12-19-2023 09:03 AM
Hello all,
I'm trying to set up my ISR4321 running IOS XE 17.03.05 as a FlexVPN-server for Remote Access (RA) with various clients (Windows 10, Apple's iOS, Android, no AnyConnect), based on ikev2, without using client-side certificates. My current production-setup is based on a 1921, acting as a L2TP/IPSec-server, which I would like to upgrade. Unfortunately, I'm running into quite some issues.
My first issue is with the certification-side of things. If I understood correctly, a certificate is required on at least the VPN-server side. I'm struggling with creating and/or importing the certificate.
Can someone please point me in the right direction regarding the certification-side of things?
Thank you!
Kind regards,
Johan
12-19-2023 09:20 AM
@johankrug yes you need a certificate configured for "local" authentication on the router. Which CA certificate signed that certificate on the router then needs to be imported into the certificate store on the computers.
What is your CA that has signed the router's certificate?
You could use these guides - https://www.cisco.com/c/en/us/support/docs/security/flexvpn/220471-configure-flexvpn-ikev2-for-windows-buil.html
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115755-flexvpn-ike-eap-00.html
12-19-2023 10:28 AM
Hello Rob,
Thank you for your swift reply!
I followed this guide for the creation of a certificate. I guess that makes my certificate not signed by a CA.
Since on the clients (Windows, Apple iOS, etc), there's an option for authentication using username/password, I figured that it would be possible to use FlexVPN without client certificates, is that a wrong assumption?
I used snippets from those guides to configure my ikev2profile. However, the Windows 10 built-in client (based on username/password sign-in) tells me "IKE authentication credentials are unacceptable", which points to an error in the certificate used if I understood correctly. The log, however, tells me "Getting of cert chain for the trustpoint PASSED". However, it also tells me "Verification of peer's authentication data FAILED".
Any idea where this goes wrong?
Thanks!
12-19-2023 10:35 AM - edited 01-01-2024 12:13 PM
MHM
12-19-2023 10:36 AM
@johankrug if you followed that guide, then that provides instructions on how to create the root certificate and an identity certificate for the router. That same root certificate that must be imported to the router (as well as the signed client certificate) must be imported into the client devices. The client devices can be configured to use EAP (username and password). Provide your configuration if you require further assistance.
12-19-2023 11:21 AM - edited 12-19-2023 11:22 AM
If you can shed some light on my config, that'd be great!
!
! Last configuration change at 19:19:04 UTC Tue Dec 19 2023
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput level boost
!
hostname Diamond
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
aaa new-model
!
!
aaa authentication login AAA_AUTHENTICATION_LOGIN local
aaa authorization network AAA_AUTHORIZATION_NETWORK local
!
!
aaa attribute list attr-list1
attribute type interface-config "ip mtu 1100"
attribute type interface-config "tunnel key 10"
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name cinderella.local
ip dhcp excluded-address 10.17.123.0 10.17.123.100
!
ip dhcp pool LAN
network 10.17.123.0 255.255.255.0
default-router 10.17.123.1
dns-server 10.0.10.10
lease 20
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
no device-tracking logging theft
!
!
!
crypto pki server CA
no database archive
grant auto
hash sha1
eku server-auth client-auth
!
crypto pki trustpoint ecdh
enrollment terminal
revocation-check none
eckeypair Diamond.cinderella.local
!
crypto pki trustpoint TP-self-signed-1843133077
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1843133077
revocation-check none
rsakeypair TP-self-signed-1843133077
!
crypto pki trustpoint VPN_TP
enrollment terminal
serial-number none
fqdn CSR2.lab.net
ip-address none
subject-name cn=CSR2.lab.net,o=Default Company Ltd,ou=HQ,st=Zuid-Holland,c=NL
subject-alt-name CSR2.lab.net
revocation-check none
rsakeypair VPN_KEY
!
!
!
crypto pki certificate map certmap1 1
subject-name co cisco
!
crypto pki certificate map CERT_MAP 5
issuer-name co lab-pki-ca
!
crypto pki certificate chain ecdh
crypto pki certificate chain TP-self-signed-1843133077
crypto pki certificate chain VPN_TP
certificate 1002
quit
certificate ca 00
quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
no license feature hseck9
license udi pid ISR4321/K9 sn FDO193916ND
license boot suite AdvUCSuiteK9
memory free low-watermark processor 69063
!
!
!
!
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
et-analytics
!
username cisco123 password 0 cisco123
username johan privilege 15 secret 9 <secret>
!
redundancy
mode none
!
crypto ikev2 authorization policy ikev2-auth-policy
pool ACPOOL
dns 10.0.1.1
!
crypto ikev2 authorization policy windows-authorisation
ipv6 pool VPN-2
pool default
dns 192.168.100.20 192.168.102.133
def-domain my-domain.local
pfs
route set interface
!
crypto ikev2 authorization policy author-policy1
pool pool1
dhcp server 192.168.4.1
dhcp giaddr 192.168.1.1
dhcp timeout 10
dns 10.1.1.1 10.1.1.2
wins 192.168.1.2 192.168.1.3
netmask 255.0.0.0
banner C flexvpn server
configuration url http://www.abc.com
configuration version 10
def-domain abc.com
split-dns dns1
split-dns dns2
split-dns dns3
backup-gateway gw1
backup-gateway gw2
backup-gateway gw3
smartcard-removal-disconnect
include-local-lan
pfs
aaa attribute list attr-list1
route set access-list acl1
!
crypto ikev2 proposal FlexVPN
encryption aes-cbc-128 aes-cbc-256 aes-cbc-192
integrity sha256
group 19
crypto ikev2 proposal HIGH
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 19
crypto ikev2 proposal LOW
encryption aes-cbc-128 3des
integrity sha1 md5
group 5 2
crypto ikev2 proposal MEDIUM
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha256 sha1
group 16 14
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-128
prf sha256
integrity sha1
group 19
!
crypto ikev2 policy ikev2policy
match fvrf any
proposal HIGH
proposal MEDIUM
proposal LOW
!
crypto ikev2 keyring WTI
peer cisco
description example.com
address 0.0.0.0 0.0.0.0
pre-shared-key xyz-key
!
!
!
crypto ikev2 profile ikev2profile
match identity remote address 10.0.10.0 255.255.255.0
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPN_TP
aaa authentication anyconnect-eap a-eap-authen-local
aaa authorization group cert list winclient winclient_author
virtual-template 1
!
!
!
!
!
class-map type inspect match-any accept
description Default, match-all
match access-group name accept4
class-map type inspect match-any outbound
description Traffic bound for Internet
match access-group name internet4
class-map type inspect match-all dns-inbound
match access-group name dns-in
class-map type inspect match-all ICMP-cmap
match access-group name ICMP
class-map type inspect match-all WAN-WWWaccess
match access-group name WAN-WWWAccess
class-map type inspect match-all DHCP-outbound
match access-group name dhcp-out
class-map type inspect match-all DHCP-inbound
match access-group name dhcp-in
class-map type inspect match-all IPSEC-cmap
match access-group name ISAKMP_IPSEC
!
policy-map type inspect router-services
class type inspect ICMP-cmap
pass
class type inspect IPSEC-cmap
inspect
class type inspect DHCP-inbound
pass
class type inspect dns-inbound
inspect
class class-default
drop
policy-map type inspect accept
description Accept all (pass)
class type inspect accept
pass
class class-default
drop log
policy-map type inspect router
description Traffic originating from the router
class type inspect DHCP-outbound
pass
class type inspect accept
inspect
class class-default
drop
policy-map type inspect outbound
description Traffic bound for Internet
class type inspect outbound
inspect
class class-default
drop
policy-map type inspect LAN-services
class type inspect ICMP-cmap
inspect
class type inspect WAN-WWWaccess
inspect
class class-default
drop log
!
zone security LAN
description Local Area Network
zone security WAN
description Wide Area Network (Internet)
zone security VPN
description VPN remote
zone security DMZ
description DMZ services
zone-pair security LAN-Router source LAN destination self
service-policy type inspect accept
zone-pair security LAN-VPN source LAN destination VPN
service-policy type inspect accept
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect outbound
zone-pair security Router-LAN source self destination LAN
service-policy type inspect accept
zone-pair security Router-VPN source self destination VPN
service-policy type inspect accept
zone-pair security Router-WAN source self destination WAN
service-policy type inspect router
zone-pair security VPN-LAN source VPN destination LAN
service-policy type inspect accept
zone-pair security VPN-Router source VPN destination self
service-policy type inspect accept
zone-pair security VPN-WAN source VPN destination WAN
service-policy type inspect outbound
zone-pair security WAN-LAN source WAN destination LAN
service-policy type inspect LAN-services
zone-pair security WAN-Router source WAN destination self
service-policy type inspect router-services
zone-pair security WAN-VPN source WAN destination VPN
service-policy type inspect router-services
!
!
!
!
!
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group group1
key cisco123
pool group1pool
save-password
crypto isakmp profile vpn1-ra
match identity group group1
client authentication list local_list
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile test-vti1
set transform-set VTI-TS
!
!
crypto map cmap 10 ipsec-isakmp
set peer 166.130.98.152
set security-association lifetime seconds 86400
set transform-set TS
set ikev2-profile ikev2profile
match address SITE1-SITE2-CACL
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 10.0.10.60 255.255.255.0
ip nat outside
negotiation auto
crypto map cmap
!
interface GigabitEthernet0/0/1
ip address 10.17.123.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
ip local pool group1pool 192.168.1.1 192.168.1.4
ip local pool ACPOOL 192.168.10.5 192.168.10.10
ip http server
ip http authentication local
no ip http secure-server
ip http secure-trustpoint Diamond-CA
ip forward-protocol nd
ip tftp source-interface GigabitEthernet0/0/0
ip nat inside source static tcp 10.17.123.10 3389 interface GigabitEthernet0/0/0 3389
ip nat inside source static udp 10.17.123.10 3389 interface GigabitEthernet0/0/0 3389
ip nat inside source static tcp 10.17.123.10 5001 interface GigabitEthernet0/0/0 5001
ip nat inside source list DYNAMIC-NAT interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.10.10
ip route 0.0.0.0 0.0.0.0 172.18.143.1
!
!
ip access-list extended DYNAMIC-NAT
10 permit ip 10.17.123.0 0.0.0.255 any
ip access-list extended ICMP
10 permit icmp any any echo
20 permit icmp any any echo-reply
30 permit icmp any any traceroute
ip access-list extended ISAKMP_IPSEC
10 permit udp any any eq isakmp
20 permit ahp any any
30 permit esp any any
40 permit udp any any eq non500-isakmp
50 permit udp any any eq 1701
ip access-list extended SITE1-SITE2-CACL
10 permit ip 192.168.50.0 0.0.0.255 172.19.0.0 0.0.0.255
ip access-list extended WAN-WWWAccess
10 permit tcp any host 10.17.123.10 eq 3389
20 permit udp any host 10.17.123.10 eq 3389
30 permit tcp any host 10.17.123.10 eq 5001
ip access-list extended accept4
10 remark 0**************************0
10 remark 0* Default IPv4 allow all *1
10 remark 0**************************2
10 permit ip any any
ip access-list extended dhcp-in
10 permit udp any any eq bootpc
20 permit udp any any eq bootps
ip access-list extended dhcp-out
10 permit udp any any eq bootps
ip access-list extended dns-in
10 permit tcp any any eq domain
ip access-list extended internet4
10 remark 0************************0
10 remark 0* Allowed IPv4 traffic *1
10 remark 0************************2
10 permit ip 10.17.0.0 0.0.255.255 any
20 deny ip any any
!
!
!
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
transport input ssh
line vty 5 30
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
ntp master 7
ntp server 185.51.192.61 prefer source GigabitEthernet0/0/0
!
!
!
!
!
!
end
Thanks again,
Johan
12-19-2023 11:56 AM - edited 12-20-2023 12:54 AM
<double post>
12-19-2023 11:59 AM
Where is "virtual-template 1" configuration?
You have configured your IKEV2 profile to reference a method list called "winclient" and an authorisation policy called "winclient_author", neither exist in your configuration.
And the IKEV2 profile is configured for rsa (cert) remote authentication, I thought you wanted to use un/pwd authentication?
I would look to start again and reconfigure from scratch and confirm you haven't missed anything else.
12-19-2023 12:20 PM
Yes, things got messy with trying out various configurations. Indeed it would be good to start from scratch.
I have to say that I'm still somewhat vague on the certificate-side of things. As MHM replied, I only need a certificate on the router-side. However, you stated that I need to import them on the clients as well. Am I right in stating that this depends on the configuration of the "authentication local" and "authentication remote" settings? When set "authentication remote rsa-sig", the VPN-server expects a signed certificate?
12-19-2023 12:30 PM
@johankrug you should import only the root certificate to the client machines to ensure mutual trust and avoid errors, this is so the server (router) authenticates itself to the client. This is "authentication local rsa" under the IKEv2 profile.
For the client authentication then this refers to "authentication remote eap....." under the IKEv2 profile.
Here are all the cisco FlexVPN guides - https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
12-20-2023 05:56 AM - edited 12-20-2023 05:56 AM
Thank you. A bit less vague now.
Following your advice, I started from scratch. Imported the p12-certificate which I created using the tutorial I linked earlier, and applied various bits and pieces to my config:
aaa new-model
!
!
aaa authentication login a-eap-authen-local local
aaa authorization network a-eap-author-grp local
!
crypto pki trustpoint IKEv2-TP
enrollment pkcs12
revocation-check crl
rsakeypair IKEv2-TP
!
crypto pki certificate chain IKEv2-TP
certificate 1001
<certificate here>
quit
!
username test password 0 cisco123
!
crypto ikev2 authorization policy ikev2-auth-policy
pool ACPOOL
dns 10.0.1.1
route set access-list split_tunnel
!
crypto ikev2 proposal HIGH
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 19
crypto ikev2 proposal IKEv2-prop1
encryption aes-cbc-256
integrity sha256
group 14
crypto ikev2 proposal LOW
encryption aes-cbc-128 3des
integrity sha1 md5
group 5 2
crypto ikev2 proposal MEDIUM
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha256 sha1
group 16 14
!
crypto ikev2 policy IKEv2-pol
proposal IKEv2-prop1
proposal HIGH
proposal MEDIUM
proposal LOW
!
!
crypto ikev2 profile AnyConnect-EAP
match identity remote address 10.0.10.0 255.255.255.0
authentication local rsa-sig
authentication remote eap query-identity
pki trustpoint IKEv2-TP
aaa authentication eap a-eap-authen-local
aaa authorization group eap list a-eap-author-grp ikev2-auth-policy
aaa authorization user eap cached
virtual-template 100
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile AnyConnect-EAP
set transform-set TS
set ikev2-profile AnyConnect-EAP
!
interface Virtual-Template100 type tunnel
ip unnumbered Loopback100
ip mtu 1400
ip nat inside
tunnel mode ipsec ipv4
tunnel protection ipsec profile AnyConnect-EAP
!
I got a bit more luck now when connecting:
*Dec 20 13:45:07.038: IKEv2:(SESSION ID = 38,SA ID = 11):Get my authentication method
*Dec 20 13:45:07.038: IKEv2:(SESSION ID = 38,SA ID = 11):My authentication method is 'RSA'
*Dec 20 13:45:07.038: IKEv2:(SESSION ID = 38,SA ID = 11):Sign authentication data
*Dec 20 13:45:07.038: IKEv2:(SA ID = 11):[IKEv2 -> PKI] Getting private key
*Dec 20 13:45:07.039: IKEv2:(SA ID = 11):[PKI -> IKEv2] Getting of private key PASSED
*Dec 20 13:45:07.039: IKEv2:(SA ID = 11):[IKEv2 -> Crypto Engine] Sign authentication data
*Dec 20 13:45:07.075: IKEv2:(SA ID = 11):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
*Dec 20 13:45:07.075: IKEv2:(SESSION ID = 38,SA ID = 11):Authentication material has been sucessfully signed
Unfortunately, no luck with authentication:
*Dec 20 13:45:07.075: IKEv2:(SESSION ID = 38,SA ID = 11):Asking the authenticator to send EAP request
*Dec 20 13:45:07.076: IKEv2-ERROR:Address type 2147516386 not supported
*Dec 20 13:45:07.076: IKEv2:Received response from authenticator
*Dec 20 13:45:07.076: IKEv2:(SESSION ID = 38,SA ID = 11):Generating EAP request
*Dec 20 13:45:07.076: IKEv2:(SESSION ID = 38,SA ID = 11):Constructing IDr payload: '10.0.10.60' of type 'IPv4 address'
*Dec 20 13:45:07.076: IKEv2:(SESSION ID = 38,SA ID = 11):Building packet for encryption.
Payload contents:
VID IDr CERT CERT AUTH EAP
*Dec 20 13:45:07.077: IKEv2:(SESSION ID = 38,SA ID = 11):Sending Packet [To 10.0.10.120:4500/From 10.0.10.60:4500/VRF i0:f0]
Initiator SPI : 53E45F01EC2C9E19 - Responder SPI : AABF97489360DD96 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Dec 20 13:45:07.078: IKEv2:(SESSION ID = 38,SA ID = 11):Starting timer (90 sec) to wait for auth message
*Dec 20 13:45:16.865: IKEv2-ERROR:(SESSION ID = 37,SA ID = 10):: Failed to receive the AUTH msg before the timer expired
*Dec 20 13:45:16.865: IKEv2:(SESSION ID = 37,SA ID = 10):Verification of peer's authentication data FAILED
*Dec 20 13:45:16.865: IKEv2:(SESSION ID = 37,SA ID = 10):Sending authentication failure notify
*Dec 20 13:45:16.866: IKEv2:(SESSION ID = 37,SA ID = 10):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
*Dec 20 13:45:16.866: IKEv2:(SESSION ID = 37,SA ID = 10):Sending Packet [To 10.0.10.120:4500/From 10.0.10.60:4500/VRF i0:f0]
Initiator SPI : A4AAD3E0B72A538A - Responder SPI : 4AF2ED494B9811EE Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Dec 20 13:45:16.866: IKEv2:(SESSION ID = 37,SA ID = 10):Auth exchange failed
*Dec 20 13:45:16.866: IKEv2-ERROR:(SESSION ID = 37,SA ID = 10):: Auth exchange failed
It seems like this has something to do with the line "authentication remote eap..." in my profile. I tried "authentication remote eap query-identity" and "authentication remote eap", but the latter gives me errors on "Cannot use IP address as EAP identity".
I'm really struggling with finding guides/tutorials/configuration examples online. It seems like this is quite an unusual configuration, am I right?
Thanks again!
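The debug output in the post above interleaves two IKEv2 SAs (SA ID 10 from the earlier attempt, SA ID 11 from the new one), which makes it easy to read the session-37 timeout as a failure of the session-38 exchange. The following Python, added here as an example and not part of the thread, groups the lines by SA ID and lists each SA's error lines; the sample input is copied from the post.

```python
"""Group IOS XE IKEv2 debug output by SA ID and summarise each SA's
authentication outcome.  Added example for this thread, not Cisco code;
the log-line layout is the one visible in the post above."""
import re
from collections import defaultdict

# Sample lines copied from the debug output posted above (two interleaved SAs).
SAMPLE_LOG = """\
*Dec 20 13:45:07.038: IKEv2:(SESSION ID = 38,SA ID = 11):Get my authentication method
*Dec 20 13:45:07.038: IKEv2:(SESSION ID = 38,SA ID = 11):My authentication method is 'RSA'
*Dec 20 13:45:07.039: IKEv2:(SA ID = 11):[PKI -> IKEv2] Getting of private key PASSED
*Dec 20 13:45:07.075: IKEv2:(SESSION ID = 38,SA ID = 11):Asking the authenticator to send EAP request
*Dec 20 13:45:07.076: IKEv2-ERROR:Address type 2147516386 not supported
*Dec 20 13:45:07.076: IKEv2:(SESSION ID = 38,SA ID = 11):Constructing IDr payload: '10.0.10.60' of type 'IPv4 address'
*Dec 20 13:45:07.076: IKEv2:(SESSION ID = 38,SA ID = 11):Building packet for encryption.
Payload contents:
VID IDr CERT CERT AUTH EAP
*Dec 20 13:45:07.078: IKEv2:(SESSION ID = 38,SA ID = 11):Starting timer (90 sec) to wait for auth message
*Dec 20 13:45:16.865: IKEv2-ERROR:(SESSION ID = 37,SA ID = 10):: Failed to receive the AUTH msg before the timer expired
*Dec 20 13:45:16.865: IKEv2:(SESSION ID = 37,SA ID = 10):Verification of peer's authentication data FAILED
*Dec 20 13:45:16.865: IKEv2:(SESSION ID = 37,SA ID = 10):Sending authentication failure notify
*Dec 20 13:45:16.866: IKEv2:(SESSION ID = 37,SA ID = 10):Auth exchange failed
*Dec 20 13:45:16.866: IKEv2-ERROR:(SESSION ID = 37,SA ID = 10):: Auth exchange failed
"""

# One timestamped debug line.  The "(SESSION ID = n,SA ID = m)" block is
# optional, and SESSION ID is optional inside it; IKEv2-ERROR lines that do
# carry an SA use a double colon before the message.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<src>IKEv2(?:-ERROR)?):"
    r"(?:\((?:SESSION ID = (?P<sess>\d+),)?SA ID = (?P<sa>\d+)\))?"
    r":*\s*(?P<msg>.*)$"
)


def parse_ikev2_debug(text):
    """Return {sa_id: {"session": int|None, "events": [(ts, src, msg), ...]}}.

    Untimestamped lines (payload listings, SPI lines) are continuation output
    and are filed under the most recently seen SA with ts/src = None.  A
    timestamped line with no SA ID at all is filed under the key None so it
    is never silently attributed to a neighbouring SA.
    """
    sessions = defaultdict(lambda: {"session": None, "events": []})
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m is None:
            if raw.strip():
                sessions[current]["events"].append((None, None, raw.strip()))
            continue
        current = int(m["sa"]) if m["sa"] else None
        rec = sessions[current]
        if m["sess"]:
            rec["session"] = int(m["sess"])
        rec["events"].append((m["ts"], m["src"], m["msg"]))
    return dict(sessions)


def summarise(sessions):
    """Reduce parsed output to one outcome per SA ID.

    An SA is FAILED when an IKEv2-ERROR line or a message containing
    'FAILED' was filed under it; otherwise 'no failure logged'.  In the sample
    SA 11 has only started its 90-second AUTH timer; the timeout and the
    FAILED lines belong to the earlier SA 10.
    """
    summary = {}
    for sa, rec in sessions.items():
        errors = [msg for _ts, src, msg in rec["events"]
                  if src == "IKEv2-ERROR" or "FAILED" in msg]
        summary[sa] = {
            "session": rec["session"],
            "outcome": "FAILED" if errors else "no failure logged",
            "errors": errors,
        }
    return summary


def report(summary):
    """Render the summary as plain text, one SA per block, unattributed last."""
    lines = []
    for sa in sorted(summary, key=lambda k: (k is None, k or 0)):
        rec = summary[sa]
        label = "unattributed" if sa is None else f"SA {sa} (session {rec['session']})"
        lines.append(f"{label}: {rec['outcome']}")
        lines.extend(f"    {e}" for e in rec["errors"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(parse_ikev2_debug(SAMPLE_LOG))))
```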
12-20-2023 06:06 AM
@johankrug from memory local database authentication on older IOS versions was not initially supported, you might need 16.x, which your 1921 won't support. If not using local database authentication you can use RADIUS or local certificates.
Better still use an ASA or FTD for remote access VPN, there is much better support and community knowledge than FlexVPN RAVPN.
12-20-2023 06:15 AM
I'm trying to make this config work on my ISR4321 running IOS XE 17.03.05. Should be relatively new in terms of supported features, hence my wish to move to an IKEv2 VPN-server-config.
Plan B would be to move to ASA but I was hoping to make it work on the router...
12-20-2023 06:22 AM
@johankrug as you are using the windows native supplicant read the section on the windows client https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-cfg-flex-serv-0.html
12-21-2023 01:42 AM
Alright. So, if I understand correctly, "query-identity" is to be set, which queries the identity of the client. However, Windows replies with its IP-address and this is not a valid identity, so the authentication fails. When "query-identity" is not set, the identity won't be sent by Windows so the server will never know the identity and authentication fails. This is indeed the behaviour I'm experiencing.
Is there no way around this? Does that mean that IOS-XE 17.x is simply not compatible with the Windows ikev2-client?