IEOC CCIE Forums
Latest post 10-01-2016 12:50 AM by srikanthreddy. 2 replies.
  • 08-30-2016 3:24 AM

    ikev2 certificate with ios flexvpn client

    Hi All,

    I am testing this scenario. R1 is my CA server and R3 is the FlexVPN client. With a preshared key everything is working fine, but when I change it to certificate auth I am facing an issue. R3 successfully got the certificate from R1.

    R1: Config

    crypto pki server CA-SERVER
     issuer-name CN=MTP
     grant auto
     hash sha1
    crypto pki trustpoint CA-SERVER
     fqdn R1.test.com
     revocation-check none
     rsakeypair CA-SERVER
     auto-enroll
    crypto pki certificate map CMAP 1
     issuer-name co mtp

    crypto ikev2 name-mangler MANGLER
     fqdn domain
    crypto ikev2 authorization policy default
     pool MY-POOL
     route set access-list ACL
    crypto ikev2 proposal IKEV2-PROPOSAL
     encryption aes-cbc-128
     integrity sha512
     group 5
    crypto ikev2 policy IKEV2-POLICY
     proposal IKEV2-PROPOSAL

     !
    crypto ikev2 profile IKEV2-PROFILE
     match identity remote address 23.1.1.3 255.255.255.255
     match certificate CMAP
     authentication remote rsa-sig
     authentication local rsa-sig
     pki trustpoint CA-SERVER
     aaa authorization group cert list CERTGROUP MANGLER
     virtual-template 1
    crypto isakmp diagnose error
    crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
     mode tunnel
    crypto ipsec profile IPSEC-PROFILE
     set transform-set TS
     set ikev2-profile IKEV2-PROFILE

    interface Virtual-Template1 type tunnel
     ip unnumbered Ethernet0/1
     tunnel source Ethernet0/1
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile IPSEC-PROFILE

    R3:

    crypto pki trustpoint CA-SERVER1
     enrollment url http://12.1.1.1:80
     serial-number
     fqdn R3.test.com
     subject-name CN=VPN-Client
     revocation-check none
     source interface Ethernet0/1
     rsakeypair VPN-KEY
     auto-enroll

    crypto pki certificate map CMAP 1
     issuer-name co mtp

    crypto ikev2 name-mangler MANGLER
     fqdn domain

    crypto ikev2 proposal IKEV2-PROPOSAL
     encryption aes-cbc-128
     integrity sha512
     group 5

    crypto ikev2 policy IKEV2-POLICY
     proposal IKEV2-PROPOSAL

    crypto ikev2 profile IKEV2-PROFILE
     match identity remote address 12.1.1.1 255.255.255.255
     match certificate CMAP
     identity local address 23.1.1.3
     authentication remote rsa-sig
     authentication local rsa-sig
     pki trustpoint CA-SERVER1
     aaa authorization group cert list CERTGROUP MANGLER

    crypto ikev2 client flexvpn FLEXVPN-CLIENT
      peer 1 12.1.1.1
      client connect Tunnel0
    crypto isakmp diagnose error
    crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
     mode tunnel
    crypto ipsec profile IPSEC-PROFILE
     set transform-set TS
     set ikev2-profile IKEV2-PROFILE

    interface Tunnel0
     ip address negotiated
     tunnel source Ethernet0/1
     tunnel mode ipsec ipv4
     tunnel destination 12.1.1.1
     tunnel protection ipsec profile IPSEC-PROFILE

    Debug output:

    R1:


    IKEv2:Received Packet [From 23.1.1.3:500/To 12.1.1.1:500/VRF i0:f0]
    Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0000000000000000 Message id: 0
    IKEv2 IKE_SA_INIT Exchange REQUEST
    Payload contents:
     SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

    IKEv2:(SA ID = 1):Verify SA init message
    IKEv2:(SA ID = 1):Insert SA
    IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
    IKEv2:Found Policy 'IKEV2-POLICY'
    IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'   'CA-SERVER'  
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
    IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
    IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
    IKEv2:(SA ID = 1):Request queued for computation of DH key
    IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
    IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
    IKEv2:(SA ID = 1):Request queued for computation of DH secret
    IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
    IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
    IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
    IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
    IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
    Num. transforms: 4
       AES-CBC   SHA512   SHA512   DH_GROUP_1536_MODP/Group 5
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'   'CA-SERVER'  
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

    IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:500/From 12.1.1.1:500/VRF i0:f0]
    Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 0
    IKEv2 IKE_SA_INIT Exchange RESPONSE
    Payload contents:
     SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

    IKEv2:(SA ID = 1):Completed SA init exchange
    IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

    IKEv2:(SA ID = 1):Received Packet [From 23.1.1.3:500/To 12.1.1.1:500/VRF i0:f0]
    Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 1
    IKEv2 IKE_AUTH Exchange REQUEST
    Payload contents:
     VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

    IKEv2:(SA ID = 1):Stopping timer to wait for auth message
    IKEv2:(SA ID = 1):Checking NAT discovery
    IKEv2:(SA ID = 1):NAT not found
    IKEv2:(SA ID = 1):Searching policy based on peer's identity '23.1.1.3' of type 'IPv4 address'
    IKEv2:Optional profile description not updated in PSH
    IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
    IKEv2:Found Policy 'IKEV2-POLICY'
    IKEv2:Found matching IKEv2 profile 'IKEV2-PROFILE'
    IKEv2:(SA ID = 1):Verify peer's policy
    IKEv2:(SA ID = 1):Peer's policy verified
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
    IKEv2:(SA ID = 1):Sending authentication failure notify
    IKEv2:(SA ID = 1):Building packet for encryption. 
    Payload contents:
     NOTIFY(AUTHENTICATION_FAILED)

    R1#
    IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:500/From 12.1.1.1:500/VRF i0:f0]
    Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 1
    IKEv2 IKE_AUTH Exchange RESPONSE
    Payload contents:
     ENCR

    IKEv2:(SA ID = 1):Auth exchange failed
    IKEv2:(SA ID = 1):Auth exchange failed

    IKEv2:(SA ID = 1):Auth exchange failed
    IKEv2:(SA ID = 1):Abort exchange
    IKEv2:(SA ID = 1):Deleting SA
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

    R3:

    R3#
    IKEv2:Searching Policy with fvrf 0, local address 23.1.1.3
    IKEv2:Found Policy 'IKEV2-POLICY'
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
    IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
    IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
    IKEv2:(SA ID = 1):Request queued for computation of DH key
    IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
    IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
    IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
    Num. transforms: 4
       AES-CBC   SHA512   SHA512   DH_GROUP_1536_MODP/Group 5

    IKEv2:(SA ID = 1):Sending Packet [To 12.1.1.1:500/From 23.1.1.3:500/VRF i0:f0]
    Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0000000000000000 Message id: 0
    IKEv2 IKE_SA_INIT Exchange REQUEST
    Payload contents:
     SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

    IKEv2:(SA ID = 1):Insert SA

    IKEv2:(SA ID = 1):Received Packet [From 12.1.1.1:500/To 23.1.1.3:500/VRF i0:f0]
    Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 0
    IKEv2 IKE_SA_INIT Exchange RESPONSE
    Payload contents:
     SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

    IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
    IKEv2:(SA ID = 1):Verify SA init message
    IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'CA-SERVER1'  
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint CA-SERVER1
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
    IKEv2:(SA ID = 1):Checking NAT discovery
    IKEv2:(SA ID = 1):NAT not found
    IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
    IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
    IKEv2:(SA ID = 1):Request queued for computation of DH secret
    IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
    IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
    IKEv2:(SA ID = 1):Completed SA init exchange
    IKEv2:Config data to send:
    Config-type: Config-request
    Attrib type: ipv4-addr, length: 0
    Attrib type: ipv4-netmask, length: 0
    Attrib type: ipv4-dns, length: 0
    Attrib type: ipv4-dns, length: 0
    Attrib type: ipv4-nbns, length: 0
    Attrib type: ipv4-nbns, length: 0
    Attrib type: ipv4-subnet, length: 0
    Attrib type: app-version, length: 219, data: Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.3(1.3)T, ENGINEERING WEEKLY BUILD, synced to V152_4_M1_10
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Thu 25-Oct-12 04:35 by hlo
    Attrib type: split-dns, length: 0
    Attrib type: banner, length: 0
    Attrib type: config-url, length: 0
    Attrib type: backup-gateway, length: 0
    Attrib type: def-domain, length: 0
    IKEv2:(SA ID = 1):Have config mode data to send
    IKEv2:(SA ID = 1):Check for EAP exchange
    IKEv2:(SA ID = 1):Generate my authentication data
    IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
    IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
    IKEv2:(SA ID = 1):Get my authentication method
    IKEv2:(SA ID = 1):My authentication method is 'RSA'
    IKEv2:(SA ID = 1):Sign authentication data
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
    IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
    IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
    IKEv2:(SA ID = 1):Authentication material has been sucessfully signed
    IKEv2:(SA ID = 1):Check for EAP exchange
    IKEv2:(SA ID = 1):Generating IKE_AUTH message
    IKEv2:(SA ID = 1):Constructing IDi payload: '23.1.1.3' of type 'IPv4 address'
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'   'CA-SERVER1'  
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
    IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
    Num. transforms: 3
       AES-CBC   SHA512   Don't use ESN
    IKEv2:(SA ID = 1):Building packet for encryption. 
    Payload contents:
     VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

    IKEv2:(SA ID = 1):Sending Packet [To 12.1.1.1:500/From 23.1.1.3:500/VRF i0:f0]
    Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 1
    IKEv2 IKE_AUTH Exchange REQUEST
    Payload contents:
     ENCR

    IKEv2:(SA ID = 1):Received Packet [From 12.1.1.1:500/To 23.1.1.3:500/VRF i0:f0]
    Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 1
    IKEv2 IKE_AUTH Exchange RESPONSE
    Payload contents:
     NOTIFY(AUTHENTICATION_FAILED)

    IKEv2:(SA ID = 1):
    R3#Process auth response notify
    IKEv2:(SA ID = 1):
    IKEv2:(SA ID = 1):Auth exchange failed
    IKEv2:(SA ID = 1):Auth exchange failed

    IKEv2:(SA ID = 1):Auth exchange failed
    IKEv2:(SA ID = 1):Abort exchange
    IKEv2:(SA ID = 1):Deleting SA
    IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
    IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

  • 09-21-2016 9:33 AM In reply to

    Re: ikev2 certificate with ios flexvpn client

    I have not validated the complete configuration, but one mistake is obvious from the configuration and debug messages: R1 is a CA server, but it does NOT have a certificate to be used for IKEv2 authentication; the self-signed certificate of R1, as a result of being a CA, can ONLY be used for signing purposes, not for IKE or any other purposes; you need to create a new trustpoint on R1, enroll R1 with itself and reference the new trustpoint in your IKEv2 configuration.

    Cristian Matei, CCIE #23684 (SC/R&S)
    cmatei@ine.com


    InternetworkExpert Inc.
    http://www.ine.com
    Online Community: http://www.ieoc.com
    CCIE Blog: http://blog.ine.com
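    One way to apply the fix Cristian describes, as an added example that is not from this thread or from INE: R1 gets a second trustpoint that serves only as its IKEv2 identity, enrolls that trustpoint against R1's own CA server, and the IKEv2 profile is repointed from CA-SERVER to the new trustpoint. The trustpoint name R1-IKE, the key label R1-IKE-KEY and the subject name are assumptions; the enrollment URL, FQDN, CA server name and profile name are taken from the configuration posted above.

```ios
! Added example (not from the thread). Run on R1.
! Exec mode: a dedicated key pair for the identity certificate
! (label R1-IKE-KEY is an assumption).
crypto key generate rsa label R1-IKE-KEY modulus 2048
!
! Config mode: a separate trustpoint that enrolls R1 with its own CA
! server over SCEP (the HTTP server the CA already requires). The
! existing CA-SERVER trustpoint keeps only the CA role.
crypto pki trustpoint R1-IKE
 enrollment url http://12.1.1.1:80
 fqdn R1.test.com
 subject-name CN=R1.test.com
 revocation-check none
 rsakeypair R1-IKE-KEY
!
! Exec mode: import the CA certificate, then request the identity
! certificate. "grant auto" on CA-SERVER issues it without manual approval.
crypto pki authenticate R1-IKE
crypto pki enroll R1-IKE
!
! Config mode: sign and verify with the trustpoint that now holds an
! identity certificate instead of the CA's self-signed certificate.
crypto ikev2 profile IKEV2-PROFILE
 no pki trustpoint CA-SERVER
 pki trustpoint R1-IKE
!
! Exec mode: the trustpoint should now list both a CA Certificate and a
! Certificate (the identity) before the tunnel is brought up again.
show crypto pki certificates R1-IKE
```

    Because the identity certificate is still issued by CN=MTP, the certificate map on R3 (`issuer-name co mtp`) continues to match, so only R1 needs to change. Clearing the IKEv2 SA after the change (`clear crypto ikev2 sa`) forces a fresh IKE_AUTH exchange so the new certificate is used.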
  • 10-01-2016 12:50 AM In reply to

    Re: ikev2 certificate with ios flexvpn client

    Thanks Cristian. It is working after creating the new trust point.

© 2010 Internetwork Expert, Inc. All Rights Reserved