VPN client doesn't connect with certificates to Router ISR4221, which is also a CA

Hi everyone,

I would like to establish a VPN connection between VPN Client 5.0.7 and a Cisco ISR4221 router using certificates. This is the fourth day without success; on the first day I succeeded in establishing a VPN connection using username and password, but I need a higher level of security. The show run is below, as are some logs. What is the right set of commands for enabling Phase 1 and Phase 2? IOS version 16.7.
The logs are in the attachment.
show run:

Building configuration...

Current configuration : 7262 bytes
!
! Last configuration change at 10:19:03 UTC Sun Mar 22 2020
!
version 16.7
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
!
aaa session-id common
!
subscriber templating
!
multilink bundle-name authenticated
!
crypto pki server CAserver
 no database archive
 issuer-name CN=CAserver, OU=vlatacom.com
 grant auto
!
crypto pki trustpoint CAserver
 revocation-check crl
 rsakeypair CAserver
!
crypto pki trustpoint VPN
 enrollment terminal
 subject-name CN=PERICR-LT, OU=vlatacom.com
 revocation-check none
 rsakeypair kljucevi
!
crypto pki certificate map cert_map 10
 subject-name co vlatacom
!
crypto pki certificate chain CAserver
 certificate ca 01
  3082022D ......
  quit
crypto pki certificate chain VPN
 certificate 02
  308202CB ...........
  quit
 certificate ca 01
  3082022D ...........
  quit
!
!
license udi pid ISR4221/K9 sn FGL221591WT
no license smart enable
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username ceci privilege 15 secret 5 $1$S9hH$qTxCdbp5S88rykqzmBxfw0
username user password 0 cisco
!
redundancy
 mode none
!
crypto isakmp policy 3
 encr aes
 hash md5
 group 2
!
crypto isakmp client configuration group vpnclient
 key cisco123
 domain cisco.com
 pool ippool
 acl 101
!
crypto isakmp client configuration group vpclient
crypto isakmp profile certpro
 ca trust-point VPN
 match certificate cert_map
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map cert_map client configuration address respond
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface GigabitEthernet0/0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 172.16.1.1 255.255.255.0
 ip nat outside
 negotiation auto
 crypto map clientmap
!
ip local pool ippool 192.168.1.1 192.168.1.2
ip nat inside source list 111 interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
!
!
control-plane
!
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
!
wsma agent exec
!
wsma agent config
!
wsma agent filesys
!
wsma agent notify
end

1 Reply

Cristian Matei
VIP Alumni

Hi,

   1. I suppose, based on the configured "VPN" trustpoint, that you have enrolled the router with itself, as the CA's self-signed certificate cannot be used for IKE sessions.

   2. Does the OU of the certificate from the remote VPN client have the value of the isakmp client group name configured on the EzVPN server?

Regards,

Cristian Matei.
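
As an added example (not part of the question or the reply, and not a Cisco reference configuration), here is the EzVPN server configuration I would apply on top of the posted show run to make certificate authentication work. It rests on two assumptions that are labelled in the comments: that the VPN client's certificate was issued by CAserver with OU=vlatacom.com, the same OU the router itself enrolled with (if the client's OU is different, the group must be renamed to that value instead), and that the legacy VPN Client 5.0.7 still limits Phase 1 to SHA-1 and DH group 2, which is why the stronger SHA-256/group 14 are not used. The stray "cert_map" crypto map and the empty "vpclient" group are removed, and the ISAKMP profile, which the posted config defines but never binds to anything, is wired into the dynamic map.

```cisco
! Added example, not from the original post. Assumptions: client certificate
! issued by CAserver with OU=vlatacom.com; legacy VPN Client 5.0.7 algorithm set.
!
! 1. Phase 1. Certificate (RSA signature) authentication is the IOS default,
!    stated here explicitly. MD5 is replaced by SHA-1.
crypto isakmp policy 3
 encr aes 256
 hash sha
 authentication rsa-sig
 group 2
!
! 2. Group policy. With certificates the EzVPN server ignores the group key and
!    selects the group whose name equals the OU of the client certificate, so
!    the group is named after that OU (assumption: vlatacom.com). The
!    pre-shared-key group "vpnclient" and the typo group "vpclient" go away.
no crypto isakmp client configuration group vpnclient
no crypto isakmp client configuration group vpclient
crypto isakmp client configuration group vlatacom.com
 pool ippool
 acl 101
!
! 3. Certificate map. "co" is a substring match on the DN; additionally require
!    that the certificate was issued by CAserver, not merely that the subject
!    contains the string.
crypto pki certificate map cert_map 10
 issuer-name co caserver
 subject-name co vlatacom.com
!
! 4. ISAKMP profile. This carries the trustpoint, the certificate map, Xauth
!    and the group authorization. Keep "client authentication list" for
!    certificate plus username/password; remove it to rely on the cert alone.
crypto isakmp profile certpro
 ca trust-point VPN
 match certificate cert_map
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
! 5. Phase 2. 3DES/MD5 replaced by AES-256/SHA-1, both supported by the client,
!    and the dynamic map now references the profile (the missing binding).
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile certpro
 reverse-route
!
! The map that shares its name with the certificate map is unused; drop it.
no crypto map cert_map client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! 6. The CA itself. "grant auto" together with "ip http server" issues a
!    certificate to any host that can reach the router over SCEP (HTTP), with
!    whatever subject that host requested, including one containing
!    "vlatacom". Approve enrollment requests by hand instead.
crypto pki server CAserver
 shutdown
 no grant auto
 no shutdown
!
! Pending requests are then listed and approved from EXEC mode with:
!   crypto pki server CAserver info requests
!   crypto pki server CAserver grant <request-id>
!
! 7. Verification while the client connects:
!   show crypto pki certificates
!   show crypto isakmp profile
!   debug crypto isakmp
!   debug crypto pki transactions
!   show crypto isakmp sa
!   show crypto ipsec sa
```

Two further points a reviewer would raise on the posted config, left out of the fragment because they do not affect whether the tunnel comes up: trustpoint VPN has "revocation-check none", so a client certificate revoked on CAserver is still accepted; since the router publishes its own CRL, "revocation-check crl" is the right setting once the CA's CDP URL is reachable from the router itself. And "username user password 0 cisco" plus the old group key "cisco123" are plaintext secrets that have now been posted publicly, so they should be changed regardless of which authentication method ends up in use.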