05-07-2015 04:37 AM - edited 02-21-2020 08:13 PM
Hello,
I'm having trouble getting certificate-based FlexVPN with AnyConnect running.
In the IKEv2 debugs I see the following output:
*May 6 06:31:58.411: IKEv2:(SESSION ID = 42,SA ID = 1):Verify peer's authentication data
*May 6 06:31:58.411: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 6 06:31:58.411: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 6 06:31:58.411: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
*May 6 06:31:58.412: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*May 6 06:31:58.412: IKEv2:(SESSION ID = 42,SA ID = 1):Processing INITIAL_CONTACT
*May 6 06:31:58.413: IKEv2:(SESSION ID = 42,SA ID = 1):Received valid config mode data
*May 6 06:31:58.413: IKEv2:Config data recieved:
*May 6 06:31:58.413: Config-type: Config-request
*May 6 06:31:58.413: Attrib type: ipv4-addr, length: 0
*May 6 06:31:58.413: Attrib type: ipv4-netmask, length: 0
*May 6 06:31:58.413: Attrib type: ipv4-dns, length: 0
*May 6 06:31:58.413: Attrib type: ipv4-nbns, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: app-version, length: 28, data: AnyConnect Windows 3.1.05187
*May 6 06:31:58.413: Attrib type: ipv6-addr, length: 0
*May 6 06:31:58.413: Attrib type: ipv4-subnet, length: 0
*May 6 06:31:58.413: Attrib type: ipv6-dns, length: 0
*May 6 06:31:58.413: Attrib type: ipv6-subnet, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 6, data: 0x540x650x730x740x500x43
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: banner, length: 0
*May 6 06:31:58.413: Attrib type: smartcard-removal-disconnect, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 2, data: 0x5 0x66
*May 6 06:31:58.413: Attrib type: def-domain, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: split-dns, length: 0
*May 6 06:31:58.413: Attrib type: pfs, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 4, data: 0xFFFFFFC00xFFFFFFA80x5E0xFFFFFF80
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 4, data: 0xFFFFFFC00xFFFFFFA80x5E0xFFFFFF8B
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 0
*May 6 06:31:58.413: Attrib type: unknown, length: 2, data: 0x5 0xFFFFFFBC
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:(SESSION ID = 42,SA ID = 1):Error in settig received config mode data
*May 6 06:31:58.414: IKEv2:(SESSION ID = 42,SA ID = 1):Auth exchange failed
*May 6 06:31:58.414: IKEv2:(SESSION ID = 42,SA ID = 1):: Auth exchange failed
Config is as follows:
crypto pki certificate map CMAP 10
issuer-name co xyz.lab
!
crypto pki certificate chain CLIENT
certificate 02
certificate ca 01
!
username cisco password 0 cisco
!
crypto ikev2 name-mangler AC
dn organization
!
!
crypto ikev2 authorization policy AC
pool AC
!
crypto ikev2 proposal AC
encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
integrity sha1
group 5 2
!
crypto ikev2 policy AC
match fvrf any
proposal AC
!
!
crypto ikev2 profile AC
match certificate CMAP
identity local address a.b.c.d
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CLIENT
aaa authorization group eap list RA-AUTHZ-LIST-1 AC
virtual-template 1
!
no crypto ikev2 http-url cert
!
!
ip ssh source-interface Ethernet0/1
ip ssh version 1
!
!
!
crypto ipsec transform-set AC esp-3des esp-sha256-hmac
mode tunnel
!
crypto ipsec profile AC
set transform-set AC
set ikev2-profile AC
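A small triage helper for the debug output above, added here as an example and not code from the post or from Cisco: it pulls the cfg-req attributes out of the IOS IKEv2 debug, masks the sign-extended byte dump (0xFFFFFFC0 and friends) back into plain bytes so the client hostname and candidate client addresses become readable, and separates the per-attribute "unsupported attrib" lines from the "Error in settig received config mode data" line that actually ends the exchange. The sample lines are a constructed, trimmed copy of the post's debug, and the assumed 0x%-2x print format is inferred from how the values appear.

```python
import re
from ipaddress import IPv4Address
# Constructed sample: a trimmed copy of the debug lines quoted in the post above.
SAMPLE_DEBUG = """\
*May 6 06:31:58.413: Attrib type: ipv4-addr, length: 0
*May 6 06:31:58.413: Attrib type: app-version, length: 28, data: AnyConnect Windows 3.1.05187
*May 6 06:31:58.413: Attrib type: unknown, length: 6, data: 0x540x650x730x740x500x43
*May 6 06:31:58.413: Attrib type: unknown, length: 2, data: 0x5 0x66
*May 6 06:31:58.413: Attrib type: unknown, length: 4, data: 0xFFFFFFC00xFFFFFFA80x5E0xFFFFFF80
*May 6 06:31:58.413: Attrib type: unknown, length: 4, data: 0xFFFFFFC00xFFFFFFA80x5E0xFFFFFF8B
*May 6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May 6 06:31:58.414: IKEv2:(SESSION ID = 42,SA ID = 1):Error in settig received config mode data
"""

ATTRIB_RE = re.compile(r"Attrib type: (?P<name>[\w-]+), length: (?P<len>\d+)(?:, data: (?P<data>.*))?$")
# Assumption: IOS prints each data byte as 0x%-2x (one or two hex digits, left-justified in a
# width-2 field) and sign-extends bytes >= 0x80 to 0xFFFFFFxx; the regex masks that back to a byte.
BYTE_RE = re.compile(r"0x(?:FFFFFF)?([0-9A-Fa-f]{1,2})")

def decode_bytes(data):
    # Turn the IOS hex dump back into the raw attribute bytes.
    return bytes(int(h, 16) for h in BYTE_RE.findall(data))

def describe(raw, length):
    # Render an attribute value in the most readable form the bytes justify.
    if not raw.startswith("0x"):
        return raw                          # empty, or IOS already printed it as text
    b = decode_bytes(raw)
    if len(b) != length:
        return f"undecodable ({raw})"       # the format assumption did not hold
    if length == 4:
        return str(IPv4Address(b))          # four bytes: most likely an IPv4 address
    if all(32 <= c < 127 for c in b):
        return b.decode("ascii")            # printable: a hostname-like string
    return b.hex()

def parse_cfg_request(text):
    # Return (attributes, rejected_unknown_count, config_mode_failed) for one cfg-req debug.
    attribs, rejected, failed = [], 0, False
    for line in text.splitlines():
        m = ATTRIB_RE.search(line.rstrip())
        if m:
            length = int(m["len"])
            attribs.append((m["name"], length, describe(m["data"] or "", length)))
        elif "unsupported attrib" in line:
            rejected += 1
        elif "Error in settig received config mode data" in line:
            failed = True
    return attribs, rejected, failed
```

Run it over a full "debug crypto ikev2" capture to get the client's hostname and addresses in one glance and to see whether the exchange died at config-mode data or earlier.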
02-03-2021 05:45 AM
Did you solve this one?