ikev2 VPN s-2-s - IOS and ASA - certificate (completed)
As I promised in one of my last posts, I'm going to implement a s-2-s VPN with certificates, which is a more secure and scalable solution. The tunnel will be set up between an IOS router and an ASA.
                   |<-VPN->|
              /----\       -----              /----\
Loop0 --------| R1 |-------| ASA1 |-----Gig0/0| R2 |
11.11.11.11   \----/   |   -----    20.0.0.1  \----/
                       |
                    /----\
                    | R3 |
                    \----/
                  PKI SERVER
Let’s start from the PKI Server:
!
hostname R3
!
crypto pki server PKI-SERVER
grant auto
no shut
!
!
interface GigabitEthernet0/0
ip address 10.0.0.100 255.255.255.0
no sh
!
ip http server
!
We should check the server status to be sure it has started:
R3#sh crypto pki server
Certificate Server PKI-SERVER:
Status: enabled
State: enabled
Server's configuration is locked (enter "shut" to unlock it)
Issuer name: CN=PKI-SERVER
CA cert fingerprint: 39F66FBD 019F618C 189378C2 A6F07016
Granting mode is: auto
Last certificate issued serial number (hex): 1
CA certificate expiration timer: 12:30:03 UTC May 4 2017
CRL NextUpdate timer: 18:30:04 UTC May 5 2014
Current primary storage dir: nvram:
Database Level: Minimum - no cert data written to storage
R3#
I will work on the same configuration which I posted here (http://myitmicroblog.svbtle.com/ikev2-vpn-s2s-ios-and-asa).
Let’s start from R1:
1) trustpoint
!
crypto pki trustpoint PKI-TRUSTPOINT
enrollment url http://10.0.0.100:80
rsakeypair KEY1024
!
2) ikev2 profile
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote address 10.0.0.2 255.255.255.255
identity local address 10.0.0.1
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint PKI-TRUSTPOINT
!
3) authentication and enrollment of the trustpoint
crypto pki authenticate PKI-TRUSTPOINT
crypto pki enroll PKI-TRUSTPOINT
which looks like:
r1(config)#crypto pki authenticate PKI-TRUSTPOINT
Certificate has the following attributes:
Fingerprint MD5: 189320F0 B503496C F8B738D6 D096878E
Fingerprint SHA1: F05A34D8 C016D009 91C83B69 A6B13FF4 661DA4D7
% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
r1(config)#crypto pki enroll PKI-TRUSTPOINT
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: r1.test.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose PKI-TRUSTPOINT' command will show the fingerprint.
r1(config)#
May 6 16:01:57.577: CRYPTO_PKI: Certificate Request Fingerprint MD5: BBA29F53 A2CCF35E B568A7AC 9FB845F7
May 6 16:01:57.581: CRYPTO_PKI: Certificate Request Fingerprint SHA1: 52084B11 1DE5BE29 FC7FEF23 FFDB6189 A6A7B452
May 6 16:01:58.485: %PKI-6-CERTRET: Certificate received from Certificate Authority
r1(config)#
Ok, I’m ready now to start with ASA1:
1) trustpoint
crypto ca trustpoint PKI-TRUSTPOINT
enrollment url http://10.0.0.100:80
keypair KEY1024
crl configure
2) tunnel group
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication certificate
ikev2 local-authentication certificate PKI-TRUSTPOINT
3) authentication and enrollment of the trustpoint
crypto ca authenticate PKI-TRUSTPOINT
crypto ca enroll PKI-TRUSTPOINT
which looks like the following output:
asa1(config)# crypto ca authenticate PKI-TRUSTPOINT
INFO: Certificate has the following attributes:
Fingerprint: 189320f0 b503496c f8b738d6 d096878e
Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
asa1(config)# crypto ca enroll PKI-TRUSTPOINT
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password: ********
Re-enter password: ********
% The fully-qualified domain name in the certificate will be: asa1.test.com
% Include the device serial number in the subject name? [yes/no]: no
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
asa1(config)# The certificate has been granted by CA!
asa1(config)#
Let’s try:
R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
As we can see, the ping doesn't work.
Let’s check debug output on ASA1:
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITE
IKEv2-PROTO-3: ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
3DES MD596
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACT
IKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGS
IKEv2-PROTO-3: (35): Building packet for encryption; contents are:
VID Next payload: IDi, reserved: 0x0, length: 20
8a c8 19 6c 6a 2c ec b6 06 a2 7e 25 11 fe fb e3
IDi Next payload: CERT, reserved: 0x0, length: 21
Id type: FQDN, Reserved: 0x0 0x0
61 73 61 31 2e 74 65 73 74 2e 63 6f 6d
CERT Next payload: CERTREQ, reserved: 0x0, length: 556
Cert encoding X.509 Certificate - signature
Cert data: 551 bytes
CERTREQ Next payload: AUTH, reserved: 0x0, length: 25
Cert encoding X.509 Certificate - signature
CertReq data: 20 bytes
AUTH Next payload: SA, reserved: 0x0, length: 136
Auth method RSA, reserved: 0x0, reserved 0x0
Auth data: 128 bytes
SA Next payload: TSi, reserved: 0x0, length: 40
IKEv2-PROTO-4: last proposal: 0x0, reserved: 0x0, length: 36
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
IKEv2-PROTO-4: last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: MD596
IKEv2-PROTO-4: last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id:
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 20.0.0.1, end addr: 20.0.0.1
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 11.11.11.11, end addr: 11.11.11.11
NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
IKEv2-PROTO-3: (35): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:88C8186C791B1FF1 - r: 0308BFB95B1C2224]
IKEv2-PROTO-4: IKEV2 HDR ispi: 88C8186C791B1FF1 - rspi: 0308BFB95B1C2224
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 928
ENCR Next payload: VID, reserved: 0x0, length: 900
Encrypted data: 896 bytes
IKEv2-PROTO-5: (35): SM Trace-> SA: I_SPI=88C8186C791B1FF1 R_SPI=0308BFB95B1C2224 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:88C8186C791B1FF1 - r: 0308BFB95B1C2224]
IKEv2-PROTO-4: IKEV2 HDR ispi: 88C8186C791B1FF1 - rspi: 0308BFB95B1C2224
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 72
REAL Decrypted packet:Data: 8 bytes
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
Decrypted packet:Data: 72 bytes
and debug output from R1:
May 6 16:06:19.085: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=870493F1B3A44F31 R_SPI=4243A48BC2425D71 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
May 6 16:06:19.085: IKEv2:%Profile could not be found by peer certificate.
May 6 16:06:19.085: IKEv2:% IKEv2 profile not found
May 6 16:06:19.089: IKEv2:(SA ID = 1):Failed to locate an item in the database
May 6 16:06:19.089: IKEv2:(SA ID = 1):
May 6 16:06:19.089: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=870493F1B3A44F31 R_SPI=4243A48BC2425D71 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
May 6 16:06:19.089: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
May 6 16:06:19.093: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 72
Payload contents:
ENCR Next payload: NOTIFY, reserved: 0x0, length: 44
May 6 16:06:19.097: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=870493F1B3A44F31 R_SPI=4243A48BC2425D71 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
May 6 16:06:19.105: IKEv2:(SA ID = 1):Auth exchange failed
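The state-machine trace is the most useful part of these debugs: the failure is raised while the responder is in R_WAIT_AUTH handling EV_GET_POLICY_BY_PEERID, that is during IKEv2 profile selection, before any signature is checked. Later in this post the same AUTHENTICATION_FAILED notify is produced for a different reason (the ASA reports "Failed to compute or verify a signature" in R_VERIFY_AUTH), and IPsec selector problems show up on the router as "proxy identities not supported". The Python script below is an added example, not code from the post: it reads a debug capture, remembers the last SM Trace state/event, and maps the error strings that occur on this page to the layer that produced them. The sample inputs are excerpts of the debugs shown here; the hint text is this example's own reading of the messages.

```python
"""Triage for IOS / ASA IKEv2 debug output (added example, not from the post)."""
import re

# "CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID"; some captures show "CurStat e:"
SM_TRACE = re.compile(r"CurStat\s?e:\s*(\w+)\s+Event:\s*(\w+)")

# What to check per failing layer. These hints are this example's own, not text from the post.
HINTS = {
    "ikev2-profile-selection": "no IKEv2 profile matched the peer: compare the IDi type "
                               "(address/fqdn/dn) with 'match identity remote', or fix the certificate map",
    "ikev2-auth-signature": "the AUTH payload did not verify with the certificate the peer sent: "
                            "check that the peer signs with the key pair its certificate was enrolled with",
    "ipsec-selectors": "the peer's traffic selectors matched no crypto map ACL or virtual-template",
    "ipsec-transform": "no local IPsec transform set matches the peer's ESP proposal",
    "config-exchange-info": "informational: IKEv2 config exchange is not available on crypto-map tunnels",
}

# Substrings as they appear in the debugs on this page -> failing layer.
NEEDLES = [
    ("Profile could not be found by peer certificate", "ikev2-profile-selection"),
    ("IKEv2 profile not found", "ikev2-profile-selection"),
    ("Failed to verify signature", "ikev2-auth-signature"),
    ("Failed to compute or verify a signature", "ikev2-auth-signature"),
    ("proxy identities not supported", "ipsec-selectors"),
    ("map_db_find_best did not find matching map", "ipsec-selectors"),
    ("transform proposal not supported", "ipsec-transform"),
    ("Config-request is not supported for crypto maps", "config-exchange-info"),
]


def triage(debug_text):
    """One finding per matching line, tagged with the last SM Trace state/event seen before it."""
    state = event = None
    findings = []
    for line in debug_text.splitlines():
        m = SM_TRACE.search(line)
        if m:
            state, event = m.group(1), m.group(2)
            continue
        for needle, layer in NEEDLES:
            if needle in line:
                findings.append({"layer": layer, "state": state, "event": event,
                                 "line": line.strip(), "hint": HINTS[layer]})
                break
    return findings


def failing_layers(debug_text):
    """Distinct failing layers in order of first appearance."""
    seen = []
    for f in triage(debug_text):
        if f["layer"] not in seen:
            seen.append(f["layer"])
    return seen


# Excerpts of the debugs shown on this page: R1 profile lookup failure,
# ASA signature verification failure, router IPsec selector mismatch.
R1_PROFILE_FAIL = """\
May 6 16:06:19.085: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=870493F1B3A44F31 R_SPI=4243A48BC2425D71 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
May 6 16:06:19.085: IKEv2:%Profile could not be found by peer certificate.
May 6 16:06:19.085: IKEv2:% IKEv2 profile not found
May 6 16:06:19.089: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=870493F1B3A44F31 R_SPI=4243A48BC2425D71 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
"""
ASA_SIG_FAIL = """\
IKEv2-PROTO-5: (36): SM Trace-> SA: I_SPI=7DB0C331C016FC15 R_SPI=F20D7D3A18064353 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (36): Verify authentication data
IKEv2-PROTO-1: (36): Failed to compute or verify a signature
"""
R2_SELECTOR_FAIL = """\
IPSEC(validate_proposal_request): proposal part #1,
map_db_find_best did not find matching map
IPSEC(ipsec_process_proposal): proxy identities not supported
"""

if __name__ == "__main__":
    for name, text in [("R1", R1_PROFILE_FAIL), ("ASA1", ASA_SIG_FAIL), ("R2", R2_SELECTOR_FAIL)]:
        for f in triage(text):
            print(f"{name}: {f['layer']} at {f['state']}/{f['event']}: {f['hint']}")
```

Run it over `debug crypto ikev2` output saved from a terminal session; the state/event pair attached to each finding tells you whether to look at the profile match statements, at the certificate/key pairing, or at the crypto map / virtual-template selectors, instead of starting from the generic AUTHENTICATION_FAILED notify.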
Now I try disabling revocation checking on the trustpoints:
R1:
!
crypto pki trustpoint PKI-TRUSTPOINT
enrollment url http://10.0.0.100:80
revocation-check none
rsakeypair KEY1024
!
and ASA1:
crypto ca trustpoint PKI-TRUSTPOINT
enrollment url http://10.0.0.100:80
keypair KEY1024
crl configure
revocation-check none
and I try the ping once again:
R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#
debug on ASA1:
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 72
REAL Decrypted packet:Data: 8 bytes
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
Decrypted packet:Data: 72 bytes
IKEv2-PROTO-5: (37): SM Trace-> SA: I_SPI=6811C75A159254A1 R_SPI=193D1DACC14DB918 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (37): Action: Action_Null
IKEv2-PROTO-5: (37): SM Trace-> SA: I_SPI=6811C75A159254A1 R_SPI=193D1DACC14DB918 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (37): Process auth response notify
IKEv2-PROTO-1: (37):
IKEv2-PROTO-5: (37): SM Trace-> SA: I_SPI=6811C75A159254A1 R_SPI=193D1DACC14DB918 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-3: (37): Auth exchange failed
and debug on R1:
May 6 16:26:08.380: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH
May 6 16:26:08.384: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T
May 6 16:26:08.384: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
May 6 16:26:08.384: IKEv2:(SA ID = 1):Received valid parameteres in process id
May 6 16:26:08.384: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
May 6 16:26:08.384: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
May 6 16:26:08.388: IKEv2:%Profile could not be found by peer certificate.
May 6 16:26:08.388: IKEv2:% IKEv2 profile not found
May 6 16:26:08.392: IKEv2:(SA ID = 1):Failed to locate an item in the database
May 6 16:26:08.392: IKEv2:(SA ID = 1):
May 6 16:26:08.392: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
May 6 16:26:08.392: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
May 6 16:26:08.396: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 72
Payload contents:
ENCR Next payload: NOTIFY, reserved: 0x0, length: 44
May 6 16:26:08.404: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
May 6 16:26:08.408: IKEv2:(SA ID = 1):Auth exchange failed
I still see the same error message, 'Authentication failed'. Now I will try to test the same configuration on different software versions. The current ones are:
asa1# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(2)
and
r1#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1)
–
After discussing the case with a few smart guys, I changed some settings, but the tunnel still doesn't work:
R1:
!
crypto pki trustpoint PKI-TRUSTPOINT
enrollment url http://10.0.0.100:80
fqdn r1.test.com
revocation-check none
rsakeypair KEY1024
!
crypto ikev2 profile IKEV2-PROFILE
match identity remote fqdn asa1.test.com
identity local address 10.0.0.1
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint PKI-TRUSTPOINT
!
no crypto ikev2 http-url cert
!
and ASA1:
!
crypto ca trustpoint PKI-TRUSTPOINT
enrollment url http://10.0.0.100:80
fqdn asa1.test.com
keypair KEY1024
ignore-ipsec-keyusage
crl configure
!
crypto isakmp identity address
Ok, I tested the same configuration on:
asa1# sh ver
Cisco Adaptive Security Appliance Software Version 9.0(3)
and
r1#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(1)T2.1
but I see the same error message:
IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PROTO-1: (1): Failed to locate an item in the database
IKEv2-PROTO-1: (1):
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=997BD156D059DC59 R_SPI=27187A077D17A255 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-3: (1): Verify auth failed
IKEv2-PROTO-2: (1): Sending authentication failure notify
IKEv2-PROTO-5: Construct Notify Payload: AUTHENTICATION_FAILED
IKEv2-PROTO-3: (1): Building packet for encryption; contents are:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
IKEv2-PROTO-3: Tx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:997BD156D059DC59 - r: 27187A077D17A255]
IKEv2-PROTO-4: IKEV2 HDR ispi: 997BD156D059DC59 - rspi: 27187A077D17A255
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 72
ENCR Next payload: NOTIFY, reserved: 0x0, length: 44
Encrypted data: 40 bytes
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=997BD156D059DC59 R_SPI=27187A077D17A255 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-3: (1): Auth exchange failed
When R1 is the initiator I see:
r1#ping 20.0.0.1 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11
.....
Success rate is 0 percent (0/5)
r1#sh crypto ikev2 sa
r1#
and on ASA1 I see the tunnel:
asa1# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:35, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
888776563 10.0.0.2/500 10.0.0.1/500 READY RESPONDER
Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/10 sec
Child sa: local selector 20.0.0.1/0 - 20.0.0.1/65535
remote selector 11.11.11.11/0 - 11.11.11.11/65535
ESP spi in/out: 0x52823e33/0x61c1129c
asa1# sh crypto ikev2 sa detail
IKEv2 SAs:
Session-id:35, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
888776563 10.0.0.2/500 10.0.0.1/500 READY RESPONDER
Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/15 sec
Session-id: 35
Status Description: Negotiation done
Local spi: FAD33C384A388120 Remote spi: 0BEECB7CAC914A16
Local id: 10.0.0.2
Remote id: 10.0.0.1
Local req mess id: 0 Remote req mess id: 2
Local next mess id: 0 Remote next mess id: 2
Local req queued: 0 Remote req queued: 2
Local window: 1 Remote window: 5
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 20.0.0.1/0 - 20.0.0.1/65535
remote selector 11.11.11.11/0 - 11.11.11.11/65535
ESP spi in/out: 0x52823e33/0x61c1129c
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa1#
asa1# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2
access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
local ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
current_peer: r1.test.com
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: r1.test.com/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 61C1129C
current inbound spi : 52823E33
inbound esp sas:
spi: 0x52823E33 (1384267315)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 368640, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4147200/28773)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x61C1129C (1640043164)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 368640, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4193280/28773)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa1#
When I send traffic from the device behind the ASA (so the ASA is the initiator) I see the following output:
r1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 10.0.0.1/500 10.0.0.2/500 none/none IN-NEG
Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 120/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
3 10.0.0.1/500 10.0.0.2/500 none/none IN-NEG
Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 120/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 10.0.0.2/500 none/none IN-NEG
Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 120/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
5 10.0.0.1/500 10.0.0.2/500 none/none IN-NEG
Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 120/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
4 10.0.0.1/500 10.0.0.2/500 none/none IN-NEG
Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 120/0 sec
IPv6 Crypto IKEv2 SA
r1#
and ASA:
asa1# sh crypto ikev2 sa
There are no IKEv2 SAs
asa1#
I will continue working on this case and I will update the post regularly until the tunnel comes up.
…a day later
I continued working on this problem and now I'm almost sure the solution is not supported by Cisco. By solution I mean 'ASA & IKEv2 & local CA'. I will test it with a Windows CA in the next few days. Now let's see the latest test result.
I changed the configuration on both devices:
ASA1:
!
crypto isakmp identity hostname
!
R1:
!
crypto pki certificate map CERT-MAP 10
issuer-name co r3
!
crypto ikev2 policy IKEV2-POLICY
match fvrf any
proposal IKEV2-PROPOSAL
!
!
crypto ikev2 profile IKEV2-PROFILE
match fvrf any
match certificate CERT-MAP
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint PKI-TRUSTPOINT
!
no crypto ikev2 http-url cert
!
And debug output:
ASA1:
IKEv2-PLAT-3: (82) peer auth method set to: 1
IKEv2-PLAT-3: attempting to find tunnel group for ID: hostname=r1.test.com
IKEv2-PLAT-3: attempting to find tunnel group for IP: 10.0.0.1
IKEv2-PLAT-3: mapped to tunnel group 10.0.0.1 using peer IP
IKEv2-PLAT-3: (82) tg_name set to: 10.0.0.1
IKEv2-PLAT-3: (82) tunn grp type set to: L2L
IKEv2-PLAT-3: Peer ID check not requested
IKEv2-PLAT-3: my_auth_method = 1
IKEv2-PLAT-3: supported_peers_auth_method = 1
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 9
IKEv2-PLAT-3: Certificate validation queued
IKEv2-PLAT-3: Certificate validation completed
IKEv2-PLAT-1: Failed to verify signature
IKEv2-PLAT-5: Negotiating SA request deleted
ASA1:
IKEv2-PROTO-3: (36): Save pubkey
IKEv2-PROTO-5: (36): SM Trace-> SA: I_SPI=7DB0C331C016FC15 R_SPI=F20D7D3A18064353 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (36): Verify authentication data
IKEv2-PROTO-1: (36): Failed to compute or verify a signature
ASA1:
CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Found a suitable authenticated trustpoint PKI-TRUSTPOINT.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage extension not found.
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary
CRYPTO_PKI:Certificate validated. serial number: 0E, subject name: hostname=r1.test.com.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation check
CRYPTO_PKI: valid cert with warning.
CRYPTO_PKI: valid cert status.
CERT_API: calling user callback=0x085fc703 with status=0
CERT_API: Async unlocked for session 0x1f42f6e5
CERT API thread sleeps!
CERT_API: Close session 0x1f42f6e5 synchronously
R1:
May 7 06:04:01.682: CRYPTO_PKI: (1300C2) Session started - identity not specified
May 7 06:04:01.906: CRYPTO_PKI: Trust-Point PKI-TRUSTPOINT picked up
May 7 06:04:01.906: CRYPTO_PKI: 1 matching trustpoints found
May 7 06:04:01.910: CRYPTO_PKI: Trust-Point PKI-TRUSTPOINT picked up
May 7 06:04:01.914: CRYPTO_PKI: 1 matching trustpoints found
May 7 06:04:01.914: CRYPTO_PKI: locked trustpoint PKI-TRUSTPOINT, refcount is 1
May 7 06:04:01.914: CRYPTO_PKI: Identity bound (PKI-TRUSTPOINT) for session 1300C2
May 7 06:04:02.206: CRYPTO_PKI: Rcvd request to end PKI session 1300C2.
May 7 06:04:02.210: CRYPTO_PKI: PKI session 1300C2 has ended. Freeing all resources.
May 7 06:04:02.210: CRYPTO_PKI: unlocked trustpoint PKI-TRUSTPOINT, refcount is
The last error message is very vague: "Failed to verify signature". It could explain why on R1 I see IKEv2 and IPsec tunnels but not on the ASA. It looks like R1 'thinks' the session is set up properly, but the ASA drops the tunnel based on the last failure.
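Profile selection is where the first attempts in this post fail ("Profile could not be found by peer certificate", "IKEv2 profile not found"). The IKE_AUTH debug from the ASA shows it sending an IDi of type FQDN (asa1.test.com), while the first R1 profile only had `match identity remote address 10.0.0.2`; the configuration above switches to `match certificate CERT-MAP` with `issuer-name co r3`. The Python model below is an added example, not code from the post or from Cisco, and reproduces the IOS matching rules as I understand them: a `match identity remote` line only matches an IDi of the same type, the lines of one certificate-map sequence are ANDed, and identity and certificate matches are ORed within a profile. It also shows the caveat a practitioner should keep in mind with an issuer-only map: every certificate the CA ever issued selects the profile, so the subject should be pinned as well. That matters more here because the ASA side uses `peer-id-validate nocheck` and both trustpoints now carry `revocation-check none`, so neither the IKE identity nor the revocation status of the peer certificate is being checked. The DN strings (issuer CN=PKI-SERVER from `show crypto pki server`, subject hostname=asa1.test.com from the ASA debug), the rogue certificate and the case-insensitive comparison are this example's assumptions. Two checks worth doing before trusting a map: confirm with `show crypto pki certificates` that the value you match really appears in the issuer DN (the map above matches on "r3", while the CA shown earlier prints its issuer as CN=PKI-SERVER), and compare the CA fingerprint accepted during `crypto pki authenticate` (189320F0 …) with the one `show crypto pki server` printed on R3 (39F66FBD …); on this page they differ, and whatever the reason, that should be explained before the rest of the chain is trusted.

```python
"""Model of IOS IKEv2 profile selection (added example, not code from the post)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Peer certificate reduced to the DN strings IOS matches on (constructed for the demo)."""
    subject: str
    issuer: str


@dataclass
class Profile:
    """A 'crypto ikev2 profile' with its match statements."""
    name: str
    # 'match identity remote {address|fqdn|email|dn} <value>' lines, ORed with each other
    match_identity: list = field(default_factory=list)
    # one 'crypto pki certificate map <label> <seq>' sequence: (field, criterion, value), ANDed
    match_cert_map: list = field(default_factory=list)


def cert_map_line_matches(cert, field_name, criterion, value):
    """One certificate-map line: issuer-name / subject-name with co, nc, eq or ne.
    Assumption of this model: IOS compares these strings case-insensitively."""
    actual = {"issuer-name": cert.issuer, "subject-name": cert.subject}[field_name].lower()
    wanted = value.lower()
    return {"co": wanted in actual, "nc": wanted not in actual,
            "eq": actual == wanted, "ne": actual != wanted}[criterion]


def identity_matches(id_type, id_value, rule_type, rule_value):
    """'match identity remote' only matches an IDi of the same type as the rule."""
    if id_type != rule_type:
        return False
    if rule_type == "address":
        return ipaddress.ip_address(id_value) == ipaddress.ip_address(rule_value)
    return id_value.lower() == rule_value.lower()


def select_profile(profiles, peer_id_type, peer_id, cert):
    """First profile whose identity rules OR certificate map accept the peer, else None."""
    for p in profiles:
        if any(identity_matches(peer_id_type, peer_id, t, v) for t, v in p.match_identity):
            return p.name
        if p.match_cert_map and all(cert_map_line_matches(cert, *line) for line in p.match_cert_map):
            return p.name
    return None


# Constructed inputs: issuer as printed by 'show crypto pki server' on R3, the ASA subject
# as printed in the ASA debug, and a hypothetical rogue certificate issued by the same CA.
CA_ISSUER = "CN=PKI-SERVER"
ASA_CERT = PeerCert(subject="hostname=asa1.test.com", issuer=CA_ISSUER)
ROGUE_CERT = PeerCert(subject="hostname=rogue.test.com", issuer=CA_ISSUER)
ASA_IDI = ("fqdn", "asa1.test.com")  # IDi type/value the ASA sent in the IKE_AUTH debug

BY_ADDRESS = Profile("IKEV2-PROFILE", match_identity=[("address", "10.0.0.2")])
BY_FQDN = Profile("IKEV2-PROFILE", match_identity=[("fqdn", "asa1.test.com")])
# issuer-only map, same shape as 'issuer-name co r3' above; value chosen to match CA_ISSUER
ISSUER_ONLY = Profile("IKEV2-PROFILE", match_cert_map=[("issuer-name", "co", "PKI-SERVER")])
# hardened map: same issuer AND the one peer subject this tunnel is meant for
ISSUER_AND_SUBJECT = Profile("IKEV2-PROFILE", match_cert_map=[
    ("issuer-name", "co", "PKI-SERVER"),
    ("subject-name", "eq", "hostname=asa1.test.com"),
])


def demo():
    """Which profile each configuration selects for the ASA and for a rogue peer from the same CA."""
    rogue_idi = ("fqdn", "rogue.test.com")
    return {
        "address rule vs FQDN IDi": select_profile([BY_ADDRESS], *ASA_IDI, ASA_CERT),
        "fqdn rule vs FQDN IDi": select_profile([BY_FQDN], *ASA_IDI, ASA_CERT),
        "issuer-only map, ASA": select_profile([ISSUER_ONLY], *ASA_IDI, ASA_CERT),
        "issuer-only map, rogue": select_profile([ISSUER_ONLY], *rogue_idi, ROGUE_CERT),
        "issuer+subject map, ASA": select_profile([ISSUER_AND_SUBJECT], *ASA_IDI, ASA_CERT),
        "issuer+subject map, rogue": select_profile([ISSUER_AND_SUBJECT], *rogue_idi, ROGUE_CERT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The first case reproduces the original mismatch (an address rule never matches an FQDN IDi), the issuer-only map shows why the rogue certificate is accepted, and the last map is the shape to use in production: issuer plus an exact subject, so that a certificate from the same CA but for a different host selects no profile.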
…four days later:
I changed the ASA and started testing the config on 8.6(1)10
R1:
IKEv2:Config-request is not supported for crypto maps
IKEv2:No config data to send to toolkit:
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SIGN
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_RECD_SIG
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
As we can see, we can't use a crypto map; let's try a tunnel interface:
int GigabitEthernet0/0.28
no crypto map MAPA
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0.28
tunnel source GigabitEthernet0/0.28
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE
R1:
IKEv2:Peer has sent X509 certificates
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_SAVE_PUBKEY
IKEv2:Peer has sent its own certificate as the first certificate in the chain
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_EVENT
IKEv2:(SA ID = 1):Failed to verify signature.
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_FAIL_RECD_VERIFY_SIG
IKEv2:(SA ID = 1):Action: Action_Null
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
%SYS-3-MSGLOST: 24 messages lost because of queue overflow
IKEv2:Got a packet from dispatcher
ASA1:
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 9
IKEv2-PLAT-3: Certificate validation queued
IKEv2-PLAT-3: Certificate validation completed
IKEv2-PLAT-3:
CONNECTION STATUS: UP... peer: 136.1.28.2:500, phase1_id: hostname=R2.test.com
IKEv2-PLAT-3: (27) connection auth hdl set to 20
IKEv2-PLAT-3: AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PLAT-3: (27) idle timeout set to: 30
IKEv2-PLAT-3: (27) session timeout set to: 0
IKEv2-PLAT-3: (27) group policy set to DfltGrpPolicy
IKEv2-PLAT-3: (27) class attr set
IKEv2-PLAT-3: (27) tunnel protocol set to: 0x5c
IKEv2-PLAT-3: IPv4 filter ID not configured for connection
IKEv2-PLAT-3: (27) group lock set to: none
IKEv2-PLAT-3: IPv6 filter ID not configured for connection
IKEv2-PLAT-3: (27) connection attribues set valid to TRUE
IKEv2-PLAT-3: Successfully retrieved conn attrs
IKEv2-PLAT-3: Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-3:
CONNECTION STATUS: REGISTERED... peer: 136.1.28.2:500, phase1_id: hostname=R2.test.com
IKEv2-PLAT-3: (27) mib_index set to: 501
IKEv2-PLAT-5: New ikev2 sa request activated
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PLAT-3: Tunnel initiate failure reported to tunnel manager, handle: 0x81C0809.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-4: SENT PKT [INFORMATIONAL] [136.1.28.8]:500->[136.1.28.2]:500 InitSPI=0x9e9785f43e01c515 RespSPI=0x59ee02be29771e2e MID=00000002
On R1 I found:
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 136.1.28.2:0, remote= 136.1.28.8:0,
local_proxy= 150.1.2.2/255.255.255.255/256/0,
remote_proxy= 136.1.38.3/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
map_db_find_best did not find matching map
IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes 256 esp-md5-hmac }
R2#
ASA1:
group-policy GroupPolicy-IKEV2 internal
group-policy GroupPolicy-IKEV2 attributes
vpn-idle-timeout 30
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 136.1.28.2 general-attributes
default-group-policy GroupPolicy-IKEV2
but I still see the IPsec error on R1:
R2#
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 136.1.28.2:0, remote= 136.1.28.8:0,
local_proxy= 150.1.2.2/255.255.255.255/256/0,
remote_proxy= 136.1.38.3/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
map_db_find_best did not find matching map
IPSEC(ipsec_process_proposal): proxy identities not supported
R2#
from Cisco.com:
Proxy Identities Not Supported
This message appears in debugs if the access list for IPsec traffic does not match.
1d00h: IPSec(validate_transform_proposal): proxy identities not supported
1d00h: ISAKMP: IPSec policy invalidated proposal
1d00h: ISAKMP (0:2): SA not acceptable!
but with a tunnel interface you don't specify an ACL on R1. Let's check the config once again.
I found the ikev2 profile is missing the virtual template:
!
crypto ikev2 profile IKEV2-PROFILE
match fvrf any
match certificate CERT-MAP
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint PKI-TRUSTPOINT
!
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#crypto ikev2 profile IKEV2-PROFILE
R2(config-ikev2-profile)#virt
R2(config-ikev2-profile)#virtual-template 1
R2(config-ikev2-profile)#end
R2#
Let’s try ping again:
R2#
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 136.1.28.2:0, remote= 136.1.28.8:0,
local_proxy= 150.1.2.2/255.255.255.255/256/0,
remote_proxy= 136.1.38.3/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
Crypto mapdb : proxy_match
src addr : 150.1.2.2
dst addr : 136.1.38.3
protocol : 0
src port : 0
dst port : 0
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 150.1.2.2
dst addr : 136.1.38.3
protocol : 256
src port : 0
dst port : 0
IPSEC(crypto_ipsec_create_ipsec_sas): Map found Virtual-Access1-head-0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer
136.1.28.8
IPSEC(create_sa): sa created,
(sa) sa_dest= 136.1.28.2, sa_proto= 50,
sa_spi= 0x4C020662(1275201122),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
sa_lifetime(k/sec)= (4608000/3600)
IPSEC(create_sa): sa created,
(sa) sa_dest= 136.1.28.8, sa_proto= 50,
sa_spi= 0xD4282DF9(3559403001),
sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2002
sa_lifetime(k/sec)= (4608000/3600)
IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Create IPV4 route from ACL
for 136.1.28.8
IPSEC(rte_mgr): VPN Route Refcount 1 Virtual-Access1
IPSEC(rte_mgr): VPN Route Added 136.1.38.3 255.255.255.255 via Virtual-Access1 in IP
DEFAULT TABLE with tag 0 distance 1
IPSEC: Expand action denied, notify RP
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2
Wow, the tunnel is up!
R2#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 136.1.28.2/500 136.1.28.8/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth
verify: RSA
Life/Active Time: 86400/242 sec
IPv6 Crypto IKEv2 SA
R2#sh crypto ikev2 sa de
R2#sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 136.1.28.2/500 136.1.28.8/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth
verify: RSA
Life/Active Time: 86400/248 sec
CE id: 1065, Session-id: 54
Status Description: Negotiation done
Local spi: 4FE13C2D047A1588 Remote spi: 8288EA6E3CD51CE0
Local id: hostname=R2.test.com
Remote id: hostname=ASA4.test.com
Local req msg id: 0 Remote req msg id: 21
Local next msg id: 0 Remote next msg id: 21
Local req queued: 0 Remote req queued: 21
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
IPv6 Crypto IKEv2 SA
R2#
ASA4# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:60, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
69339775 136.1.28.8/500 136.1.28.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth
verify: RSA
Life/Active Time: 86400/274 sec
Child sa: local selector 136.1.38.3/0 - 136.1.38.3/65535
remote selector 150.1.2.2/0 - 150.1.2.2/65535
ESP spi in/out: 0xd4282df9/0x4c020662
ASA4# sh crypto ikev2 sa de
ASA4# sh crypto ikev2 sa detail
IKEv2 SAs:
Session-id:60, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
69339775 136.1.28.8/500 136.1.28.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth
verify: RSA
Life/Active Time: 86400/278 sec
Session-id: 60
Status Description: Negotiation done
Local spi: 8288EA6E3CD51CE0 Remote spi: 4FE13C2D047A1588
Local id: hostname=ASA4.test.com
Remote id: hostname=R2.test.com
Local req mess id: 24 Remote req mess id: 0
Local next mess id: 24 Remote next mess id: 0
Local req queued: 24 Remote req queued: 0
Local window: 1 Remote window: 5
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 136.1.38.3/0 - 136.1.38.3/65535
remote selector 150.1.2.2/0 - 150.1.2.2/65535
ESP spi in/out: 0xd4282df9/0x4c020662
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: 3DES, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
ASA4#
After many hours which I spent on it, the tunnel between IOS and ASA is working fine. Below you can find my notes and comments:
- It doesn’t work for ASA 8.4(2) – IOS 15.2(4)S5 on GNS3; I’m not sure if this is a software or a GNS3 problem.
- I tested it on the following software (physical devices) and it works fine:
a) ASA 9.0(3) – IOS 15.2(1)T2.1
b) ASA 8.6(1)10 – IOS 15.2(3)T3
c) ASA 8.4(5)6 – IOS 15.2(1)T2.1
d) ASA 8.4(4)5 – IOS 15.2(1)T2.1
- On the router you can’t use a crypto map, only DVTI (R1 can’t initiate the tunnel):*
[* The above sentence is not valid anymore; I was able to set up a VPN between ASA and IOS router using CMAP, no idea with what settings I received the message]
IKEv2:Config-request is not supported for crypto maps
IKEv2:No config data to send to toolkit:
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
VTI is recommended by Cisco (http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116008-flexvpn-nge-config-00.html?referring_site=smartnavRD):
“The recommended IPSec interface on IOS is a Virtual Tunnel Interface (VTI), which creates a generic routing encapsulation (GRE) interface that is protected by IPsec. For a VTI, the Traffic Selector (what traffic should be protected by the IPSec security associations (SA)), consists of GRE traffic from the tunnel source to the tunnel destination. Because the ASA does not implement GRE interfaces, but instead creates IPSec SAs based on traffic defined in an access control list (ACL), we must enable a method that allows the router to respond to the IKEv2 initiation with a mirror of the proposed traffic selectors. The use of Dynamic Virtual Tunnel Interface (DVTI) on the FlexVPN router allows this device to respond to the presented Traffic Selector with a mirror of the Traffic Selector that was presented.”
- Don’t use MD5 for the IKEv2 policy (for IPsec, MD5 works fine):
IKEv2-PROTO-2: (23): Process auth response notify
IKEv2-PROTO-1: (23):
IKEv2-PROTO-5: (23): SM Trace-> SA: I_SPI=54AA0A4BAEBB8E5C R_SPI=C96948D0304FE6AA (I)
MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-3: (23): Auth exchange failed
IKEv2-PROTO-1: (23): Auth exchange failed
- Full config:
ASA:
hostname asa1
domain-name test.com
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 20.0.0.2 255.255.255.0
!
access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
protocol esp encryption 3des
protocol esp integrity sha-1
!
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 10.0.0.1
crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
crypto map MAPA 10 set trustpoint PKI-TRUSTPOINT
crypto map MAPA interface outside
!
crypto ca trustpoint PKI-TRUSTPOINT
enrollment url http://10.0.0.100:80
ignore-ipsec-keyusage
crl configure
!
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
!
ntp server 10.0.0.100
!
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication certificate
ikev2 local-authentication certificate PKI-TRUSTPOINT
R1:
hostname r1
!
ip domain name test.com
!
crypto pki trustpoint PKI-TRUSTPOINT
enrollment url http://10.0.0.100:80
revocation-check none
rsakeypair KEY1024
! eku request server-auth
!
crypto pki certificate map CERT-MAP 10
issuer-name co r3
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha-1
group 5
!
crypto ikev2 policy IKEV2-POLICY
match fvrf any
proposal IKEV2-PROPOSAL
!
!
crypto ikev2 profile IKEV2-PROFILE
match fvrf any
match certificate CERT-MAP
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint PKI-TRUSTPOINT
virtual-template 1
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TS
set ikev2-profile IKEV2-PROFILE
!
!
interface Loopback0
ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE
!
ntp server 10.0.0.100
PKI Server:
! pki gns
!
!
hostname r3
!
ip domain name test.com
!
crypto pki server PKI-SERVER
issuer-name CN=r3.test.com,OU=IT
grant auto
hash sha1
! eku server-auth ipsec-end-system ipsec-tunnel ipsec-user
!
interface GigabitEthernet0/0
ip address 10.0.0.100 255.255.255.0
no sh
!
ip http server
!
ntp master
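The mistakes described in this post (an IKEv2 profile with no virtual-template, so no interface ever negotiates with it; a profile that is bound neither to a DVTI nor to a crypto map; MD5 as the IKEv2 integrity or PRF algorithm; rsa-sig not set in both directions) are all visible in the running-config text, so they can be caught before the tunnel is brought up. The Python below is an added example written for this post, not the post’s own code and not a Cisco tool: a small parser for the indented parent/child layout of a Cisco config plus a linter for those specific pitfalls. The sample configs are constructed for the demo; they reuse names from the post (IKEV2-PROFILE, PKI-TRUSTPOINT) but are not copies of any device’s running-config, and the `sha1` keyword is the IOS spelling, not the `sha-1` shown above.

```python
"""Lint Cisco IOS/ASA IKEv2 config text for the pitfalls noted in the post.

Added example for this post (not the post's or Cisco's own code).  Checks:
  * an IKEv2 profile bound to neither a virtual-template nor a crypto map
  * authentication remote/local not set to rsa-sig
  * no pki trustpoint in the profile
  * md5 as integrity or prf in an IKEv2 proposal (IOS) or policy (ASA)
"""
from typing import Dict, List


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each non-indented parent line to its indented child lines.

    Cisco prints a block as a parent line followed by one-space indented
    children; '!' separates blocks.  Flat lines become parents with no children.
    """
    blocks: Dict[str, List[str]] = {}
    parent = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace():
            if parent is not None:
                blocks[parent].append(line.strip())
        else:
            parent = line.strip()
            blocks.setdefault(parent, [])
    return blocks


def _bound_by_crypto_map(blocks: Dict[str, List[str]], name: str) -> bool:
    """True if some 'crypto map ... ipsec-isakmp' block sets this IKEv2 profile."""
    return any(p.startswith("crypto map ") and f"set ikev2-profile {name}" in ch
               for p, ch in blocks.items())


def lint_ikev2(config: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    for parent, children in blocks.items():
        if parent.startswith("crypto ikev2 profile "):
            name = parent.split()[-1]
            has_vt = any(c.startswith("virtual-template ") for c in children)
            if not has_vt and not _bound_by_crypto_map(blocks, name):
                findings.append(f"{name}: not bound to a virtual-template or crypto map; "
                                "no interface will negotiate with this profile")
            for direction in ("remote", "local"):
                methods = [c.split()[2] for c in children
                           if c.startswith(f"authentication {direction} ") and len(c.split()) >= 3]
                if methods != ["rsa-sig"]:
                    findings.append(f"{name}: authentication {direction} is "
                                    f"{methods[0] if methods else 'unset'}, expected rsa-sig")
            if not any(c.startswith("pki trustpoint ") for c in children):
                findings.append(f"{name}: no pki trustpoint, so rsa-sig has no certificate to use")
        elif parent.startswith(("crypto ikev2 proposal ", "crypto ikev2 policy ")):
            for c in children:
                words = c.split()
                if words and words[0] in ("integrity", "prf") and "md5" in words[1:]:
                    findings.append(f"{parent}: '{c}' uses md5; the post's note is "
                                    "not to use MD5 for the IKEv2 policy")
    return findings


# Constructed sample mirroring the R2 mistake (no virtual-template) plus md5 integrity.
BROKEN_IOS_CONFIG = """\
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity md5
 group 14
!
crypto ikev2 profile IKEV2-PROFILE
 match certificate CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-TRUSTPOINT
!
"""

# Same profile after the fix from the post: virtual-template added, md5 replaced.
FIXED_IOS_CONFIG = BROKEN_IOS_CONFIG.replace("integrity md5", "integrity sha1").replace(
    " pki trustpoint PKI-TRUSTPOINT\n", " pki trustpoint PKI-TRUSTPOINT\n virtual-template 1\n")

# Constructed crypto-map variant (the footnote says CMAP also works): the profile
# has no virtual-template but is referenced from the map, so it is not a finding.
CRYPTO_MAP_IOS_CONFIG = """\
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 10.0.0.2 255.255.255.255
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-TRUSTPOINT
!
crypto map CMAP 10 ipsec-isakmp
 set peer 10.0.0.2
 set ikev2-profile IKEV2-PROFILE
 match address VPN
!
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_IOS_CONFIG), ("fixed", FIXED_IOS_CONFIG),
                       ("crypto-map", CRYPTO_MAP_IOS_CONFIG)):
        print(label, lint_ikev2(cfg) or "clean")
```

Run it against the output of `show running-config` saved to a file (`lint_ikev2(open("r1.cfg").read())`) before enrolling certificates; on the constructed samples it reports two findings for the broken config, none for the fixed one, and none for the crypto-map variant. The parser only understands the one-space child indentation Cisco emits, so configs copied from a web page with the indentation stripped, as in this post, need it restored first.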