06-27-2019 01:09 AM - edited 06-27-2019 01:24 AM
Hi all,
We've posted various bits on this and got some help back, but we've not got any further. We've got an ISR4431 that we have installed and configured AnyConnect/FlexVPN on with a 3rd party cert, but cannot get any clients to connect. The DART results show the errors:
CERTIFICATE_ERROR_VERIFY_ENHKEYUSAGE_NOT_FOUND:No Extended Key Usages were found in the certificate
and
Number of certificates found in the machine certificate store: 0
even though we've installed the cert to the machine store on the test machine
(also getting HTTP_PROBE_ASYNC_ERROR_BAD_STATUS)
We've set the profile XML to SSL and both EAP-AnyConnect and IKE-RSA to test, but nothing works.
This is the config below (company policy says we can't normally post this, but we're getting nowhere):
company2#sh run
Building configuration...
Current configuration : 16098 bytes
!
! Last configuration change at 18:47:41 GMT Wed Jun 26 2019 by ictadmin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname company2
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Y1st$Y7mKB1FxUfEpukhM9Mf39.
enable password 7 044F18130D204747584B56
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login anyconnect_aaa local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
!
!
crypto pki trustpoint secure.company.co.uk
enrollment terminal
serial-number
fqdn secure.company.co.uk
subject-name CN=secure.company.co.uk,OU=ICT,O=companyMoto,C=GB,St=Nottingham,L=Annesley
revocation-check crl
rsakeypair secure.company.co.uk
!
!
crypto pki certificate chain secure.company.co.uk
certificate 0E4E95B9996BAF7C9A55F133CBE2FC22
308205B6 3082049E A0030201 0202100E 4E95B999 6BAF7C9A 55F133CB E2FC2230
0D06092A 864886F7 0D01010B 0500305E 310B3009 06035504 06130255 53311530
13060355 040A130C 44696769 43657274 20496E63 31193017 06035504 0B131077
77772E64 69676963 6572742E 636F6D31 1D301B06 03550403 13144765 6F547275
73742052 53412043 41203230 3138301E 170D3139 30363235 30303030 30305A17
0D313930 37323531 32303030 305A301F 311D301B 06035504 03131473 65637572
652E7473 7562616B 692E636F 2E756B30 82012230 0D06092A 864886F7 0D010101
05000382 010F0030 82010A02 82010100 9FDE1F79 AFA3AC18 F6DA899B 0C189375
FEFBE5F8 7CE1056F BBBB7452 BEB72923 C0ACE22B 26F460DB BADA575E 3EB4814D
33C5F5DE A44D4F0E 07549361 C475BB7E 28FB725D CE610328 88441875 9F2BF2E1
DD098580 5ACA6CE1 FB235C8B 0B82A121 1789BE60 A6DB5146 8572AB3A 0AB82D37
BBF0F27B 52DFA35B C079F6BD 055B5745 99C5248F 16CFD0DC B447BDAC 5A25750E
7FA1BE5E C89F0264 EE36A59E 7437061C 897B2990 957F64D4 2578E9CB 6E857F1B
28C4C410 AE9499A0 EC5ED14B 941E04F3 6684D6BB 688C17F1 327C80B9 E6405E7E
1308E918 26788DCD A23EDB9E 21BF1EFD 52603078 DA62E2CB B05724D1 857151FC
3BF32B4C 65F282A1 244E9EF0 A002BCDD 02030100 01A38202 AD308202 A9301F06
03551D23 04183016 80149058 FFB09C75 A8515477 B1EDF2A3 4316389E 6CC5301D
0603551D 0E041604 14EB7CE7 67F6BE08 058F0EC8 015D83FF C278F159 D1301F06
03551D11 04183016 82147365 63757265 2E747375 62616B69 2E636F2E 756B300E
0603551D 0F0101FF 04040302 05A0301D 0603551D 25041630 1406082B 06010505
07030106 082B0601 05050703 02303E06 03551D1F 04373035 3033A031 A02F862D
68747470 3A2F2F63 64702E67 656F7472 7573742E 636F6D2F 47656F54 72757374
52534143 41323031 382E6372 6C304C06 03551D20 04453043 30370609 60864801
86FD6C01 02302A30 2806082B 06010505 07020116 1C687474 70733A2F 2F777777
2E646967 69636572 742E636F 6D2F4350 53300806 0667810C 01020130 7506082B
06010505 07010104 69306730 2606082B 06010505 07300186 1A687474 703A2F2F
73746174 75732E67 656F7472 7573742E 636F6D30 3D06082B 06010505 07300286
31687474 703A2F2F 63616365 7274732E 67656F74 72757374 2E636F6D 2F47656F
54727573 74525341 43413230 31382E63 72743009 0603551D 13040230 00308201
05060A2B 06010401 D6790204 020481F6 0481F300 F1007700 BBD9DFBC 1F8A71B5
93942397 AA927B47 3857950A AB52E81A 90966436 8E1ED185 0000016B 8F10DA73
00000403 00483046 022100A6 21C67EAC 2616978B 43F937B6 65C5C813 DED17493
EEDC000B 00E9C0C1 83E3B602 2100B6F9 32EEAD53 A9302AE9 E77D6452 3EDF31B5
428C12AA 114C928A 285F51D2 A5CB0076 008775BF E7597CF8 8C43995F BDF36EFF
568D4756 36FF4AB5 60C1B4EA FF5EA083 0F000001 6B8F10DB 0A000004 03004730
45022003 375C7679 BDE4A26C E12F6DFA 9624FDD0 F1DF73C7 03FDF47F 1B97B15C
35164A02 2100D23B 1638E5E9 D42961A7 0E46B7FB 720083AC BA0DC873 FBDA8ECC
FBD6C81E 88D7300D 06092A86 4886F70D 01010B05 00038201 01009908 B65A7DC1
8372B191 30A4C3B1 D0BB07E9 9F64CF3B BA062FA7 1AD900CA 4FA0C091 4D2953F0
398DA302 A2E05D21 1B0AA5DA 5CC0825E B3E72BDA E33CE62A 6E1C0DD0 CEC86925
EC941EBD D1837902 AAD2683C D113EFE7 25E74802 5ECA9414 75D6AC92 1644E4AC
55A02122 DA72F350 C32A6F9B 3F6648EB B1508032 2B1AF883 FC0392BC F2B89640
F3457A00 ADBD9EEE 091D9D70 C1F7FE45 F0F5C810 792FC2AD D82C8BAA 5C99DC30
D841C9B8 7C85E19D 19E23007 C18AAC9F ADA69392 E36BA6A5 629EA36C 204554C4
ED2B3947 DF59694F 2C59949E CE0BFE3B F4AC906B 7D9FBDA7 62C64108 2CD8173F
1BE32DC2 2E2CB660 A6022E3A D99F823F 6DB159BD DDEF9F71 98DC
quit
certificate ca 0546FE1823F7E1941DA39FCE14C46173
3082048B 30820373 A0030201 02021005 46FE1823 F7E1941D A39FCE14 C4617330
0D06092A 864886F7 0D01010B 05003061 310B3009 06035504 06130255 53311530
13060355 040A130C 44696769 43657274 20496E63 31193017 06035504 0B131077
77772E64 69676963 6572742E 636F6D31 20301E06 03550403 13174469 67694365
72742047 6C6F6261 6C20526F 6F742043 41301E17 0D313731 31303631 32323334
355A170D 32373131 30363132 32333435 5A305E31 0B300906 03550406 13025553
31153013 06035504 0A130C44 69676943 65727420 496E6331 19301706 0355040B
13107777 772E6469 67696365 72742E63 6F6D311D 301B0603 55040313 1447656F
54727573 74205253 41204341 20323031 38308201 22300D06 092A8648 86F70D01
01010500 0382010F 00308201 0A028201 0100BF8A D1634DE1 18EA875D E8163C8F
7FB6BE87 1737A40C F8313F9F 45544021 D79D079B CA03234A BD9BED85 02633F9F
85B9EC28 EFF28622 DBF84D54 41C5B442 7FCF3317 010E8290 52D3C734 A4C1A101
DA32A040 AD1F59E4 33FCA0C3 96AC686C D3E89973 8C261077 CBB73F39 32E8D259
28EE0786 E2093B85 F8AA69F6 A96B9F58 AD72C85B 8766AE08 E074FB2D 53436283
3D8F854C 1197DC1E FC5030B8 8308325E 5C5CC4E1 75204AEB A5D6752D DC2D7D7C
E0D0FE7C 75A14E40 02849AD9 0D5A2EA0 ACF3358A 2AEAD65A 5A6C8E2C ABF6DEFD
78472679 7AAA22EA A9E67112 03D3F8BA 53D2799C BD64ACF6 1B63BB4D 8F3802F8
F0575DC5 AA255A0C 5DC530FE 2053196C E9C30203 010001A3 82014030 82013C30
1D060355 1D0E0416 04149058 FFB09C75 A8515477 B1EDF2A3 4316389E 6CC5301F
0603551D 23041830 16801403 DE503556 D14CBB66 F0A3E21B 1BC397B2 3DD15530
0E060355 1D0F0101 FF040403 02018630 1D060355 1D250416 30140608 2B060105
05070301 06082B06 01050507 03023012 0603551D 130101FF 04083006 0101FF02
01003034 06082B06 01050507 01010428 30263024 06082B06 01050507 30018618
68747470 3A2F2F6F 6373702E 64696769 63657274 2E636F6D 30420603 551D1F04
3B303930 37A035A0 33863168 7474703A 2F2F6372 6C332E64 69676963 6572742E
636F6D2F 44696769 43657274 476C6F62 616C526F 6F744341 2E63726C 303D0603
551D2004 36303430 32060455 1D200030 2A302806 082B0601 05050702 01161C68
74747073 3A2F2F77 77772E64 69676963 6572742E 636F6D2F 43505330 0D06092A
864886F7 0D01010B 05000382 01010030 F187553D 8408FC2E 5E6ABA7C D2CDD52C
E3BE02DA 5D8977ED F4E956C0 92F02A55 2D45F71C 2A3F105B F3E9E1BE E1E90025
B9F7A3C1 031BE39E 4E8E921B 099552F9 AC18FD1F 29018B17 0A7334F4 671255EE
22BCCB30 CA80993F FBCF127F CB3D1847 85D8143E 4F0C943F 7BF511A8 516CFBA8
6030A890 A18B6F2E 45DB37B6 1C7EBD16 5921B132 67AD8DA3 4B493F3B 12192CFC
9D0FFF8C FF01230A F3040507 E5670101 B9AF8167 EB29CBAF F8FC863E A45C7384
F9E53973 AC19F303 3677A029 68F5F4EF 3BD3EE88 730AAC2E 95EA6822 D2CDAC6B
F81B5E53 C20FD676 E1750CC4 9125C085 530EE281 D10E1830 C967A4DF D00A1278
074005B1 0F835343 423BE7FB F177FB
quit
license udi pid ISR4331/K9 sn FDO21041AT4
license boot suite FoundationSuiteK9
!
spanning-tree extend system-id
!
username scsupport privilege 15 password 7 1501040A10292A30796166
username ictadmin privilege 15 secret 5 $1$kcmM$5dkOZ4RjoWxsfj6m/Qkki/
username companyict privilege 15 secret 5 $1$CXwV$CUAMtm8.f6o1GkOzXbUE/1
username ict password 7 0719391E1A43485505170F1F
!
redundancy
mode none
!
crypto ikev2 authorization policy anyconnect-local-policy-1
pool anyconnect_pool-1
dns 192.168.2.211
netmask 255.255.192.0
def-domain company.co.uk
!
crypto ikev2 proposal IKEv2-prop1
encryption aes-cbc-256
integrity sha256
group 2
crypto ikev2 proposal ikev2-prop1
encryption aes-cbc-256
integrity sha256
group 2
!
crypto ikev2 policy IKEv2-prop1
proposal IKEv2-prop1
!
!
crypto ikev2 profile anyconnect-ikev2-profile-1
match identity remote key-id secure.company.co.uk
identity local dn
authentication local rsa-sig
authentication remote rsa-sig
pki trustpoint secure.company.co.uk
dpd 60 2 on-demand
aaa authentication eap anyconnect_aaa
aaa authorization group eap list anyconnect_aaa-1 anyconnect_aaa-local-policy-1
virtual-template 10
!
crypto ikev2 profile secure.company.co.uk
! Profile incomplete (no local and/or remote authentication method specified)
match identity remote key-id secure.company.co.uk
identity local dn
authentication local rsa-sig
!
!
!
vlan internal allocation policy ascending
!
track 10 ip sla 1 reachability
!
!
!
!
!
!
!
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.5.03040-webdeploy-k9.pkg sequence 1
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 20
authentication pre-share
lifetime 28800
crypto isakmp key LvkBGk97v6 address 159.18.176.101
crypto isakmp key @jasdjgGJUIH87!* address 194.15.51.229
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set NLSET esp-des esp-md5-hmac
mode tunnel
!
crypto ipsec profile VTI
set transform-set ESP-3DES-SHA1
!
crypto ipsec profile anyconnect-ipsec-profile-1
set ikev2-profile anyconnect-ikev2-profile-1
!
!
!
crypto map NLVPN 20 ipsec-isakmp
set peer 194.15.51.229
set transform-set NLSET
match address 101
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface Tunnel0
description crm Site to Site VPN
ip address 100.65.192.193 255.255.255.252
ip mtu 1350
ip nat outside
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 159.18.176.10
tunnel protection ipsec profile VTI
!
interface GigabitEthernet0/0/0
description LeasedLine
ip address xxx.xxx.xxx.xxx 255.255.255.252
ip nat outside
speed 1000
no negotiation auto
!
interface GigabitEthernet0/0/1
description BT FTTC
ip address dhcp
speed 100
no negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/2
description company_LAN
ip address 192.168.2.10 255.255.192.0
ip nat inside
speed 1000
no negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback0
!
interface Virtual-Template10 type tunnel
ip unnumbered GigabitEthernet0/0/0
tunnel protection ipsec profile anyconnect-ipsec-profile-1
!
interface Vlan1
no ip address
shutdown
!
interface Dialer0
no ip address
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname company@adsllogin.co.uk
ppp chap password 7 025E5D083B293F701E1759
ppp pap sent-username company@adsllogin.co.uk password 7 0914175A292A2743595554
ppp ipcp dns request
crypto map NLVPN
!
ip local pool anyconnect_pool 192.168.5.100 192.168.5.200
ip nat inside source static 192.168.2.111 100.65.192.117
ip nat inside source static 192.168.2.110 100.65.192.118
ip nat inside source static 192.168.2.112 100.65.192.119
ip nat inside source static 192.168.3.35 100.65.192.120
ip nat inside source static 192.168.2.107 100.65.192.121
ip nat inside source static 192.168.3.29 100.65.192.122
ip nat inside source static 192.168.3.30 100.65.192.123
ip nat inside source static 192.168.3.28 100.65.192.124
ip nat inside source static 192.168.3.32 100.65.192.125
ip nat inside source static 192.168.3.38 100.65.192.126
ip nat inside source static 192.168.3.40 100.65.192.127
ip nat inside source static 192.168.2.108 100.65.192.128
ip nat inside source static 192.168.3.6 100.65.192.134
ip nat inside source static tcp 192.168.2.9 8888 xxx.xxx.xxx.xxx 656 extendable
ip nat inside source static tcp 192.168.2.13 5555 xxx.xxx.xxx.xxx 5555 extendable
ip nat inside source route-map leasedline interface GigabitEthernet0/0/0 overload
ip nat inside source route-map pppoe interface Dialer1 overload
ip nat inside source list 100 interface Tunnel0 overload
ip forward-protocol nd
ip ftp username ict
ip ftp password 7 120F1D4546415D54382E203B
ip http server
ip http authentication local
ip http secure-server
ip tftp source-interface GigabitEthernet0/0/2
ip dns server
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 167.3.137.109 255.255.255.255 Tunnel0
ip route 167.3.137.110 255.255.255.255 Tunnel0
ip route 167.3.137.111 255.255.255.255 Tunnel0
ip route 167.3.137.112 255.255.255.255 Tunnel0
ip route 167.3.137.113 255.255.255.255 Tunnel0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
ip access-list extended TAC
permit ip any host 192.168.2.18
permit ip host 192.168.2.18 any
!
ip sla 1
icmp-echo xxx.xxx.xxx.xxx source-interface GigabitEthernet0/0/0
threshold 2
timeout 100
frequency 3
ip sla schedule 1 life forever start-time now
logging trap notifications
logging facility local0
logging host 192.168.2.18
access-list 1 permit 192.128.0.0 0.63.255.255
access-list 20 permit 192.168.0.0 0.0.63.255
access-list 100 permit ip 192.168.0.0 0.0.63.255 167.3.137.108 0.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.63.255 167.3.137.110 0.0.0.1
access-list 100 permit ip 192.168.0.0 0.0.63.255 167.3.137.112 0.0.0.1
access-list 100 permit ip host 100.65.192.229 167.3.137.108 0.0.0.1
access-list 100 permit ip host 100.65.192.229 167.3.137.110 0.0.0.1
access-list 100 permit ip host 100.65.192.229 167.3.137.112 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 167.3.137.110 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 167.3.137.108 0.0.0.1
access-list 101 deny ip 192.168.0.0 0.0.63.255 167.3.137.112 0.0.0.1
access-list 101 permit ip 192.168.0.0 0.0.63.255 any
access-list 101 permit icmp any any
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 103 permit ip any any
access-list 103 permit icmp any any
dialer-list 1 protocol ip permit
!
route-map leasedline permit 10
match ip address 101
match interface GigabitEthernet0/0/0
!
route-map MeTools permit 10
match ip address 105
match interface Dialer1
!
route-map pppoe permit 10
match ip address 103
match interface Dialer1
!
snmp-server community public RO
snmp-server community private RW
!
!
!
!
control-plane
!
banner motd ^CC
WARNING: IF YOU ARE NOT AUTHORIZED TO ACCESS THIS SYSTEM OR IF YOU
INTEND TO USE THIS SYSTEM BEYOND THE SCOPE OF YOUR AUTHORIZATION,
DISCONNECT IMMEDIATELY.
This computer system is for authorized users only. Individuals
using this system without authority, or in excess of their
authority, are subject to having all of their activities monitored
and recorded by system personnel. In the course of monitoring
individuals improperly using this system or in the course of system
maintenance, the activities of authorized users may also be
monitored. Anyone using this system expressly consents to such
monitoring and is advised that if such monitoring reveals possible
evidence of criminal activity, system personnel may provide
monitoring information and logs as evidence to law enforcement
officials. Crimes may be prosecuted to the fullest extent possible
under state and federal law.
^C
!
line con 0
password 7 105A1A0C071619025D5679
stopbits 1
line aux 0
stopbits 1
line vty 0
privilege level 15
password 7 014B0A11550F031D7914160B360423
transport input ssh
line vty 1 4
privilege level 15
transport input ssh
line vty 5 14
privilege level 15
transport input ssh
line vty 15
privilege level 15
logging synchronous
transport input ssh
!
ntp server 0.uk.pool.ntp.org
!
end
company2#
06-27-2019 01:50 AM
Just as a note while testing: if I set the client profile to use the machine store it just shows as connection failed, but if I choose user store then it says no valid certificates?
Not sure if this helps?
Thanks
06-27-2019 02:20 AM
If you are using a 3rd party certificate, are you issuing a unique certificate to the router and each device that's authenticating? Or exporting the certificate with its private key and importing it? That's not secure. Use an internal certificate (preferably a Microsoft CA or even Cisco IOS) to issue a unique certificate to the router and each computer.
Your IKEv2 profile is configured for rsa-sig, so only IKE-RSA authentication will work with your profile configuration.
Your IPsec profile is incomplete; reference either of the 2 transform sets you've defined.
Remove the other IKEv2 profile (secure.company.co.uk), as it's using the same remote key-id as the other profile and could cause a conflict, once you've resolved all the other issues.
Define the source interface under the Virtual-Template.
As I mentioned in your other post, you've defined "aaa authentication eap..." and "aaa authorization group..." commands; these are not doing anything as the authentication is rsa-sig. Also, the aaa authorization rule is referencing a method list that doesn't exist and an IKEv2 authorization profile that doesn't exist. Remove them.
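Putting the points in the reply above together, the following is what the FlexVPN server side of the posted config looks like once they are applied. This is an added example written for this thread, not the poster's own config and not taken from Cisco documentation. Names are reused from the config above; the `aaa authorization network` list, the `match identity remote any` match, the AES/SHA-256 transform set and `tunnel mode ipsec ipv4` on the virtual template are assumptions about how the missing pieces would be filled in. One further mismatch visible in the posted config is also corrected: the authorization policy refers to `pool anyconnect_pool-1` while the defined pool is `ip local pool anyconnect_pool`.

```cisco
! A network authorization list is what "aaa authorization group ... list" expects.
! (assumption: the posted config only defines "aaa authentication login" lists)
aaa authorization network anyconnect_aaa local
!
! Authorization policy: the pool name must match the "ip local pool" line.
crypto ikev2 authorization policy anyconnect-local-policy-1
 pool anyconnect_pool
 dns 192.168.2.211
 netmask 255.255.192.0
 def-domain company.co.uk
!
ip local pool anyconnect_pool 192.168.5.100 192.168.5.200
!
! One IKEv2 profile only: certificate authentication in both directions,
! the EAP authentication line and the non-existent EAP list are gone, and the
! duplicate profile "secure.company.co.uk" is removed (no crypto ikev2 profile
! secure.company.co.uk). "match identity remote any" is an assumption; a
! "match certificate <map>" against the issuing CA is the tighter choice.
crypto ikev2 profile anyconnect-ikev2-profile-1
 match identity remote any
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint secure.company.co.uk
 dpd 60 2 on-demand
 aaa authorization group cert list anyconnect_aaa anyconnect-local-policy-1
 virtual-template 10
!
! The IPsec profile needs a transform set as well as the IKEv2 profile.
! The reply suggests reusing one of the two existing sets; an AES/SHA-256 set
! is used here instead (assumption) because both existing sets are 3DES/DES.
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile anyconnect-ipsec-profile-1
 set transform-set ESP-AES256-SHA256
 set ikev2-profile anyconnect-ikev2-profile-1
!
! Virtual template with an explicit tunnel mode and source interface.
interface Virtual-Template10 type tunnel
 ip unnumbered GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel source GigabitEthernet0/0/0
 tunnel protection ipsec profile anyconnect-ipsec-profile-1
```

After applying this, `show crypto ikev2 sa` and `show crypto ikev2 session detail` on the router show whether the client gets past IKE_AUTH; if it still fails with the certificate error from the first post, the problem is on the client certificate (missing Extended Key Usage, or not in the machine store), not in this configuration.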
06-29-2019 08:49 AM
I've managed to set the ISR up as a CA and I can create a CSR request from Windows 7, but can't find the command to copy/paste it into the Cisco to obtain the machine cert? If someone could give me an idea then I think we might be about there?
Thanks
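For the step asked about in the last post, the following shows an IOS certificate server on the ISR and the exec-mode commands used to sign a PKCS#10 request pasted in at the terminal. This is an added example for this thread, not the poster's configuration; the server label `FLEX-CA`, the issuer name and the lifetimes are assumptions, and the prompts the router prints are described rather than quoted. Because the first DART error in this thread is about a missing Extended Key Usage, the issued certificate should be checked on the Windows side for the Client Authentication EKU before retesting.

```cisco
! IOS certificate server on the ISR (label and lifetimes are assumed).
! No "grant" line is configured, so every request stays pending until an
! administrator grants it by hand (the default behaviour).
crypto pki server FLEX-CA
 database level complete
 issuer-name CN=FLEX-CA,O=companyMoto,C=GB
 lifetime ca-certificate 1825
 lifetime certificate 365
 no shutdown
!
! Exec-mode commands (shown here as comments) once the Windows machine has
! produced its base64/PEM CSR:
!
! company2# crypto pki server FLEX-CA request pkcs10 terminal pem
!   The router asks for the request; paste the CSR text, then type "quit"
!   on a line of its own. The router reports the pending request ID.
!
! company2# crypto pki server FLEX-CA info requests
!   Lists pending requests with their ID and subject, so the subject can be
!   checked against the machine it is meant for before anything is signed.
!
! company2# crypto pki server FLEX-CA grant <request-id>
!   Signs the request; the certificate is printed in PEM form for pasting
!   back into the Windows machine store (where the pending request lives).
!
! company2# show crypto pki server
!   Confirms the CA is enabled and shows the CA certificate fingerprint,
!   which the client should trust before it trusts anything signed by it.
```

Granting by request ID rather than configuring automatic granting keeps a human in the loop for each machine certificate, which is the "unique certificate per device" model recommended earlier in the thread.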