
IKEv2 - L2L - IPSEC issue with Certificate

hnavi77
Level 1

Hello Team,

I have been stuck for an entire week now trying to figure out what's wrong with my configuration.

I am using a Router (R3) with an ASAv firewall (ASA1) and would like to enable IKEv2 on a Site-to-Site VPN with certificate authentication.

"The same configuration works perfectly fine between 2 Routers with certificates"

 

Error I am seeing on the ASAv:

%ASA-7-717038: Tunnel group match found. Tunnel Group: 12.0.0.2, Peer certificate: serial number: 0C, subject name: serialNumber=9N6036MZI6CWCJXNKH99C+unstructuredName=R3.test.com,CN=R3.test.com, issuer_name: CN=R1-CA.
%ASA-4-750003: Local:11.0.0.1:500 Remote:12.0.0.2:500 Username:12.0.0.2 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed

**

 

*Beginning of Router config:

Using "default" proposal and policy

 

crypto ikev2 profile Profile1
match certificate CMAP1
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPN

 

crypto pki certificate map CMAP1 10
subject-name co asa1.test.com

 

Certificate configuration of Router:
Status: Available
Certificate Serial Number (hex): 0C
Certificate Usage: General Purpose
Issuer:
cn=R1-CA
Subject:
Name: R3.test.com
Serial Number: 9N6036MZI6CWCJXNKH99C
hostname=R3.test.com+serialNumber=9N6036MZI6CWCJXNKH99C
cn=R3.test.com
Validity Date:
start date: 15:35:34 UTC Feb 25 2022
end date: 15:35:34 UTC Feb 25 2023
Associated Trustpoints: VPN
Storage: nvram:R1-CA#C.cer

 

crypto ipsec transform-set SET1 esp-aes esp-sha-hmac
mode tunnel

 

crypto map MAP1 10 ipsec-isakmp
set peer 11.0.0.1
set transform-set SET1
set ikev2-profile Profile1
match address VPN-2
crypto map MAP1

 

Extended IP access list VPN-2
10 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255 (707 matches)

 

*end of configuration for Router

***************

 

*Beginning of ASAv Configuration:

 

crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400

 

crypto ikev2 enable outisde

 

crypto ipsec ikev2 ipsec-proposal IPSEC_Proposal1
protocol esp encryption aes
protocol esp integrity sha-1

 

tunnel-group-map enable rules
tunnel-group-map CMAP1 10 12.0.0.2

 

crypto ca certificate map CMAP1 10
subject-name co r3.test.com

 

tunnel-group 12.0.0.2 type ipsec-l2l
tunnel-group 12.0.0.2 general-attributes
default-group-policy GPO
tunnel-group 12.0.0.2 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication certificate
ikev2 local-authentication certificate VPN

 

crypto map MAP1 10 match address VPN-2
crypto map MAP1 10 set peer 12.0.0.2
crypto map MAP1 10 set ikev2 ipsec-proposal IPSEC_Proposal1
crypto map MAP1 10 set trustpoint VPN
crypto map MAP1 interface outisde

 

access-list VPN-2 line 1 extended permit ip 192.168.5.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=8)

 

Certificate
Status: Available
Certificate Serial Number: 0b
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=R1-CA
Subject Name:
hostname=ASA1
serialNumber=9ARPJCBCUBS
cn=ASA1.test.com
Validity Date:
start date: 21:56:18 UTC Feb 17 2022
end date: 21:56:18 UTC Feb 17 2023
Storage: config
Associated Trustpoints: VPN

 

*end of configuration

 

I would appreciate your help in understanding what I am doing wrong.

Also, I am unable to find any documentation on configuring an ASA-to-Router IKEv2 L2L tunnel with certificates.

 

Thanks for your help!

 

19 Replies

Yes, I have tested it and have also re-issued new certificates (Router / ASA) with "ou=it" to test.

No luck, I get the same error.

******************************

 

ASA1 certificate:

 

Certificate
Status: Available
Certificate Serial Number: 0f
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=R1-CA
Subject Name:
serialNumber=9ARPJCBCUBS
hostname=ASA1.test.com
cn=asa1.test.com
ou=it
Validity Date:
start date: 21:39:45 UTC Feb 26 2022
end date: 21:39:45 UTC Feb 26 2023
Storage: config
Associated Trustpoints: VPN

**

crypto ca certificate map CMAP1 10
subject-name attr cn eq r3.test.com

***********************************************

Router certificate:

 

Certificate
Status: Available
Certificate Serial Number (hex): 10
Certificate Usage: General Purpose
Issuer:
cn=R1-CA
Subject:
Name: R3.test.com
Serial Number: 9N6036MZI6CWCJXNKH99C
hostname=R3.test.com+serialNumber=9N6036MZI6CWCJXNKH99C
cn=r3.test.com
ou=it
Validity Date:
start date: 01:40:16 UTC Feb 27 2022
end date: 01:40:16 UTC Feb 27 2023
Associated Trustpoints: VPN
Storage: nvram:R1-CA#10.cer

 

crypto pki certificate map CMAP1 10
subject-name eq asa1.test.com

hnavi77
Level 1

I am getting this new error from the ASA:

 

%ASA-4-750003: Local:11.0.0.1:500 Remote:12.0.0.2:500 Username:Unknown IKEv2 Negotiation aborted due to ERROR: Unsupported cert encoding found or Peer requested HTTP URL but never sent HTTP_LOOKUP_SUPPORTED Notification

 

%ASA-4-750003: Local:11.0.0.1:500 Remote:12.0.0.2:500 Username:12.0.0.2 IKEv2 Negotiation aborted due to ERROR: Auth exchange failed

 

-> Fixed this issue with:

no crypto ikev2 http-url cert (on Router R3).

**********

Current issue:

From Router R3:

 

Feb 27 01:23:00.256: IKEv2:(SESSION ID = 31,SA ID = 1):Searching policy based on peer's identity 'serialNumber=9ARPJCBCUBS+hostname=ASA1.test.com,cn=asa1.test.com,ou=it' of type 'DER ASN1 DN'
Feb 27 01:23:00.271: IKEv2-ERROR:% IKEv2 profile not found
Feb 27 01:23:00.271: IKEv2-ERROR:(SESSION ID = 31,SA ID = 1):: Failed to locate an item in the database
Feb 27 01:23:00.271: IKEv2:(SESSION ID = 31,SA ID = 1):Verification of peer's authentication data FAILED
Feb 27 01:23:00.272: IKEv2:(SESSION ID = 31,SA ID = 1):Sending authentication failure notify
Feb 27 01:23:00.274: IKEv2:(SESSION ID = 31,SA ID = 1):Building packet for encryption.

 

R3 configuration:

crypto ikev2 profile Profile1
match identity remote fqdn ASA1.test.com  (when match identity remote is set to any, IT WORKS)
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPN
no crypto ikev2 http-url cert
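
The ASA syslog and IOS IKEv2 debug lines quoted in this thread, run through a small parser that pulls out the endpoints, username and abort reason and tags the reasons this thread later explained. This is an added example, not something from the thread or from Cisco: the sample lines are copied from the posts above (the ASA message that was wrapped over three lines in the first post is joined), the regular expressions are mine and only cover the message shapes seen here, and the hints restate what was found in this thread.

```python
"""Structured triage of the ASA syslog and IOS IKEv2 debug lines from this thread.

Added example, not part of the thread and not Cisco tooling. The regexes
cover only the message shapes that appear in the posts above; the hints
restate what this thread found, nothing more.
"""
import re
from typing import Dict, List, Optional

# Sample input: the lines quoted in the thread, copied verbatim (the ASA
# message that was wrapped across three lines in the first post is joined).
SAMPLE_LINES = [
    "%ASA-7-717038: Tunnel group match found. Tunnel Group: 12.0.0.2, Peer certificate: "
    "serial number: 0C, subject name: serialNumber=9N6036MZI6CWCJXNKH99C+unstructuredName=R3.test.com,"
    "CN=R3.test.com, issuer_name: CN=R1-CA.",
    "%ASA-4-750003: Local:11.0.0.1:500 Remote:12.0.0.2:500 Username:Unknown IKEv2 Negotiation aborted "
    "due to ERROR: Unsupported cert encoding found or Peer requested HTTP URL but never sent "
    "HTTP_LOOKUP_SUPPORTED Notification",
    "%ASA-4-750003: Local:11.0.0.1:500 Remote:12.0.0.2:500 Username:12.0.0.2 IKEv2 Negotiation aborted "
    "due to ERROR: Auth exchange failed",
    "Feb 27 01:23:00.271: IKEv2-ERROR:% IKEv2 profile not found",
    "Feb 27 01:23:00.271: IKEv2-ERROR:(SESSION ID = 31,SA ID = 1):: Failed to locate an item in the database",
    "Feb 27 01:23:00.271: IKEv2:(SESSION ID = 31,SA ID = 1):Verification of peer's authentication data FAILED",
]

ASA_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$")
# %ASA-4-750003: negotiation aborted; carries local/remote endpoints, username and reason
ABORT_RE = re.compile(
    r"Local:(?P<local>\S+) Remote:(?P<remote>\S+) Username:(?P<user>\S+) "
    r"IKEv2 Negotiation aborted due to ERROR: (?P<reason>.*)$")
# %ASA-7-717038: tunnel-group chosen from the peer certificate
TG_RE = re.compile(
    r"Tunnel Group: (?P<tg>[^,]+), Peer certificate: serial number: (?P<serial>\S+), "
    r"subject name: (?P<subject>.*?), issuer_name: (?P<issuer>.*?)\.?$")
# IOS `debug crypto ikev2` lines: timestamp, IKEv2 or IKEv2-ERROR, optional session prefix
IOS_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:.]+): IKEv2(?P<err>-ERROR)?:(?P<body>.*)$")
SESSION_PREFIX_RE = re.compile(r"^\(SESSION ID = \d+,SA ID = \d+\):*\s*")

# Reasons seen in this thread and what resolved or explained them there.
KNOWN_CAUSES = (
    ("Unsupported cert encoding found or Peer requested HTTP URL",
     "peer offered HTTP URL certificate encoding; cleared in this thread with "
     "'no crypto ikev2 http-url cert' on the IOS router"),
    ("IKEv2 profile not found",
     "no IKEv2 profile's match statement matched the peer identity; check "
     "'match identity' / 'match certificate' and the certificate map operator (co vs eq)"),
    ("Auth exchange failed",
     "IKE_AUTH rejected; in this thread the specific reason appeared in the other peer's debug"),
)


def classify(reason: str) -> Optional[str]:
    """Map an abort reason to the hint recorded in this thread, or None."""
    for needle, hint in KNOWN_CAUSES:
        if needle in reason:
            return hint
    return None


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for a recognised ASA or IOS line, else None."""
    m = ASA_RE.match(line)
    if m:
        rec: Dict[str, object] = {"source": "asa", "severity": int(m["sev"]), "msgid": m["msgid"]}
        if m["msgid"] == "750003":
            a = ABORT_RE.search(m["body"])
            if a:
                rec.update(a.groupdict())
        elif m["msgid"] == "717038":
            t = TG_RE.search(m["body"])
            if t:
                rec.update(t.groupdict())
        return rec
    m = IOS_RE.match(line)
    if m:
        # drop the "(SESSION ID = ..,SA ID = ..):" prefix and the leading "% "
        body = SESSION_PREFIX_RE.sub("", m["body"]).lstrip("% ").strip()
        return {"source": "ios", "timestamp": m["ts"],
                "level": "error" if m["err"] else "debug", "reason": body}
    return None


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only records that carry a failure reason and attach the thread's hint."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("reason"):
            rec["hint"] = classify(str(rec["reason"]))
            out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_LINES):
        print(f"[{rec['source']}] {rec['reason']}\n    -> {rec['hint']}")
```

The %ASA-7-717038 record is parsed but not listed by `triage()`, since it carries no failure reason; it is still useful because it shows which tunnel-group the ASA picked and the exact subject DN it saw, which is what the certificate map on the other side has to match.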

Sorry, can you send the last config with the error on the ASA and the router?

With your great help, MHM, I finally figured out where the issue was coming from:

There is no way on R3 to match the ASA certificate field with "eq". Only "co" works as expected.

Thanks a lot for your time

 

 

Correct configuration from R3:

 

crypto ikev2 profile Profile1
match certificate CMAP1
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPN
no crypto ikev2 http-url cert

 

crypto pki certificate map CMAP1 10
subject-name co asa1.test.com

 

Config on ASA:

 

ASA certificate:

Certificate
Status: Available
Certificate Serial Number: 0f
Certificate Usage: General Purpose
Public Key Type: RSA (1024 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
cn=R1-CA
Subject Name:
serialNumber=9ARPJCBCUBS
hostname=ASA1.test.com
cn=asa1.test.com
ou=it
Validity Date:
start date: 21:39:45 UTC Feb 26 2022
end date: 21:39:45 UTC Feb 26 2023
Storage: config
Associated Trustpoints: VPN

 

crypto ca certificate map CMAP1 10
subject-name attr cn eq r3.test.com
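
To see why `subject-name eq asa1.test.com` never matched on R3 while `co` did, here is a small model of how a certificate map rule is compared with the peer's subject DN, using the two subject names that appear in this thread (the ASA's DN from the R3 debug output and R3's DN from the ASA %ASA-7-717038 message). This is an added example, not from the thread or from Cisco: `eq`/`ne`/`co`/`nc` are modelled as equal / not equal / contains / does not contain over the string being tested, which is the whole DN for a plain `subject-name` rule and just the named attribute's value for `subject-name attr`; the case-insensitive comparison is an assumption about IOS/ASA behaviour.

```python
"""Model of certificate-map matching for the two subject DNs in this thread.

Added example (not Cisco code). Operators are modelled as: eq = equal,
ne = not equal, co = contains, nc = does not contain. A plain `subject-name`
rule is compared against the whole DN string; `subject-name attr <x>` is
compared against the value(s) of that one attribute. Case-insensitive
comparison is an assumption about how IOS/ASA compare these fields.
"""
from typing import List, Optional, Tuple

# Subject DNs as they appear in the thread: the ASA's DN from the R3 debug
# ("Searching policy based on peer's identity ...") and R3's DN from the
# ASA %ASA-7-717038 message.
ASA1_SUBJECT = "serialNumber=9ARPJCBCUBS+hostname=ASA1.test.com,cn=asa1.test.com,ou=it"
R3_SUBJECT = "serialNumber=9N6036MZI6CWCJXNKH99C+unstructuredName=R3.test.com,CN=R3.test.com"

Rule = Tuple[Optional[str], str, str]   # (attribute or None, operator, pattern)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs.

    ',' separates RDNs; '+' joins the attributes of one multi-valued RDN
    (e.g. serialNumber=...+hostname=...). Attribute names are lower-cased.
    """
    pairs = []
    for rdn in dn.split(","):
        for atv in rdn.split("+"):
            attr, _, value = atv.partition("=")
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def parse_rule(line: str) -> Rule:
    """Turn a `subject-name ...` certificate-map line into a Rule tuple."""
    tokens = line.split()
    if not tokens or tokens[0] != "subject-name":
        raise ValueError("only subject-name rules are modelled here")
    if tokens[1] == "attr":                             # subject-name attr cn eq r3.test.com
        return (tokens[2], tokens[3], " ".join(tokens[4:]))
    return (None, tokens[1], " ".join(tokens[2:]))      # subject-name co asa1.test.com


def field_matches(value: str, op: str, pattern: str) -> bool:
    """Apply one operator. Assumption: the comparison is case-insensitive."""
    a, b = value.lower(), pattern.lower()
    if op == "eq":
        return a == b
    if op == "ne":
        return a != b
    if op == "co":
        return b in a
    if op == "nc":
        return b not in a
    raise ValueError(f"unknown operator {op!r}")


def cert_map_matches(subject_dn: str, rules: List[Rule]) -> bool:
    """True when every rule of one map entry matches the subject DN (rules AND together)."""
    pairs = parse_dn(subject_dn)
    for attr, op, pattern in rules:
        if attr is None:
            # plain `subject-name <op> <pattern>`: the whole DN string is tested
            if not field_matches(subject_dn, op, pattern):
                return False
        else:
            # `subject-name attr <attr> <op> <pattern>`: only that attribute's value(s)
            values = [v for a, v in pairs if a == attr.lower()]
            if not any(field_matches(v, op, pattern) for v in values):
                return False
    return True


def thread_cases() -> dict:
    """The certificate-map lines from this thread, evaluated against the peer DNs."""
    return {
        # R3's first attempt: the whole DN is compared with eq, so it is never equal
        "R3 eq": cert_map_matches(ASA1_SUBJECT, [parse_rule("subject-name eq asa1.test.com")]),
        # R3's working config: substring match on the whole DN
        "R3 co": cert_map_matches(ASA1_SUBJECT, [parse_rule("subject-name co asa1.test.com")]),
        # ASA side: attribute-level eq on the CN (matches under the case-insensitive assumption)
        "ASA attr cn eq": cert_map_matches(R3_SUBJECT, [parse_rule("subject-name attr cn eq r3.test.com")]),
        # sanity check: the R3 map does not match R3's own certificate
        "R3 co vs own cert": cert_map_matches(R3_SUBJECT, [parse_rule("subject-name co asa1.test.com")]),
    }


if __name__ == "__main__":
    for name, result in thread_cases().items():
        print(f"{name:20s} -> {result}")
```

The practical point the model makes: a plain `subject-name eq` on the router side only succeeds if the pattern is the complete DN string, so either use `co` (as the working R3 config does) or match one attribute explicitly, as the ASA side does with `subject-name attr cn eq`.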