FlexVPN - RAS Anyconnect with Certificates

Andreas Gruber
Level 1

Hello,

I'm having trouble getting certificate-based FlexVPN with AnyConnect running.

In the IKEv2 debugs I see the following output:

*May  6 06:31:58.411: IKEv2:(SESSION ID = 42,SA ID = 1):Verify peer's authentication data
*May  6 06:31:58.411: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May  6 06:31:58.411: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May  6 06:31:58.411: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
*May  6 06:31:58.412: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*May  6 06:31:58.412: IKEv2:(SESSION ID = 42,SA ID = 1):Processing INITIAL_CONTACT
*May  6 06:31:58.413: IKEv2:(SESSION ID = 42,SA ID = 1):Received valid config mode data
*May  6 06:31:58.413: IKEv2:Config data recieved:
*May  6 06:31:58.413: Config-type: Config-request
*May  6 06:31:58.413: Attrib type: ipv4-addr, length: 0
*May  6 06:31:58.413: Attrib type: ipv4-netmask, length: 0
*May  6 06:31:58.413: Attrib type: ipv4-dns, length: 0
*May  6 06:31:58.413: Attrib type: ipv4-nbns, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: app-version, length: 28, data: AnyConnect Windows 3.1.05187
*May  6 06:31:58.413: Attrib type: ipv6-addr, length: 0
*May  6 06:31:58.413: Attrib type: ipv4-subnet, length: 0
*May  6 06:31:58.413: Attrib type: ipv6-dns, length: 0
*May  6 06:31:58.413: Attrib type: ipv6-subnet, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 6, data: 0x540x650x730x740x500x43
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: banner, length: 0
*May  6 06:31:58.413: Attrib type: smartcard-removal-disconnect, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 2, data: 0x5 0x66
*May  6 06:31:58.413: Attrib type: def-domain, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: split-dns, length: 0
*May  6 06:31:58.413: Attrib type: pfs, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 4, data: 0xFFFFFFC00xFFFFFFA80x5E0xFFFFFF80
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 4, data: 0xFFFFFFC00xFFFFFFA80x5E0xFFFFFF8B
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 0
*May  6 06:31:58.413: Attrib type: unknown, length: 2, data: 0x5 0xFFFFFFBC
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:(SESSION ID = 42,SA ID = 1):Error in settig received config mode data
*May  6 06:31:58.414: IKEv2:(SESSION ID = 42,SA ID = 1):Auth exchange failed
*May  6 06:31:58.414: IKEv2:(SESSION ID = 42,SA ID = 1):: Auth exchange failed

Config is as follows:

crypto pki certificate map CMAP 10
 issuer-name co xyz.lab
!
crypto pki certificate chain CLIENT
 certificate 02
 certificate ca 01
!
username cisco password 0 cisco
!
crypto ikev2 name-mangler AC
 dn organization
!
!
crypto ikev2 authorization policy AC
 pool AC
!
crypto ikev2 proposal AC
 encryption aes-cbc-128 aes-cbc-192 aes-cbc-256
 integrity sha1
 group 5 2
!
crypto ikev2 policy AC
 match fvrf any
 proposal AC
!
!
crypto ikev2 profile AC
 match certificate CMAP
 identity local address a.b.c.d
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CLIENT
 aaa authorization group eap list RA-AUTHZ-LIST-1 AC
 virtual-template 1
!
no crypto ikev2 http-url cert
!
!
ip ssh source-interface Ethernet0/1
ip ssh version 1
!
!
!
crypto ipsec transform-set AC esp-3des esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile AC
 set transform-set AC
 set ikev2-profile AC
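
As an added example (not part of the original post), a small Python triage helper for the debug and profile above: it condenses the cfg-req dump into the facts that matter (the peer's certificate signature verified, so the failure happens while applying config-mode data, not during authentication) and checks the posted profile for one thing worth verifying with certificate-authenticated peers. IOS applies "aaa authorization group eap ..." only to EAP-authenticated peers, so an rsa-sig peer needs the "cert" form of that line to receive the authorization policy and its pool. The sample inputs are trimmed copies of the post's own debug and profile; that the authorization line is the cause of this particular failure is an assumption, not something the thread confirms.

```python
import re
# Constructed sample: a trimmed subset of the debug lines quoted in the post above.
DEBUG_SAMPLE = """\
*May  6 06:31:58.412: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
*May  6 06:31:58.413: Attrib type: ipv4-addr, length: 0
*May  6 06:31:58.413: Attrib type: ipv4-dns, length: 0
*May  6 06:31:58.413: Attrib type: app-version, length: 28, data: AnyConnect Windows 3.1.05187
*May  6 06:31:58.413: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
*May  6 06:31:58.414: IKEv2:(SESSION ID = 42,SA ID = 1):Error in settig received config mode data
*May  6 06:31:58.414: IKEv2:(SESSION ID = 42,SA ID = 1):Auth exchange failed
"""
# Constructed sample: the ikev2 profile exactly as posted ('eap' authorization, rsa-sig peers).
PROFILE_SAMPLE = """\
crypto ikev2 profile AC
 match certificate CMAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CLIENT
 aaa authorization group eap list RA-AUTHZ-LIST-1 AC
 virtual-template 1
"""
ATTRIB_RE = re.compile(r"Attrib type: ([\w-]+), length: \d+(?:, data: (.*))?")
def summarize_debug(text):
    """Condense the cfg-req dump into the facts a triage needs."""
    s = {"signature_ok": False, "requested": [], "app_version": None,
         "unsupported": 0, "config_mode_error": False, "auth_failed": False}
    for line in text.splitlines():
        m = ATTRIB_RE.search(line)
        if "signed authentication data PASSED" in line:   # peer cert signature verified
            s["signature_ok"] = True
        elif m and m.group(1) == "app-version":
            s["app_version"] = m.group(2)
        elif m and m.group(1) != "unknown":               # attributes IOS can name
            s["requested"].append(m.group(1))
        elif "unsupported attrib" in line:                # attributes IOS reports as unsupported
            s["unsupported"] += 1
        elif "Error in" in line and "config mode data" in line:
            s["config_mode_error"] = True
        elif "Auth exchange failed" in line:
            s["auth_failed"] = True
    return s

def check_cert_authorization(profile):
    """IOS applies 'aaa authorization group eap ...' only to EAP-authenticated peers;
    an rsa-sig peer needs the 'cert' form to receive a policy (and so a pool)."""
    remote_cert = re.search(r"^\s*authentication remote rsa-sig", profile, re.M)
    cert_authz = re.search(r"^\s*aaa authorization group (override )?cert\b", profile, re.M)
    if remote_cert and not cert_authz:
        return ["remote rsa-sig but no 'aaa authorization group cert' line: no policy, no pool"]
    return []
```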

 

 

1 Reply

Co4chSummEr
Level 1

Did you solve this one?