Hi All,
I'm trying to connect Windows built-in clients to a Cisco IOS IKEv2 headend. I want to use EAP to authenticate the clients with their AD credentials. For EAP, I need to use certificates, so I will use self-signed certificates as I don't have a CA.
Once I have created a certificate for the headend, I import it into the clients' Trusted Root Certification Authorities. But when I try to connect the client to the headend, I get an error message from the client: "Error 13806: IKE failed to find valid machine certificate". It seems that Microsoft is having an issue with the certificate.
Does anyone have an idea what I'm doing wrong?
Headend config:
aaa new-model
aaa group server radius AAA-AuthC-Group-RA
 server-private v.v.v.v auth-port 1812 acct-port 1813 key secret
aaa authentication login AAA-AuthC-List-RA group AAA-AuthC-Group-RA
aaa authorization network AAA-AuthZ-List-RA local
!
crypto pki trustpoint PKI-TP-SS-RA
 enrollment selfsigned
 serial-number none
 fqdn headend
 ip-address none
 subject-name cn=x.x.x.x
 revocation-check none
 rsakeypair PKI-TP-SS-RA-Key 2048
 eku request server-auth
!
ip local pool IKEV2-POOL-RA 10.0.0.10 10.0.0.250
crypto ikev2 authorization policy IKEV2-AUTHORIZATION-POLICY-RA
 pool IKEV2-POOL-RA
 dns 10.0.0.1
 netmask 255.255.255.0
!
crypto ikev2 proposal IKEV2-PROPOSAL-RA
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy IKEV2-POLICY-RA
 proposal IKEV2-PROPOSAL-RA
!
crypto ikev2 profile IKEV2-PROFILE-RA
 match identity remote key-id mydomain.com
 identity local dn
 authentication remote eap query-identity
 authentication local rsa-sig
 pki trustpoint PKI-TP-SS-RA
 dpd 60 2 on-demand
 aaa authentication eap AAA-AuthC-List-RA
 aaa authorization group eap list AAA-AuthZ-List-RA
 virtual-template 10
!
no crypto ikev2 http-url cert
!
crypto ipsec profile IPSEC-PROFILE-AES-256
 set transform-set IPSEC-AES-256
!
crypto ipsec profile IPSEC-PROFILE-AES256-SHA1
 set transform-set IPSEC-AES256-SHA1
 set ikev2-profile IKEV2-PROFILE-RA
!
interface Loopback10
 ip address 10.0.0.1 255.255.255.0
!
interface Virtual-Template10 type tunnel
 description FlexVPN-RA tunnel
 bandwidth 20000
 ip unnumbered Loopback10
 ip mtu 1400
 ip flow ingress
 ip tcp adjust-mss 1360
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE-AES256-SHA1
!
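As an added troubleshooting check (an example script, not part of the original post and not Cisco or Microsoft tooling), the following PowerShell can be run on the Windows client to report the properties of the imported headend certificate that the built-in IKEv2 client depends on: which store it sits in, whether it is time-valid and self-signed, whether it carries the Server Authentication EKU that `eku request server-auth` asks for, what its SAN contains, and how the VPN profile is set to authenticate. `$ServerAddress` and `$ConnectionName` are placeholders for this client's own VPN profile values.

```powershell
# Added example, not from the original post: run on the Windows client to see whether the
# imported self-signed headend certificate looks the way the built-in IKEv2 client expects.
# $ServerAddress and $ConnectionName are placeholders for this client's VPN profile values.
param(
    [string]$ServerAddress  = 'x.x.x.x',     # placeholder: address the VPN connection dials
    [string]$ConnectionName = 'FlexVPN-RA'   # placeholder: name of the Windows VPN connection
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'        # id-kp-serverAuth, what "eku request server-auth" adds
$now = Get-Date

# The IKEv2 client runs inside the RasMan service as the machine, so a root certificate
# imported into the user's store is never consulted; only LocalMachine\Root counts.
$candidates = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*CN=$ServerAddress*" }

if (-not $candidates) {
    Write-Warning "No certificate with CN=$ServerAddress in LocalMachine\Root. If it was imported under CurrentUser, import it again under Local Computer."
}

foreach ($cert in $candidates) {
    # Subject Alternative Name (OID 2.5.29.17) rendered as text, e.g. "DNS Name=headend"
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }

    [pscustomobject]@{
        Thumbprint       = $cert.Thumbprint
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)      # expected with "enrollment selfsigned"
        TimeValid        = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        HasServerAuthEku = ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        AddressInSan     = ($sanText -match [regex]::Escape($ServerAddress))
        SAN              = $sanText.Trim()
    }
}

# The VPN profile must be set to EAP; with certificate authentication selected the client
# instead tries to present a machine certificate of its own.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if ($vpn) {
    [pscustomobject]@{
        Connection           = $vpn.Name
        TunnelType           = $vpn.TunnelType            # expect Ikev2
        AuthenticationMethod = $vpn.AuthenticationMethod  # expect Eap
        DialsServerAddress   = $vpn.ServerAddress
        MatchesCertCheck     = ($vpn.ServerAddress -eq $ServerAddress)
    }
} else {
    Write-Warning "No VPN connection named $ConnectionName for this user (try Get-VpnConnection -AllUserConnection)."
}
```

With the posted trustpoint (`fqdn headend`, `ip-address none`, `subject-name cn=x.x.x.x`) the SAN carries only `DNS Name=headend`, so `AddressInSan` shows whether the address the client dials appears there at all.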