01-15-2024 02:43 AM
Hi there,
I am trying to get FlexVPN AnyConnect-EAP with local authentication using both user and certificate working. However, if I use only local user authentication it works, but I am not able to get the certificate part working. I keep getting this error:
IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
I am using a CSR 1100 and, on the client side, Cisco AnyConnect.
Here is my crypto config:
aaa new-model
!
!
aaa authentication login AUTHEN local
aaa authorization network AUTHOR local
!
crypto pki trustpoint tp
enrollment terminal
fqdn vpn-cert.home
subject-name cn=vpn-cert.home,OU=IT
subject-alt-name vpn-cert.home
revocation-check crl
!
!
!
crypto pki certificate map cisco 1
subject-name co desktop-j6mo89s
!
!
crypto ikev2 authorization policy ikev2-auth-policy
pool ACPOOL
dns 172.16.1.1
netmask 255.255.255.0
!
!
!
!
crypto ikev2 profile default
match identity remote key-id *$AnyConnectClient$*
match identity remote address 0.0.0.0
match certificate cisco
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
authentication remote anyconnect-eap aggregate cert-request
pki trustpoint tp
aaa authentication anyconnect-eap AUTHEN
aaa authorization group cert list AUTHOR ikev2-auth-policy
aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy
virtual-template 100
anyconnect profile acvpn
!
no crypto ikev2 http-url cert
!
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback100
ip mtu 1400
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
ip local pool ACPOOL 172.16.10.10 172.16.10.20
Client cert attached. Output of show crypto pki cert:
Certificate
Status: Available
Certificate Serial Number (hex): 1A148C52941C61EC
Certificate Usage: General Purpose
Issuer:
cn=CA.home
ou=CA
o=home
Subject:
Name: vpn-cert.home
hostname=vpn-cert.home
cn=vpn-cert.home
ou=IT
Validity Date:
start date: 11:00:00 CET Jan 15 2024
end date: 08:19:00 CET Jan 4 2025
Associated Trustpoints: tp
CA Certificate
Status: Available
Certificate Serial Number (hex): 7428A90B015D3E82
Certificate Usage: Signature
Issuer:
cn=CA.home
ou=CA
o=home
Subject:
cn=CA.home
ou=CA
o=home
Validity Date:
start date: 14:01:00 CET Jan 8 2024
end date: 08:19:00 CET Jan 4 2025
Associated Trustpoints: tp
Storage: nvram:CAhome#3E82CA.cer
And the debug crypto ikev2:
*Jan 15 10:31:41.516: IKEv2:Received Packet [From 172.30.1.166:49395/To 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)
*Jan 15 10:31:41.516: IKEv2:(SESSION ID = 17,SA ID = 1):Verify SA init message
*Jan 15 10:31:41.516: IKEv2:(SESSION ID = 17,SA ID = 1):Insert SA
*Jan 15 10:31:41.517: IKEv2:Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 10:31:41.517: IKEv2:Using the Default Policy for Proposal
*Jan 15 10:31:41.517: IKEv2:Found Policy 'default'
*Jan 15 10:31:41.517: IKEv2:(SESSION ID = 17,SA ID = 1):Processing IKE_SA_INIT message
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Received valid config mode data
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Config data recieved:
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Config-type: Config-request
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
*Jan 15 10:31:41.519: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Set received config mode data
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp' 'SLA-TrustPoint'
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 15 10:31:41.520: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 15 10:31:41.520: IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jan 15 10:31:41.521: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 10:31:41.521: IKEv2:(SESSION ID = 17,SA ID = 1):Request queued for computation of DH key
*Jan 15 10:31:41.521: IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):Request queued for computation of DH secret
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 15 10:31:41.525: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):Generating IKE_SA_INIT message
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA384 SHA384 DH_GROUP_256_ECP/Group 19
*Jan 15 10:31:41.525: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 10:31:41.525: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp' 'SLA-TrustPoint'
*Jan 15 10:31:41.526: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 10:31:41.526: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 10:31:41.526: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49395/From 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Completed SA init exchange
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Retransmitting packet
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49395/From 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Jan 15 10:31:41.528: IKEv2:(SESSION ID = 17,SA ID = 1):Packet is a retransmission
*Jan 15 10:31:41.529: IKEv2-ERROR:Address type 1979468739 not supported
*Jan 15 10:31:41.529: IKEv2-ERROR:: Packet is a retransmission
*Jan 15 10:31:41.543: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) OA OA NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Checking NAT discovery
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):NAT OUTSIDE found
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):NAT detected float to init port 49396, resp port 4500
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
*Jan 15 10:31:41.544: IKEv2:found matching IKEv2 profile 'default'
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Using the Default Policy for Proposal
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Found Policy 'default'
*Jan 15 10:31:41.545: IKEv2:not a VPN-SIP session
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Verify peer's policy
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Peer's policy verified
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Jan 15 10:31:41.545: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint tp
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Check for EAP exchange
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Check for EAP exchange
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Generate my authentication data
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Get my authentication method
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):My authentication method is 'RSA'
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Sign authentication data
*Jan 15 10:31:41.546: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Jan 15 10:31:41.546: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
*Jan 15 10:31:41.546: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
*Jan 15 10:31:41.572: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Jan 15 10:31:41.572: IKEv2-ERROR:Address type 2850704323 not supported
*Jan 15 10:31:41.573: IKEv2-ERROR:: Negotiation context locked currently in use
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Authentication material has been sucessfully signed
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Generating AnyConnect EAP request
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'hello' request
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Constructing IDr payload: 'hostname=vpn-cert.home,cn=vpn-cert.home,ou=IT' of type 'DER ASN1 DN'
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr CERT CERT AUTH EAP
*Jan 15 10:31:41.574: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 15 10:31:41.575: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (90 sec) to wait for auth message
*Jan 15 10:31:41.585: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 2
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Processing AnyConnect EAP response
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Checking for Dual Auth
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Generating AnyConnect EAP CERT request
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'cert-request'
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for encryption.
Payload contents:
EAP
*Jan 15 10:31:41.587: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 15 10:31:41.588: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (90 sec) to wait for auth message
*Jan 15 10:31:41.588: IKEv2:(SESSION ID = 17,SA ID = 1):Retransmitting packet
*Jan 15 10:31:41.588: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 15 10:31:41.589: IKEv2:(SESSION ID = 17,SA ID = 1):Restarting timer for 90 seconds to wait for auth message
*Jan 15 10:31:41.589: IKEv2:(SESSION ID = 17,SA ID = 1):Packet is a retransmission
*Jan 15 10:31:41.589: IKEv2-ERROR:Address type 1979468739 not supported
*Jan 15 10:31:41.589: IKEv2-ERROR:: Packet is a retransmission
*Jan 15 10:31:41.591: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
*Jan 15 10:31:41.591: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 10:31:41.591: IKEv2:(SESSION ID = 17,SA ID = 1):Processing AnyConnect EAP CERT response
*Jan 15 10:31:41.591: IKEv2:AnyConnect EAP received type : 0 and length : 845, outof : 849
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Verification of peer's authentication data FAILED
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Sending authentication failure notify
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 3
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Auth exchange failed
*Jan 15 10:31:41.592: IKEv2-ERROR:(SESSION ID = 17,SA ID = 1):: Auth exchange failed
*Jan 15 10:31:41.593: IKEv2:(SESSION ID = 17,SA ID = 1):Abort exchange
*Jan 15 10:31:41.593: IKEv2:(SESSION ID = 17,SA ID = 1):Deleting SA
*Jan 15 10:31:41.593: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 15 10:31:41.593: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jan 15 10:31:41.594: IKEv2-ERROR:Address type 2147505527 not supported
*Jan 15 10:31:41.594: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
*Jan 15 10:31:41.594: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST
*Jan 15 10:31:41.594: IKEv2-ERROR:Address type 1122716611 not supported
*Jan 15 10:31:41.594: IKEv2-ERROR:: A supplied parameter is incorrect
Any suggestion as to what is wrong?
01-15-2024 08:24 AM
This is the last one - cert only
crypto pki trustpoint tp
enrollment terminal
fqdn vpn-cert.home
subject-name cn=vpn-cert.home,OU=IT
subject-alt-name vpn-cert.home
revocation-check crl none
crypto pki certificate map cisco 1
subject-name co desktop-j6mo89s
!
crypto ikev2 profile default
match identity remote key-id *$AnyConnectClient$*
match certificate cisco
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint tp
aaa authorization group cert list AUTHOR ikev2-auth-policy
virtual-template 100
01-15-2024 08:28 AM
match identity remote key-id *$AnyConnectClient$*
Remove this, no need for it.
MHM
01-15-2024 08:31 AM
Seems like it is needed, as it is the default key-id for AnyConnect. Without it I am getting:
*Jan 15 16:29:50.211: IKEv2:(SESSION ID = 48,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
*Jan 15 16:29:50.211: IKEv2-ERROR:% IKEv2 profile not found
01-15-2024 08:40 AM
@HermanAkv you need the remote key ID if using AnyConnect-EAP authentication method, you don't need it if you are just doing certificate authentication - your AnyConnect XML profile would need changing to reflect which authentication method you are using.
When you are attempting to perform AnyConnect-EAP have you configured the XML profile to use "EAP-AnyConnect"? Your previous XML configuration is using "IKE-RSA", although I am not sure if you changed that when you were testing certificate only authentication.
01-15-2024 08:51 AM
Sorry, my mistake, you are right. I did change the AnyConnect profile, but in the wrong folder. So here is the new error:
*Jan 15 16:49:41.471: IKEv2:Received Packet [From 172.30.1.166:57764/To 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 142DAECE15DB7591 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)
*Jan 15 16:49:41.472: IKEv2:(SESSION ID = 51,SA ID = 1):Verify SA init message
*Jan 15 16:49:41.472: IKEv2:(SESSION ID = 51,SA ID = 1):Insert SA
*Jan 15 16:49:41.472: IKEv2:Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 16:49:41.472: IKEv2:Using the Default Policy for Proposal
*Jan 15 16:49:41.472: IKEv2:Found Policy 'default'
*Jan 15 16:49:41.472: IKEv2:(SESSION ID = 51,SA ID = 1):Processing IKE_SA_INIT message
*Jan 15 16:49:41.474: IKEv2:(SESSION ID = 51,SA ID = 1):Received valid config mode data
*Jan 15 16:49:41.474: IKEv2:(SESSION ID = 51,SA ID = 1):Config data recieved:
*Jan 15 16:49:41.474: IKEv2:(SESSION ID = 51,SA ID = 1):Config-type: Config-request
*Jan 15 16:49:41.474: IKEv2:(SESSION ID = 51,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
*Jan 15 16:49:41.474: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Jan 15 16:49:41.474: IKEv2:(SESSION ID = 51,SA ID = 1):Set received config mode data
*Jan 15 16:49:41.474: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 16:49:41.474: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp-ec' 'tp2' 'tp' 'SLA-TrustPoint'
*Jan 15 16:49:41.474: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 16:49:41.474: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 16:49:41.474: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 15 16:49:41.475: CRYPTO_PKI: (A0036) Session started - identity not specified
*Jan 15 16:49:41.475: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 15 16:49:41.475: IKEv2:(SESSION ID = 51,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jan 15 16:49:41.475: IKEv2:(SESSION ID = 51,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 16:49:41.475: IKEv2:(SESSION ID = 51,SA ID = 1):Request queued for computation of DH key
*Jan 15 16:49:41.475: IKEv2:(SESSION ID = 51,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jan 15 16:49:41.479: IKEv2:(SESSION ID = 51,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 16:49:41.479: IKEv2:(SESSION ID = 51,SA ID = 1):Request queued for computation of DH secret
*Jan 15 16:49:41.479: IKEv2:(SESSION ID = 51,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 15 16:49:41.479: IKEv2:(SESSION ID = 51,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 15 16:49:41.479: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 15 16:49:41.479: IKEv2:(SESSION ID = 51,SA ID = 1):Generating IKE_SA_INIT message
*Jan 15 16:49:41.479: IKEv2:(SESSION ID = 51,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA384 SHA384 DH_GROUP_256_ECP/Group 19
*Jan 15 16:49:41.479: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 16:49:41.479: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp-ec' 'tp2' 'tp' 'SLA-TrustPoint'
*Jan 15 16:49:41.480: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 16:49:41.480: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 16:49:41.480: IKEv2:(SESSION ID = 51,SA ID = 1):Sending Packet [To 172.30.1.166:57764/From 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 142DAECE15DB7591 - Responder SPI : D70042C5E0E5AB15 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Jan 15 16:49:41.481: IKEv2:(SESSION ID = 51,SA ID = 1):Completed SA init exchange
*Jan 15 16:49:41.481: IKEv2:(SESSION ID = 51,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 15 16:49:41.481: IKEv2:(SESSION ID = 51,SA ID = 1):Retransmitting packet
*Jan 15 16:49:41.481: IKEv2:(SESSION ID = 51,SA ID = 1):Sending Packet [To 172.30.1.166:57764/From 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 142DAECE15DB7591 - Responder SPI : D70042C5E0E5AB15 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Jan 15 16:49:41.482: IKEv2:(SESSION ID = 51,SA ID = 1):Packet is a retransmission
*Jan 15 16:49:41.483: IKEv2-ERROR:Address type 1979468739 not supported
*Jan 15 16:49:41.483: IKEv2-ERROR:: Packet is a retransmission
*Jan 15 16:50:11.481: IKEv2-ERROR:(SESSION ID = 51,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
*Jan 15 16:50:11.481: IKEv2:(SESSION ID = 51,SA ID = 1):Auth exchange failed
*Jan 15 16:50:11.481: IKEv2-ERROR:(SESSION ID = 51,SA ID = 1):: Auth exchange failed
*Jan 15 16:50:11.481: IKEv2:(SESSION ID = 51,SA ID = 1):Abort exchange
*Jan 15 16:50:11.481: IKEv2:(SESSION ID = 51,SA ID = 1):Deleting SA
*Jan 15 16:50:11.481: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 15 16:50:11.482: CRYPTO_PKI: Rcvd request to end PKI session A0036.
*Jan 15 16:50:11.482: CRYPTO_PKI: PKI session A0036 has ended. Freeing all resources.
*Jan 15 16:50:11.482: CRYPTO_PKI: PKI session A0000 has ended. Freeing all resources completed
*Jan 15 16:50:11.482: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
01-15-2024 08:40 AM
I would enable debugs instead of following multiple requests to modify a configuration that was good from the very beginning, because in both cases, with or without aggregate auth, client certificate authentication failed for some unknown reason. Something like:
debug crypto pki validation
debug crypto pki transactions
HTH
01-15-2024 08:48 AM
We removed the key ID and made profile selection only via cert, and it failed.
For now, make the map match eq CN=<your PC CN name>
then check again.
MHM
01-15-2024 09:04 AM
Yes, right. Config is without any key-id and with
crypto pki certificate map cisco 1
subject-name co cn = desktop-j6mo89s
but no luck.
01-15-2024 09:12 AM
subject-name eq cn = desktop-j6mo89s
This is needed.
thanks
MHM
01-15-2024 09:20 AM
Same error.
01-15-2024 09:27 AM
#show crypto pki certificate verbose
Did you use EKU for the router cert?
MHM
01-15-2024 09:39 AM
Yes, correct.
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 220FE9085181200E
Certificate Usage: General Purpose
Issuer:
cn=CA.home
ou=CA
o=home
Subject:
Name: vpn-cert.home
IP Address: 10.3.3.2
hostname=vpn-cert.home
cn=vpn-cert.home
ou=IT
o=vpn-cert.home
Validity Date:
start date: 18:32:00 CET Jan 15 2024
end date: 18:32:00 CET Jan 1 2025
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: B43A7329 EEA94F7E 416F7C4A 6E00D3B7
Fingerprint SHA1: C9BFC35B E5FFA0E1 4235750D 2800E564 34E87BD4
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Alternative Name:
IP Address : 10.3.3.2
OtherNames :
Authority Info Access:
Extended Key Usage:
Server Auth
Cert install time: 17:34:06 CET Jan 15 2024
Associated Trustpoints: tp
Key Label: vpn-cert.home
Key storage device: private config
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 7428A90B015D3E82
Certificate Usage: Signature
Issuer:
cn=CA.home
ou=CA
o=home
Subject:
cn=CA.home
ou=CA
o=home
Validity Date:
start date: 14:01:00 CET Jan 8 2024
end date: 08:19:00 CET Jan 4 2025
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (4096 bit)
Signature Algorithm: SHA384 with RSA Encryption
Fingerprint MD5: B0014A83 9B71623B D9306634 5F43DFD2
Fingerprint SHA1: A5748573 0F0A08AB FAFC4E74 75CF342F C3D9953B
X509v3 extensions:
X509v3 Key Usage: 8C000000
Digital Signature
Key Agreement
Key Cert Sign
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Cert install time: 17:01:39 CET Jan 15 2024
Associated Trustpoints: tp
Storage: nvram:CAhome#3E82CA.cer
01-15-2024 10:28 PM
Maybe I am wrong, but did you add the tp CA to the client?
From the log, the VPN server (router) sends a request asking for the client cert AFTER it sends its own cert.
So can you check this point?
thanks
MHM
01-15-2024 11:38 PM
Yes, I do. I have it under Trusted Root Certification Authorities.
01-17-2024 05:09 AM
Problem solved. The issue was with the desktop cert, which didn't have its private key available. Now everything is working as it should: the user is authenticated locally and with the cert as well.
@MHM Cisco World and @Rob Ingram thank you so so much for your help!
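Added example, not part of the thread and not Cisco's or any participant's code: a PowerShell check run on the Windows AnyConnect client for the conditions this thread converged on. It walks the user's personal certificate store and reports, per certificate, whether a private key is present (the root cause here), whether the Client Authentication EKU is set, whether the issuing CA is in a trusted root store (the question raised about the tp CA), and whether the cert is within its validity dates. The subject filter 'desktop-j6mo89s' is taken from the cert map in the thread; the store paths, the client-auth OID check and the issuer-to-root matching by DN string are assumptions about a typical Windows client, not anything the thread states.

```powershell
# Added example: client-side pre-checks for an IKEv2 certificate-authenticated AnyConnect session.
# Assumption: the user's personal store (Cert:\CurrentUser\My) holds the client cert;
# a machine cert would live in Cert:\LocalMachine\My instead.

$SubjectFilter = 'desktop-j6mo89s'      # assumption: the desktop CN used in the thread's cert map
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'    # id-kp-clientAuth

function Test-AnyConnectClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    # Collect EKU OID values rather than friendly names, so the check is locale-independent.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Assumption: the issuer is "trusted" if a root-store certificate's Subject string equals
    # this certificate's Issuer string (both are produced by the same .NET DN formatter).
    $trustedIssuer = Get-ChildItem -Path Cert:\CurrentUser\Root, Cert:\LocalMachine\Root -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -eq $Cert.Issuer } |
        Select-Object -First 1

    $now = Get-Date
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        # Per RFC 5280, a missing EKU extension means the key is not restricted to any purpose.
        HasClientAuth = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $ClientAuthOid)
        IssuerTrusted = [bool]$trustedIssuer
        InValidity    = ($now -ge $Cert.NotBefore) -and ($now -le $Cert.NotAfter)
    }
}

$results = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -like "*CN=$SubjectFilter*" } |
    ForEach-Object { Test-AnyConnectClientCert -Cert $_ }

if (-not $results) {
    Write-Warning "No certificate with CN '$SubjectFilter' found in Cert:\CurrentUser\My"
}

foreach ($r in $results) {
    $r | Format-List
    if (-not $r.HasPrivateKey) {
        # This is the condition the thread ended on: without the key the client cannot sign
        # its IKE_AUTH data, and the router reports the peer's authentication as FAILED.
        Write-Warning "$($r.Thumbprint): no private key; re-import the certificate together with its key (PKCS#12), not the .cer alone."
    }
    if (-not $r.IssuerTrusted) {
        Write-Warning "$($r.Thumbprint): issuer '$($r.Issuer)' not present in a trusted root store."
    }
    if (-not $r.InValidity) {
        Write-Warning "$($r.Thumbprint): certificate is outside its validity period."
    }
}
```

Run it in the user's own session (the CurrentUser store is per-user). A certificate that shows HasPrivateKey = False is exactly the symptom the thread resolved; in that state the router-side debug will still show its own signing PASSED and then "Verification of peer's authentication data FAILED", because the failure is on the client's side of the exchange.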