11-20-2020 06:02 AM - edited 11-22-2020 10:51 AM
Hi,
I have been trying to set up AnyConnect IPsec with IKEv2 without an external RADIUS server, but without success.
ISR4221 will be acting as GW for users as well as IOS-CA (to enroll certs).
Cert has been imported under personal cert on client.
EKU is activated.
Config in attached file + debug.
Thanks for your help.
Solved! Go to Solution.
11-20-2020 06:26 AM
Authentication is failing, it looks like your computer has another user certificate (with what looks to be your real name and fqdn) this is sent to the router, which is why it's failing, as it is issued by another untrusted CA. Try configuring the AnyConnect profile, use the profile editor to specify the certificate or disable automatic certificate selection.
HTH
11-20-2020 06:37 AM
Hi Rob, thanks for quick reply!
Cert for PC was issued by internal IOS-CA and was exported as .pfx file.
Regarding AnyConnect profile - I don't have AnyConnect profile but I used following template:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">
  <ServerList>
    <HostEntry>
      <HostName>Router-Hostname</HostName>
      <HostAddress>PUBLIC_IP_ADDRESS</HostAddress>
      <PrimaryProtocol>IPsec
        <StandardAuthenticationOnly>true
          <AuthMethodDuringIKENegotiation>IKE-RSA</AuthMethodDuringIKENegotiation>
        </StandardAuthenticationOnly>
      </PrimaryProtocol>
    </HostEntry>
  </ServerList>
</AnyConnectProfile>
11-20-2020 06:42 AM
Sure I understand that, have a look in your debug for the line starting - "Nov 19 10:43:15.562: CRYPTO_PKI: found UPN as .........." - your machine is attempting to use that certificate to authenticate with rather than the one you want.
11-20-2020 06:55 AM
You're right - I have tested multiple certs and that's why this line appeared.
How to force using only one certificate under XML profile?
11-22-2020 10:52 AM
Issue was with my PC. I used other computer and client was able to connect.