Help with ISR4431 / L2TP / certificates / Windows native client

mick
Level 1
Looking for help with an L2TP VPN config using certificates along with a Windows 10 native client. I have been using a Windows native L2TP setup with pre-shared keys for a long while and so that part works. The Windows machines are domain joined and have computer/machine certificates issued by my Windows CA. The cisco is enrolled to the Windows CA.
 
As best I can tell, the processing gets to the point that the client certificate has been authenticated by the cisco and it has created the ISAKMP SA. The cisco's cert is then sent to the windows client and that's when things break down. The cert on the cisco has a Key Usage of "Digital Signature, Key Encipherment (a0)" and an EKU of Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
 
On the windows machine I see the following logged to the security event log:
 
Failure Information:
Failure Point: Local computer
Failure Reason: New policy invalidated SAs formed with old policy
 
Despite many hours of searching, I've not been able to find a good L2TP/Certificates/Windows config example - happy to be pointed to one or any relevant doc. My cisco: ISR4431 running 16.12.07. 
 
-mick
 
The failure part of my logs:
 
736348: May 24 08:46:50.780 PDT: ISAKMP: (23049):Choosing trustpoint xxxxxx.com as issuer
736349: May 24 08:46:50.780 PDT: ISAKMP: (23049):IKE->PKI Get self CertificateChain state (R) MM_KEY_EXCH (peer 192.168.120.45)
736350: May 24 08:46:50.781 PDT: ISAKMP: (23049):PKI->IKE Got self CertificateChain state (R) MM_KEY_EXCH (peer 192.168.120.45)
736351: May 24 08:46:50.781 PDT: ISAKMP: (23049):IKE->PKI Get SubjectName state (R) MM_KEY_EXCH (peer 192.168.120.45)
736352: May 24 08:46:50.782 PDT: ISAKMP: (23049):PKI->IKE Got SubjectName state (R) MM_KEY_EXCH (peer 192.168.120.45)
736353: May 24 08:46:50.782 PDT: ISAKMP-ERROR: (23049):My ID configured as IPv4 Addr, but Addr not in Cert!
736354: May 24 08:46:50.782 PDT: ISAKMP-ERROR: (23049):Using FQDN as My ID
736355: May 24 08:46:50.783 PDT: ISAKMP: (23049):SA is doing
736356: May 24 08:46:50.783 PDT: ISAKMP: (23049):RSA signature authentication using id type ID_FQDN
736357: May 24 08:46:50.783 PDT: ISAKMP: (23049):ID payload
        next-payload : 6
        type         : 2
736358: May 24 08:46:50.783 PDT: ISAKMP: (23049):       FQDN name    : cisco.xxxxx.com
736359: May 24 08:46:50.783 PDT: ISAKMP: (23049):       protocol     : 17
        port         : 500
        length       : 27
736360: May 24 08:46:50.783 PDT: ISAKMP: (23049):Total payload length: 27
736361: May 24 08:46:50.783 PDT: ISAKMP: (23049):IKE->PKI Get CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 192.168.120.45)
736362: May 24 08:46:50.785 PDT: ISAKMP: (23049):PKI->IKE Got CertificateChain to be sent to peer state (R) MM_KEY_EXCH (peer 192.168.120.45)
736363: May 24 08:46:50.786 PDT: ISAKMP: (23049):constructing CERT payload for hostname=cisco.xxxxx.com
736364: May 24 08:46:50.786 PDT: ISAKMP: (0):growing send buffer from 1024 to 3072
736365: May 24 08:46:50.786 PDT: ISAKMP: (23049):using the xxxxxx.com trustpoint's keypair to sign
736366: May 24 08:46:50.790 PDT: ISAKMP-PAK: (23049):sending packet to 192.168.120.45 my_port 500 peer_port 500 (R) MM_KEY_EXCH
736367: May 24 08:46:50.790 PDT: ISAKMP: (23049):Sending an IKE IPv4 Packet.
736368: May 24 08:46:50.790 PDT: ISAKMP: (23049):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
736369: May 24 08:46:50.790 PDT: ISAKMP: (23049):Old State = IKE_R_MM5  New State = IKE_R_MM5
 
736370: May 24 08:46:50.791 PDT: ISAKMP: (23049):Input = IKE_MESG_INTERNAL, IKE_FETCH_USER_ATTR
736371: May 24 08:46:50.791 PDT: ISAKMP: (23049):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
 
736372: May 24 08:46:50.791 PDT: ISAKMP: (23049):IKE->PKI End PKI Session state (R) QM_IDLE       (peer 192.168.120.45)
736373: May 24 08:46:50.791 PDT: ISAKMP: (23049):PKI->IKE Ended PKI session state (R) QM_IDLE       (peer 192.168.120.45)
736374: May 24 08:46:50.791 PDT: ISAKMP: (23049):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
736375: May 24 08:46:50.791 PDT: ISAKMP: (23049):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
 
736376: May 24 08:46:51.764 PDT: ISAKMP-PAK: (23049):received packet from 192.168.120.45 dport 500 sport 500 Global (R) QM_IDLE
736377: May 24 08:46:51.765 PDT: ISAKMP: (23049):phase 1 packet is a duplicate of a previous packet.
 
And things repeat from this point.
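As an added triage helper (not from the post, and not Cisco code), a small parser for the ISAKMP debug output quoted above: it groups lines by SA id and surfaces the two things worth noticing in this trace, the fallback from an IPv4 ID to an FQDN ID because the address is not in the certificate, and the phase 1 retransmit loop after the responder has already reached IKE_P1_COMPLETE. The embedded sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the ISAKMP debug lines quoted in the post.
SAMPLE_LOG = """\
736353: May 24 08:46:50.782 PDT: ISAKMP-ERROR: (23049):My ID configured as IPv4 Addr, but Addr not in Cert!
736354: May 24 08:46:50.782 PDT: ISAKMP-ERROR: (23049):Using FQDN as My ID
736356: May 24 08:46:50.783 PDT: ISAKMP: (23049):RSA signature authentication using id type ID_FQDN
736369: May 24 08:46:50.790 PDT: ISAKMP: (23049):Old State = IKE_R_MM5  New State = IKE_R_MM5
736371: May 24 08:46:50.791 PDT: ISAKMP: (23049):Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
736377: May 24 08:46:51.765 PDT: ISAKMP: (23049):phase 1 packet is a duplicate of a previous packet.
"""

LINE_RE = re.compile(r"^\d+: (?P<ts>\w{3} +\d+ [\d:.]+ \w+): "
                     r"(?P<src>ISAKMP(?:-\w+)?): \((?P<sa>\d+)\):(?P<msg>.*)$")
STATE_RE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
IDTYPE_RE = re.compile(r"authentication using id type (\S+)")

def parse_isakmp(log):
    """Group debug lines by ISAKMP SA id; collect errors, state changes, ID type."""
    sas = defaultdict(lambda: {"errors": [], "states": [], "id_type": None, "dups": 0})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ISAKMP debug line (e.g. indented payload fields)
        rec, msg = sas[m["sa"]], m["msg"].strip()
        if m["src"] == "ISAKMP-ERROR":
            rec["errors"].append(msg)
        state = STATE_RE.search(msg)
        if state:
            rec["states"].append(state.groups())
        idt = IDTYPE_RE.search(msg)
        if idt:
            rec["id_type"] = idt.group(1)
        if "duplicate of a previous packet" in msg:
            rec["dups"] += 1
    return dict(sas)

def diagnose(rec):
    """Turn one SA's record into findings the responder-side admin can act on."""
    findings = []
    if any("Addr not in Cert" in e for e in rec["errors"]):
        findings.append("IKE identity mismatch: configured IPv4 ID is not in the "
                        f"certificate; responder fell back to {rec['id_type']}")
    if rec["states"] and rec["states"][-1][1] == "IKE_P1_COMPLETE" and rec["dups"]:
        findings.append("responder completed phase 1 but the peer kept retransmitting "
                        "its last main-mode packet: the responder's reply was not accepted")
    return findings
```

Run `diagnose(parse_isakmp(SAMPLE_LOG)["23049"])` to get both findings for the SA in the trace; feeding it the full `debug crypto isakmp` output works the same way, one record per SA id.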
6 Replies

mick
Level 1

To answer my own question, it turns out the one piece of remote equipment I was using to test this has a problem with the handling of this initial exchange. I have now deployed to a dozen remote users (both Windows domain joined and non joined) with much varying remote setups and all is working just great.

Hello Mick,

Can you please provide a configuration example for L2TP over IPsec on a 4331?

I'm new to Cisco and I'm trying to configure L2TP over IPsec with a pre-shared key and authentication via NPS.

With my configuration I'm able to connect via L2TP, but with any password!

Please, if you have some time, share your knowledge.

thanks

Pretty sure I'm too late with my reply, but I don't see how anything on the cisco can be involved here. It's going to be up to the NPS server to approve or reject the request, and it sounds like it's approving anything? Has to be an NPS config issue. If you really want the cisco config, let me know. I have moved past PSK and am now using certificates with my L2TP / 4431 setup. I might be able to find an old config file backup if needed.

gajownik
Cisco Employee

L2TP over IPsec is not supported on IOS-XE platforms:

CSCur76833 ENH: Add L2TP over IPSec support on platforms using IOS-XE

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCur76833

L2TP over IPsec IS supported on IOS-XE platforms and works well.

The article you reference describes a very limited case scenario that has an issue - specifically "This feature may work in many scenarios,"

gajownik
Cisco Employee

The above enhancement request clearly states that L2TP over IPsec is not officially supported. Not supported does not mean it does not work at all. It might break in some cases, and you will just not get any support from Cisco TAC and developers if you open a service request.

If you run a lab or configure a service for a few users it's up to you to take a risk. But for some network admins working for a big enterprise lack of vendor support is a showstopper.