03-18-2022 10:46 AM - edited 03-25-2022 11:37 AM
Hello,
I am trying to establish a VPN connection with a FlexVPN setup on a Cisco Router, using the Windows VPN built-in client IKEv2.
To set up the router, I followed the instructions described in this example, using openssl to create the certificate chain.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html
The connection fails with the message 'IKE authentication credentials are unacceptable'
I enabled the debug console on the router to see what's happening and realized that the local IP is sent as identity.
After some research I found that a hotfix was released for this symptom, but only for Windows 7.
--> https://mskb.pkisolutions.com/kb/975488
This workaround does not seem to be applicable to Windows 11.
Is there a way to prevent Windows 11 from sending the local IP as identity?
06-15-2022 03:50 AM - edited 06-16-2022 01:23 AM
I've had some success with getting this working in the lab on a C800 series. I was testing on a live C891F running 15.6(1)T3, however as it was live I thought I'd better test this in the lab. I've got several C887VAs and these run the same IOS images as the C891F, so the plan was once it was working I'd push the config to the live C891F. I'm running the 15.9(3)M5 Universal image and have the Advanced IP Services and 1GB memory licenses active.
Unfortunately I've not been able to get it working well enough to replace the L2TP/IPSec setup I have that works effortlessly with IPv4 & IPv6.
The back-end services are all MS (AD, DNS, RADIUS (NPS), Certificate Authority etc). The Windows CA is a single box and integrated into AD. It has SCEP enabled and I've modified the 'IPSec (Offline Request)' certificate template on the CA to include the EKUs 'IP security IKE intermediate (1.3.6.1.5.5.8.2.2)' and 'IP security tunnel termination (1.3.6.1.5.5.7.3.6)' - not sure whether these are both needed, but I seem to recall they are?
I've enrolled the C887VA for a certificate using SCEP and the workstation I'm testing with has a Machine Certificate via a GPO (users also get certificates via GPO, however I'm using EAP to authenticate).
RADIUS is handled by an NPS server with a policy that has conditions for Windows Group Membership of a VPN security group I created, the Authenticate-Type=EAP or PEAP and Service-Type=Login. The policy has constraints of EAP type=PEAP with MS-CHAPv2.
The Loopback0 interface on the router is configured in DNS and this is the hostname that the Windows client connects to.
It works, however only for either IPv4 or IPv6, not both at the same time. If IPv6 & IPv4 are enabled in the RA profile on the Windows PC then IPv6 seems to take priority and an IPv4 SA is never negotiated. If IPv6 is disabled in the RA profile then an IPv4 SA is established and I get IPv4 connectivity.
This is the scrubbed configuration:
version 15.9
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname ikev2-test
!
boot-start-marker
boot system flash flash:/c800-universalk9-mz.SPA.159-3.M5.bin
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no logging console
enable password xxxxxxx
!
aaa new-model
!
!
aaa group server radius NPS-Servers
server name nps-1
ip radius source-interface Loopback0
ipv6 radius source-interface Loopback0
!
aaa authentication login default local
aaa authentication login VPN-IKEv2 group NPS-Servers
aaa authorization network IKEv2-authorisation local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
crypto pki trustpoint cert-auth
enrollment retry count 20
enrollment retry period 5
enrollment mode ra
enrollment url http://cert-auth.my-domain.local:80/certsrv/mscep/mscep.dll
serial-number
fqdn ikev2-test.my-domain.local
subject-name cn=ikev2-test.my-domain.local
subject-alt-name ikev2-test.my-domain.local
revocation-check crl
source interface Loopback0
auto-enroll 95 regenerate
!
!
crypto pki certificate chain cert-auth
certificate xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xx
quit
certificate ca xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xx
quit
!
ip dhcp pool LAN
network 10.97.97.0 255.255.255.248
default-router 10.97.97.6
dns-server 192.168.100.20 192.168.102.133
lease 0 2
!
!
ip domain name my-domain.local
ip name-server 192.168.102.133
ip name-server 192.168.100.20
ip inspect WAAS flush-timeout 10
ip cef
ipv6 general-prefix Home-HE-48 2001:xxx:xxxx::/48
ipv6 unicast-routing
ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license feature MEM-8XX-512U1GB
license udi pid C887VA-K9 sn xxxxxxxxxxx
license accept end user agreement
license boot module c800 level advipservices
!
!
vtp mode transparent
username admin privilege 15 password xxxxxxxxxx
!
redundancy
notification-timer 120000
!
crypto ikev2 authorization policy windows-authorisation
ipv6 pool VPN-2
ipv6 dns 2001:xxx:xxxx:xxxx::8888 2001:xxx:xxxx:xxxx::8888
pool default
dns 192.168.100.20 192.168.102.133
def-domain my-domain.local
pfs
route set interface
!
crypto ikev2 proposal windows
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha256
group 2 14 15 16 19 20
!
crypto ikev2 policy windows
proposal windows
!
!
crypto ikev2 profile windows-rsa
match identity remote any
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
authentication remote eap query-identity
pki trustpoint cert-auth
aaa authentication eap VPN-IKEv2
aaa authorization group eap list IKEv2-authorisation windows-authorisation local
virtual-template 30
!
!
!
controller VDSL 0
!
vlan 100
name LAN
!
vlan 101
name WAN
!
vlan 102
!
vlan 4092
name Mgmt
!
track 10 interface Dialer0 ip routing
!
!
crypto logging session
crypto logging ikev2
!
!
crypto ipsec transform-set aes256-sha1 esp-aes esp-sha-hmac
mode tunnel
!
!
crypto ipsec profile windows-ikev2
set transform-set aes256-sha1
set mixed-mode
set ikev2-profile windows-rsa
!
!
!
!
!
!
!
interface Loopback0
ip address 192.168.255.99 255.255.255.255
ipv6 address Home-HE-48 ::FFFF:192:168:255:99/128
ipv6 enable
ipv6 ospf 10 area 0
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
description Uplink to rest of network
switchport trunk allowed vlan 1,100,101,1002-1005
switchport mode trunk
switchport nonegotiate
no ip address
!
interface FastEthernet1
description Windows PC connected here
switchport access vlan 102
switchport mode access
switchport nonegotiate
no ip address
spanning-tree portfast
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 4092
switchport mode access
no ip address
spanning-tree portfast
!
interface Virtual-Template30 type tunnel
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
ipv6 unnumbered Loopback0
ipv6 enable
tunnel mode ipsec ipv4
tunnel protection ipsec profile windows-ikev2
!
interface Vlan1
no ip address
!
interface Vlan100
ip address 192.168.134.1 255.255.255.254
ip ospf network point-to-point
ipv6 address Home-HE-48 ::192:168:134:1/127
ipv6 enable
ipv6 ospf 10 area 0
ipv6 ospf network point-to-point
!
interface Vlan101
ip address 192.168.134.70 255.255.255.224
!
interface Vlan102
ip address 10.97.97.6 255.255.255.248
!
interface Vlan4092
description Mgmt
vrf forwarding Mgmt-vrf
ip address dhcp
!
interface Dialer0
no ip address
!
router ospf 10
auto-cost reference-bandwidth 100000
redistribute static subnets
passive-interface default
no passive-interface Vlan100
network 10.97.97.0 0.0.0.7 area 0
network 192.168.0.0 0.0.255.255 area 0
!
ip local pool default 192.168.134.128 192.168.134.135
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint cert-auth
!
!
ip ftp source-interface Vlan4092
ip tftp source-interface Vlan4092
ip ssh version 2
!
ipv6 local pool VPN-2 2001:xxx:xxxx:xxxx::/112 128
!
ipv6 router ospf 10
auto-cost reference-bandwidth 100000
passive-interface default
no passive-interface Vlan100
redistribute static
!
ipv6 ioam timestamp
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 32 include-in-accounting-req format %h
radius-server dead-criteria tries 3
radius-server retry method reorder
radius-server timeout 1
!
radius server nps-1
address ipv4 192.168.102.20 auth-port 1812 acct-port 1813
timeout 2
key xxxxxxxx
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport input all
line vty 5 15
exec-timeout 0 0
transport input all
!
scheduler allocate 20000 1000
ntp server 192.168.134.0
!
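As an added example (not from either post) of the Windows side of the setup described in the reply above: a PowerShell client configuration whose IKE and IPsec parameters are chosen to match the router's `crypto ikev2 proposal windows` and the `esp-aes esp-sha-hmac` transform set, with PFS because the authorization policy sets `pfs`. The connection name, the CA subject match and reliance on the default EAP configuration are assumptions; the PEAP/MS-CHAPv2 method used by the NPS policy must still be selected in the connection's EAP settings if the default differs.

```powershell
# Added example, not from the original posts. Run in an elevated PowerShell
# on Windows 10/11. Names marked "assumed" are illustrative.
$Name   = 'FlexVPN-Test'                  # assumed connection name
$Server = 'ikev2-test.my-domain.local'    # the Loopback0 hostname from the reply

# IKEv2 with EAP, matching "authentication remote eap query-identity" on the router.
# -EncryptionLevel Required refuses to fall back to weaker IPsec settings.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential -Force

# IKE SA:   AES-256-CBC, SHA-256 integrity, DH group 14 (all in "proposal windows").
# Child SA: esp-aes (AES-128-CBC) + esp-sha-hmac (HMAC-SHA1-96) from the
#           transform set; PFS2048 = DH group 14, required by "pfs" in the policy.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES128 -AuthenticationTransformConstants SHA196 `
    -PfsGroup PFS2048 -Force

# Pre-flight check: the CA that issued the router certificate must be trusted in
# the machine store, otherwise IKEv2 fails at certificate validation before the
# EAP exchange starts. The subject filter is an assumed match on the CA name.
$ca = Get-ChildItem Cert:\LocalMachine\Root |
      Where-Object { $_.Subject -like '*cert-auth*' }
if (-not $ca) {
    Write-Warning 'Issuing/root CA for cert-auth not found in LocalMachine\Root'
}

# Confirm what was stored before the first dial attempt.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
```

If the negotiation still fails, compare the router's `debug crypto ikev2` output with the client's Event Viewer RasClient entries; a mismatch in the child-SA transform constants shows up on the router as a rejected IPsec proposal rather than an authentication error.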