Can I see the ikev2 profile config 

MHM

If I start ipsec from Strongswan, now Cisco complain about bad hash and fail to verify

*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Searching Policy with fvrf 0, local address 192.168.250.124
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Found Policy 'ING_POLICY'
*Jan 15 17:04:35.747: IKEv2:not a VPN-SIP session
*Jan 15 17:04:35.747: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing

*Jan 15 17:04:35.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint ING_OPENSSL
*Jan 15 17:04:35.747: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Verify peer's policy
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Peer's policy verified
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Get peer's authentication method
*Jan 15 17:04:35.747: IKEv2:(SESSION ID = 99,SA ID = 1):Peer's authentication method is 'RSA'
*Jan 15 17:04:35.747: IKEv2:Validation list created with 1 trustpoints
*Jan 15 17:04:35.747: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
*Jan 15 17:04:35.748: %PKI-3-CERTIFICATE_INVALID: Certificate chain validation has failed.
*Jan 15 17:04:35.749: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain FAILED
*Jan 15 17:04:35.749: IKEv2-ERROR:(SESSION ID = 99,SA ID = 1):: Failed to validate the certificate
*Jan 15 17:04:35.750: IKEv2:(SESSION ID = 99,SA ID = 1):Verify cert failed
*Jan 15 17:04:35.750: IKEv2:(SESSION ID = 99,SA ID = 1):Verification of peer's authentication data FAILED

Same issue .  I got exactly the same issue with https://lists.strongswan.org/pipermail/users/2022-September/015440.html

Trying to test with his patch, but not work, even I can see strongswan goes to his code/change

swanctl --stats
uptime: 103 seconds, since Jan 15 17:48:55 2025
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 1327104, mmap 0, used 234064, free 1093040
loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem pkcs8 af-alg fips-prf gmp curve25519 xcbc cmac hmac kdf gcm drbg attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic tnc-tnccs led unity counters

Does 8500 always run sha256 in IKE2 authentication , no mater what the proposal is ?

Dear, I think I can fix the hash issue . S.t missing in ike2 profile. Now . It show another issue

*Jan 16 00:37:54.446: IKEv2:(SESSION ID = 116,SA ID = 1):Insert SA
*Jan 16 00:37:54.446: IKEv2:Searching Policy with fvrf 0, local address 192.168.250.124
*Jan 16 00:37:54.446: IKEv2:Found Policy 'ING_POLICY'
*Jan 16 00:37:54.446: IKEv2:(SESSION ID = 116,SA ID = 1):Processing IKE_SA_INIT message
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'ING_OPENSSL' 'ING_TEST_1' 'SLA-TrustPoint'
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jan 16 00:37:54.447: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jan 16 00:37:54.447: IKEv2:(SESSION ID = 116,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Jan 16 00:37:54.461: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 16 00:37:54.461: IKEv2:(SESSION ID = 116,SA ID = 1):Request queued for computation of DH key
*Jan 16 00:37:54.461: IKEv2:(SESSION ID = 116,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Request queued for computation of DH secret
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jan 16 00:37:54.469: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Generating IKE_SA_INIT message
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'ING_OPENSSL' 'ING_TEST_1' 'SLA-TrustPoint'
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jan 16 00:37:54.469: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Sending Packet [To 192.168.250.1:500/From 192.168.250.124:500/VRF i0:f0]
Initiator SPI : 4290CD2760A0738B - Responder SPI : 5D8B8E420D069D12 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ

*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Completed SA init exchange
*Jan 16 00:37:54.469: IKEv2:(SESSION ID = 116,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):Received Packet [From 192.168.250.1:500/To 192.168.250.124:500/VRF i0:f0]
Initiator SPI : 4290CD2760A0738B - Responder SPI : 5D8B8E420D069D12 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:

*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing ENCR payload
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing IDi payload IDi
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing CERT payload CERT
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing AUTH payload AUTH
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing SA payload SA
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing TSi payload TSi
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing TSr payload TSr
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing NOTIFY payload NOTIFY(Unknown - 16417)
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):parsing NOTIFY payload NOTIFY(Unknown - 16420)

*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):Stopping timer to wait for auth message
*Jan 16 00:37:55.316: IKEv2:(SESSION ID = 116,SA ID = 1):Checking NAT discovery
*Jan 16 00:37:55.317: IKEv2:(SESSION ID = 116,SA ID = 1):NAT not found
*Jan 16 00:37:55.317: IKEv2:(SESSION ID = 116,SA ID = 1):Searching policy based on peer's identity 'cn=Spacebridge root CA,o=Spacebridge,c=CA' of type 'DER ASN1 DN'
*Jan 16 00:37:55.318: IKEv2-ERROR:% IKEv2 profile not found

What does 'type 'DER ASN1 DN;  means ?

Hi, Can we export an CA Certificate ( with key, of course) on Cisco using CLI ?

Thank you

I imported the same CA certificate on 2900 and 8500

2900 can show the fingerprint , but 8500 does not. It's weird

on 2900

CA Certificate
 Status: Available
 Version: 3
 Certificate Serial Number (hex): 3CA6C2EC7D8810D7
 Certificate Usage: Signature
 Issuer:  
   cn=Spacebridge root CA
   o=Spacebridge
   c=CA
 Subject:  
   cn=Spacebridge root CA
   o=Spacebridge
   c=CA
 Validity Date:  
   start date: 16:16:56 UTC Jan 6 2025
   end   date: 16:16:56 UTC Jan 6 2035
 Subject Key Info:
   Public Key Algorithm: rsaEncryption
   RSA Public Key: (2048 bit)
 Signature Algorithm: SHA256 with RSA Encryption
 Fingerprint MD5: 2FFEE1BD 4DAAA801 2A784427 8766B163  
 Fingerprint SHA1: 01B902D2 0390BDB3 693FA78E B0DE9877 8922F576  
 X509v3 extensions:
   X509v3 Key Usage: 6000000
     Key Cert Sign
     CRL Signature
   X509v3 Subject Key ID: BED8CFE1 C709382C A3C06429 00F7CB41 FCD1728A  
   X509v3 Basic Constraints:
       CA: TRUE
   Authority Info Access:
 Associated Trustpoints: ING_TEST ING  
 Storage: nvram:Spacebridger#10D7CA.cer

On 8500

CA Certificate
Status: Available
Certificate Serial Number (hex): 3CA6C2EC7D8810D7
Certificate Usage: Signature
Issuer:
cn=Spacebridge root CA
o=Spacebridge
c=CA
Subject:
cn=Spacebridge root CA
o=Spacebridge
c=CA
Validity Date:
start date: 16:16:56 UTC Jan 6 2025
end date: 16:16:56 UTC Jan 6 2035
Associated Trustpoints: ING