FlexVPN AnyConnect-EAP: the certificate on the secure gateway is invalid

I configured FlexVPN AnyConnect-EAP following this guide:

FlexVPN: AnyConnect IKEv2 Remote Access with AnyConnect-EAP

I did the configuration on 3 ASR 1001 routers running IOS XE 3.16S.

I enabled BypassDownloader and disabled Captive Portal Detection in the profile and in AnyConnectLocalPolicy.xml. But when I try to connect with the AnyConnect Secure Mobility Client, Router 1 is OK, but Router 2 and Router 3 have a problem: "The certificate on the secure gateway is invalid. A VPN connection will not be established"

I debugged on the 2 routers and the configuration is not the problem, but the client tried to connect to the router through HTTP and HTTPS (Router 1 does not see that):

 4534 97.712816 192.168.1.21 10.10.10.21 TCP 66 [TCP Out-Of-Order] 50548 → 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1260 WS=4 SACK_PERM=1


Any help would be appreciated.

Thanks,
Phan

2 Replies

Hi,
The FlexVPN server needs to authenticate itself to the clients, so if you are getting invalid certificate errors, I'd look there.
I assume the routers have a valid identity certificate and root certificate authenticated and enrolled?
What is the output of "show crypto pki certificates" on the router it does not work on?
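To make "valid" concrete for the certificate check the reply above points at: a VPN client rejects a gateway certificate when it does not chain to a CA the client trusts, when it is outside its validity period or not usable for server authentication, or when the name or IP the client actually connected to is not in the certificate's subjectAltName. The script below is an added example, not part of this thread or of Cisco's documentation, and it does not reproduce AnyConnect's own code; it uses the openssl command line as a stand-in for the client's X.509 path validation. Every CA, router name and IP address in it is constructed test material, and the "lab-ca" trust anchor stands in for a router-hosted IOS CA server.

```shell
#!/bin/sh
# Added example: reproduce with openssl the checks a client applies to a
# gateway certificate: (1) chains to a trusted CA, (2) inside its validity
# period and usable as an SSL/IKE server cert, (3) the name or IP dialled by
# the client appears in the SAN. All names, IPs and CAs are constructed.
set -e
WORK=$(mktemp -d)

# make_ca NAME: self-signed CA; stands in for a router-hosted IOS CA server.
make_ca() {
  cat > "$WORK/$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORK/$1.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert ROUTER CA SAN: identity certificate for ROUTER signed by CA, with
# the given subjectAltName list, e.g. "IP:10.10.10.11,DNS:router1.lab.example".
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/$2.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# diagnose CERT TARGET: TARGET is what the user typed into the client (DNS name
# or IP). Prints the first check that fails: "chain", "name", or "ok".
diagnose() {
  case $2 in
    *[!0-9.]*) namecheck="-verify_hostname $2" ;;
    *)         namecheck="-verify_ip $2" ;;
  esac
  # chain of trust, validity period and server purpose (EKU / keyUsage)
  openssl verify -CAfile "$WORK/lab-ca.crt" -purpose sslserver "$1" >/dev/null 2>&1 \
    || { echo chain; return 0; }
  # the same, plus the SAN must contain the name or IP actually dialled
  openssl verify -CAfile "$WORK/lab-ca.crt" -purpose sslserver $namecheck "$1" >/dev/null 2>&1 \
    || { echo name; return 0; }
  echo ok
}

# san_of CERT: the SAN line, i.e. the field to compare with what the client dials
san_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
    | tail -n 1 | sed 's/^ *//'
}

make_ca lab-ca      # the CA the client trusts
make_ca other-ca    # a second CA the client has never been told about
issue_cert router1 lab-ca   "IP:10.10.10.11,DNS:router1.lab.example"
issue_cert router2 lab-ca   "DNS:router2.lab.example"   # no IP entry in SAN
issue_cert router3 other-ca "IP:10.10.10.31"            # signed by the wrong CA

for r in router1 router2 router3; do
  echo "$r SAN: $(san_of "$WORK/$r.crt")"
done
echo "router1 by IP   -> $(diagnose "$WORK/router1.crt" 10.10.10.11)"          # ok
echo "router2 by IP   -> $(diagnose "$WORK/router2.crt" 10.10.10.21)"          # name
echo "router2 by name -> $(diagnose "$WORK/router2.crt" router2.lab.example)"  # ok
echo "router3 by IP   -> $(diagnose "$WORK/router3.crt" 10.10.10.31)"          # chain
```

The two failure shapes are the ones worth comparing against `show crypto pki certificates` on each router: router3 enrolled with a CA the client does not hold (chain), and router2 carrying a certificate whose SAN lists only a DNS name while the client dials the IP (name). Note that `diagnose` accepts router2 when dialled by its DNS name, so the same certificate can be valid from one client profile and invalid from another.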

Hi RJI, thanks for the reply.
I used my colleague's account for this discussion. This is my account.
So on all routers I did the commands as you said: I created a CA server on my router and the trustpoint, and I ran the commands crypto pki authenticate trustpoint and crypto pki enroll trustpoint. It's OK. I thought that my CA server and trustpoint had a problem, so I did it again, and again. I think there is no problem with the CA because, as you can see in the IKEv2 debug file, it passed; after IKEv2 is done, the client tries to connect to HTTPS and HTTP on the router, the same as when I enable Captive Portal Detection in the profile. I guessed I had a problem with multiple profiles and the AnyConnect policy on the client not taking effect. But I tested on a mobile device and another PC, and it's still there.
Phan.