01-15-2025 04:38 AM
Hi
strongSwan shows the below when setting up a VPN with the 8500CL. I know there is a Cisco bug: https://bst.cisco.com/quickview/bug/CSCuw01249. Do I need to upgrade to the latest version for my server?
Thank you
[IKE] received issuer cert "C=CA, O=Spacebridge, CN=Spacebridge root CA"
16[CFG] looking for peer configs matching 192.168.250.1[%any]...192.168.250.124[cisco.ca]
16[CFG] selected peer config 'home'
16[CFG] using trusted certificate "CN=idu1, unstructuredName=cisco1"
16[CFG] using trusted ca certificate "C=CA, O=Spacebridge, CN=Spacebridge root CA"
16[CFG] reached self-signed root ca with a path length of 0
16[CFG] checking certificate status of "CN=idu1, unstructuredName=cisco1"
16[CFG] certificate status is not available
16[IKE] signature validation failed, looking for anot
01-15-2025 05:00 AM
What makes you think you hit this bug? This bug is related to a firewall device. I don't see the 8500CL in the affected devices.
01-15-2025 05:39 AM
Can I see the IKEv2 profile config?
MHM
01-15-2025 05:45 AM
IKEv2 profile: ING_PROFILE
Shutdown : No
Ref Count: 3
Match criteria:
Fvrf: any
Local address/interface: none
Identities:
fqdn idu1
Certificate maps: none
Local identity: fqdn cisco.ca
Remote identity: none
Local authentication method: rsa-sig
Remote authentication method(s): rsa-sig
EAP options: none
Keyring: ING_KEYRING
Trustpoint(s):
ING_OPENSSL
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
01-15-2025 05:50 AM
Trustpoint(s):
ING_OPENSSL <<- does this trustpoint point to the correct CA or sub CA?
MHM
01-15-2025 07:11 AM
I can enroll a CSR, authenticate and import INT_OPENSSL on the 8500.
Actually, it is working with the 2900. I just have a problem with the 8500.
Below is the log of the 2900:
IKEv2 profile: IKEv2-Profile
Ref Count: 3
Match criteria:
Fvrf: any
Local address/interface:
1.2.3.4
Identities: any
Certificate maps: none
Local identity: DN
Remote identity: none
Local authentication method: rsa-sig
Remote authentication method(s): rsa-sig
EAP options: none
Keyring: none
Trustpoint(s):
ING
Lifetime: 86400 seconds
DPD: interval 300, retry-interval 5, periodic
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
2[CFG] certificate status is not available
12[IKE] authentication of 'CN=Spacebridge root CA, O=Spacebridge, C=CA' with RSA signature successful
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
12[IKE] authentication of 'C=CA, ST=Some-State, O=SpaceBridge' (myself) with RSA signature successful
12[IKE] sending end entity cert "C=CA, ST=Some-State, O=SpaceBridge"
12[IKE] IKE_SA home[3] established between 192.168.254.111[C=CA, ST=Some-State, O=SpaceBridge]...192.168.254.124[CN=Spacebridge root CA, O=Spacebridge, C=CA]
12[IKE] scheduling rekeying in 13027s
12[IKE] maximum IKE_SA lifetime 14467s
01-15-2025 07:14 AM
On the 8500:
ASA1#show crypto pki trustpoints ING_OPENSSL
Trustpoint ING_OPENSSL:
Subject Name:
cn=Spacebridge root CA
o=Spacebridge
c=CA
Serial Number (hex): 3CA6C2EC7D8810D7
Certificate configured.
01-15-2025 08:41 AM
strongSwan doesn't have OCSP or CRL to check the status of the Cisco cert. That's why the cert is rejected.
Check the link I shared.
Thanks
MHM
01-15-2025 09:01 AM
If I start IPsec from strongSwan, now Cisco complains about a bad hash and fails to verify:
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Searching Policy with fvrf 0, local address 192.168.250.124
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Found Policy 'ING_POLICY'
*Jan 15 17:04:35.747: IKEv2:not a VPN-SIP session
*Jan 15 17:04:35.747: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
*Jan 15 17:04:35.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint ING_OPENSSL
*Jan 15 17:04:35.747: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Verify peer's policy
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Peer's policy verified
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Get peer's authentication method
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Peer's authentication method is 'RSA'
*Jan 15 17:04:35.747: IKEv2:Validation list created with 1 trustpoints
*Jan 15 17:04:35.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
*Jan 15 17:04:35.748: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
*Jan 15 17:04:35.749: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain FAILED
*Jan 15 17:04:35.749: IKEv2-ERROR:(SESSION ID = 99,SA ID = 1):: Failed to validate the certificate
*Jan 15 17:04:35.750: IKEv2:(SESSION ID = 99,SA ID = 1):Verify cert failed
*Jan 15 17:04:35.750: IKEv2:(SESSION ID = 99,SA ID = 1):Verification of peer's authentication data FAILED
01-15-2025 09:12 AM
In Cisco use
revocation-check none
In strongSwan you need to disable revocation.
MHM
01-15-2025 09:41 AM
Same issue. I got exactly the same issue as https://lists.strongswan.org/pipermail/users/2022-September/015440.html
Trying to test with his patch, but it does not work, even though I can see strongSwan goes through his code/change.
swanctl --stats
uptime: 103 seconds, since Jan 15 17:48:55 2025
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 1327104, mmap 0, used 234064, free 1093040
loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem pkcs8 af-alg fips-prf gmp curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic tnc-tnccs led unity counters
01-15-2025 01:22 PM
Does the 8500 always run SHA256 in IKEv2 authentication, no matter what the proposal is?
01-15-2025 04:37 PM
Dear, I think I can fix the hash issue. Something was missing in the IKEv2 profile. Now it shows another issue:
*Jan 16 00:37:54.446: IKEv2:(SESSION ID = 116,SA ID = 1):Insert SA
*Jan 16 00:37:54.446: IKEv2:Searching Policy with fvrf 0, local address 192.168.250.124
*Jan 16 00:37:54.446: IKEv2:Found Policy 'ING_POLICY'
*Jan 16 00:37:54.446: IKEv2:(SESSION ID = 116,SA ID = 1):Processing IKE_SA_INIT message
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'ING_OPENSSL' 'ING_TEST_1' 'SLA-TrustPoint'
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 16 00:37:54.447: IKEv2:(SESSION ID = 116,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Jan 16 00:37:54.461: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 16 00:37:54.461: IKEv2:(SESSION ID = 116,SA ID = 1):Request queued for computation of DH key
*Jan 16 00:37:54.461: IKEv2:(SESSION ID = 116,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Request queued for computation of DH secret
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 16 00:37:54.469: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Generating IKE_SA_INIT message
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'ING_OPENSSL' 'ING_TEST_1' 'SLA-TrustPoint'
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Sending Packet [To 192.168.250.1:500/From 192.168.250.124:500/VRF i0:f0]
Initiator SPI : 4290CD2760A0738B - Responder SPI : 5D8B8E420D069D12 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Completed SA init exchange
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Starting timer (30 sec) to wait for auth message
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):Received Packet [From 192.168.250.1:500/To 192.168.250.124:500/VRF i0:f0]
Initiator SPI : 4290CD2760A0738B - Responder SPI : 5D8B8E420D069D12 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing ENCR payload
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing IDi payload IDi
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing CERT payload CERT
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing AUTH payload AUTH
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing SA payload SA
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing TSi payload TSi
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing TSr payload TSr
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing NOTIFY payload NOTIFY(Unknown - 16417)
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing NOTIFY payload NOTIFY(Unknown - 16420)
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):Stopping timer to wait for auth message
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):Checking NAT discovery
*Jan 16 00:37:55.317: IKEv2:(SESSION ID = 116,SA ID = 1):NAT not found
*Jan 16 00:37:55.317: IKEv2:(SESSION ID = 116,SA ID = 1):Searching policy based on peer's identity 'cn=Spacebridge root CA,o=Spacebridge,c=CA' of type 'DER ASN1 DN'
*Jan 16 00:37:55.318: IKEv2-ERROR:% IKEv2 profile not found
What does type 'DER ASN1 DN' mean?
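An added illustration, not from the thread, of how the ID type carried in the IKEv2 IDi payload feeds profile selection: it builds a constructed DER DN matching the peer identity in the log above, parses it back into the cn=...,o=...,c=... form IOS prints, and runs a simplified model of "match identity remote" over the two profiles shown earlier in the thread. The DER encoder/decoder, the profile model and the PROFILES_* dictionaries are assumptions written for this example, not IOS or strongSwan code.

```python
ID_FQDN, ID_DER_ASN1_DN = 2, 9                              # IKEv2 ID types, RFC 7296 s3.5
ID_TYPE_NAMES = {1: "address", 2: "fqdn", 3: "email", 9: "dn", 11: "key-id"}
# Minimal DER support for an X.500 DN (RDNSequence); short-form lengths only (bodies < 128 bytes).
OID_NAMES = {b"\x55\x04\x03": "cn", b"\x55\x04\x0a": "o", b"\x55\x04\x06": "c", b"\x55\x04\x08": "st"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}
def tlv(tag, body):
    assert len(body) < 128, "short-form length only (sample DNs are small)"
    return bytes([tag, len(body)]) + body

def encode_dn(attrs):
    """[(short_name, value), ...] -> DER RDNSequence (UTF8String for every value; constructed sample)."""
    rdns = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, NAME_OIDS[n]) + tlv(0x0c, v.encode())))
                    for n, v in attrs)
    return tlv(0x30, rdns)

def walk(buf):                      # yield (tag, body) for each TLV in buf
    i = 0
    while i < len(buf):
        tag, ln = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + ln]
        i += 2 + ln

def decode_dn(der):
    """Render a DER RDNSequence the way IOS prints it: cn=...,o=...,c=..."""
    parts = []
    for _, rdn in walk(der[2:]):            # each SET inside the outer SEQUENCE
        for _, atv in walk(rdn):            # each AttributeTypeAndValue SEQUENCE
            (_, oid), (_, val) = list(walk(atv))
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ",".join(parts)

def encode_id_payload(id_type, data):
    """IKEv2 ID payload body: ID Type (1 octet), RESERVED (3 octets), Identification Data."""
    return bytes([id_type, 0, 0, 0]) + data
def decode_id_payload(body):
    id_type, data = body[0], body[4:]
    return id_type, decode_dn(data) if id_type == ID_DER_ASN1_DN else data.decode()
def find_profile(profiles, id_type, identity):
    """Model only: 'any' matches every peer; an ("fqdn", x) rule matches an FQDN-typed IDi equal to x."""
    for name, rules in profiles.items():
        if any(r == "any" or r == (ID_TYPE_NAMES.get(id_type), identity) for r in rules):
            return name
    return None

PROFILES_8500 = {"ING_PROFILE": [("fqdn", "idu1")]}        # from the thread: Identities: fqdn idu1
PROFILES_2900 = {"IKEv2-Profile": ["any"]}                  # from the thread: Identities: any
PEER_DN = [("cn", "Spacebridge root CA"), ("o", "Spacebridge"), ("c", "CA")]  # identity seen in the log

def lookup(profiles, dn=PEER_DN):
    """Parse a constructed DN-typed IDi payload and run the profile match; returns (identity, profile)."""
    id_type, ident = decode_id_payload(encode_id_payload(ID_DER_ASN1_DN, encode_dn(dn)))
    return ident, find_profile(profiles, id_type, ident)
```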
01-16-2025 04:18 AM
Hi, can we export a CA certificate (with key, of course) on Cisco using the CLI?
Thank you
01-16-2025 05:43 AM
I imported the same CA certificate on the 2900 and the 8500.
The 2900 can show the fingerprint, but the 8500 does not. It's weird.
On the 2900:
CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3CA6C2EC7D8810D7
Certificate Usage: Signature
Issuer:
cn=Spacebridge root CA
o=Spacebridge
c=CA
Subject:
cn=Spacebridge root CA
o=Spacebridge
c=CA
Validity Date:
start date: 16:16:56 UTC Jan 6 2025
end date: 16:16:56 UTC Jan 6 2035
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 2FFEE1BD 4DAAA801 2A784427 8766B163
Fingerprint SHA1: 01B902D2 0390BDB3 693FA78E B0DE9877 8922F576
X509v3 extensions:
X509v3 Key Usage: 6000000
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: BED8CFE1 C709382C A3C06429 00F7CB41 FCD1728A
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: ING_TEST ING
Storage: nvram:Spacebridger#10D7CA.cer
On the 8500:
CA Certificate
Status: Available
Certificate Serial Number (hex): 3CA6C2EC7D8810D7
Certificate Usage: Signature
Issuer:
cn=Spacebridge root CA
o=Spacebridge
c=CA
Subject:
cn=Spacebridge root CA
o=Spacebridge
c=CA
Validity Date:
start date: 16:16:56 UTC Jan 6 2025
end date: 16:16:56 UTC Jan 6 2035
Associated Trustpoints: ING