signature validation failed with Cisco 8500CL/strongSwan

Tin-Huynh
Level 1

Hi

strongSwan shows the below when setting up a VPN with the 8500CL. I know that there is a Cisco bug: https://bst.cisco.com/quickview/bug/CSCuw01249. Do I need to upgrade to the latest version for my server?

Thank you

[IKE] received issuer cert "C=CA, O=Spacebridge, CN=Spacebridge root CA"
16[CFG] looking for peer configs matching 192.168.250.1[%any]...192.168.250.124[cisco.ca]
16[CFG] selected peer config 'home'
16[CFG] using trusted certificate "CN=idu1, unstructuredName=cisco1"
16[CFG] using trusted ca certificate "C=CA, O=Spacebridge, CN=Spacebridge root CA"
16[CFG] reached self-signed root ca with a path length of 0
16[CFG] checking certificate status of "CN=idu1, unstructuredName=cisco1"
16[CFG] certificate status is not available
16[IKE] signature validation failed, looking for anot
14 Replies

@Tin-Huynh 

What makes you think you hit this bug? This bug is related to firewall devices. I don't see the 8500CL in the affected devices.
Products (9)
Cisco 3000 Series Industrial Security Appliances (ISA), Cisco ASA 5500-X Series Firewalls, Cisco Firepower 1000 Series, Cisco Firepower 2100 Series, Cisco Firepower 4100 Series, Cisco Firepower 9300 Series, Cisco Secure Firewall 3100 Series, Cisco Secure Firewall ASA, Cisco Secure Firewall ASA Virtual

This bug has no fixed release, by the way.

Can I see the IKEv2 profile config?

MHM

IKEv2 profile: ING_PROFILE
Shutdown : No
Ref Count: 3
Match criteria:
 Fvrf: any
 Local address/interface: none
 Identities:
  fqdn idu1
 Certificate maps: none
Local identity: fqdn cisco.ca
Remote identity: none
Local authentication method: rsa-sig
Remote authentication method(s): rsa-sig
EAP options: none
Keyring: ING_KEYRING
Trustpoint(s):
 ING_OPENSSL
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none

Trustpoint(s):
ING_OPENSSL <<- does this trustpoint point to the correct CA or sub CA?

MHM

I can enroll a CSR, do the authentication and import INT_OPENSSL on the 8500.

Actually, it is working with the 2900. I just have a problem with the 8500.

Below is the log of the 2900.
IKEv2 profile: IKEv2-Profile
Ref Count: 3
Match criteria:  
 Fvrf: any
 Local address/interface:  
  1.2.3.4
 Identities: any
 Certificate maps: none
Local identity: DN
Remote identity: none
Local authentication method: rsa-sig
Remote authentication method(s): rsa-sig
EAP options: none
Keyring: none
Trustpoint(s):  
 ING
Lifetime: 86400 seconds
DPD: interval 300, retry-interval 5, periodic
NAT-keepalive: disabled
Ivrf: none
Virtual-template: none
mode auto: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none

2[CFG] certificate status is not available
12[IKE] authentication of 'CN=Spacebridge root CA, O=Spacebridge, C=CA' with RSA signature successful
12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
12[IKE] authentication of 'C=CA, ST=Some-State, O=SpaceBridge' (myself) with RSA signature successful
12[IKE] sending end entity cert "C=CA, ST=Some-State, O=SpaceBridge"
12[IKE] IKE_SA home[3] established between 192.168.254.111[C=CA, ST=Some-State, O=SpaceBridge]...192.168.254.124[CN=Spacebridge root CA, O=Spacebridge, C=CA]
12[IKE] scheduling rekeying in 13027s
12[IKE] maximum IKE_SA lifetime 14467s

On 8500

ASA1#show crypto pki trustpoints ING_OPENSSL
Trustpoint ING_OPENSSL:
Subject Name:
cn=Spacebridge root CA
o=Spacebridge
c=CA
Serial Number (hex): 3CA6C2EC7D8810D7
Certificate configured.

https://serverfault.com/questions/529814/strongswan-outputs-in-log-certificate-status-is-not-available

strongSwan doesn't have OCSP or CRL to check the status of the Cisco cert. That's why the cert is rejected.

Check the link I shared.

Thanks 

MHM

Tin-Huynh
Level 1

If I start IPsec from strongSwan, now Cisco complains about a bad hash and fails to verify.

*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Searching Policy with fvrf 0, local address 192.168.250.124
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Found Policy 'ING_POLICY'
*Jan 15 17:04:35.747: IKEv2:not a VPN-SIP session
*Jan 15 17:04:35.747: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

*Jan 15 17:04:35.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint ING_OPENSSL
*Jan 15 17:04:35.747: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Verify peer's policy
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Peer's policy verified
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Get peer's authentication method
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Peer's authentication method is 'RSA'
*Jan 15 17:04:35.747: IKEv2:Validation list created with 1 trustpoints
*Jan 15 17:04:35.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
*Jan 15 17:04:35.748: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
*Jan 15 17:04:35.749: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain FAILED
*Jan 15 17:04:35.749: IKEv2-ERROR:(SESSION ID = 99,SA ID = 1):: Failed to validate the certificate
*Jan 15 17:04:35.750: IKEv2:(SESSION ID = 99,SA ID = 1):Verify cert failed
*Jan 15 17:04:35.750: IKEv2:(SESSION ID = 99,SA ID = 1):Verification of peer's authentication data FAILED
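
On the 8500 side, "Received cert hash is invalid" refers to the hashes carried in strongSwan's CERTREQ payload. Per RFC 7296 section 3.7 each of those is the SHA-1 of a trust anchor's DER-encoded SubjectPublicKeyInfo; it is also the "keyid" charon logs for a cert request it cannot map to a known CA. It is neither the MD5/SHA1 certificate fingerprint nor the X509v3 Subject Key ID that `show crypto pki certificates` prints (OpenSSL-issued CAs carry the RFC 5280 4.2.1.2 method 1 value, the SHA-1 of the public-key BIT STRING contents only). The Python below is an added example written for this page, not code from the thread, Cisco or strongSwan: it builds an SPKI for a constructed placeholder RSA modulus (`TOY_N`, not a real key), computes both digests so the difference is visible, and performs the responder-side comparison of a received CERTREQ against one trustpoint's CA.

```python
"""Hashes in an IKEv2 CERTREQ payload (RFC 7296 sections 3.6 and 3.7).

Added example for this thread, not code from the original post, Cisco or
strongSwan. TOY_N is a constructed placeholder, not a real RSA key.
"""
import hashlib

RSA_ENCRYPTION_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # 1.2.840.113549.1.1.1
TOY_N = (1 << 2047) | 0x1FFF_FFFF_FFFF_FFF1   # constructed 2048-bit odd number; NOT a key
TOY_E = 65537
X509_CERT_SIG = 4                             # Cert Encoding "X.509 Certificate - Signature"


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder with minimal definite-length encoding."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, contents, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def der_uint(value: int) -> bytes:
    """INTEGER; the extra byte keeps the top bit clear so the value is read as positive."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }."""
    alg = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    rsa_public_key = der(0x30, der_uint(n) + der_uint(e))            # RSAPublicKey
    return der(0x30, alg + der(0x03, b"\x00" + rsa_public_key))       # leading 0x00: no unused bits


def certreq_hash(spki: bytes) -> bytes:
    """RFC 7296 3.7: SHA-1 over the trust anchor's whole DER SubjectPublicKeyInfo."""
    return hashlib.sha1(spki).digest()


def subject_key_id(spki: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method 1: SHA-1 over the BIT STRING value only (the RSAPublicKey DER)."""
    _, seq, _ = der_read(spki)
    _, _, pos = der_read(seq)               # skip AlgorithmIdentifier
    tag, bits, _ = der_read(seq, pos)       # subjectPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    return hashlib.sha1(bits[1:]).digest()


def certreq_payload(trust_anchor_spkis) -> bytes:
    """CERTREQ body: Cert Encoding (1 byte) followed by the concatenated 20-byte CA hashes."""
    return bytes([X509_CERT_SIG]) + b"".join(certreq_hash(s) for s in trust_anchor_spkis)


def certreq_lists_anchor(certreq: bytes, my_ca_spki: bytes) -> bool:
    """Responder-side check: does any hash in the received CERTREQ name my trustpoint's CA?"""
    if certreq[0] != X509_CERT_SIG or (len(certreq) - 1) % 20:
        return False
    mine = certreq_hash(my_ca_spki)
    return any(certreq[i:i + 20] == mine for i in range(1, len(certreq), 20))


if __name__ == "__main__":
    spki = rsa_spki(TOY_N, TOY_E)
    print("CERTREQ hash (SHA-1 of SPKI):          ", certreq_hash(spki).hex())
    print("Subject Key ID (SHA-1 of BIT STRING):  ", subject_key_id(spki).hex())
    other = rsa_spki(TOY_N + 2, TOY_E)                     # a different (also placeholder) key
    print("CERTREQ naming my CA matches:          ", certreq_lists_anchor(certreq_payload([spki]), spki))
    print("CERTREQ naming another CA matches:     ", certreq_lists_anchor(certreq_payload([other]), spki))
```

To check a real trust anchor, extract its SubjectPublicKeyInfo with `openssl x509 -in ca.pem -pubkey -noout | openssl pkey -pubin -outform DER` and pass those bytes to `certreq_hash`; the digests printed for `TOY_N` above are only meaningful relative to each other.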
In Cisco use

 revocation-check none

In strongSwan you need to disable revocation.

MHM

Tin-Huynh
Level 1

Same issue. I got exactly the same issue as in https://lists.strongswan.org/pipermail/users/2022-September/015440.html

Trying to test with his patch, but it does not work, even though I can see strongSwan going into his code/change.

swanctl --stats
uptime: 103 seconds, since Jan 15 17:48:55 2025
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 1327104, mmap 0, used 234064, free 1093040
loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem pkcs8 af-alg fips-prf gmp curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic tnc-tnccs led unity counters
Tin-Huynh
Level 1

Does the 8500 always run SHA256 in IKEv2 authentication, no matter what the proposal is?

Tin-Huynh
Level 1

Dear all, I think I can fix the hash issue. Something was missing in the IKEv2 profile. Now it shows another issue:

*Jan 16 00:37:54.446: IKEv2:(SESSION ID = 116,SA ID = 1):Insert SA
*Jan 16 00:37:54.446: IKEv2:Searching Policy with fvrf 0, local address 192.168.250.124
*Jan 16 00:37:54.446: IKEv2:Found Policy 'ING_POLICY'
*Jan 16 00:37:54.446: IKEv2:(SESSION ID = 116,SA ID = 1):Processing IKE_SA_INIT message
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'ING_OPENSSL' 'ING_TEST_1' 'SLA-TrustPoint'
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 16 00:37:54.447: IKEv2:(SESSION ID = 116,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Jan 16 00:37:54.461: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 16 00:37:54.461: IKEv2:(SESSION ID = 116,SA ID = 1):Request queued for computation of DH key
*Jan 16 00:37:54.461: IKEv2:(SESSION ID = 116,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Request queued for computation of DH secret
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 16 00:37:54.469: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Generating IKE_SA_INIT message
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'ING_OPENSSL' 'ING_TEST_1' 'SLA-TrustPoint'
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Sending Packet [To 192.168.250.1:500/From 192.168.250.124:500/VRF i0:f0]
Initiator SPI : 4290CD2760A0738B - Responder SPI : 5D8B8E420D069D12 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ

*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Completed SA init exchange
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):Received Packet [From 192.168.250.1:500/To 192.168.250.124:500/VRF i0:f0]
Initiator SPI : 4290CD2760A0738B - Responder SPI : 5D8B8E420D069D12 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:

*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing ENCR payload
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing IDi payload IDi
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing CERT payload CERT
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing AUTH payload AUTH
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing SA payload SA
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing TSi payload TSi
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing TSr payload TSr
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing NOTIFY payload NOTIFY(Unknown - 16417)
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing NOTIFY payload NOTIFY(Unknown - 16420)

*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):Stopping timer to wait for auth message
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):Checking NAT discovery
*Jan 16 00:37:55.317: IKEv2:(SESSION ID = 116,SA ID = 1):NAT not found
*Jan 16 00:37:55.317: IKEv2:(SESSION ID = 116,SA ID = 1):Searching policy based on peer's identity 'cn=Spacebridge root CA,o=Spacebridge,c=CA' of type 'DER ASN1 DN'
*Jan 16 00:37:55.318: IKEv2-ERROR:% IKEv2 profile not found
What does type 'DER ASN1 DN' mean?

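On the question above: 'DER ASN1 DN' is IKEv2 identification type 9, ID_DER_ASN1_DN (RFC 7296 section 3.5), meaning the peer's IDi payload carried a DER-encoded X.500 distinguished name rather than an FQDN. The 8500's ING_PROFILE only matches a remote identity of type fqdn (`Identities: fqdn idu1` in its `show crypto ikev2 profile` output earlier in the thread) and lists `Certificate maps: none`, whereas the 2900 profile that worked matches `any`. IOS selects a profile for a DN identity either through `match identity remote any` or through a certificate map (`match certificate`). The Python below is an added example written for this page, not code from the thread, Cisco or strongSwan: it encodes and decodes Identification payload bodies for the identities seen in the thread (the DN DER encoder and parser are written here for illustration) and includes a simplified emulation of profile selection, which is an assumption for this example and not Cisco's implementation, to show which profile each identity would select on the two routers.

```python
"""IKEv2 Identification payload (RFC 7296 section 3.5) encode/decode.

Added example for this thread, not code from the original post, Cisco or
strongSwan. The identities, DN and profile names are the ones in the thread;
match_profile() is a simplified emulation written for this example.
"""
import ipaddress
import struct

# Identification types, RFC 7296 section 3.5
ID_IPV4_ADDR, ID_FQDN, ID_RFC822_ADDR, ID_IPV6_ADDR = 1, 2, 3, 5
ID_DER_ASN1_DN, ID_DER_ASN1_GN, ID_KEY_ID = 9, 10, 11
# Names as used by 'match identity remote' on IOS (plus "dn"/"gn" for the DER types)
ID_NAMES = {1: "address", 2: "fqdn", 3: "email", 5: "address", 9: "dn", 10: "gn", 11: "key-id"}

# X.520 attribute type OIDs for the RDNs that appear in the thread
OID = {"c": b"\x55\x04\x06", "st": b"\x55\x04\x08", "o": b"\x55\x04\x0a", "cn": b"\x55\x04\x03"}
OID_NAME = {v: k for k, v in OID.items()}

# Match entries as printed by 'show crypto ikev2 profile' on each router
PROFILES_8500 = {"ING_PROFILE": [("fqdn", "idu1")]}
PROFILES_2900 = {"IKEv2-Profile": [("any", "")]}
ROOT_CA_DN = [("cn", "Spacebridge root CA"), ("o", "Spacebridge"), ("c", "CA")]


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder with minimal definite-length encoding."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, contents, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def der_dn(rdns) -> bytes:
    """X.501 Name: SEQUENCE OF SET { SEQUENCE { OID, string } }, one attribute per RDN."""
    out = b""
    for attr, value in rdns:
        string_tag = 0x13 if attr == "c" else 0x0C          # PrintableString for countryName, else UTF8String
        out += der(0x31, der(0x30, der(0x06, OID[attr]) + der(string_tag, value.encode())))
    return der(0x30, out)


def parse_dn(data: bytes) -> str:
    """Render a DER Name the way IOS prints it: cn=...,o=...,c=..."""
    tag, seq, _ = der_read(data)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = der_read(seq, pos)            # SET
        _, ava, _ = der_read(rdn)                   # SEQUENCE inside the SET
        _, oid, p = der_read(ava)                   # attribute type
        _, value, _ = der_read(ava, p)              # attribute value
        parts.append(f"{OID_NAME.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)


def encode_id(id_type: int, data: bytes) -> bytes:
    """Identification payload body: ID Type (1) | RESERVED (3) | Identification Data."""
    return struct.pack(">B3x", id_type) + data


def decode_id(body: bytes):
    """Return (id_type, printable identity) from an Identification payload body."""
    id_type, data = body[0], body[4:]
    if id_type == ID_DER_ASN1_DN:
        return id_type, parse_dn(data)
    if id_type in (ID_IPV4_ADDR, ID_IPV6_ADDR):
        return id_type, ipaddress.ip_address(data).compressed
    if id_type == ID_KEY_ID:
        return id_type, data.hex()
    return id_type, data.decode()


def match_profile(profiles, peer_id):
    """Simplified emulation of IOS profile selection (an assumption for this example, not Cisco's
    code): a profile is chosen when one of its match entries is 'any' or has the same type and
    case-insensitive value as the peer's IDi. A DN identity can only be matched by 'any' here;
    on real IOS it would otherwise need a certificate map."""
    id_type, value = peer_id
    for name, entries in profiles.items():
        for etype, evalue in entries:
            if etype == "any" or (etype == ID_NAMES.get(id_type) and evalue.lower() == value.lower()):
                return name
    return None


if __name__ == "__main__":
    for body in (encode_id(ID_FQDN, b"idu1"), encode_id(ID_DER_ASN1_DN, der_dn(ROOT_CA_DN))):
        peer = decode_id(body)
        print(f"IDi type {peer[0]} ({ID_NAMES[peer[0]]}) '{peer[1]}': "
              f"8500 -> {match_profile(PROFILES_8500, peer)}, 2900 -> {match_profile(PROFILES_2900, peer)}")
```

Run as-is it shows the fqdn identity selecting ING_PROFILE on the 8500, while the root-CA DN selects nothing there (the "IKEv2 profile not found" case in the debug above) and still selects IKEv2-Profile on the 2900 because that profile matches `any`.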
Tin-Huynh
Level 1

Hi, can we export a CA certificate (with the key, of course) on Cisco using the CLI?

Thank you

Tin-Huynh
Level 1

I imported the same CA certificate on the 2900 and the 8500.

The 2900 can show the fingerprint, but the 8500 does not. It's weird.

on 2900

CA Certificate
 Status: Available
 Version: 3
 Certificate Serial Number (hex): 3CA6C2EC7D8810D7
 Certificate Usage: Signature
 Issuer:  
   cn=Spacebridge root CA
   o=Spacebridge
   c=CA
 Subject:  
   cn=Spacebridge root CA
   o=Spacebridge
   c=CA
 Validity Date:  
   start date: 16:16:56 UTC Jan 6 2025
   end   date: 16:16:56 UTC Jan 6 2035
 Subject Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (2048 bit)
 Signature Algorithm: SHA256 with RSA Encryption
 Fingerprint MD5: 2FFEE1BD 4DAAA801 2A784427 8766B163  
 Fingerprint SHA1: 01B902D2 0390BDB3 693FA78E B0DE9877 8922F576  
 X509v3 extensions:
   X509v3 Key Usage: 6000000
     Key Cert Sign
     CRL Signature
   X509v3 Subject Key ID: BED8CFE1 C709382C A3C06429 00F7CB41 FCD1728A  
   X509v3 Basic Constraints:
       CA: TRUE
   Authority Info Access:
 Associated Trustpoints: ING_TEST ING  
 Storage: nvram:Spacebridger#10D7CA.cer


On 8500

CA Certificate
 Status: Available
 Certificate Serial Number (hex): 3CA6C2EC7D8810D7
 Certificate Usage: Signature
 Issuer:
   cn=Spacebridge root CA
   o=Spacebridge
   c=CA
 Subject:
   cn=Spacebridge root CA
   o=Spacebridge
   c=CA
 Validity Date:
   start date: 16:16:56 UTC Jan 6 2025
   end   date: 16:16:56 UTC Jan 6 2035
 Associated Trustpoints: ING