03-18-2022 10:46 AM - edited 03-25-2022 11:37 AM
Hello,
I am trying to establish a VPN connection to a FlexVPN setup on a Cisco router, using the Windows built-in VPN client (IKEv2).
To set up the router, I followed the instructions described in this example, using openssl to create the certificate chain.
https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html
The connection fails with the message 'IKE authentication credentials are unacceptable'.
I enabled the debug console on the router to see what's happening and realized that the local IP is sent as the identity.
After some research I found that a hotfix was released for this symptom, but only for Windows 7.
--> https://mskb.pkisolutions.com/kb/975488
This workaround does not seem to be applicable to Windows 11.
Is there a way to prevent Windows 11 from sending the local IP as the identity?
06-15-2022 03:50 AM - edited 06-16-2022 01:23 AM
I've had some success getting this working in the lab on a C800 series. I was testing on a live C891F running 15.6(1)T3; however, as it was live I thought I'd better test this in the lab. I've got several C887VAs, and these run the same IOS images as the C891F, so the plan was that once it was working I'd push the config to the live C891F. I'm running the 15.9(3)M5 Universal image and have the Advanced IP Services and 1GB memory licenses active.
Unfortunately I've not been able to get it working well enough to replace the L2TP/IPsec setup I have, which works effortlessly with IPv4 & IPv6.
The back-end services are all MS (AD, DNS, RADIUS (NPS), Certificate Authority, etc.). The Windows CA is a single box integrated into AD. It has SCEP enabled, and I've modified the 'IPSec (Offline Request)' certificate template on the CA to include the EKUs for 'IP security IKE intermediate' (1.3.6.1.5.5.8.2.2) and 'IP security tunnel termination' (1.3.6.1.5.5.7.3.6) - not sure whether these are both needed, but I seem to recall they are?
I've enrolled the C887VA for a certificate using SCEP, and the workstation I'm testing with has a machine certificate via a GPO (users also get certificates via GPO; however, I'm using EAP to authenticate).
RADIUS is handled by an NPS server with a policy that has conditions for Windows group membership of a VPN security group I created, Authentication-Type=EAP or PEAP, and Service-Type=Login. The policy has a constraint of EAP type=PEAP with MS-CHAPv2.
The Loopback0 interface on the router is configured in DNS, and this is the hostname that the Windows client connects to.
It works, however only for either IPv4 or IPv6, not both at the same time. If IPv6 & IPv4 are both enabled in the RA profile on the Windows PC, then IPv6 seems to take priority and an IPv4 SA is never negotiated. If IPv6 is disabled in the RA profile, then an IPv4 SA is established and I get IPv4 connectivity.
This is the scrubbed configuration:
version 15.9
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname ikev2-test
!
boot-start-marker
boot system flash flash:/c800-universalk9-mz.SPA.159-3.M5.bin
boot-end-marker
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no logging console
enable password xxxxxxx
!
aaa new-model
!
aaa group server radius NPS-Servers
 server name nps-1
 ip radius source-interface Loopback0
 ipv6 radius source-interface Loopback0
!
aaa authentication login default local
aaa authentication login VPN-IKEv2 group NPS-Servers
aaa authorization network IKEv2-authorisation local
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
!
crypto pki trustpoint cert-auth
 enrollment retry count 20
 enrollment retry period 5
 enrollment mode ra
 enrollment url http://cert-auth.my-domain.local:80/certsrv/mscep/mscep.dll
 serial-number
 fqdn ikev2-test.my-domain.local
 subject-name cn=ikev2-test.my-domain.local
 subject-alt-name ikev2-test.my-domain.local
 revocation-check crl
 source interface Loopback0
 auto-enroll 95 regenerate
!
crypto pki certificate chain cert-auth
 certificate xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xx
  quit
 certificate ca xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx
  xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xxxxxxxx xx
  quit
!
ip dhcp pool LAN
 network 10.97.97.0 255.255.255.248
 default-router 10.97.97.6
 dns-server 192.168.100.20 192.168.102.133
 lease 0 2
!
ip domain name my-domain.local
ip name-server 192.168.102.133
ip name-server 192.168.100.20
ip inspect WAAS flush-timeout 10
ip cef
ipv6 general-prefix Home-HE-48 2001:xxx:xxxx::/48
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
license feature MEM-8XX-512U1GB
license udi pid C887VA-K9 sn xxxxxxxxxxx
license accept end user agreement
license boot module c800 level advipservices
!
vtp mode transparent
username admin privilege 15 password xxxxxxxxxx
!
redundancy
 notification-timer 120000
!
crypto ikev2 authorization policy windows-authorisation
 ipv6 pool VPN-2
 ipv6 dns 2001:xxx:xxxx:xxxx::8888 2001:xxx:xxxx:xxxx::8888
 pool default
 dns 192.168.100.20 192.168.102.133
 def-domain my-domain.local
 pfs
 route set interface
!
crypto ikev2 proposal windows
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256
 group 2 14 15 16 19 20
!
crypto ikev2 policy windows
 proposal windows
!
crypto ikev2 profile windows-rsa
 match identity remote any
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint cert-auth
 aaa authentication eap VPN-IKEv2
 aaa authorization group eap list IKEv2-authorisation windows-authorisation local
 virtual-template 30
!
controller VDSL 0
!
vlan 100
 name LAN
!
vlan 101
 name WAN
!
vlan 102
!
vlan 4092
 name Mgmt
!
track 10 interface Dialer0 ip routing
!
crypto logging session
crypto logging ikev2
!
crypto ipsec transform-set aes256-sha1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile windows-ikev2
 set transform-set aes256-sha1
 set mixed-mode
 set ikev2-profile windows-rsa
!
interface Loopback0
 ip address 192.168.255.99 255.255.255.255
 ipv6 address Home-HE-48 ::FFFF:192:168:255:99/128
 ipv6 enable
 ipv6 ospf 10 area 0
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 description Uplink to rest of network
 switchport trunk allowed vlan 1,100,101,1002-1005
 switchport mode trunk
 switchport nonegotiate
 no ip address
!
interface FastEthernet1
 description Windows PC connected here
 switchport access vlan 102
 switchport mode access
 switchport nonegotiate
 no ip address
 spanning-tree portfast
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 switchport access vlan 4092
 switchport mode access
 no ip address
 spanning-tree portfast
!
interface Virtual-Template30 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly in
 ipv6 unnumbered Loopback0
 ipv6 enable
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile windows-ikev2
!
interface Vlan1
 no ip address
!
interface Vlan100
 ip address 192.168.134.1 255.255.255.254
 ip ospf network point-to-point
 ipv6 address Home-HE-48 ::192:168:134:1/127
 ipv6 enable
 ipv6 ospf 10 area 0
 ipv6 ospf network point-to-point
!
interface Vlan101
 ip address 192.168.134.70 255.255.255.224
!
interface Vlan102
 ip address 10.97.97.6 255.255.255.248
!
interface Vlan4092
 description Mgmt
 vrf forwarding Mgmt-vrf
 ip address dhcp
!
interface Dialer0
 no ip address
!
router ospf 10
 auto-cost reference-bandwidth 100000
 redistribute static subnets
 passive-interface default
 no passive-interface Vlan100
 network 10.97.97.0 0.0.0.7 area 0
 network 192.168.0.0 0.0.255.255 area 0
!
ip local pool default 192.168.134.128 192.168.134.135
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint cert-auth
!
ip ftp source-interface Vlan4092
ip tftp source-interface Vlan4092
ip ssh version 2
!
ipv6 local pool VPN-2 2001:xxx:xxxx:xxxx::/112 128
!
ipv6 router ospf 10
 auto-cost reference-bandwidth 100000
 passive-interface default
 no passive-interface Vlan100
 redistribute static
!
ipv6 ioam timestamp
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 32 include-in-access-req format %h
radius-server attribute 32 include-in-accounting-req format %h
radius-server dead-criteria tries 3
radius-server retry method reorder
radius-server timeout 1
!
radius server nps-1
 address ipv4 192.168.102.20 auth-port 1812 acct-port 1813
 timeout 2
 key xxxxxxxx
!
control-plane
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 transport input all
line vty 5 15
 exec-timeout 0 0
 transport input all
!
scheduler allocate 20000 1000
ntp server 192.168.134.0
!
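The client side of both posts, as an added example that is not from either poster: a PowerShell script that builds the Windows built-in IKEv2 connection with machine-certificate authentication (the first post's setup), pins the client's IKE/IPsec parameters to one entry of the router proposal and transform set shown in the second post's config (aes-cbc-256 / sha256 / DH group 14 for IKE, esp-aes with esp-sha-hmac for ESP), and first checks the machine store for a certificate carrying the 'IP security IKE intermediate' EKU (1.3.6.1.5.5.8.2.2) that the second post adds to the CA template. The connection name is an assumption; the server hostname is taken from the second post's trustpoint fqdn and should be replaced with your own. Run it in an elevated PowerShell session on the client.

```powershell
# Added example, not code from the thread. Assumed names: $ConnName is arbitrary,
# $VpnServer is the fqdn from the second post's trustpoint (replace with yours).
$ConnName  = 'FlexVPN-Lab'
$VpnServer = 'ikev2-test.my-domain.local'

# 1. Certificate check. The built-in IKEv2 client presents a certificate from
#    LocalMachine\My that has a private key; the second post puts the IKE
#    intermediate EKU on the template, so look for that OID explicitly.
$ikeEku = '1.3.6.1.5.5.8.2.2'
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $ikeEku) }
if (-not $certs) {
    Write-Warning "No certificate with EKU $ikeEku and a private key in LocalMachine\My"
} else {
    $certs | Select-Object Subject, NotAfter, Thumbprint | Format-Table -AutoSize
}

# 2. (Re)create the connection in the all-users phonebook, which is where a
#    machine-certificate IKEv2 profile belongs.
if (Get-VpnConnection -Name $ConnName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -AllUserConnection -Force
}
Add-VpnConnection -Name $ConnName -ServerAddress $VpnServer -TunnelType Ikev2 `
    -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
    -AllUserConnection -PassThru

# 3. Pin IKE SA and child SA parameters to what the router config offers:
#    IKE: aes-cbc-256, integrity sha256, DH group 14 (one of "group 2 14 15 16 19 20")
#    ESP: the "esp-aes esp-sha-hmac" transform set, i.e. AES-128-CBC with HMAC-SHA1
#    PFS: the authorization policy sets "pfs", so request DH group 14 for rekeys
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnName -AllUserConnection `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES128 -AuthenticationTransformConstants SHA196 `
    -PfsGroup PFS2048 -Force -PassThru

# 4. Dial and inspect. RasClient events in the Application log carry the RAS
#    error code; "IKE authentication credentials are unacceptable" is 13801.
rasdial $ConnName
Get-VpnConnection -Name $ConnName -AllUserConnection |
    Select-Object Name, ConnectionStatus, ServerAddress, AuthenticationMethod
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Two caveats worth stating with it: the router's transform set is named aes256-sha1 but `esp-aes` without a key size is 128-bit AES on IOS, so the client's CipherTransformConstants is set to AES128 here to match the config as posted; and if the EAP path from the second post is used instead, `-AuthenticationMethod Eap` with an `-EapConfigXmlStream` replaces the MachineCertificate line and the user certificate, not the machine certificate, stops mattering for authentication.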