Looking for help with an L2TP VPN config using certificates along with a Windows 10 native client. I have been using a Windows native L2TP setup with pre-shared keys for a long while, and so that part works. The Windows machines are domain joined and have computer/machine certificates issued by my Windows CA. The Cisco is enrolled with the Windows CA.
As best I can tell, the processing gets to the point that the client certificate has been authenticated by the Cisco and it has created the ISAKMP SA. The Cisco's cert is then sent to the Windows client, and that's when things break down. The cert on the Cisco has a Key Usage of "Digital Signature, Key Encipherment (a0)" and an EKU of Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), IP security IKE intermediate (1.3.6.1.5.5.8.2.2).
On the Windows machine I see the following logged to the Security event log:
Failure Information:
Failure Point: Local computer
Failure Reason: New policy invalidated SAs formed with old policy
Despite many hours of searching, I've not been able to find a good L2TP/certificates/Windows config example; happy to be pointed to one or any relevant doc. My Cisco: ISR4431 running 16.12.07.
-mick
The failure part of my logs:
736348: May 24 08:46:50.780 PDT: ISAKMP: (23049):Choosing trustpoint xxxxxx.com as issuer
736349: May 24 08:46:50.780 PDT: ISAKMP: (23049):IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 192.168.120.45)
736350: May 24 08:46:50.781 PDT: ISAKMP: (23049):PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 192.168.120.45)
736351: May 24 08:46:50.781 PDT: ISAKMP: (23049):IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 192.168.120.45)
736352: May 24 08:46:50.782 PDT: ISAKMP: (23049):PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 192.168.120.45)
736353: May 24 08:46:50.782 PDT: ISAKMP-ERROR: (23049):My ID configured as IPv4 Addr, but Addr not in Cert!
736354: May 24 08:46:50.782 PDT: ISAKMP-ERROR: (23049):Using FQDN as My ID
736355: May 24 08:46:50.783 PDT: ISAKMP: (23049):SA is doing
736356: May 24 08:46:50.783 PDT: ISAKMP: (23049):RSA signature authentication using id type ID_FQDN
736357: May 24 08:46:50.783 PDT: ISAKMP: (23049):ID payload
next-payload : 6
type : 2
736358: May 24 08:46:50.783 PDT: ISAKMP: (23049): FQDN name : cisco.xxxxx.com
736359: May 24 08:46:50.783 PDT: ISAKMP: (23049): protocol : 17
port : 500
length : 27
736360: May 24 08:46:50.783 PDT: ISAKMP: (23049):Total payload length: 27
736361: May 24 08:46:50.783 PDT: ISAKMP: (23049):IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 192.168.120.45)
736362: May 24 08:46:50.785 PDT: ISAKMP: (23049):PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 192.168.120.45)
736363: May 24 08:46:50.786 PDT: ISAKMP: (23049):constructing CERT payload for hostname=cisco.xxxxx.com
736364: May 24 08:46:50.786 PDT: ISAKMP: (0):growing send buffer from 1024 to 3072
736365: May 24 08:46:50.786 PDT: ISAKMP: (23049):using the xxxxxx.com trustpoint's keypair to sign
736366: May 24 08:46:50.790 PDT: ISAKMP-PAK: (23049):sending packet to 192.168.120.45 my_port 500 peer_port 500 (R) MM_KEY_EXCH
736367: May 24 08:46:50.790 PDT: ISAKMP: (23049):Sending an IKE IPv4 Packet.
736368: May 24 08:46:50.790 PDT: ISAKMP: (23049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
736369: May 24 08:46:50.790 PDT: ISAKMP: (23049):Old State = IKE_R_MM5 New State = IKE_R_MM5
736370: May 24 08:46:50.791 PDT: ISAKMP: (23049):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_ATTR
736371: May 24 08:46:50.791 PDT: ISAKMP: (23049):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
736372: May 24 08:46:50.791 PDT: ISAKMP: (23049):IKE->PKI End PKI Session state (R) QM_IDLE (peer 192.168.120.45)
736373: May 24 08:46:50.791 PDT: ISAKMP: (23049):PKI->IKE Ended PKI session state (R) QM_IDLE (peer 192.168.120.45)
736374: May 24 08:46:50.791 PDT: ISAKMP: (23049):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
736375: May 24 08:46:50.791 PDT: ISAKMP: (23049):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
736376: May 24 08:46:51.764 PDT: ISAKMP-PAK: (23049):received packet from 192.168.120.45 dport 500 sport 500 Global (R) QM_IDLE
736377: May 24 08:46:51.765 PDT: ISAKMP: (23049):phase 1 packet is a duplicate of a previous packet.
And things repeat from this point.
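An added diagnostic for the Windows side (example code written for this thread, not from the original post, Cisco or Microsoft). It reads a certificate (the router's cert exported as a .cer file, or, with no path given, every machine certificate in the local store) and reports the three things the ISAKMP debug above turns on: the Key Usage, whether the EKU carries IP security IKE intermediate (1.3.6.1.5.5.8.2.2), and whether the identity the router sends (ID_FQDN cisco.xxxxx.com in the debug, after it found no IPv4 address in its cert) appears in the Subject Alternative Name or the Subject CN. It then pulls the latest IPsec Main Mode failure events from the Security log so the "Failure Point / Failure Reason" pair can be read next to the remote address. The file path, the expected ID, the SAN line format from `Format($true)` and the event IDs 4652/4653 are assumptions for this example.

```powershell
# Added example, not part of the original post or any vendor tooling.
param(
    [string]$CertPath,                        # assumed: path to an exported router cert, e.g. C:\temp\router.cer
    [string]$ExpectedId = 'cisco.xxxxx.com'   # the ID_FQDN value from the ISAKMP debug
)

$ikeIntermediateOid = '1.3.6.1.5.5.8.2.2'   # "IP security IKE intermediate"
$serverAuthOid      = '1.3.6.1.5.5.7.3.1'   # "Server Authentication"
$sanOid             = '2.5.29.17'           # Subject Alternative Name

function Get-IkeCertReport {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedId
    )

    $ku  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }

    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Assumption: Format($true) renders SAN one entry per line, e.g. "DNS Name=cisco.xxxxx.com"
    # or "IP Address=192.168.120.1"; keep only the value on the right of the first "=".
    $sanValues = @()
    if ($san) {
        $sanValues = @($san.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '=' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }

    [pscustomobject]@{
        Subject            = $Cert.Subject
        NotAfter           = $Cert.NotAfter
        KeyUsage           = if ($ku) { $ku.KeyUsages.ToString() } else { '(none)' }
        HasIkeIntermediate = $ekuOids -contains $ikeIntermediateOid
        HasServerAuth      = $ekuOids -contains $serverAuthOid
        SanEntries         = $sanValues
        IdInSan            = $sanValues -contains $ExpectedId
        IdInSubjectCn      = [bool]($Cert.Subject -match ('CN=' + [regex]::Escape($ExpectedId) + '(,|$)'))
    }
}

if ($CertPath) {
    # Exported router cert: this is what the Windows client validates in MM5/MM6.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    Get-IkeCertReport -Cert $cert -ExpectedId $ExpectedId | Format-List
} else {
    # No path: report on the local machine store, where the native client picks its own cert.
    Get-ChildItem Cert:\LocalMachine\My |
        ForEach-Object { Get-IkeCertReport -Cert $_ -ExpectedId $ExpectedId } |
        Format-List
}

# Most recent IPsec Main Mode failures. Assumption: the "Failure Point / Failure Reason"
# entry quoted in the post is event 4653 (4652 covers earlier-stage Main Mode failures);
# both need "Audit IPsec Main Mode" enabled, otherwise nothing is returned.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4652, 4653 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lines = $_.Message -split "`r?`n" |
            Where-Object { $_ -match '^\s*(Failure Point|Failure Reason|Remote Network Address|Remote Address):' } |
            ForEach-Object { $_.Trim() }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Detail  = ($lines -join ' | ')
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell on the client; the cert store branch needs no extra rights, but reading the Security log does. The router's cert can be obtained from the output of `show crypto pki certificates verbose` on the ISR or exported from the Windows CA that issued it; whichever copy is used, the `IdInSan`/`IdInSubjectCn` result should be read against the ID type the debug shows the router actually sending (here ID_FQDN), not against the one it is configured for.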