IKEv2 with certificates

pjetupjetu
Level 1

The example provided is on 1941 ISR routers with 15.2(2)T1 software. One router has 15.3(1)T.

IKEv2 with pre-shared key comes up fine.

IKEv2 with certificates gives an auth exchange fail error.

IKEv1 with the same certificates comes up fine.

The above were Microsoft CA certificates.

I tried with IOS CA certificates, still auth exchange fail error.

Same results with 3945 and 2911 routers on IOS 15.1(2)T.

10 Replies

olpeleri
Cisco Employee

At first glance,

crypto ikev2 profile RIGHT

match identity remote address 192.168.11.41 255.255.255.252

By default the identity sent by the router is fetched from the certificate DN. If you want to use an IP address as the IKEv2 identity, then you would need to add on both sides

identity local address <.....>

Cheers
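The identity rule in the reply above, modelled as an added example (my code, not Cisco's): a certificate-authenticated IOS peer sends its certificate DN as IKEv2 identity unless `identity local address` is configured, so a profile that only has `match identity remote address` is never selected for it. The profile and peer configs are constructed from the addresses and names in this thread, and `match certificate` is simplified to "matches any certificate-authenticated peer".

```python
"""Check whether an IKEv2 profile will be selected for what the peer actually sends."""
import ipaddress
import re

# Constructed sample: the 'RIGHT' profile quoted above, matching on the peer's IP.
PROFILE_RIGHT = """
crypto ikev2 profile RIGHT
 match identity remote address 192.168.11.41 255.255.255.252
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint dc-ca
"""

# Constructed sample: a profile that selects on the peer certificate instead,
# the shape of the working config later in this thread.
PROFILE_CERTMAP = """
crypto ikev2 profile default
 match certificate CRT
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint dc-ca
"""

# Constructed sample: the peer, certificate auth, no explicit 'identity local'.
PEER_DEFAULT = """
crypto ikev2 profile LEFT
 match identity remote any
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint dc-ca
"""

# Same peer after adding the line the reply recommends.
PEER_FIXED = PEER_DEFAULT + " identity local address 192.168.11.41\n"


def parse_profile(cfg):
    """Pull the identity-related lines out of one crypto ikev2 profile block."""
    prof = {"auth_local": None, "identity_local": None, "matches": []}
    for raw in cfg.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"authentication local (\S+)", line):
            prof["auth_local"] = m.group(1)
        elif m := re.fullmatch(r"identity local (dn|address \S+|fqdn \S+|email \S+)", line):
            prof["identity_local"] = m.group(1).split()
        elif m := re.fullmatch(r"match identity remote (.+)", line):
            prof["matches"].append(("identity", *m.group(1).split()))
        elif m := re.fullmatch(r"match certificate (\S+)", line):
            prof["matches"].append(("certificate", m.group(1)))
    return prof


def sent_identity(cfg, cert_subject, local_ip):
    """Identity this router places in its IKEv2 ID payload: (kind, value)."""
    prof = parse_profile(cfg)
    ident = prof["identity_local"]
    if ident is None:
        # IOS default as stated in the reply: DN with certificates, address with PSK.
        ident = ["address", local_ip] if prof["auth_local"] == "psk" else ["dn"]
    return ("dn", cert_subject) if ident[0] == "dn" else (ident[0], ident[1])


def profile_selects(cfg, peer_identity, peer_uses_cert):
    """True if any match clause of the profile fits the identity the peer sent."""
    kind, value = peer_identity
    for match in parse_profile(cfg)["matches"]:
        if match[0] == "certificate":
            if peer_uses_cert:  # simplification: any cert-authenticated peer matches the map
                return True
        elif match[1] == "any":
            return True
        elif match[1] == "address" and kind == "address":
            mask = match[3] if len(match) > 3 else "32"  # mask is optional in IOS
            if ipaddress.ip_address(value) in ipaddress.ip_network(f"{match[2]}/{mask}", strict=False):
                return True
        elif match[1] == kind and match[2] == value:  # fqdn / email exact match
            return True
    return False


def check_pair(local_cfg, peer_cfg, peer_subject, peer_ip):
    """Would local_cfg's profile be selected for the peer running peer_cfg?"""
    ident = sent_identity(peer_cfg, peer_subject, peer_ip)
    uses_cert = parse_profile(peer_cfg)["auth_local"] != "psk"
    return profile_selects(local_cfg, ident, uses_cert)


if __name__ == "__main__":
    for name, peer in (("default", PEER_DEFAULT), ("fixed", PEER_FIXED)):
        ok = check_pair(PROFILE_RIGHT, peer, "cn=happy.csfc,c=us", "192.168.11.41")
        print(f"peer {name}: profile RIGHT {'matches' if ok else 'does not match'}")
```

Either change works: make the peer send an address identity, or match on the certificate (or DN) instead of the address.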

Hello,

It would be handy if you could provide the following debugs when you try to bring up the tunnel:

debug crypto ikev2

debug crypto pki a

debug crypto pki c

debug crypto pki m

debug crypto pki t

debug crypto pki v

olpeleri
Cisco Employee

Hello,

I was away for a few days. I was looking at the config of your router 1941right and I don't see a router certificate under the CA trustpoint. There is simply a self-signed cert.

Did you fix that in the meantime?

Cheers,

Olivier

We have a Cisco rep coming to the site. He indicated that there are issues with IKEv2 - MS AD CS interoperation. He is going to research and test it for us before he comes by.

He also stated that the IOS CA does not support IKEv2 (or maybe our particular solution requiring Suite B with IKEv2).

If I get an answer I will post it and share.

Hello,

I'm afraid the info is incorrect. IOS CA is of course compatible with IKEv2.

Cheers,

Did you ever get an answer to this? I have been struggling for two days to get StrongSwan to talk to my 819 router, and there seems to be a lot of commonality between the errors I am getting and the ones in this post.

Yes. I got it to work. Didn't get any help, but kept trying stuff until it worked.

I'll dig out the document I created and get it to you later today if I can get the time.

These are the details of how I got it working.

sho tech ipsec

------------------ show version ------------------

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(2)T1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 29-Feb-12 20:40 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

happy uptime is 30 minutes
System returned to ROM by power-on
System restarted at 20:26:58 UTC Fri Mar 1 2013
System image file is "flash0:c2900-universalk9-mz.SPA.152-2.T1.bin"
Last reload type: Normal Reload
Last reload reason: power-on

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco CISCO2911/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FTX1621AJFU
3 Gigabit Ethernet interfaces
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
250880K bytes of ATA System CompactFlash 0 (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#      PID            SN
-------------------------------------------------
*0        CISCO2911/K9          FTX1621AJFU    

Technology Package License Information for Module:'c2900'

-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot 
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    Permanent      securityk9
uc            None          None           None
data          None          None           None

Configuration register is 0x2102


------------------ show running-config ------------------


Building configuration...

Current configuration : 6483 bytes
!
! Last configuration change at 20:56:07 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
! NVRAM config last updated at 20:55:05 UTC Fri Mar 1 2013 by csfc
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname happy
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
logging buffered 51200 warnings
no logging console
enable secret 4 4Q5iiIH2YznVeGHA3p6Qjm8oBj4LWNDTHjsG21MxgXU
!
no aaa new-model
!
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip domain name csfc.com
ip name-server 192.168.1.3
no ip cef
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint dc-ca
enrollment terminal
subject-name cn=happy.csfc,c=us
revocation-check none
!
!
!
crypto pki certificate map CRT 10
issuer-name co csfc
!
crypto pki certificate chain dc-ca
certificate 3F51979A000000000012
      quit
certificate ca 2C8A76A7904BB4B341B3AAFA9ED387D3
      quit
license udi pid CISCO2911/K9 sn FTX1621AJFU
!
!
username csfc privilege 15 secret 4
username admin privilege 15 secret 4
username Happy privilege 15 secret 4
!
redundancy
!
crypto ikev2 proposal prop-1
encryption aes-cbc-256
integrity sha256
group 19
!
crypto ikev2 policy policy1
proposal prop-1
!
!
crypto ikev2 profile default
match certificate CRT
identity local dn
authentication local ecdsa-sig
authentication remote rsa-sig
authentication remote ecdsa-sig
pki trustpoint dc-ca
!
no crypto ikev2 diagnose error
no crypto ikev2 http-url cert
crypto ikev2 certificate-cache 750
crypto ikev2 fragmentation mtu 1400
!
!
!
crypto logging ikev2
!
!
crypto ipsec transform-set SEC esp-aes esp-sha256-hmac
!
crypto ipsec profile default
set transform-set SEC
set ikev2-profile default
!
!
!
!
!
!
interface Tunnel0
no ip address
!
interface Tunnel1
ip address 192.168.100.1 255.255.255.0
tunnel source GigabitEthernet0/1
tunnel destination 192.168.11.42
tunnel protection ipsec profile default
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.1.40 255.255.255.0
duplex full
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.11.41 255.255.255.252
duplex full
speed auto
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip route 192.168.2.0 255.255.255.0 Tunnel1
!
!
no cdp advertise-v2
!
!
control-plane
!
!
banner login ^CCPLEEEESE!^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
password
login local
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
sntp server 192.168.1.3 version 3
!
end


------------------ show crypto tech-support ------------------


------------------ show crypto isakmp sa count ------------------


Active ISAKMP SA's: 0
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 0

------------------ show crypto ipsec sa count ------------------

IPsec SA total: 2, active: 2, rekeying: 0, unused: 0, invalid: 0


------------------ show crypto isakmp sa detail ------------------


Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

IPv6 Crypto ISAKMP SA


------------------ show crypto ipsec sa detail ------------------

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.168.11.41

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.11.41/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (192.168.11.42/255.255.255.255/47/0)
   current_peer 192.168.11.42 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 271, #pkts encrypt: 271, #pkts digest: 271
    #pkts decaps: 275, #pkts decrypt: 275, #pkts verify: 275
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 192.168.11.41, remote crypto endpt.: 192.168.11.42
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x1DF8CFFA(502845434)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBF473CF2(3209116914)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 5, flow_id: SW:5, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4181836/3479)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1DF8CFFA(502845434)
        transform: esp-aes esp-sha256-hmac ,
        in use settings ={Tunnel, }
        conn id: 6, flow_id: SW:6, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4181837/3479)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

------------------ show crypto session summary ------------------

------------------ show crypto session detail ------------------

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection    
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation    
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel1
Uptime: 00:02:00
Session status: UP-ACTIVE    
Peer: 192.168.11.42 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: cn=grumpy.csfc,c=us
      Desc: (none)
  IKEv2 SA: local 192.168.11.41/500 remote 192.168.11.42/500 Active
          Capabilities:(none) connid:3 lifetime:23:58:00
  IPSEC FLOW: permit 47 host 192.168.11.41 host 192.168.11.42
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 275 drop 0 life (KB/Sec) 4181836/3479
        Outbound: #pkts enc'ed 271 drop 0 life (KB/Sec) 4181837/3479


------------------ show crypto isakmp peers ------------------

------------------ show crypto ruleset detail ------------------

Mtree:
199 VRF 0  11 192.168.11.41/500 ANY Forward, Forward
299 VRF 0  11 192.168.11.41/4500 ANY Forward, Forward
200000199 VRF 0  11 ANY/848 ANY Forward, Forward
200000299 VRF 0  11 ANY ANY/848 Forward, Forward
6553700000000000101 VRF 0  2F 192.168.11.41 192.168.11.42 Discard/notify, Encrypt
6553700000000000199 VRF 0  2F 192.168.11.41 192.168.11.42 Discard/notify, Discard/notify


------------------ show processes memory | include  Crypto IKMP ------------------

260   0       5432        880      18424          3          3 Crypto IKMP    

------------------ show processes cpu |  include Crypto IKMP ------------------

260           0           6          0  0.00%  0.00%  0.00%   0 Crypto IKMP     

------------------ show crypto eli ------------------


Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1

CryptoEngine Onboard VPN details: state = Active
Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA

IPSec-Session :     0 active,  3200 max, 0 failed


------------------ show cry engine accelerator statistic ------------------

Device:   Onboard VPN
Location: Onboard: 0
    :Statistics for encryption device since the last clear
     of counters 1826 seconds ago
                  0 packets in                           0 packets out          
                  0 bytes in                             0 bytes out            
                  0 paks/sec in                          0 paks/sec out         
                  0 Kbits/sec in                         0 Kbits/sec out        
                  0 packets decrypted                    0 packets encrypted    
                  0 bytes before decrypt                 0 bytes encrypted      
                  0 bytes decrypted                      0 bytes after encrypt  
                  0 packets decompressed                 0 packets compressed   
                  0 bytes before decomp                  0 bytes before comp    
                  0 bytes after decomp                   0 bytes after comp     
                  0 packets bypass decompr               0 packets bypass compres
                  0 bytes bypass decompres               0 bytes bypass compressi
                  0 packets not decompress               0 packets not compressed
                  0 bytes not decompressed               0 bytes not compressed 
                  1.0:1 compression ratio                1.0:1 overall
        Last 5 minutes:
                  0 packets in                           0 packets out          
                  0 paks/sec in                          0 paks/sec out         
                  0 bits/sec in                          0 bits/sec out         
                  0 bytes decrypted                      0 bytes encrypted      
                  0 Kbits/sec decrypted                  0 Kbits/sec encrypted  
                  1.0:1 compression ratio                1.0:1 overall


------------------ show cry isakmp diagnose error ------------------

Exit Path Table - status: disable, current entry 0, deleted 0, max allow 10

------------------ show cry isakmp diagnose error count ------------------

Exit Trace counters


------------------ show crypto call admission statistics ------------------

---------------------------------------------------------------------
               Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit:        0 Max IKE SAs:     0 Max in nego:  1000
Total IKE SA Count:           0 active:          0 negotiating:     0
Incoming IKE Requests:        0 accepted:        0 rejected:        0
Outgoing IKE Requests:        0 accepted:        0 rejected:        0
Rejected IKE Requests:        0 rsrc low:        0 Active SA limit: 0
                                                   In-neg SA limit: 0
IKE packets dropped at dispatch:        0

Max IPSEC SAs:     0
Total IPSEC SA Count:           0 active:          0 negotiating:     0
Incoming IPSEC Requests:        0 accepted:        0 rejected:        0
Outgoing IPSEC Requests:        0 accepted:        0 rejected:        0

Phase1.5 SAs under negotiation:         0


sho ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
Embedded-Service-Engine0/0 unassigned      YES NVRAM  administratively down down   
GigabitEthernet0/0         192.168.1.40    YES NVRAM  up                    up     
GigabitEthernet0/1         192.168.11.41   YES NVRAM  up                    up     
GigabitEthernet0/2         unassigned      YES NVRAM  administratively down down   
Tunnel0                    unassigned      YES unset  up                    down   
Tunnel1                    192.168.100.1   YES NVRAM  up                    up     
happy#
happy#sho crypto pki cert verb
Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 3F51979A000000000012
  Certificate Usage: Signature
  Issuer:
    cn=dc-ca
    dc=csfc
    dc=com
  Subject:
    Name: happy.csfc
    cn=happy.csfc
    c=us
  CRL Distribution Points:
    ldap:///CN=dc-ca,CN=DC,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=csfc,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Validity Date:
    start date: 18:52:56 UTC Mar 1 2013
    end   date: 18:52:56 UTC Mar 1 2015
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    EC Public Key:  (256 bit)
  Signature Algorithm: SHA256 with ECDSA
  Fingerprint MD5: BF234623 9E7F2C73 EBE07B0A 9E89FC76
  Fingerprint SHA1: DB8A8D50 23D9E2DD AC2ED2DC 5A857569 279F44D5
  X509v3 extensions:
    X509v3 Key Usage: C0000000
      Digital Signature
      Non Repudiation
    X509v3 Subject Key ID: 2DCC8D55 4A4853C4 C03B3D24 00E3EA45 9406B5AE
    X509v3 Authority Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
    Authority Info Access:
    Extended Key Usage:
        1.3.6.1.5.5.8.2.2
  Associated Trustpoints: dc-ca
  Storage: nvram:dc-ca#12.cer
  Key Label: happy.csfc.com
  Key storage device: private config

CA Certificate
  Status: Available
  Version: 3
  Certificate Serial Number (hex): 2C8A76A7904BB4B341B3AAFA9ED387D3
  Certificate Usage: Signature
  Issuer:
    cn=dc-ca
    dc=csfc
    dc=com
  Subject:
    cn=dc-ca
    dc=csfc
    dc=com
  Validity Date:
    start date: 15:28:45 UTC Jan 23 2013
    end   date: 15:38:44 UTC Jan 23 2018
  Subject Key Info:
    Public Key Algorithm: rsaEncryption
    EC Public Key:  (256 bit)
  Signature Algorithm: SHA256 with ECDSA
  Fingerprint MD5: 1F937411 4DB57036 73D54124 E50E83FC
  Fingerprint SHA1: E78FE0BF DF5F168A 67860C48 78EC427C 66FE551A
  X509v3 extensions:
    X509v3 Key Usage: 86000000
      Digital Signature
      Key Cert Sign
      CRL Signature
    X509v3 Subject Key ID: 2389F565 83FCB73D 3F1179A4 7EAB9672 1E7681AA
    X509v3 Basic Constraints:
        CA: TRUE
    Authority Info Access:
  Associated Trustpoints: dc-ca
  Storage: nvram:dc-ca#87D3CA.cer


happy#sho crypt key mypubkey all
% Key pair was generated at: 18:44:07 UTC Mar 1 2013
Key name: eckey
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
  30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 4200049A 28E9709A
  2F81DEE9 9ED27787 B790D3B4 487B3F2D DBA06E95 43298A54 19A3B0B7 E9107223
  5CB9F3CD 9D8BD0E9 9AB9FFC4 698C1912 CBADC469 9E7CD6D3 46E5A2
% Key pair was generated at: 18:49:21 UTC Mar 1 2013
Key name: happy.csfc.com
Key type: EC KEYS
Storage Device: private-config
Usage: Signature Key
Key is not exportable.
Key Data:
  30593013 06072A86 48CE3D02 0106082A 8648CE3D 03010703 42000429 D4D8F89E
  295BF7AF 826F86A3 F29DEF48 FCFFD237 4B0FD39C D393620D 3EFDD484 BFA43ED0
  8E167FDF 839D0FF8 569026C0 545C1B56 EC177A2E 6C1D5D1A 6CD8DD
happy#  sho crypto ike2 v2 session detail
IPv4 Crypto IKEv2 Session

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         192.168.11.41/500     192.168.11.42/500     none/none            READY 
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
      Life/Active Time: 86400/339 sec
      CE id: 1084, Session-id: 1
      Status Description: Negotiation done
      Local spi: 239BE9D173BFD509       Remote spi: C7A295975E26147B
      Local id: cn=happy.csfc,c=us
      Remote id: cn=grumpy.csfc,c=us
      Local req msg id:  0              Remote req msg id:  2        
      Local next msg id: 0              Remote next msg id: 2        
      Local req queued:  0              Remote req queued:  2        
      Local window:      5              Remote window:      5        
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected 
      Cisco Trust Security SGT is disabled
Child sa: local selector  192.168.11.41/0 - 192.168.11.41/65535
          remote selector 192.168.11.42/0 - 192.168.11.42/65535
          ESP spi in/out: 0xBF473CF2/0x1DF8CFFA 
          AH spi in/out: 0x0/0x0 
          CPI in/out: 0x0/0x0 
          Encr: AES-CBC, keysize: 128, esp_hmac: SHA256
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

IPv6 Crypto IKEv2 Session

happy#sho crypto ikev2 session sa detail
IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         192.168.11.41/500     192.168.11.42/500     none/none            READY 
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: ECDSA, Auth verify: ECDSA
      Life/Active Time: 86400/386 sec
      CE id: 1084, Session-id: 1
      Status Description: Negotiation done
      Local spi: 239BE9D173BFD509       Remote spi: C7A295975E26147B
      Local id: cn=happy.csfc,c=us
      Remote id: cn=grumpy.csfc,c=us
      Local req msg id:  0              Remote req msg id:  2        
      Local next msg id: 0              Remote next msg id: 2        
      Local req queued:  0              Remote req queued:  2        
      Local window:      5              Remote window:      5        
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected 
      Cisco Trust Security SGT is disabled

IPv6 Crypto IKEv2  SA

happy#sho crypto ikev2 sa detail         stats
--------------------------------------------------------------------------------
                          Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit:   0        Max IKEv2 SAs: 0        Max in nego: 1000   
Total IKEv2 SA Count:    1        active:        1        negotiating: 0    
Incoming IKEv2 Requests: 34       accepted:      34       rejected:    0      
Outgoing IKEv2 Requests: 50       accepted:      50       rejected:    0      
Rejected IKEv2 Requests: 0        rsrc low:      0        SA limit:    0      
IKEv2 packets dropped at dispatch: 0      
Incoming IKEV2 Cookie Challenged Requests: 0      
    accepted: 0        rejected: 0        rejected no cookie: 0      

happy#exit

Hi pjetupjetu,

I need some help regarding the remote/local auth option in an IKEv2 profile.
I need to have two options, RSA & ECDSA, as I found in this discussion.
I know this is an old discussion, but if you pjetupjetu or anyone else can comment on my question, related to this part of the config that pjetupjetu listed here:
crypto ikev2 profile default
match certificate CRT
identity local dn
authentication local ecdsa-sig
authentication remote rsa-sig
authentication remote ecdsa-sig
pki trustpoint dc-ca

So I am interested in how to get two different auth options for remote and local authentication in the same crypto ikev2 profile.

I have this sw:
Cisco IOS XE Software, Version 16.06.07
which is newer than what pjetupjetu used at the time of his post, but I can't get this.
If I try to configure an additional
authentication local ecdsa
when I already have:
authentication local rsa
then the existing rsa is overwritten with ecdsa...

BR,
jivo

Make a new post.

MHM