4</IPProtocolSupport>
		<AutoReconnect UserControllable="false">true
			<AutoReconnectBehavior UserControllable="false">ReconnectAfterResume</AutoReconnectBehavior>
		</AutoReconnect>
		<SuspendOnConnectedStandby>false</SuspendOnConnectedStandby>
		<AutoUpdate UserControllable="false">true</AutoUpdate>
		<RSASecurIDIntegration UserControllable="false">Automatic</RSASecurIDIntegration>
		<WindowsLogonEnforcement>SingleLocalLogon</WindowsLogonEnforcement>
		<LinuxLogonEnforcement>SingleLocalLogon</LinuxLogonEnforcement>
		<WindowsVPNEstablishment>LocalUsersOnly</WindowsVPNEstablishment>
		<LinuxVPNEstablishment>LocalUsersOnly</LinuxVPNEstablishment>
		<AutomaticVPNPolicy>false</AutomaticVPNPolicy>
		<PPPExclusion UserControllable="false">Disable
			<PPPExclusionServerIP UserControllable="false"></PPPExclusionServerIP>
		</PPPExclusion>
		<EnableScripting UserControllable="false">false</EnableScripting>
		<CertificateMatch>
			<MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
			<DistinguishedName>
				<DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
					<Name>ISSUER-CN</Name>
					<Pattern>CA.home</Pattern>
				</DistinguishedNameDefinition>
			</DistinguishedName>
		</CertificateMatch>
		<EnableAutomaticServerSelection UserControllable="false">false
			<AutoServerSelectionImprovement>20</AutoServerSelectionImprovement>
			<AutoServerSelectionSuspendTime>4</AutoServerSelectionSuspendTime>
		</EnableAutomaticServerSelection>
		<RetainVpnOnLogoff>false
		</RetainVpnOnLogoff>
		<CaptivePortalRemediationBrowserFailover>false</CaptivePortalRemediationBrowserFailover>
		<AllowManualHostInput>true</AllowManualHostInput>
	</ClientInitialization>
	<ServerList>
		<HostEntry>
			<HostName>vpn-cert.home</HostName>
			<HostAddress>vpn-cert.home</HostAddress>
			<PrimaryProtocol>IPsec
				<StandardAuthenticationOnly>true
					<AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
				</StandardAuthenticationOnly>
			</PrimaryProtocol>
		</HostEntry>
	</ServerList>
</AnyConnectProfile>
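
The profile above selects the client certificate by issuer CN through its CertificateMatch block. As an added example that is not part of the thread or of AnyConnect itself, the Python below reads that block from a cut-down copy of the posted profile and applies the Operator, Wildcard and MatchCase attributes of each DistinguishedNameDefinition to constructed candidate certificates, then pulls the AuthMethodDuringIKENegotiation for the host entry. The candidate certificates are made up here to exercise the rule (the certificate attached to the thread is not used); the AND-across-rules behaviour and the attribute defaults are assumptions, marked as such in the code.

```python
"""Evaluate an AnyConnect profile's <CertificateMatch> rules against candidate client
certificates. Added example for this thread, not Cisco code. Rule semantics follow the
DistinguishedNameDefinition attributes in the profile schema (Operator Equal/NotEqual,
Wildcard Enabled allows * and ?, MatchCase Disabled compares case-insensitively); the
assumption that every rule must hold, and the candidate certificates, are constructed here."""
import fnmatch
import xml.etree.ElementTree as ET

NS = {"ac": "http://schemas.xmlsoap.org/encoding/"}   # default namespace the posted profile declares

# Cut-down copy of the profile posted above: only the certificate match and the host entry.
PROFILE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <CertificateMatch>
      <MatchOnlyCertsWithKU>false</MatchOnlyCertsWithKU>
      <DistinguishedName>
        <DistinguishedNameDefinition Operator="Equal" Wildcard="Disabled" MatchCase="Disabled">
          <Name>ISSUER-CN</Name>
          <Pattern>CA.home</Pattern>
        </DistinguishedNameDefinition>
      </DistinguishedName>
    </CertificateMatch>
  </ClientInitialization>
  <ServerList>
    <HostEntry>
      <HostName>vpn-cert.home</HostName>
      <HostAddress>vpn-cert.home</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>"""

# Constructed candidates, keyed by the DN field names AnyConnect uses (CN, OU, ISSUER-CN, ...).
CERTS = {
    "home-ca-lower": {"CN": "desktop-j6mo89s", "OU": "IT", "ISSUER-CN": "CA.home"},
    "home-ca-upper": {"CN": "DESKTOP-J6MO89S", "OU": "IT", "ISSUER-CN": "ca.HOME"},
    "other-ca":      {"CN": "desktop-j6mo89s", "OU": "IT", "ISSUER-CN": "Other CA"},
}

def dn_rules(profile_xml: str) -> list:
    """Each DistinguishedNameDefinition as a dict; the attribute defaults are assumptions."""
    root = ET.fromstring(profile_xml)
    return [{
        "field": d.findtext("ac:Name", namespaces=NS),
        "pattern": d.findtext("ac:Pattern", namespaces=NS),
        "operator": d.get("Operator", "Equal"),
        "wildcard": d.get("Wildcard", "Disabled") == "Enabled",
        "match_case": d.get("MatchCase", "Enabled") == "Enabled",
    } for d in root.iterfind(".//ac:DistinguishedNameDefinition", NS)]

def rule_matches(rule: dict, cert: dict) -> bool:
    """Apply one rule to the named DN field of the certificate."""
    value, pattern = cert.get(rule["field"], ""), rule["pattern"]
    if not rule["match_case"]:
        value, pattern = value.lower(), pattern.lower()
    hit = fnmatch.fnmatchcase(value, pattern) if rule["wildcard"] else value == pattern
    return hit if rule["operator"] == "Equal" else not hit

def cert_eligible(profile_xml: str, cert: dict) -> bool:
    """True when the certificate satisfies every DN rule (assumed AND semantics)."""
    return all(rule_matches(r, cert) for r in dn_rules(profile_xml))

def ike_auth_method(profile_xml: str, host: str):
    """AuthMethodDuringIKENegotiation for the named HostEntry, or None."""
    root = ET.fromstring(profile_xml)
    for he in root.iterfind(".//ac:HostEntry", NS):
        if he.findtext("ac:HostName", namespaces=NS) == host:
            return he.findtext(".//ac:AuthMethodDuringIKENegotiation", namespaces=NS)
    return None

if __name__ == "__main__":
    for name, cert in CERTS.items():
        print(f"{name}: eligible={cert_eligible(PROFILE, cert)}")
    print("IKE auth method:", ike_auth_method(PROFILE, "vpn-cert.home"))
```

With MatchCase="Disabled" on the posted rule, both the lower-case and upper-case issuer spellings pass and only the certificate from a different CA is rejected, so the client-side match on ISSUER-CN is not sensitive to the capitalisation change described earlier in the thread.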

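The two debug captures above (the one in the first post and the repeat after the lower-case certificate) have the same shape, so one parser serves both. As an added example that is not part of the thread or of Cisco's tooling, the Python below groups `debug crypto ikev2` lines into IKE messages using the packet banners the debug prints (Received/Sending Packet, the SPI line, the exchange line and the list under "Payload contents:") and answers two questions about the capture: which payloads the client's IKE_AUTH request carried, and whether the packet behind "Couldn't find matching SA: Detected an invalid IKE SPI" is new traffic or a retransmission of a message the responder already processed on an SA it has since deleted. The embedded log is an excerpt of the second capture, trimmed to the lines the parser reads; the payload-to-meaning mapping (an IKE_AUTH request that carries IDi but no AUTH payload is the RFC 7296 section 2.16 way for the initiator to ask for EAP) is standard IKEv2, and the regexes are written against the exact line shapes in these captures, which is an assumption for other IOS-XE releases.

```python
"""Group IOS-XE `debug crypto ikev2` output into IKE messages and classify the failure it shows.
Added example for this thread, not Cisco code; the regexes follow the exact line shapes in the
captures above, which is an assumption for other IOS-XE releases."""
import re
from dataclasses import dataclass, field

PACKET_RE = re.compile(r"IKEv2:(?:\(SESSION ID = (?P<sess>\d+),SA ID = \d+\):)?"
                       r"(?P<dir>Received|Sending) Packet \[")
SPI_RE = re.compile(r"Initiator SPI : (?P<ispi>[0-9A-F]+) - Responder SPI : (?P<rspi>[0-9A-F]+)"
                    r" Message id: (?P<msgid>\d+)")
EXCH_RE = re.compile(r"IKEv2 (?P<exch>\w+) Exchange (?P<kind>REQUEST|RESPONSE)")
DELETE_RE = re.compile(r"\(SESSION ID = (?P<sess>\d+),SA ID = \d+\):Deleting SA")

# Excerpt of the second capture posted above, trimmed to the lines the parser reads.
SAMPLE_LOG = """
*Jan 15 16:09:56.302: IKEv2:Received Packet [From 172.30.1.166:61885/To 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 0435426EE86E30A1 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)
*Jan 15 16:09:56.325: IKEv2:(SESSION ID = 44,SA ID = 1):Received Packet [From 172.30.1.166:61886/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 0435426EE86E30A1 - Responder SPI : E29B1113398AFFE8 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) OA OA NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jan 15 16:09:56.328: IKEv2:(SESSION ID = 44,SA ID = 1):Building packet for encryption.
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)
*Jan 15 16:09:56.328: IKEv2:(SESSION ID = 44,SA ID = 1):Sending Packet [To 172.30.1.166:61886/From 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 0435426EE86E30A1 - Responder SPI : E29B1113398AFFE8 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR
*Jan 15 16:09:56.329: IKEv2:(SESSION ID = 44,SA ID = 1):Deleting SA
*Jan 15 16:09:56.330: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
*Jan 15 16:09:56.330: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 172.30.1.166:61886/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 0435426EE86E30A1 - Responder SPI : E29B1113398AFFE8 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
"""

@dataclass
class Message:
    direction: str          # "Received" or "Sending"
    session: int            # 0 when the responder has no SA for the packet yet (or any more)
    ispi: str = ""
    rspi: str = ""
    msgid: int = -1
    exchange: str = ""
    kind: str = ""
    payloads: list = field(default_factory=list)   # as listed under "Payload contents:"

def parse(log: str):
    """Return (messages, deleted); deleted holds the SPI pairs of SAs the responder tore down."""
    msgs, deleted, cur, awaiting = [], set(), None, False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if awaiting:                                   # the line after "Payload contents:"
            awaiting = False
            if cur is not None and not cur.payloads:
                cur.payloads = line.split()
            continue
        if (m := PACKET_RE.search(line)):
            cur = Message(m["dir"], int(m["sess"] or 0))
            msgs.append(cur)
        elif (m := SPI_RE.search(line)) and cur is not None:
            cur.ispi, cur.rspi, cur.msgid = m["ispi"], m["rspi"], int(m["msgid"])
        elif (m := EXCH_RE.search(line)) and cur is not None:
            cur.exchange, cur.kind = m["exch"], m["kind"]
        elif "Building packet for encryption" in line:
            cur = None                                 # next payload list is ENCR plaintext, not a wire packet
        elif line.endswith("Payload contents:"):
            awaiting = True
        elif (m := DELETE_RE.search(line)):            # the SA's SPI pair is on its last message
            last = next((x for x in reversed(msgs) if x.session == int(m["sess"]) and x.rspi), None)
            if last:
                deleted.add((last.ispi, last.rspi))
    return msgs, deleted

def auth_request_summary(msgs) -> dict:
    """IDi with no AUTH payload in the IKE_AUTH request is the RFC 7296 s2.16 request for EAP."""
    req = next((x for x in msgs if x.session and x.exchange == "IKE_AUTH" and x.kind == "REQUEST"), None)
    if req is None:
        return {}
    p = set(req.payloads)
    return {"has_IDi": "IDi" in p, "has_AUTH": "AUTH" in p, "has_CERT": "CERT" in p,
            "eap_requested": "IDi" in p and "AUTH" not in p}

def orphan_retransmissions(msgs, deleted):
    """Unmatched received packets (SESSION ID = 0) that repeat the SPI pair, message id and
    exchange of a message already handled on a since-deleted SA: retransmissions, not new failures."""
    seen = {(x.ispi, x.rspi, x.msgid, x.exchange, x.kind) for x in msgs if x.session}
    return [x for x in msgs if x.direction == "Received" and x.session == 0
            and (x.ispi, x.rspi) in deleted
            and (x.ispi, x.rspi, x.msgid, x.exchange, x.kind) in seen]

if __name__ == "__main__":
    msgs, deleted = parse(SAMPLE_LOG)
    print(auth_request_summary(msgs), "retransmissions after delete:", len(orphan_retransmissions(msgs, deleted)))
```

On this capture the summary reports IDi and CERTREQ present but neither AUTH nor CERT in the IKE_AUTH request, i.e. the client asked for EAP and offered no certificate in that message, and the single packet behind the "invalid IKE SPI" error carries the same SPI pair and message id 1 as the IKE_AUTH request the responder had already rejected, arriving after "Deleting SA". That error is therefore a consequence of the AUTHENTICATION_FAILED outcome, not its cause, so the search for the root cause belongs in the lines between "Check for EAP exchange" and "Verification of peer's authentication data FAILED".
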
Make revocation none.

Share the LAST IKEv2 profile config with the cert map.

MHM