01-15-2024 02:43 AM
Hi there,
I am trying to get FlexVPN AnyConnect-EAP with local authentication working using both user and certificate authentication. If I use only local user authentication it works, but I am not able to get the certificate part working. I keep getting this error:
IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
I am using a CSR 1100, with Cisco AnyConnect on the client side.
Here is my crypto config:
aaa new-model
!
!
aaa authentication login AUTHEN local
aaa authorization network AUTHOR local
!
crypto pki trustpoint tp
enrollment terminal
fqdn vpn-cert.home
subject-name cn=vpn-cert.home,OU=IT
subject-alt-name vpn-cert.home
revocation-check crl
!
!
!
crypto pki certificate map cisco 1
subject-name co desktop-j6mo89s
!
!
crypto ikev2 authorization policy ikev2-auth-policy
pool ACPOOL
dns 172.16.1.1
netmask 255.255.255.0
!
!
!
!
crypto ikev2 profile default
match identity remote key-id *$AnyConnectClient$*
match identity remote address 0.0.0.0
match certificate cisco
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
authentication remote anyconnect-eap aggregate cert-request
pki trustpoint tp
aaa authentication anyconnect-eap AUTHEN
aaa authorization group cert list AUTHOR ikev2-auth-policy
aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy
virtual-template 100
anyconnect profile acvpn
!
no crypto ikev2 http-url cert
!
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback100
ip mtu 1400
tunnel mode ipsec ipv4
tunnel protection ipsec profile default
!
ip local pool ACPOOL 172.16.10.10 172.16.10.20
Client cert attached. Output of show crypto pki cert:
Certificate
Status: Available
Certificate Serial Number (hex): 1A148C52941C61EC
Certificate Usage: General Purpose
Issuer:
cn=CA.home
ou=CA
o=home
Subject:
Name: vpn-cert.home
hostname=vpn-cert.home
cn=vpn-cert.home
ou=IT
Validity Date:
start date: 11:00:00 CET Jan 15 2024
end date: 08:19:00 CET Jan 4 2025
Associated Trustpoints: tp
CA Certificate
Status: Available
Certificate Serial Number (hex): 7428A90B015D3E82
Certificate Usage: Signature
Issuer:
cn=CA.home
ou=CA
o=home
Subject:
cn=CA.home
ou=CA
o=home
Validity Date:
start date: 14:01:00 CET Jan 8 2024
end date: 08:19:00 CET Jan 4 2025
Associated Trustpoints: tp
Storage: nvram:CAhome#3E82CA.cer
And the debug crypto ikev2:
*Jan 15 10:31:41.516: IKEv2:Received Packet [From 172.30.1.166:49395/To 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)
*Jan 15 10:31:41.516: IKEv2:(SESSION ID = 17,SA ID = 1):Verify SA init message
*Jan 15 10:31:41.516: IKEv2:(SESSION ID = 17,SA ID = 1):Insert SA
*Jan 15 10:31:41.517: IKEv2:Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 10:31:41.517: IKEv2:Using the Default Policy for Proposal
*Jan 15 10:31:41.517: IKEv2:Found Policy 'default'
*Jan 15 10:31:41.517: IKEv2:(SESSION ID = 17,SA ID = 1):Processing IKE_SA_INIT message
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Received valid config mode data
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Config data recieved:
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Config-type: Config-request
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Attrib type: unknown, length: 2, data: 0x2 0x40
*Jan 15 10:31:41.519: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
*Jan 15 10:31:41.519: IKEv2:(SESSION ID = 17,SA ID = 1):Set received config mode data
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp' 'SLA-TrustPoint'
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 10:31:41.519: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 15 10:31:41.520: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 15 10:31:41.520: IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Jan 15 10:31:41.521: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 10:31:41.521: IKEv2:(SESSION ID = 17,SA ID = 1):Request queued for computation of DH key
*Jan 15 10:31:41.521: IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):Request queued for computation of DH secret
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 15 10:31:41.525: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):Generating IKE_SA_INIT message
*Jan 15 10:31:41.525: IKEv2:(SESSION ID = 17,SA ID = 1):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA384 SHA384 DH_GROUP_256_ECP/Group 19
*Jan 15 10:31:41.525: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 15 10:31:41.525: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'tp' 'SLA-TrustPoint'
*Jan 15 10:31:41.526: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 15 10:31:41.526: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 15 10:31:41.526: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49395/From 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Completed SA init exchange
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Retransmitting packet
*Jan 15 10:31:41.527: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49395/From 10.3.3.2:500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Jan 15 10:31:41.528: IKEv2:(SESSION ID = 17,SA ID = 1):Packet is a retransmission
*Jan 15 10:31:41.529: IKEv2-ERROR:Address type 1979468739 not supported
*Jan 15 10:31:41.529: IKEv2-ERROR:: Packet is a retransmission
*Jan 15 10:31:41.543: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) OA OA NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Checking NAT discovery
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):NAT OUTSIDE found
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):NAT detected float to init port 49396, resp port 4500
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
*Jan 15 10:31:41.544: IKEv2:found matching IKEv2 profile 'default'
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Searching Policy with fvrf 0, local address 10.3.3.2
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):Using the Default Policy for Proposal
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Found Policy 'default'
*Jan 15 10:31:41.545: IKEv2:not a VPN-SIP session
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Verify peer's policy
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Peer's policy verified
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Jan 15 10:31:41.545: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint tp
*Jan 15 10:31:41.545: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jan 15 10:31:41.545: IKEv2:(SESSION ID = 17,SA ID = 1):Check for EAP exchange
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Check for EAP exchange
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Generate my authentication data
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Get my authentication method
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):My authentication method is 'RSA'
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):Sign authentication data
*Jan 15 10:31:41.546: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
*Jan 15 10:31:41.546: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
*Jan 15 10:31:41.546: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
*Jan 15 10:31:41.572: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Jan 15 10:31:41.572: IKEv2-ERROR:Address type 2850704323 not supported
*Jan 15 10:31:41.573: IKEv2-ERROR:: Negotiation context locked currently in use
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Authentication material has been sucessfully signed
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Generating AnyConnect EAP request
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'hello' request
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Constructing IDr payload: 'hostname=vpn-cert.home,cn=vpn-cert.home,ou=IT' of type 'DER ASN1 DN'
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr CERT CERT AUTH EAP
*Jan 15 10:31:41.574: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 15 10:31:41.575: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (90 sec) to wait for auth message
*Jan 15 10:31:41.585: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 2
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Processing AnyConnect EAP response
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Checking for Dual Auth
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Generating AnyConnect EAP CERT request
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'cert-request'
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for encryption.
Payload contents:
EAP
*Jan 15 10:31:41.587: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 15 10:31:41.588: IKEv2:(SESSION ID = 17,SA ID = 1):Starting timer (90 sec) to wait for auth message
*Jan 15 10:31:41.588: IKEv2:(SESSION ID = 17,SA ID = 1):Retransmitting packet
*Jan 15 10:31:41.588: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 15 10:31:41.589: IKEv2:(SESSION ID = 17,SA ID = 1):Restarting timer for 90 seconds to wait for auth message
*Jan 15 10:31:41.589: IKEv2:(SESSION ID = 17,SA ID = 1):Packet is a retransmission
*Jan 15 10:31:41.589: IKEv2-ERROR:Address type 1979468739 not supported
*Jan 15 10:31:41.589: IKEv2-ERROR:: Packet is a retransmission
*Jan 15 10:31:41.591: IKEv2:(SESSION ID = 17,SA ID = 1):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
*Jan 15 10:31:41.591: IKEv2:(SESSION ID = 17,SA ID = 1):Stopping timer to wait for auth message
*Jan 15 10:31:41.591: IKEv2:(SESSION ID = 17,SA ID = 1):Processing AnyConnect EAP CERT response
*Jan 15 10:31:41.591: IKEv2:AnyConnect EAP received type : 0 and length : 845, outof : 849
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Verification of peer's authentication data FAILED
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Sending authentication failure notify
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Sending Packet [To 172.30.1.166:49396/From 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 3
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Auth exchange failed
*Jan 15 10:31:41.592: IKEv2-ERROR:(SESSION ID = 17,SA ID = 1):: Auth exchange failed
*Jan 15 10:31:41.593: IKEv2:(SESSION ID = 17,SA ID = 1):Abort exchange
*Jan 15 10:31:41.593: IKEv2:(SESSION ID = 17,SA ID = 1):Deleting SA
*Jan 15 10:31:41.593: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jan 15 10:31:41.593: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jan 15 10:31:41.594: IKEv2-ERROR:Address type 2147505527 not supported
*Jan 15 10:31:41.594: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
*Jan 15 10:31:41.594: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 172.30.1.166:49396/To 10.3.3.2:4500/VRF i0:f0]
Initiator SPI : 6D81EBD51739F27D - Responder SPI : 036905425ED84FF9 Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST
*Jan 15 10:31:41.594: IKEv2-ERROR:Address type 1122716611 not supported
*Jan 15 10:31:41.594: IKEv2-ERROR:: A supplied parameter is incorrect
Any suggestion as to what is wrong?
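In the debug above, the "Couldn't find matching SA" line only appears after "Deleting SA", when a retransmission hits an SA that no longer exists; the decisive line is the earlier "Verification of peer's authentication data FAILED" that follows the AnyConnect EAP cert-request exchange. As an added example (not part of this thread), the Python triage script below pulls exactly those facts out of a "debug crypto ikev2" capture; the sample lines are copied from the post, and the regexes are my assumptions about the IOS-XE debug line format.

```python
import re

# Constructed sample: a subset of the debug lines from the post above.
SAMPLE_DEBUG = """\
*Jan 15 10:31:41.516: IKEv2:Received Packet [From 172.30.1.166:49395/To 10.3.3.2:500/VRF i0:f0]
*Jan 15 10:31:41.544: IKEv2:(SESSION ID = 17,SA ID = 1):NAT detected float to init port 49396, resp port 4500
*Jan 15 10:31:41.544: IKEv2:found matching IKEv2 profile 'default'
*Jan 15 10:31:41.546: IKEv2:(SESSION ID = 17,SA ID = 1):My authentication method is 'RSA'
*Jan 15 10:31:41.573: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'hello' request
*Jan 15 10:31:41.586: IKEv2:(SESSION ID = 17,SA ID = 1):Sending AnyConnect EAP 'cert-request'
*Jan 15 10:31:41.592: IKEv2:(SESSION ID = 17,SA ID = 1):Verification of peer's authentication data FAILED
*Jan 15 10:31:41.593: IKEv2:(SESSION ID = 17,SA ID = 1):Deleting SA
*Jan 15 10:31:41.594: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
*Jan 15 10:31:41.594: IKEv2-ERROR:: A supplied parameter is incorrect
"""

# Assumed line shape: "*<timestamp>: IKEv2[-ERROR]:[(SESSION ID = n,SA ID = n):]<message>"
LINE_RE = re.compile(r"^\*(?P<ts>\w{3} +\d+ [\d:.]+): IKEv2(?P<err>-ERROR)?:(?P<body>.*)$")
CTX_RE = re.compile(r"^\((?:SESSION ID = \d+,)?SA ID = \d+\):+\s*")
PEER_RE = re.compile(r"Received Packet \[From (?P<peer>[\d.]+:\d+)/To (?P<local>[\d.]+:\d+)")

def triage(debug_text):
    """Summarise one IKEv2 session: peer, NAT, profile, auth steps and the
    first hard failure, separating errors logged after the SA was deleted."""
    summary = {"peer": None, "local": None, "nat": False, "profile": None,
               "auth_method": None, "eap_steps": [], "root_cause": None,
               "post_delete_errors": []}
    sa_deleted = False
    for raw in debug_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # SPI / payload listing lines carry no verdict
        body = CTX_RE.sub("", m.group("body")).lstrip(": ").strip()
        if (p := PEER_RE.search(body)) and summary["peer"] is None:
            summary["peer"], summary["local"] = p.group("peer"), p.group("local")
        elif body.startswith("NAT detected"):
            summary["nat"] = True
        elif (p := re.match(r"found matching IKEv2 profile '(.+)'", body)):
            summary["profile"] = p.group(1)
        elif (p := re.match(r"My authentication method is '(.+)'", body)):
            summary["auth_method"] = p.group(1)
        elif (p := re.match(r"Sending AnyConnect EAP '([^']+)'", body)):
            summary["eap_steps"].append(p.group(1))
        elif body.endswith("FAILED") and summary["root_cause"] is None:
            summary["root_cause"] = body  # first real failure, not the SPI noise
        elif body == "Deleting SA":
            sa_deleted = True
        elif m.group("err") and sa_deleted:
            summary["post_delete_errors"].append(body)  # consequences, not causes
    return summary
```

Run it over a full capture and read root_cause first; anything in post_delete_errors is fallout from the teardown.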
01-17-2024 06:08 AM
Happy news in the end,
glad the issue was solved in the end,
and I hope my suggestion helped you here.
Please, can you share the last working config?
Thanks again,
have a nice day.
MHM
01-18-2024 02:36 AM
@MHM Cisco World your suggestions were very useful, thank you once again. The working config is the very same as the one I posted at the beginning, with just one line added in the trustpoint config (your suggestion):
revocation-check crl none