Solved: Re: IKEv2 - L2L - IPSEC issue with Certificate

hnavi77 · ‎02-27-2022

Hello Team,

I am stucking since an entire week now to figure out what's wrong on my configuration.

I am using a Router (R3) with a ASAv firewall (ASA1) and would like to enable IKEV2 on a Site-to-Site VPN with Certificate authentication.

"The same configuration works perfectly fine between 2 Routers with certificates"

ERROR I am seeing from ASAv:

%ASA-7-717038: Tunnel group match found. Tunnel Group: 12.0.0.2, Peer certificate: serial number: 0C, subject name: serialNumber=9N6036MZI6CWCJXNKH99C+unstructuredName=R3.test.com,CN=R3.test.com, issuer_name: CN=R1-CA.
%ASA-4-750003: Local:11.0.0.1:500 Remote:12.0.0.2:500 Username:12.0.0.2 IKEv2 Negotiation aborted due to

ERROR: Auth exchange failed

**

*Beginning of Router config:

Using "default" proposal and policy

crypto ikev2 profile Profile1
match certificate CMAP1
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPN

crypto pki certificate map CMAP1 10
subject-name co asa1.test.com

Certificate configuration of Router:
Status: Available
Certificate Serial Number (hex): 0C
Certificate Usage: General Purpose
Issuer:
cn=R1-CA
Subject:
Name: R3.test.com
Serial Number: 9N6036MZI6CWCJXNKH99C
hostname=R3.test.com+serialNumber=9N6036MZI6CWCJXNKH99C
cn=R3.test.com
Validity Date:
start date: 15:35:34 UTC Feb 25 2022
end date: 15:35:34 UTC Feb 25 2023
Associated Trustpoints: VPN
Storage: nvram:R1-CA#C.cer

crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
mode tunnel

crypto map MAP1 10 ipsec-isakmp
set peer 11.0.0.1
set transform-set SET1
set ikev2-profile Profile1
match address VPN-2
crypto map MAP1

Extended IP access list VPN-2
10 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255 (707 matches)

*end of configuration for Router

***************

*Beginning of ASAv Configuration:

crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400

crypto ikev2 enable outisde

crypto ipsec ikev2 ipsec-proposal IPSEC_Proposal1
protocol esp encryption aes
protocol esp integrity sha-1

tunnel-group-map enable rules
tunnel-group-map CMAP1 10 12.0.0.2

crypto ca certificate map CMAP1 10
subject-name co r3.test.com

tunnel-group 12.0.0.2 type ipsec-l2l
tunnel-group 12.0.0.2 general-attributes
default-group-policy GPO
tunnel-group 12.0.0.2 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication certificate
ikev2 local-authentication certificate VPN

crypto map MAP1 10 match address VPN-2
crypto map MAP1 10 set peer 12.0.0.2
crypto map MAP1 10 set ikev2 ipsec-proposal IPSEC_Proposal1
crypto map MAP1 10 set trustpoint VPN
crypto map MAP1 interface outisde

access-list VPN-2 line 1 extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=8)

Certificate
Status: Available
Certificate Serial Number: 0b
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=R1-CA
Subject Name:
hostname=ASA1
serialNumber=9ARPJCBCUBS
cn=ASA1.test.com
Validity Date:
start date: 21:56:18 UTC Feb 17 2022
end date: 21:56:18 UTC Feb 17 2023
Storage: config
Associated Trustpoints: VPN

*end of configuration

I would appreciate your help to understand what I am doing wrong.

Also I am unable to find some documentation to configure ASA-Router with IKEV2 for L2L with certificate.

Thanks for your help!

hnavi77 · ‎03-03-2022

With your great help MHM, I finally figured out where the issue was coming from:

There is no way to match the certificate with "eq" on R3 to match ASA certificate field. Only "co" works as expected.

Thanks a lot for your time

Correct configuration from R3:

crypto ikev2 profile Profile1
match certificate CMAP1
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPN
no crypto ikev2 http-url cert

crypto pki certificate map CMAP1 10
subject-name co asa1.test.com

Config on ASA:

ASA certificate:

Certificate
Status: Available
Certificate Serial Number: 0f
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=R1-CA
Subject Name:
serialNumber=9ARPJCBCUBS
hostname=ASA1.test.com
cn=asa1.test.com
ou=it
Validity Date:
start date: 21:39:45 UTC Feb 26 2022
end date: 21:39:45 UTC Feb 26 2023
Storage: config
Associated Trustpoints: VPN

crypto ca certificate map CMAP1 10
subject-name attr cn eq r3.test.com

View solution in original post

Rob Ingram · ‎02-27-2022

@hnavi77 can you provide the full output of "debug crypto ikev2" from the router please?

hnavi77 · ‎02-27-2022

Output provided Rob,

Thanks in advance for your help,

hnavi77 · ‎02-27-2022

Additional logs from Router R3:

it looks like the certificate from ASA has not been validated from R3 (Initiator)?

*******************************

ASA1 -> 11.0.0.1:500

R3 ->12.0.0.2:500

R3(config)#do ping 192.168.5.1 sour lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.1

Feb 26 00:49:00.772: IKEv2:Searching Policy with fvrf 0, local address 12.0.0.2
Feb 26 00:49:00.773: IKEv2:Using the Default Policy for Proposal
Feb 26 00:49:00.773: IKEv2:Found Policy 'default'
Feb 26 00:49:00.796: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Feb 26 00:49:00.797: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Feb 26 00:49:00.797: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
Feb 26 00:49:00.797: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Feb 26 00:49:00.797: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
Feb 26 00:49:00.797: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
Feb 26 00:49:00.797: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
Feb 26 00:49:00.797: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 15
AES-CBC AES-CBC AES-CBC SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

Feb 26 00:49:00.797: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 11.0.0.1:500/From 12.0.0.2:500/VRF i0:f0]
Initiator SPI : 98F80B5263482307 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Feb 26 00:49:00.797: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

Feb 26 00:49:00.815: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 11.0.0.1:500/To 12.0.0.2:500/VRF i0:f0]
Initiator SPI : 98F80B5263482307 - Responder SPI : 705D0BB7ED66340A Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

Feb 26 00:49:00.822: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
Feb 26 00:49:00.822: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
Feb 26 00:49:00.822: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
Feb 26 00:49:00.822: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Feb 26 00:49:00.822: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Feb 26 00:49:00.822: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Feb 26 00:49:00.822: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'VPN'
Feb 26 00:49:00.822: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint VPN
Feb .26 00:49:00.822: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
Feb 26 00:49:00.834: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
Feb 26 00:49:00.835: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
Feb 26 00:49:00.835: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
Feb 26 00:49:00.847: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Feb 26 00:49:00.849: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
Feb 26 00:49:00.850: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Feb 26 00:49:00.851: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Feb 26 00:49:00.853: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
Feb 26 00:49:00.854: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
Feb 26 00:49:00.854: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
Feb 26 00:49:00.855: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Feb 26 00:49:00.856: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Feb 26 00:49:00.857: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
Feb 26 00:49:00.857: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'RSA'
Feb 26 00:49:00.858: IKEv2:(SESSION ID = 1,SA ID = 1):Sign authentication da.ta
Feb 26 00:49:00.859: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
Feb 26 00:49:00.860: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
Feb 26 00:49:00.861: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
Feb 26 00:49:00.866: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
Feb 26 00:49:00.866: IKEv2:(SESSION ID = 1,SA ID = 1):Authentication material has been sucessfully signed
Feb 26 00:49:00.866: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
Feb 26 00:49:00.866: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
Feb 26 00:49:00.866: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: 'hostname=R3.t.est.com+serialNumber=9N6036MZI6CWCJXNKH99C,cn=R3.test.com' of type 'DER ASN1 DN'
Feb 26 00:49:00.866: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Feb 26 00:49:00.866: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'VPN'
Feb 26 00:49:00.866: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Feb 26 00:49:00.866: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Feb 26 00:49:00.866: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN

Feb 26 00:49:00.866: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Feb 26 00:49:00.866: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 11.0.0.1:500/From 12.0.0.2:500/VRF i0:f0]
Initiator SPI : 98F80B5263482307 - Responder SPI : 705D0BB7ED66340A Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

Feb 26 00:49:00.893: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 11.0.0.1:500/To 12.0.0.2:500/VRF i0:f0]
Initiator SPI : 98F80B5263482307 - Responder SPI : 705D0BB7ED66340A Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
NOTIFY(AUTHENTICATION_FAIL.ED)

Feb 26 00:49:00.897: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
Feb 26 00:49:00.897: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
Feb 26 00:49:00.897: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
Feb 26 00:49:00.897: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
Feb 26 00:49:00.897: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
Feb 26 00:49:00.897: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
Feb 26 00:49:00.897: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Feb 26 00:49:00.897: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED.
Success rate is 0 percent (0/5)
R3(config)#do und all

MHM Cisco World · ‎02-27-2022

I think the Issue here the deal of Router and ASA with ID

ISAKMP ID Selection on Routers

When IKEv2 tunnels are used on routers, the local identity used in the negotiation is determined by the identity localcommand under the IKEv2 profile:
By default, the router uses the address as the local identity.
ISAKMP ID Validation on Routers
The expected peer ID is also configured manually in the same profile with the match identity remote command:

ISAKMP ID Selection on ASAs
On ASAs, the ISAKMP identity is selected globally with the crypto isakmp identity command:
By default, the command mode is set to auto, which means that the ASA determines ISAKMP negotiation by connection type:

IP address for pre-shared key.
Cert Distinguished Name for certificate authentication.

ISAKMP ID Validation on the ASA

Remote ID validation is done automatically (determined by the connection type) and cannot be changed. Validation can be enabled or disabled on a per-tunnel-group basis with the peer-id-validate command:

hnavi77 · ‎02-27-2022

Hello MHM,

Thank you for taking the time to help me there.

I fully understand your comment and I did follow it on my configuration.

Is there something I forgot on my configuration?

From the R3:

I am matching on the ASA certificate map.

I am also sending my identity as "DN" to ASA to match my certificate.

crypto pki certificate map CMAP1 10
subject-name co asa1.test.com

crypto ikev2 profile Profile1
match certificate CMAP1
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPN

**

From ASA:

tunnel-group-map enable rules
tunnel-group-map CMAP1 10 12.0.0.2

crypto ca certificate map CMAP1 10
subject-name co r3.test.com

tunnel-group 12.0.0.2 type ipsec-l2l
tunnel-group 12.0.0.2 general-attributes
default-group-policy GPO
tunnel-group 12.0.0.2 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication certificate
ikev2 local-authentication certificate VPN

MHM Cisco World · ‎02-27-2022

for ASA we disable the peer-ID validate<-OK
if not work please send to me the full config of both R and ASA "hidden the public ip".

hnavi77 · ‎02-27-2022

Thanks MHM!

R3 Config:

R3#sh run
Building configuration...

Current configuration : 6903 bytes
!
! Last configuration change at 03:20:20 UTC Sat Feb 26 2022
! NVRAM config last updated at 00:26:28 UTC Sat Feb 26 2022
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
!
clock timezone UTC 1 0
clock summer-time CET recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name test.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint VPN
enrollment url http://1.1.1.1:80
serial-number
subject-name cn=R3.test.com
revocation-check crl
source interface Loopback1
rsakeypair VPN
hash sha256
!
!
!
crypto pki certificate map CMAP1 10
subject-name co asa1.test.com
!
crypto pki certificate chain VPN
certificate 0C
30820225 3082018E A0030201 0202010C 300D0609 2A864886 F70D0101 0B050030
10310E30 0C060355 04031305 52312D43 41301E17 0D323230 32323531 34333533
345A170D 32333032 32353134 33353334 5A305031 14301206 03550403 130B5233
2E746573 742E636F 6D313830 1806092A 864886F7 0D010902 160B5233 2E746573
742E636F 6D301C06 03550405 1315394E 36303336 4D5A4936 4357434A 584E4B48
39394330 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
CB320635 4B4949A9 F2054949 284AAA7B 71BE6532 05123E80 42B8103E D178ABA9
B78F3CF0 0D54F43F E4247BDA F045F0BA 42E610C2 8C0A18E6 D7EA086C EFC1A4C6
89071F19 E38C16F6 1D129546 440EFE28 05974F9E 8C27170C 2066A356 852B2AC0
2BCA124C 1301B27C F803376D 68CDEF49 3521A878 AF679C90 FB13B11D 5593284F
02030100 01A34F30 4D300B06 03551D0F 04040302 05A0301F 0603551D 23041830
168014D7 0B40AE8F C0FF6532 08D4D933 58F6AF17 FB01C230 1D060355 1D0E0416
0414486B A088DE93 49E6C606 22583B5C C7FFCB65 C17D300D 06092A86 4886F70D
01010B05 00038181 0052D68D B044C9AA 08BB85F0 F279303D 27ACB9B6 361FCF28
04475982 617CAA93 F78FAAF4 8ED59B1B 5D3F1E9D 3237E590 C27390FB 6D2EBCA1
1B7E47BD BC9AB643 54597904 05DD1CF1 2E0F0D86 1B3AF5E6 BF6595EA F5A727C8
E316ED28 3A1AA7CD CA745346 305A1D76 1A63FDFE 4BCD3986 F3324648 FFCBF428
F7D17308 68D37542 B8
quit
certificate ca 01
308201F9 30820162 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
10310E30 0C060355 04031305 52312D43 41301E17 0D323230 32313431 34353235
385A170D 32353032 31333134 35323538 5A301031 0E300C06 03550403 13055231
2D434130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
8E36BED2 DC41374E 8492704E 4DA8A7FC 0403CF6B B4220949 0CB46C6C 5A1DC3DB
CC51E52F C3037D47 47788FBC 8F808887 3FF1549F 241E7C14 567A64A5 5C1748F7
41056CBA C9009E45 728953A7 1847C039 E4ECC468 D977EB04 A95E7CC3 B670AB2B
EB789560 989FC233 F95AFFCC F107235F 253C99C7 9379C782 C7BBAB28 EFACAF71
02030100 01A36330 61300F06 03551D13 0101FF04 05300301 01FF300E 0603551D
0F0101FF 04040302 0186301F 0603551D 23041830 168014D7 0B40AE8F C0FF6532
08D4D933 58F6AF17 FB01C230 1D060355 1D0E0416 0414D70B 40AE8FC0 FF653208
D4D93358 F6AF17FB 01C2300D 06092A86 4886F70D 01010B05 00038181 004B5085
72080402 3E3CFD43 86623FA1 EA5873AD F68D46C5 771482DF EFD915D2 F539760D
41754FD5 FA3A6CDC DCDDC3E0 72073CF0 D4931E37 94FF8068 5A0A5988 EBDD44B5
67BC5EE4 442E0B27 55AEF25D 31F7A9C0 6B0C896F 5C1CB045 6A37EC61 26C04209
8B8ECE1A 33A0E027 57985C0A FBE22947 01FF2F74 A4DBFC15 63A846B7 E5
quit
!
redundancy
!
!
!
!
!
!
crypto ikev2 keyring Keyring
peer ASA1
address 11.0.0.1
!
!
!
crypto ikev2 profile Profile1
match certificate CMAP1
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPN
!
!
!
crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map MAP1 10 ipsec-isakmp
set peer 11.0.0.1
set transform-set SET1
set ikev2-profile Profile1
match address VPN-2
!
!
!
!
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/2
ip address 12.0.0.2 255.255.255.0
duplex auto
speed auto
media-type rj45
crypto map MAP1
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
!
router eigrp 100
network 12.0.0.0 0.0.0.255
network 192.168.2.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
!
ip access-list extended VPN
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN-2
permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
!
ipv6 ioam timestamp
!
!
!
control-plane
!
banner exec ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner incoming ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
banner login ^C
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS *
* education. IOSv is provided as-is and is not supported by Cisco's *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any *
* purposes is expressly prohibited except as otherwise authorized by *
* Cisco in writing. *
**************************************************************************^C
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login
transport input telnet ssh
!
no scheduler allocate
ntp authentication-key 1 md5 14141B180F0B 7
ntp authenticate
ntp trusted-key 1
ntp server 1.1.1.1 prefer source Loopback1
!
end

R3#

***************************************

ASA config:

ASA1(config)# sh run
: Saved

:
: Serial Number: 9ARPJCBCUBS
: Hardware: ASAv, 2048 MB RAM, CPU Xeon E5 series 3201 MHz
:
ASA Version 9.15(1)1
!
hostname ASA1
domain-name test.com
enable password ***** pbkdf2
service-module 0 keepalive-timeout 4
service-module 0 keepalive-counter 6
names
no mac-address auto

!
interface GigabitEthernet0/0
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
nameif outisde
security-level 0
ip address 11.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif inside
security-level 100
ip address 192.168.4.1 255.255.255.0
!
interface Management0/0
no management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone UTC 1
clock summer-time CEST recurring
dns server-group DefaultDNS
domain-name test.com
access-list VPN extended permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUT_IN extended permit ip 192.168.1.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list OUT_IN extended permit icmp host 10.0.0.2 host 192.168.4.2
access-list OUT_IN extended permit esp host 10.0.0.2 host 192.168.4.2
access-list OUT_IN extended permit udp host 10.0.0.2 host 192.168.4.2 eq isakmp
access-list OUT_IN extended permit icmp host 1.1.1.1 host 4.4.4.4
access-list OUT_IN extended permit udp host 1.1.1.1 eq ntp any
access-list OUT_IN extended permit esp host 12.0.0.2 host 11.0.0.1
access-list OUT_IN extended permit udp host 12.0.0.2 host 11.0.0.1 eq isakmp
access-list VPN-2 extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 23
logging console debugging
mtu outisde 1500
mtu inside 1500
no failover
no failover wait-disable
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
access-group OUT_IN in interface outisde
router eigrp 100
no default-information in
no default-information out
network 11.0.0.0 255.255.255.0
redistribute static
!
route inside 0.0.0.0 0.0.0.0 192.168.4.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal IPSEC_Proposal1
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map MAP1 10 match address VPN-2
crypto map MAP1 10 set peer 12.0.0.2
crypto map MAP1 10 set ikev2 ipsec-proposal IPSEC_Proposal1
crypto map MAP1 10 set trustpoint VPN
crypto map MAP1 interface outisde
crypto ca certificate map CMAP1 10
subject-name co r3.test.com
crypto ca trustpoint VPN
enrollment protocol scep url http://1.1.1.1:80
subject-name cn=ASA1.test.com
serial-number
keypair VPN
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain VPN
certificate ca 01
308201f9 30820162 a0030201 02020101 300d0609 2a864886 f70d0101 0b050030
10310e30 0c060355 04031305 52312d43 41301e17 0d323230 32313431 34353235
385a170d 32353032 31333134 35323538 5a301031 0e300c06 03550403 13055231
2d434130 819f300d 06092a86 4886f70d 01010105 0003818d 00308189 02818100
8e36bed2 dc41374e 8492704e 4da8a7fc 0403cf6b b4220949 0cb46c6c 5a1dc3db
cc51e52f c3037d47 47788fbc 8f808887 3ff1549f 241e7c14 567a64a5 5c1748f7
41056cba c9009e45 728953a7 1847c039 e4ecc468 d977eb04 a95e7cc3 b670ab2b
eb789560 989fc233 f95affcc f107235f 253c99c7 9379c782 c7bbab28 efacaf71
02030100 01a36330 61300f06 03551d13 0101ff04 05300301 01ff300e 0603551d
0f0101ff 04040302 0186301f 0603551d 23041830 168014d7 0b40ae8f c0ff6532
08d4d933 58f6af17 fb01c230 1d060355 1d0e0416 0414d70b 40ae8fc0 ff653208
d4d93358 f6af17fb 01c2300d 06092a86 4886f70d 01010b05 00038181 004b5085
72080402 3e3cfd43 86623fa1 ea5873ad f68d46c5 771482df efd915d2 f539760d
41754fd5 fa3a6cdc dcddc3e0 72073cf0 d4931e37 94ff8068 5a0a5988 ebdd44b5
67bc5ee4 442e0b27 55aef25d 31f7a9c0 6b0c896f 5c1cb045 6a37ec61 26c04209
8b8ece1a 33a0e027 57985c0a fbe22947 01ff2f74 a4dbfc15 63a846b7 e5
quit
certificate 0b
3082022a 30820193 a0030201 0202010b 300d0609 2a864886 f70d0101 0b050030
10310e30 0c060355 04031305 52312d43 41301e17 0d323230 32313732 30353631
385a170d 32333032 31373230 35363138 5a304131 16301406 03550403 130d4153
41312e74 6573742e 636f6d31 27301106 092a8648 86f70d01 09021604 41534131
30120603 55040513 0b394152 504a4342 43554253 30819f30 0d06092a 864886f7
0d010101 05000381 8d003081 89028181 00d45f4b 9eb1db46 52cd0171 152705ea
78d8b5c7 d641bd97 f0049ca2 4389bc5c 885a0dac abdefbf9 7ad05d12 a3c8fae6
a0fa5b42 d876fc68 ca4654a2 d1c9c7f7 246a22c8 b171e087 4549c42d 13bc76e3
e7a996e2 e383e28b dc5d7fea 4828250a ce72b3ff 04212e74 dd4a70e8 e14fe29c
b89acb73 7ae081cd 1bfe1c5f 93fcb55e b1020301 0001a363 3061300f 0603551d
11040830 06820441 53413130 0e060355 1d0f0101 ff040403 0205a030 1f060355
1d230418 30168014 d70b40ae 8fc0ff65 3208d4d9 3358f6af 17fb01c2 301d0603
551d0e04 16041496 12bbd21b 0f4d2e75 a96d7840 1e10b4cb 6f72a230 0d06092a
864886f7 0d01010b 05000381 81003606 cce3ca5b 08fe0359 9d10629c f0dcbe82
d5e85705 da00d295 8f378ad3 f8c038e7 3237f157 c4f169be 3c1e163e 60e64771
5ae83e4b 5de52ce0 d188debb a52fa390 a1db2a21 b8773e35 eee2130f c8d64355
a41f226a d72781cb 0b66915b ed6873c5 22932268 6a4ebcfb 4afc893f 701ba48d
906f91eb ffc8f133 a856fe79 f950
quit
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 0509
308205b7 3082039f a0030201 02020205 09300d06 092a8648 86f70d01 01050500
3045310b 30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164
6973204c 696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f
6f742043 41203230 1e170d30 36313132 34313832 3730305a 170d3331 31313234
31383233 33335a30 45310b30 09060355 04061302 424d3119 30170603 55040a13
1051756f 56616469 73204c69 6d697465 64311b30 19060355 04031312 51756f56
61646973 20526f6f 74204341 20323082 0222300d 06092a86 4886f70d 01010105
00038202 0f003082 020a0282 0201009a 18ca4b94 0d002daf 03298af0 0f81c8ae
4c19851d 089fab29 4485f32f 81ad321e 9046bfa3 86261a1e fe7e1c18 3a5c9c60
172a3a74 8333307d 615411cb edabe0e6 d2a27ef5 6b6f18b7 0a0b2dfd e93eef0a
c6b310e9 dcc24617 f85dfda4 daff9e49 5a9ce633 e62496f7 3fba5b2b 1c7a35c2
d667feab 66508b6d 28602bef d760c3c7 93bc8d36 91f37ff8 db1113c4 9c7776c1
aeb7026a 817aa945 83e205e6 b956c194 378f4871 6322ec17 6507958a 4bdf8fc6
5a0ae5b0 e35f5e6b 11ab0cf9 85eb44e9 f80473f2 e9fe5c98 8cf573af 6bb47ecd
d45c022b 4c39e1b2 95952d42 87d7d5b3 9043b76c 13f1dedd f6c4f889 3fd175f5
92c391d5 8a88d090 ecdc6dde 89c26571 968b0d03 fd9cbf5b 16ac92db eafe797c
adebaff7 16cbdbcd 252be51f fb9a9fe2 51cc3a53 0c48e60e bdc9b476 0652e611
13857263 0304e004 362b2019 02e874a7 1fb6c956 66f07525 dc67c10e 616088b3
3ed1a8fc a3da1db0 d1b12354 df44766d ed41d8c1 b222b653 1cdf351d dca1772a
31e42df5 e5e5dbc8 e0ffe580 d70b63a0 ff33a10f ba2c1515 ea97b3d2 a2b5bef2
8c961e1a 8f1d6ca4 6137b986 7333d797 969e237d 82a44c81 e2a1d1ba 675f9507
a32711ee 16107bbc 454a4cb2 04d2abef d5fd0c51 ce506a08 31f991da 0c8f645c
03c33a8b 203f6e8d 673d3ad6 fe7d5b88 c95efbcc 61dc8b33 77d34432 35096204
921610d8 9e2747fb 3b21e3f8 eb1d5b02 03010001 a381b030 81ad300f 0603551d
130101ff 04053003 0101ff30 0b060355 1d0f0404 03020106 301d0603 551d0e04
1604141a 8462bc48 4c332504 d4eed0f6 03c41946 d1946b30 6e060355 1d230467
30658014 1a8462bc 484c3325 04d4eed0 f603c419 46d1946b a149a447 3045310b
30090603 55040613 02424d31 19301706 0355040a 13105175 6f566164 6973204c
696d6974 6564311b 30190603 55040313 1251756f 56616469 7320526f 6f742043
41203282 02050930 0d06092a 864886f7 0d010105 05000382 0201003e 0a164d9f
065ba8ae 715d2f05 2f67e613 4583c436 f6f3c026 0c0db547 645df8b4 72c946a5
03182755 89787d76 ea963480 1720dce7 83f88dfc 07b8da5f 4d2e67b2 84fdd944
fc775081 e67cb4c9 0d0b7253 f8760707 4147960c fbe08226 93558cfe 221f6065
7c5fe726 b3f73290 9850d437 7155f692 2178f795 79faf82d 26876656 3077a637
78335210 58ae3f61 8ef26ab1 ef187e4a 5963ca8d a256d5a7 2fbc561f cf39c1e2
fb0aa815 2c7d4d7a 63c66c97 443cd26f c34a170a f890d257 a21951a5 2d9741da
074fa950 da908d94 46e13ef0 94fd1000 38f53be8 40e1b46e 561a20cc 6f588ded
2e458fd6 e9933fe7 b12cdf3a d6228cdc 84bb226f d0f8e4c6 39e90488 3cc3baeb
557a6d80 9924f56c 01fbf897 b0945beb fdd26ff1 77680d35 6423acb8 55a103d1
4d4219dc f8755956 a3f9a849 79f8af0e b911a07c b76aed34 d0b62662 381a870c
f8e8fd2e d3907f07 912a1dd6 7e5c8583 99b03808 3fe95ef9 3507e4c9 626e577f
a75095f7 bac89be6 8ea201c5 d666bf79 61f33c1c e1b9825c 5da0c3e9 d848bd19
a2111419 6eb2861b 683e4837 1a88b75d 965e9cc7 ef276208 e291195c d2f121dd
ba174282 97718153 31a99ff6 7d62bf72 e1a3931d cc8a265a 0938d0ce d70d8016
b478a53a 874c8d8a a5d54697 f22c10b9 bc5422c0 01506943 9ef4b2ef 6df8ecda
f1e3b1ef df918f54 2a0b25c1 2619c452 100565d5 8210eac2 31cd2e
quit
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outisde
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
console serial
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authentication-key 1 md5 *****
ntp authenticate
ntp trusted-key 1
ntp server 1.1.1.1 key 1 source outisde prefer
group-policy GPO internal
group-policy GPO attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 12.0.0.2 type ipsec-l2l
tunnel-group 12.0.0.2 general-attributes
default-group-policy GPO
tunnel-group 12.0.0.2 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication certificate
ikev2 local-authentication certificate VPN
tunnel-group-map enable rules
tunnel-group-map CMAP1 10 12.0.0.2
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
inspect snmp
inspect icmp
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:a3edcd65073766cd3f495fd3a953a512
: end
ASA1(config)#

hnavi77 · ‎02-27-2022

I am using CML 2.x for this setup.

Thanks for your help, much appreciated.

MHM Cisco World · ‎03-01-2022

Certificate Router:
Subject:
cn: R3.test.com
R validate ASA IP by default change this with

match identity remote fqdn ASA1.test.com

Certificate ASA
Subject Name:
cn=ASA1.test.com

peer-id-validate nocheck

please try above change

hnavi77 · ‎03-01-2022

unfortunately, this doesn't fix the problem.

I am seeing the exact same error message:

*Auth exchange failed*

****

In order to validate my certificates on both sides (Router / ASA), I did configure IKEv1 with L2L with Certificate on both sides and everything was working as perfectly.

Something is weird with IKEV2.

***

regards,

MHM Cisco World · ‎03-02-2022

crypto ca certificate map CMAP1 10

issuer-name attr cn R1-CA
subject-name attr cn r3.test.com

cn since the ASA certificate contain the issue and name with cn not ou.

peer-id-validate nocheck <-still use this command

hnavi77 · ‎03-02-2022

still not ok - same error message.

%ASA-4-750003: Local:11.0.0.1:500 Remote:12.0.0.2:500 Username:12.0.0.2 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed.

Configuration applied.

On R3:

R3(config)#do sh run | s crypto pki certificate map CMAP1 10
crypto pki certificate map CMAP1 10
issuer-name co r1-ca
subject-name co asa1.test.com

ON ASA1:

ASA1(config)# sh run crypto ca certificate map CMAP1
crypto ca certificate map CMAP1 10
issuer-name attr cn eq r1-ca
subject-name attr cn eq r3.test.com

tunnel-group 12.0.0.2 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication certificate
ikev2 local-authentication certificate VPN

MHM Cisco World · ‎03-02-2022

please clear crypto ipsec and isakmp and

THEN

please CN can be sensitive case so write it as it appear in certificate.

MHM Cisco World · ‎03-02-2022

Hi, do you check again ?