IKEv2 certificate with IOS FlexVPN client

Hi All,

I am testing this scenario. R1 is my CA server and R3 is the FlexVPN client. With a preshared key everything is working fine, but when I change it to certificate auth I am facing an issue. R3 successfully got the certificate from R1.

R1: Config

crypto pki server CA-SERVER
 issuer-name CN=MTP
 grant auto
 hash sha1
crypto pki trustpoint CA-SERVER
 fqdn R1.test.com
 revocation-check none
 rsakeypair CA-SERVER
 auto-enroll
crypto pki certificate map CMAP 1
 issuer-name co mtp

crypto ikev2 name-mangler MANGLER
 fqdn domain
crypto ikev2 authorization policy default
 pool MY-POOL
 route set access-list ACL
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-128
 integrity sha512
 group 5
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

 !
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 23.1.1.3 255.255.255.255
 match certificate CMAP
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-SERVER
 aaa authorization group cert list CERTGROUP MANGLER
 virtual-template 1
crypto isakmp diagnose error
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
 set ikev2-profile IKEV2-PROFILE
interface Virtual-Template1 type tunnel
 ip unnumbered Ethernet0/1
 tunnel source Ethernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
R3:

crypto pki trustpoint CA-SERVER1
 enrollment url http://12.1.1.1:80
 serial-number
 fqdn R3.test.com
 subject-name CN=VPN-Client
 revocation-check none
 source interface Ethernet0/1
 rsakeypair VPN-KEY
 auto-enroll

crypto pki certificate map CMAP 1
 issuer-name co mtp

crypto ikev2 name-mangler MANGLER
 fqdn domain

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-128
 integrity sha512
 group 5

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 12.1.1.1 255.255.255.255
 match certificate CMAP
 identity local address 23.1.1.3
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint CA-SERVER1
 aaa authorization group cert list CERTGROUP MANGLER

crypto ikev2 client flexvpn FLEXVPN-CLIENT
  peer 1 12.1.1.1
  client connect Tunnel0
crypto isakmp diagnose error
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS
 set ikev2-profile IKEV2-PROFILE

interface Tunnel0
 ip address negotiated
 tunnel source Ethernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 12.1.1.1
 tunnel protection ipsec profile IPSEC-PROFILE
Debug output:

R1:
IKEv2:Received Packet [From 23.1.1.3:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

IKEv2:(SA ID = 1):Verify SA init message
IKEv2:(SA ID = 1):Insert SA
IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
IKEv2:Found Policy 'IKEV2-POLICY'
IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'   'CA-SERVER'  
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SA ID = 1):Request queued for computation of DH key
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SA ID = 1):Request queued for computation of DH secret
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA512   SHA512   DH_GROUP_1536_MODP/Group 5
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'   'CA-SERVER'  
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

IKEv2:(SA ID = 1):Completed SA init exchange
IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

IKEv2:(SA ID = 1):Received Packet [From 23.1.1.3:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

IKEv2:(SA ID = 1):Stopping timer to wait for auth message
IKEv2:(SA ID = 1):Checking NAT discovery
IKEv2:(SA ID = 1):NAT not found
IKEv2:(SA ID = 1):Searching policy based on peer's identity '23.1.1.3' of type 'IPv4 address'
IKEv2:Optional profile description not updated in PSH
IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
IKEv2:Found Policy 'IKEV2-POLICY'
IKEv2:Found matching IKEv2 profile 'IKEV2-PROFILE'
IKEv2:(SA ID = 1):Verify peer's policy
IKEv2:(SA ID = 1):Peer's policy verified
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
IKEv2:(SA ID = 1):Sending authentication failure notify
IKEv2:(SA ID = 1):Building packet for encryption. 
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)

R1#
IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

IKEv2:(SA ID = 1):Auth exchange failed
IKEv2:(SA ID = 1):Auth exchange failed

IKEv2:(SA ID = 1):Auth exchange failed
IKEv2:(SA ID = 1):Abort exchange
IKEv2:(SA ID = 1):Deleting SA
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
R3:
R3#
IKEv2:Searching Policy with fvrf 0, local address 23.1.1.3
IKEv2:Found Policy 'IKEV2-POLICY'
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SA ID = 1):Request queued for computation of DH key
IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA512   SHA512   DH_GROUP_1536_MODP/Group 5

IKEv2:(SA ID = 1):Sending Packet [To 12.1.1.1:500/From 23.1.1.3:500/VRF i0:f0]
Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

IKEv2:(SA ID = 1):Insert SA

IKEv2:(SA ID = 1):Received Packet [From 12.1.1.1:500/To 23.1.1.3:500/VRF i0:f0]
Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SA ID = 1):Verify SA init message
IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'CA-SERVER1'  
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint CA-SERVER1
IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
IKEv2:(SA ID = 1):Checking NAT discovery
IKEv2:(SA ID = 1):NAT not found
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SA ID = 1):Request queued for computation of DH secret
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
IKEv2:(SA ID = 1):Completed SA init exchange
IKEv2:Config data to send:
Config-type: Config-request
Attrib type: ipv4-addr, length: 0
Attrib type: ipv4-netmask, length: 0
Attrib type: ipv4-dns, length: 0
Attrib type: ipv4-dns, length: 0
Attrib type: ipv4-nbns, length: 0
Attrib type: ipv4-nbns, length: 0
Attrib type: ipv4-subnet, length: 0
Attrib type: app-version, length: 219, data: Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.3(1.3)T, ENGINEERING WEEKLY BUILD, synced to V152_4_M1_10
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 25-Oct-12 04:35 by hlo
Attrib type: split-dns, length: 0
Attrib type: banner, length: 0
Attrib type: config-url, length: 0
Attrib type: backup-gateway, length: 0
Attrib type: def-domain, length: 0
IKEv2:(SA ID = 1):Have config mode data to send
IKEv2:(SA ID = 1):Check for EAP exchange
IKEv2:(SA ID = 1):Generate my authentication data
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SA ID = 1):Get my authentication method
IKEv2:(SA ID = 1):My authentication method is 'RSA'
IKEv2:(SA ID = 1):Sign authentication data
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
IKEv2:(SA ID = 1):Authentication material has been sucessfully signed
IKEv2:(SA ID = 1):Check for EAP exchange
IKEv2:(SA ID = 1):Generating IKE_AUTH message
IKEv2:(SA ID = 1):Constructing IDi payload: '23.1.1.3' of type 'IPv4 address'
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'   'CA-SERVER1'  
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA512   Don't use ESN
IKEv2:(SA ID = 1):Building packet for encryption. 
Payload contents:
 VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

IKEv2:(SA ID = 1):Sending Packet [To 12.1.1.1:500/From 23.1.1.3:500/VRF i0:f0]
Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 ENCR
IKEv2:(SA ID = 1):Received Packet [From 12.1.1.1:500/To 23.1.1.3:500/VRF i0:f0]
Initiator SPI : DBF41D1284C9F9E6 - Responder SPI : 0662F8E8716EECFD Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)

IKEv2:(SA ID = 1):
R3#Process auth response notify
IKEv2:(SA ID = 1):
IKEv2:(SA ID = 1):Auth exchange failed
IKEv2:(SA ID = 1):Auth exchange failed

IKEv2:(SA ID = 1):Auth exchange failed
IKEv2:(SA ID = 1):Abort exchange
IKEv2:(SA ID = 1):Deleting SA
IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

Comments

  • I have not validated the complete configuration, but one mistake is obvious from the configuration and debug messages: R1 is a CA server, but it does NOT have a certificate to be used for IKEv2 authentication; the self-signed certificate of R1, as a result of being a CA, can ONLY be used for signing purposes, not for IKE or any other purposes; you need to create a new trustpoint on R1, enroll R1 with itself and reference the new trustpoint in your IKEv2 configuration.

  • Thanks Cristian. It is working after creating the new trust point.
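Added example (not from the original thread or from Cisco): the R1-side change Cristian's comment describes, shown as a before/after of the IKEv2 profile. The trustpoint name R1-IDENTITY, key label R1-IDENTITY-KEY and subject CN=R1 are assumptions; the enrollment URL is the one R3 already enrolls against, so R1's HTTP enrollment service is assumed reachable on 12.1.1.1.

```cisco
! BEFORE (from the question): the IKEv2 profile references the CA
! trustpoint, whose self-signed CA certificate cannot sign IKE_AUTH.
!   crypto ikev2 profile IKEV2-PROFILE
!    pki trustpoint CA-SERVER
!
! AFTER: keep CA-SERVER as the CA only, add a separate identity
! trustpoint on R1 and enroll it with R1's own CA.
! (Trustpoint name, key label and subject-name are assumptions.)
!
! Exec mode: generate a dedicated key pair for the identity certificate.
crypto key generate rsa label R1-IDENTITY-KEY modulus 2048
!
! Config mode: identity trustpoint enrolled against the local CA.
crypto pki trustpoint R1-IDENTITY
 enrollment url http://12.1.1.1:80
 fqdn R1.test.com
 subject-name CN=R1
 revocation-check none
 rsakeypair R1-IDENTITY-KEY
!
! Exec mode: fetch the CA certificate, then request the identity
! certificate (CA-SERVER has "grant auto", so it is issued immediately).
crypto pki authenticate R1-IDENTITY
crypto pki enroll R1-IDENTITY
!
! Config mode: reference the identity trustpoint in the IKEv2 profile.
! CMAP still matches, because the issuer of both certificates is CN=MTP.
crypto ikev2 profile IKEV2-PROFILE
 no pki trustpoint CA-SERVER
 pki trustpoint R1-IDENTITY
!
! Check: the identity trustpoint must list a CA certificate AND a
! router (identity) certificate before retesting the tunnel.
show crypto pki certificates R1-IDENTITY
```

With the identity certificate in place, the R1 debug should no longer end in "Verification of peer's authentication data FAILED" followed by NOTIFY(AUTHENTICATION_FAILED).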