
ikev2 VPN s-2-s - IOS and ASA - certificate (completed)

As I promised in one of my last posts, I’m going to implement a s-2-s VPN with certificates, which is a more secure and scalable solution. The tunnel will be set up between an IOS router and an ASA.

                    |<-VPN->|

               /----\         -----                /----\ 
  Loop0 ----  |  R1  |-------| ASA1 |------Gig0/0-|  R2  |
11.11.11.11    \----/    |    -----       20.0.0.1 \----/ 
                      /----\ 
                     |  R3  | 
                      \----/ 
                     PKI SERVER

Let’s start from the PKI server. Note that ‘grant auto’ issues a certificate to every enrollment request that arrives at the HTTP enrollment URL, with no operator approval, so anyone who can reach R3 on port 80 can obtain a certificate that chains to the CA both VPN peers trust. That is fine in a lab; in production use manual granting, or at least restrict who can reach the enrollment service:

!
hostname R3
!
crypto pki server PKI-SERVER
 grant auto
 no shut
!
!
interface GigabitEthernet0/0
 ip address 10.0.0.100 255.255.255.0
 no sh
!
ip http server
!

We should check the server status to be sure it has started:

R3#sh crypto pki server
Certificate Server PKI-SERVER:
    Status: enabled
    State: enabled
    Server's configuration is locked  (enter "shut" to unlock it)
    Issuer name: CN=PKI-SERVER
    CA cert fingerprint: 39F66FBD 019F618C 189378C2 A6F07016
    Granting mode is: auto
    Last certificate issued serial number (hex): 1
    CA certificate expiration timer: 12:30:03 UTC May 4 2017
    CRL NextUpdate timer: 18:30:04 UTC May 5 2014
    Current primary storage dir: nvram:
    Database Level: Minimum - no cert data written to storage
R3#

I will work on the same configuration which I posted here (http://myitmicroblog.svbtle.com/ikev2-vpn-s2s-ios-and-asa).

Let’s start from R1:

1) trustpoint

!
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://10.0.0.100:80
 rsakeypair KEY1024
!

2) ikev2 profile

!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 10.0.0.2 255.255.255.255
 identity local address 10.0.0.1
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-TRUSTPOINT
!

3) authentication and enrollment of the trustpoint

crypto pki authenticate PKI-TRUSTPOINT
crypto pki enroll PKI-TRUSTPOINT

which looks like the following. Answering yes at the fingerprint prompt is the point where R1 decides to trust this CA, and the enrollment URL is plain HTTP, so the fingerprint should be compared with what R3 itself reports in ‘show crypto pki server’ before it is accepted. The MD5 value R1 shows here (189320F0 …) is not the CA cert fingerprint R3 printed above (39F66FBD …); a difference like that, for example from the CA having been regenerated between the two captures, should be explained before the certificate is accepted:

r1(config)#crypto pki authenticate PKI-TRUSTPOINT
Certificate has the following attributes:
       Fingerprint MD5: 189320F0 B503496C F8B738D6 D096878E
      Fingerprint SHA1: F05A34D8 C016D009 91C83B69 A6B13FF4 661DA4D7

% Do you accept this certificate? [yes/no]: yes
Trustpoint CA certificate accepted.
r1(config)#crypto pki enroll PKI-TRUSTPOINT
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.

Password:
Re-enter password:

% The subject name in the certificate will include: r1.test.com
% Include the router serial number in the subject name? [yes/no]: no
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose PKI-TRUSTPOINT' commandwill show the fingerprint.

r1(config)#
May  6 16:01:57.577: CRYPTO_PKI:  Certificate Request Fingerprint MD5: BBA29F53 A2CCF35E B568A7AC 9FB845F7
May  6 16:01:57.581: CRYPTO_PKI:  Certificate Request Fingerprint SHA1: 52084B11 1DE5BE29 FC7FEF23 FFDB6189 A6A7B452
May  6 16:01:58.485: %PKI-6-CERTRET: Certificate received from Certificate Authority
r1(config)#

Ok, I’m ready now to start with ASA1:

1) trustpoint

crypto ca trustpoint PKI-TRUSTPOINT
 enrollment url http://10.0.0.100:80
 keypair KEY1024
 crl configure

2) tunnel group

tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate PKI-TRUSTPOINT

3) authentication and enrollment of the trustpoint

crypto ca authenticate PKI-TRUSTPOINT
crypto ca enroll PKI-TRUSTPOINT

which produces the following output:

asa1(config)# crypto ca authenticate PKI-TRUSTPOINT

INFO: Certificate has the following attributes:
Fingerprint:     189320f0 b503496c f8b738d6 d096878e
Do you accept this certificate? [yes/no]: yes

Trustpoint CA certificate accepted.
asa1(config)# crypto ca enroll PKI-TRUSTPOINT
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
   password to the CA Administrator in order to revoke your certificate.
   For security reasons your password will not be saved in the configuration.
   Please make a note of it.
Password: ********
Re-enter password: ********


% The fully-qualified domain name in the certificate will be: asa1.test.com

% Include the device serial number in the subject name? [yes/no]: no

Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
asa1(config)# The certificate has been granted by CA!

asa1(config)#


Let’s try:

R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#


As we see, the ping doesn’t work.

Let’s check debug output on ASA1:

IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITE
IKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   3DES   MD596
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACT
IKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORT
IKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGS
IKEv2-PROTO-3: (35): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     8a c8 19 6c 6a 2c ec b6 06 a2 7e 25 11 fe fb e3
 IDi  Next payload: CERT, reserved: 0x0, length: 21
    Id type: FQDN, Reserved: 0x0 0x0

     61 73 61 31 2e 74 65 73 74 2e 63 6f 6d
 CERT  Next payload: CERTREQ, reserved: 0x0, length: 556
    Cert encoding X.509 Certificate - signature
Cert data: 551 bytes
 CERTREQ  Next payload: AUTH, reserved: 0x0, length: 25
    Cert encoding X.509 Certificate - signature
CertReq data: 20 bytes
 AUTH  Next payload: SA, reserved: 0x0, length: 136
    Auth method RSA, reserved: 0x0, reserved 0x0
Auth data: 128 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 40
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 36
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 1, reserved: 0x0, id: 3DES
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: MD596
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 20.0.0.1, end addr: 20.0.0.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 11.11.11.11, end addr: 11.11.11.11
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (35): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:88C8186C791B1FF1 - r: 0308BFB95B1C2224]
IKEv2-PROTO-4: IKEV2 HDR ispi: 88C8186C791B1FF1 - rspi: 0308BFB95B1C2224
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 928
 ENCR  Next payload: VID, reserved: 0x0, length: 900
Encrypted data: 896 bytes

IKEv2-PROTO-5: (35): SM Trace-> SA: I_SPI=88C8186C791B1FF1 R_SPI=0308BFB95B1C2224 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:88C8186C791B1FF1 - r: 0308BFB95B1C2224]
IKEv2-PROTO-4: IKEV2 HDR ispi: 88C8186C791B1FF1 - rspi: 0308BFB95B1C2224
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 72

REAL Decrypted packet:Data: 8 bytes
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

Decrypted packet:Data: 72 bytes

and debug output from R1:

May  6 16:06:19.085: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=870493F1B3A44F31 R_SPI=4243A48BC2425D71 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
May  6 16:06:19.085: IKEv2:%Profile could not be found by peer certificate.
May  6 16:06:19.085: IKEv2:% IKEv2 profile not found
May  6 16:06:19.089: IKEv2:(SA ID = 1):Failed to locate an item in the database

May  6 16:06:19.089: IKEv2:(SA ID = 1):
May  6 16:06:19.089: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=870493F1B3A44F31 R_SPI=4243A48BC2425D71 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
May  6 16:06:19.089: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

May  6 16:06:19.093: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 72
Payload contents:
 ENCR  Next payload: NOTIFY, reserved: 0x0, length: 44

May  6 16:06:19.097: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=870493F1B3A44F31 R_SPI=4243A48BC2425D71 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
May  6 16:06:19.105: IKEv2:(SA ID = 1):Auth exchange failed
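Why this attempt dies at profile selection is visible in the ASA’s IKE_AUTH packet above: its IDi payload has ‘Id type: FQDN’ and carries the bytes 61 73 61 31 2e 74 65 73 74 2e 63 6f 6d, while R1’s profile only has ‘match identity remote address 10.0.0.2 255.255.255.255’. The Python below is an added example, not code from the original post or from Cisco: it rebuilds that payload from the debug, decodes it per RFC 7296 section 3.5, and runs it against an emulation of IOS-style match rules (the rule emulation, the function names and the IPv4 sample payload are mine). Note also that the ASA’s tunnel-group has ‘peer-id-validate nocheck’, so on that side the comparison of the router’s IDi with its certificate is switched off altogether; it is convenient while debugging, but it removes the identity-to-certificate binding check.

```python
"""Decode an IKEv2 Identification (IDi/IDr) payload and test it against
IOS-style `match identity remote` rules. Added example; not code from the
original post or from Cisco. The FQDN payload bytes are rebuilt from the
ASA debug output; the IPv4 payload and the rule emulation are constructed."""
import ipaddress
import struct

# ID types from RFC 7296, section 3.5
ID_TYPE_NAMES = {1: "ipv4", 2: "fqdn", 3: "email", 5: "ipv6", 9: "dn", 11: "key-id"}
PAYLOAD_CERT = 37  # "Next payload: CERT" in the debug


def parse_id_payload(raw):
    """Return (id_type_name, identity) for a complete ID payload including its
    4-byte generic header. The declared length is peer-controlled, so it is
    checked against the bytes actually present before anything is sliced."""
    if len(raw) < 8:
        raise ValueError("ID payload shorter than its fixed header")
    _next_payload, _flags, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("declared length %d but %d bytes present" % (length, len(raw)))
    id_type, data = raw[4], raw[8:]
    if id_type == 1:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR must carry exactly 4 bytes")
        return "ipv4", str(ipaddress.IPv4Address(data))
    if id_type == 5:
        if len(data) != 16:
            raise ValueError("ID_IPV6_ADDR must carry exactly 16 bytes")
        return "ipv6", str(ipaddress.IPv6Address(data))
    if id_type in (2, 3):
        return ID_TYPE_NAMES[id_type], data.decode("ascii")
    # DN and KEY_ID are left opaque here and returned as hex
    return ID_TYPE_NAMES.get(id_type, "type-%d" % id_type), data.hex()


def build_id_payload(id_type, data, next_payload=PAYLOAD_CERT):
    """Inverse of parse_id_payload: generic header, ID type, 3 reserved bytes, data."""
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(data), id_type) + data


def identity_matches(rules, id_type, identity):
    """Emulate the `match identity remote` lines of an IKEv2 profile; any one
    matching line selects the profile. Rule forms: ("any",),
    ("address", ip, mask), ("fqdn", name), ("fqdn-domain", suffix)."""
    for rule in rules:
        kind = rule[0]
        if kind == "any":
            return True
        if kind == "address" and id_type == "ipv4":
            network = ipaddress.IPv4Network((rule[1], rule[2]), strict=False)
            if ipaddress.IPv4Address(identity) in network:
                return True
        elif kind == "fqdn" and id_type == "fqdn":
            if identity.lower() == rule[1].lower():
                return True
        elif kind == "fqdn-domain" and id_type == "fqdn":
            if identity.lower().endswith("." + rule[1].lower()):
                return True
    return False


def explain(rules, raw):
    """Return (id_type, identity, matched) for one received ID payload."""
    id_type, identity = parse_id_payload(raw)
    return id_type, identity, identity_matches(rules, id_type, identity)


# IDi the ASA sent, rebuilt from the debug: Next payload CERT (37), length 21,
# Id type FQDN (2), three reserved bytes, then 61 73 61 31 2e 74 65 73 74 2e 63 6f 6d
IDI_FROM_ASA = bytes.fromhex("25 00 00 15 02 00 00 00 61 73 61 31 2e 74 65 73 74 2e 63 6f 6d")

ORIGINAL_PROFILE = [("address", "10.0.0.2", "255.255.255.255")]  # R1's first profile
FQDN_PROFILE = [("fqdn", "asa1.test.com")]                         # the rule the post moves to

if __name__ == "__main__":
    for label, rules in (("address rule", ORIGINAL_PROFILE), ("fqdn rule", FQDN_PROFILE)):
        print(label, explain(rules, IDI_FROM_ASA))
```

The decoded identity is ‘fqdn asa1.test.com’, which no address rule can match, consistent with ‘Profile could not be found by peer certificate’ in R1’s debug; the same function returns a match for ‘match identity remote fqdn asa1.test.com’. With certificate authentication the ASA derives its IKE identity from the certificate unless ‘crypto isakmp identity’ says otherwise, so the match rule on the router has to be written for what the peer actually sends, not for its IP address.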


Now I try disabling revocation checking on the trustpoints:

R1:

!
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://10.0.0.100:80
 revocation-check none
 rsakeypair KEY1024
!

and ASA1:

crypto ca trustpoint PKI-TRUSTPOINT
 enrollment url http://10.0.0.100:80
 keypair KEY1024
 crl configure
 revocation-check none


and I try the ping once again:

R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R2#


debug on ASA1:

IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 72

REAL Decrypted packet:Data: 8 bytes
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

Decrypted packet:Data: 72 bytes
IKEv2-PROTO-5: (37): SM Trace-> SA: I_SPI=6811C75A159254A1 R_SPI=193D1DACC14DB918 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (37): Action: Action_Null
IKEv2-PROTO-5: (37): SM Trace-> SA: I_SPI=6811C75A159254A1 R_SPI=193D1DACC14DB918 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (37): Process auth response notify
IKEv2-PROTO-1: (37):
IKEv2-PROTO-5: (37): SM Trace-> SA: I_SPI=6811C75A159254A1 R_SPI=193D1DACC14DB918 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-3: (37): Auth exchange failed


and debug on R1:

May  6 16:26:08.380: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH
May  6 16:26:08.384: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T
May  6 16:26:08.384: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
May  6 16:26:08.384: IKEv2:(SA ID = 1):Received valid parameteres in process id
May  6 16:26:08.384: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
May  6 16:26:08.384: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
May  6 16:26:08.388: IKEv2:%Profile could not be found by peer certificate.
May  6 16:26:08.388: IKEv2:% IKEv2 profile not found
May  6 16:26:08.392: IKEv2:(SA ID = 1):Failed to locate an item in the database

May  6 16:26:08.392: IKEv2:(SA ID = 1):
May  6 16:26:08.392: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
May  6 16:26:08.392: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

May  6 16:26:08.396: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 72
Payload contents:
 ENCR  Next payload: NOTIFY, reserved: 0x0, length: 44

May  6 16:26:08.404: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=054D09092C9702B8 R_SPI=BF8E2428501B57E9 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
May  6 16:26:08.408: IKEv2:(SA ID = 1):Auth exchange failed


I still see the same error message, ‘Authentication failed’. Now I will test the same configuration on different software versions. The current ones are:

asa1# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)


and

r1#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1)


After discussing the case with a few smart guys I changed some settings, but the tunnel still doesn’t work:

R1:

!
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://10.0.0.100:80
 fqdn r1.test.com
 revocation-check none
 rsakeypair KEY1024
!
crypto ikev2 profile IKEV2-PROFILE
 match identity remote fqdn asa1.test.com
 identity local address 10.0.0.1
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-TRUSTPOINT
!
no crypto ikev2 http-url cert
!


and ASA1:

!
crypto ca trustpoint PKI-TRUSTPOINT
 enrollment url http://10.0.0.100:80
 fqdn asa1.test.com
 keypair KEY1024
 ignore-ipsec-keyusage
 crl configure
!
crypto isakmp identity address


Ok, I tested the same configuration on:

asa1# sh ver
Cisco Adaptive Security Appliance Software Version 9.0(3)  


and

r1#sh ver
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(1)T2.1


but I see the same error message:

IKEv2-PROTO-3: (1): Getting configured policies
IKEv2-PROTO-1: (1): Failed to locate an item in the database
IKEv2-PROTO-1: (1): 
IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=997BD156D059DC59 R_SPI=27187A077D17A255 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-3: (1): Verify auth failed
IKEv2-PROTO-2: (1): Sending authentication failure notify
IKEv2-PROTO-5: Construct Notify Payload: AUTHENTICATION_FAILED
IKEv2-PROTO-3: (1): Building packet for encryption; contents are: 
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

IKEv2-PROTO-3: Tx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:997BD156D059DC59 - r: 27187A077D17A255]
IKEv2-PROTO-4: IKEV2 HDR ispi: 997BD156D059DC59 - rspi: 27187A077D17A255 
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0 
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE 
IKEv2-PROTO-4: Message id: 0x1, length: 72
 ENCR  Next payload: NOTIFY, reserved: 0x0, length: 44
Encrypted data: 40 bytes

IKEv2-PROTO-5: (1): SM Trace-> SA: I_SPI=997BD156D059DC59 R_SPI=27187A077D17A255 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-3: (1): Auth exchange failed


When R1 is the initiator I see:

r1#ping 20.0.0.1 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11 
.....
Success rate is 0 percent (0/5)

r1#sh crypto ikev2 sa
r1#

and on ASA1 I see the tunnel:

asa1# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:35, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
888776563          10.0.0.2/500          10.0.0.1/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/10 sec
Child sa: local selector  20.0.0.1/0 - 20.0.0.1/65535
          remote selector 11.11.11.11/0 - 11.11.11.11/65535
          ESP spi in/out: 0x52823e33/0x61c1129c  
asa1# sh crypto ikev2 sa de
asa1# sh crypto ikev2 sa detail 

IKEv2 SAs:

Session-id:35, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
888776563          10.0.0.2/500          10.0.0.1/500      READY    RESPONDER
      Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/15 sec
      Session-id: 35
      Status Description: Negotiation done
      Local spi: FAD33C384A388120       Remote spi: 0BEECB7CAC914A16
      Local id: 10.0.0.2
      Remote id: 10.0.0.1
      Local req mess id: 0              Remote req mess id: 2
      Local next mess id: 0             Remote next mess id: 2
      Local req queued: 0               Remote req queued: 2
      Local window: 1                   Remote window: 5
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected  
Child sa: local selector  20.0.0.1/0 - 20.0.0.1/65535
          remote selector 11.11.11.11/0 - 11.11.11.11/65535
          ESP spi in/out: 0x52823e33/0x61c1129c  
          AH spi in/out: 0x0/0x0  
          CPI in/out: 0x0/0x0  
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
asa1# 

asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2

      access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11 
      local ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
      current_peer: r1.test.com

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: r1.test.com/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 61C1129C
      current inbound spi : 52823E33

    inbound esp sas:
      spi: 0x52823E33 (1384267315)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 368640, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4147200/28773)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x61C1129C (1640043164)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 368640, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4193280/28773)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

asa1#
 


When I send traffic from a device behind the ASA (so the ASA is the initiator) I see the following output:

r1#sh crypto ikev2 sa          
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
2         10.0.0.1/500          10.0.0.2/500          none/none            IN-NEG 
      Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 120/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
3         10.0.0.1/500          10.0.0.2/500          none/none            IN-NEG 
      Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 120/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         10.0.0.1/500          10.0.0.2/500          none/none            IN-NEG 
      Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 120/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
5         10.0.0.1/500          10.0.0.2/500          none/none            IN-NEG 
      Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 120/0 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
4         10.0.0.1/500          10.0.0.2/500          none/none            IN-NEG 
      Encr: 3DES, Hash: SHA256, DH Grp:5, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 120/0 sec

 IPv6 Crypto IKEv2  SA 

r1#

and ASA:

asa1# sh crypto ikev2 sa

There are no IKEv2 SAs
asa1#

I will continue working on this case and I will update the post till the tunnel comes up.

…a day later

I continued working on this problem and now I’m almost sure the solution is not supported by Cisco. By solution I mean: ‘ASA & ikev2 & local CA’. I will test it with a Windows CA in the next few days. Now let’s see the latest test result.
I changed the configuration on both devices:

ASA1:

!
crypto isakmp identity hostname
!


R1:
 
!
crypto pki certificate map CERT-MAP 10
 issuer-name co r3
!
crypto ikev2 policy IKEV2-POLICY
 match fvrf any
 proposal IKEV2-PROPOSAL
!
!
crypto ikev2 profile IKEV2-PROFILE
 match fvrf any
 match certificate CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-TRUSTPOINT
!
no crypto ikev2 http-url cert
!
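One check worth making on the certificate map above: it selects the profile with ‘issuer-name co r3’, but the issuer R3 reported in ‘show crypto pki server’ earlier in this post is CN=PKI-SERVER, and the string r3 does not occur in it, so against that issuer the map would not match and the profile would not be selected. If the CA was rebuilt for the later tests, ‘show crypto pki certificates’ shows the actual issuer name to match on. The Python below is an added example, not code from the original post or from Cisco; it emulates how IOS evaluates certificate-map lines (eq, ne, co, nc, case-insensitive, lines within a sequence ANDed, sequences ORed) so the map can be tested against the names on the page before it is applied. The issuer comes from R3’s output and R1’s subject from the ASA debug; the ASA’s and the ‘rogue’ certificate names are constructed and assumed to follow the same hostname= form.

```python
"""Evaluate IOS `crypto pki certificate map` rules the way IKEv2 profile
selection applies them. Added example; not code from the original post or
from Cisco. The issuer name comes from R3's `show crypto pki server` output
and R1's subject from the ASA debug; the ASA's and the "rogue" certificate
names are constructed and assumed to follow the same hostname= form."""
import re


def _normalise(value):
    """Lower-case and drop blanks around '=' and ',' so 'CN = x' equals 'cn=x'."""
    return re.sub(r"\s*([=,])\s*", r"\1", value.strip()).lower()


def field_matches(operator, pattern, value):
    """One map line: eq, ne, co (contains) or nc (does not contain), case-insensitive."""
    value, pattern = _normalise(value), _normalise(pattern)
    if operator == "eq":
        return value == pattern
    if operator == "ne":
        return value != pattern
    if operator == "co":
        return pattern in value
    if operator == "nc":
        return pattern not in value
    raise ValueError("unknown cert-map operator %r" % operator)


def sequence_matches(lines, cert):
    """All lines inside one map sequence are ANDed. A field the certificate
    does not carry is treated as a non-match for any operator."""
    for field, operator, pattern in lines:
        if field not in cert or not field_matches(operator, pattern, cert[field]):
            return False
    return True


def select_sequence(cert_map, cert):
    """Sequences are ORed, lowest number first; return the first match or None."""
    for seq in sorted(cert_map):
        if sequence_matches(cert_map[seq], cert):
            return seq
    return None


ASA1_CERT = {"issuer-name": "cn=PKI-SERVER", "subject-name": "hostname=asa1.test.com"}  # assumed form
R1_CERT = {"issuer-name": "cn=PKI-SERVER", "subject-name": "hostname=r1.test.com"}      # from ASA debug
ROGUE_CERT = {"issuer-name": "cn=PKI-SERVER", "subject-name": "hostname=evil.example"}   # constructed

POST_MAP = {10: [("issuer-name", "co", "r3")]}                    # the map from the post
ISSUER_ONLY_MAP = {10: [("issuer-name", "co", "pki-server")]}     # matches this CA, any subject
PINNED_MAP = {10: [("issuer-name", "eq", "CN=PKI-SERVER"),        # matches this CA and pins the peer
                   ("subject-name", "co", "asa1.test.com")]}

if __name__ == "__main__":
    for name, cert_map in (("post", POST_MAP), ("issuer-only", ISSUER_ONLY_MAP), ("pinned", PINNED_MAP)):
        print(name, select_sequence(cert_map, ASA1_CERT), select_sequence(cert_map, ROGUE_CERT))
```

The issuer-only variant shows the second point: a map that looks only at the issuer accepts every certificate the CA has ever issued, and R3 runs with ‘grant auto’, so any host that can enroll against it would pass that map. Pinning the peer’s subject (or alt-subject-name) in the same sequence keeps the profile bound to the ASA it is meant for.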


And debug output:

ASA1:
 
IKEv2-PLAT-3: (82) peer auth method set to: 1
IKEv2-PLAT-3: attempting to find tunnel group for ID: hostname=r1.test.com
IKEv2-PLAT-3: attempting to find tunnel group for IP: 10.0.0.1
IKEv2-PLAT-3: mapped to tunnel group 10.0.0.1 using peer IP
IKEv2-PLAT-3: (82) tg_name set to: 10.0.0.1
IKEv2-PLAT-3: (82) tunn grp type set to: L2L
IKEv2-PLAT-3: Peer ID check not requested
IKEv2-PLAT-3: my_auth_method = 1
IKEv2-PLAT-3: supported_peers_auth_method = 1
IKEv2-PLAT-3: P1 ID = 0
IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 9
IKEv2-PLAT-3: Certificate validation queued
IKEv2-PLAT-3: Certificate validation completed
IKEv2-PLAT-1: Failed to verify signature
IKEv2-PLAT-5: Negotiating SA request deleted

ASA1:

IKEv2-PROTO-3: (36): Save pubkey
IKEv2-PROTO-5: (36): SM Trace-> SA: I_SPI=7DB0C331C016FC15 R_SPI=F20D7D3A18064353 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH
IKEv2-PROTO-3: (36): Verify authentication data
IKEv2-PROTO-1: (36): Failed to compute or verify a signature

ASA1:

CRYPTO_PKI: Looking for suitable trustpoints...
CRYPTO_PKI: Storage context locked by thread CERT API
CRYPTO_PKI: Found a suitable authenticated trustpoint PKI-TRUSTPOINT.
CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage extension not found.
CRYPTO_PKI:check_key_usage:Key Usage check OK
CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary
CRYPTO_PKI:Certificate validated. serial number: 0E, subject name:  hostname=r1.test.com.
CRYPTO_PKI: Storage context released by thread CERT API
CRYPTO_PKI: Certificate validated without revocation check
CRYPTO_PKI: valid cert with warning.
CRYPTO_PKI: valid cert status.
CERT_API: calling user callback=0x085fc703 with status=0
CERT_API: Async unlocked for session 0x1f42f6e5
CERT API thread sleeps!
CERT_API: Close session 0x1f42f6e5 synchronously

R1:

May  7 06:04:01.682: CRYPTO_PKI: (1300C2) Session started - identity not specified
May  7 06:04:01.906: CRYPTO_PKI: Trust-Point PKI-TRUSTPOINT picked up
May  7 06:04:01.906: CRYPTO_PKI: 1 matching trustpoints found
May  7 06:04:01.910: CRYPTO_PKI: Trust-Point PKI-TRUSTPOINT picked up
May  7 06:04:01.914: CRYPTO_PKI: 1 matching trustpoints found
May  7 06:04:01.914: CRYPTO_PKI: locked trustpoint PKI-TRUSTPOINT, refcount is 1
May  7 06:04:01.914: CRYPTO_PKI: Identity bound (PKI-TRUSTPOINT) for session 1300C2
May  7 06:04:02.206: CRYPTO_PKI: Rcvd request to end PKI session 1300C2.
May  7 06:04:02.210: CRYPTO_PKI: PKI session 1300C2 has ended. Freeing all resources.
May  7 06:04:02.210: CRYPTO_PKI: unlocked trustpoint PKI-TRUSTPOINT, refcount is 


The last error message is very vague: “Failed to verify signature”. It could explain why on R1 I see ikev2 and ipsec tunnels but not on the ASA. It looks like R1 ‘thinks’ the session is set up properly, but the ASA drops the tunnel based on the last failure.

…four days later:

I changed the ASA and started to test the config on 8.6(1)10.

R1:

IKEv2:Config-request is not supported for crypto maps
IKEv2:No config data to send to toolkit:
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SIGN
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_NO_EVENT
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_RECD_SIG
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH


As we see, we can’t use a crypto map, so let’s try the tunnel interface:

int GigabitEthernet0/0.28
no crypto map MAPA
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0.28
 tunnel source GigabitEthernet0/0.28
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE

R1:

IKEv2:Peer has sent X509 certificates
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_SAVE_PUBKEY
IKEv2:Peer has sent its own certificate as the first certificate in the chain
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_VERIFY_AUTH
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_EVENT
IKEv2:(SA ID = 1):Failed to verify signature.
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_FAIL_RECD_VERIFY_SIG
IKEv2:(SA ID = 1):Action: Action_Null
IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AD004020FBFC1FA5 R_SPI=1BE52EDBC8832025 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED 
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8

%SYS-3-MSGLOST: 24 messages lost because of queue overflow
IKEv2:Got a packet from dispatcher


ASA1:

IKEv2-PLAT-5: INVALID PSH HANDLE

IKEv2-PLAT-3: Translating IKE_ID_AUTO to = 9
IKEv2-PLAT-3: Certificate validation queued
IKEv2-PLAT-3: Certificate validation completed
IKEv2-PLAT-3: 
CONNECTION STATUS: UP... peer: 136.1.28.2:500, phase1_id: hostname=R2.test.com
IKEv2-PLAT-3: (27) connection auth hdl set to 20
IKEv2-PLAT-3: AAA conn attribute retrieval successfully queued for register session request.
IKEv2-PLAT-3: (27) idle timeout set to: 30 
IKEv2-PLAT-3: (27) session timeout set to: 0 
IKEv2-PLAT-3: (27) group policy set to DfltGrpPolicy
IKEv2-PLAT-3: (27) class attr set
IKEv2-PLAT-3: (27) tunnel protocol set to: 0x5c
IKEv2-PLAT-3: IPv4 filter ID not configured for connection
IKEv2-PLAT-3: (27) group lock set to: none
IKEv2-PLAT-3: IPv6 filter ID not configured for connection
IKEv2-PLAT-3: (27) connection attribues set valid to TRUE
IKEv2-PLAT-3: Successfully retrieved conn attrs
IKEv2-PLAT-3: Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-3: 
CONNECTION STATUS: REGISTERED... peer: 136.1.28.2:500, phase1_id: hostname=R2.test.com
IKEv2-PLAT-3: (27) mib_index set to: 501
IKEv2-PLAT-5: New ikev2 sa request activated
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PLAT-3: Tunnel initiate failure reported to tunnel manager, handle: 0x81C0809.
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable.  Local Type = 0.  Local Address = 0.0.0.0.  Remote Type = 0.  Remote Address = 0.0.0.0.  Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-4: SENT PKT [INFORMATIONAL] [136.1.28.8]:500->[136.1.28.2]:500 InitSPI=0x9e9785f43e01c515 RespSPI=0x59ee02be29771e2e MID=00000002

Small progress.

On R1 I found:

IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 136.1.28.2:0, remote= 136.1.28.8:0,
    local_proxy= 150.1.2.2/255.255.255.255/256/0,
    remote_proxy= 136.1.38.3/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
map_db_find_best did not find matching map
IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 
    {esp-aes 256 esp-md5-hmac }
R2#

ASA1:

group-policy GroupPolicy-IKEV2 internal
group-policy GroupPolicy-IKEV2 attributes
 vpn-idle-timeout 30
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 136.1.28.2 general-attributes
 default-group-policy GroupPolicy-IKEV2


but I still see the IPsec error on R1:

R2#
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 136.1.28.2:0, remote= 136.1.28.8:0,
    local_proxy= 150.1.2.2/255.255.255.255/256/0,
    remote_proxy= 136.1.38.3/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
map_db_find_best did not find matching map
IPSEC(ipsec_process_proposal): proxy identities not supported
R2#

From Cisco.com:

 Proxy Identities Not Supported

This message appears in debugs if the access list for IPsec traffic does not match.

    1d00h: IPSec(validate_transform_proposal): proxy identities not supported
    1d00h: ISAKMP: IPSec policy invalidated proposal
    1d00h: ISAKMP (0:2): SA not acceptable!


But with a tunnel interface you don’t specify an ACL on R1. Let’s check the config once again.
I found that the IKEv2 profile is missing the virtual template:

!
crypto ikev2 profile IKEV2-PROFILE
 match fvrf any
 match certificate CERT-MAP
 identity local dn 
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-TRUSTPOINT
!    

 
 
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#crypto ikev2 profile IKEV2-PROFILE
R2(config-ikev2-profile)#virt
R2(config-ikev2-profile)#virtual-template 1
R2(config-ikev2-profile)#end
R2#

Let’s try the ping again:
 
R2#
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 136.1.28.2:0, remote= 136.1.28.8:0,
    local_proxy= 150.1.2.2/255.255.255.255/256/0,
    remote_proxy= 136.1.38.3/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel), 
    lifedur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
Crypto mapdb : proxy_match
        src addr     : 150.1.2.2
        dst addr     : 136.1.38.3
        protocol     : 0
        src port     : 0
        dst port     : 0
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC: Expand action denied, discard or forward packet.
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
        src addr     : 150.1.2.2
        dst addr     : 136.1.38.3
        protocol     : 256
        src port     : 0
        dst port     : 0
IPSEC(crypto_ipsec_create_ipsec_sas): Map found Virtual-Access1-head-0
IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 136.1.28.8
IPSEC(create_sa): sa created,
  (sa) sa_dest= 136.1.28.2, sa_proto= 50, 
    sa_spi= 0x4C020662(1275201122), 
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001
    sa_lifetime(k/sec)= (4608000/3600)
IPSEC(create_sa): sa created,
  (sa) sa_dest= 136.1.28.8, sa_proto= 50, 
    sa_spi= 0xD4282DF9(3559403001), 
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2002
    sa_lifetime(k/sec)= (4608000/3600)
IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Create IPV4 route from ACL for 136.1.28.8
IPSEC(rte_mgr): VPN Route Refcount 1 Virtual-Access1
IPSEC(rte_mgr): VPN Route Added 136.1.38.3 255.255.255.255 via Virtual-Access1 in IP DEFAULT TABLE with tag 0 distance 1
IPSEC: Expand action denied, notify RP
%LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
R2

Wow, the tunnel is up!

R2#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         136.1.28.2/500        136.1.28.8/500        none/none            READY  
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/242 sec

 IPv6 Crypto IKEv2  SA 

R2#sh crypto ikev2 sa de
R2#sh crypto ikev2 sa detailed 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         136.1.28.2/500        136.1.28.8/500        none/none            READY  
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/248 sec
      CE id: 1065, Session-id: 54
      Status Description: Negotiation done
      Local spi: 4FE13C2D047A1588       Remote spi: 8288EA6E3CD51CE0
      Local id: hostname=R2.test.com
      Remote id: hostname=ASA4.test.com
      Local req msg id:  0              Remote req msg id:  21        
      Local next msg id: 0              Remote next msg id: 21        
      Local req queued:  0              Remote req queued:  21        
      Local window:      5              Remote window:      1         
      DPD configured for 0 seconds, retry 0
      NAT-T is not detected  
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA 

R2#

 

 
ASA4# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:60, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 69339775        136.1.28.8/500        136.1.28.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/274 sec
Child sa: local selector  136.1.38.3/0 - 136.1.38.3/65535
          remote selector 150.1.2.2/0 - 150.1.2.2/65535
          ESP spi in/out: 0xd4282df9/0x4c020662  
ASA4#  
 
ASA4# sh crypto ikev2 sa detail 

IKEv2 SAs:

Session-id:60, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 69339775        136.1.28.8/500        136.1.28.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Life/Active Time: 86400/278 sec
      Session-id: 60
      Status Description: Negotiation done
      Local spi: 8288EA6E3CD51CE0       Remote spi: 4FE13C2D047A1588
      Local id: hostname=ASA4.test.com
      Remote id: hostname=R2.test.com
      Local req mess id: 24             Remote req mess id: 0
      Local next mess id: 24            Remote next mess id: 0
      Local req queued: 24              Remote req queued: 0
      Local window: 1                   Remote window: 5
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected  
Child sa: local selector  136.1.38.3/0 - 136.1.38.3/65535
          remote selector 150.1.2.2/0 - 150.1.2.2/65535
          ESP spi in/out: 0xd4282df9/0x4c020662  
          AH spi in/out: 0x0/0x0  
          CPI in/out: 0x0/0x0  
          Encr: 3DES, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
ASA4# 
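To confirm that both peers really describe the same IKEv2 SA, here is an added example (not from the post) that parses the relevant lines of the two "show crypto ikev2 sa detailed" outputs above and checks that the SPIs and identities mirror each other while the negotiated algorithms agree; the trimmed output samples are constructed from the post's output.

```python
# Added example (not the post's tooling): check that two peers' views of one
# IKEv2 SA are consistent, from 'show crypto ikev2 sa detailed' on each side.
import re

# Constructed samples: the relevant lines of the post's R2 and ASA4 output.
R2_SA = """\
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Local spi: 4FE13C2D047A1588       Remote spi: 8288EA6E3CD51CE0
      Local id: hostname=R2.test.com
      Remote id: hostname=ASA4.test.com
      Initiator of SA : No
"""
ASA4_SA = """\
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA, Auth verify: RSA
      Local spi: 8288EA6E3CD51CE0       Remote spi: 4FE13C2D047A1588
      Local id: hostname=ASA4.test.com
      Remote id: hostname=R2.test.com
"""

def parse_sa(text):
    """Flatten the 'key: value' pairs (several per line) into a lower-case-keyed dict."""
    fields = {}
    for line in text.splitlines():
        for key, val in re.findall(r"([A-Za-z][\w ]*?)\s*:\s*(\S+)", line):
            fields[key.strip().lower()] = val.rstrip(",")
    return fields

def sa_mismatches(a, b):
    """Fields on which peer a's view does not line up with peer b's; empty means consistent."""
    a, b = parse_sa(a), parse_sa(b)
    # What one side calls local, the other must call remote.
    mirror = {"local spi": "remote spi", "remote spi": "local spi",
              "local id": "remote id", "remote id": "local id"}
    # The negotiated IKE algorithms must be reported identically by both sides.
    same = ("encr", "keysize", "hash", "dh grp", "auth sign", "auth verify")
    bad = [k for k, m in mirror.items() if a.get(k) != b.get(m)]
    bad += [k for k in same if a.get(k) != b.get(k)]
    return bad
```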


After the many hours I spent on it, the tunnel between IOS and ASA is working fine; below you can find my notes and comments:
  • It doesn’t work for ASA 8.4(2) – IOS 15.2(4)S5 on GNS3; I’m not sure if this is a software or a GNS3 problem.
  • I tested it on the following software (physical devices) and it works fine:
    a) ASA 9.0(3) – IOS 15.2(1)T2.1
    b) ASA 8.6(1)10 – IOS 15.2(3)T3
    c) ASA 8.4(5)6 – IOS 15.2(1)T2.1
    d) ASA 8.4(4)5 – IOS 15.2(1)T2.1
  • On the router you can’t use a crypto map, only DVTI (R1 can’t initiate the tunnel): <-- [UPDATE: I was wrong here, CMAP works on 8.4 & 8.6]
[* The above sentence is not valid anymore: I was able to set up the VPN between the ASA and the IOS router using CMAP; I have no idea with what settings I received the message]

IKEv2:Config-request is not supported for crypto maps IKEv2:No config data to send to toolkit: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=6EF270ED3D3BAFAD R_SPI=3E2E9C450753ECC4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP

VTI is recommended by Cisco (http://www.cisco.com/c/en/us/support/docs/security/flexvpn/116008-flexvpn-nge-config-00.html?referring_site=smartnavRD):
 
“The recommended IPSec interface on IOS is a Virtual Tunnel Interface (VTI), which creates a generic routing encapsulation (GRE) interface that is protected by IPsec. For a VTI, the Traffic Selector (what traffic should be protected by the IPSec security associations (SA)), consists of GRE traffic from the tunnel source to the tunnel destination. Because the ASA does not implement GRE interfaces, but instead creates IPSec SAs based on traffic defined in an access control list (ACL), we must enable a method that allows the router to respond to the IKEv2 initiation with a mirror of the proposed traffic selectors. The use of Dynamic Virtual Tunnel Interface (DVTI) on the FlexVPN router allows this device to respond to the presented Traffic Selector with a mirror of the Traffic Selector that was presented.”
  • Don’t use MD5 for the IKEv2 policy (for IPsec MD5 works fine):
IKEv2-PROTO-2: (23): Process auth response notify
IKEv2-PROTO-1: (23): 
IKEv2-PROTO-5: (23): SM Trace-> SA: I_SPI=54AA0A4BAEBB8E5C R_SPI=C96948D0304FE6AA (I)  
MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-3: (23): Auth exchange failed
IKEv2-PROTO-1: (23): Auth exchange failed

  • Full config:

ASA:

hostname asa1
domain-name test.com
!             
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0 
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 20.0.0.2 255.255.255.0 
!
access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11 
!
crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
 protocol esp encryption 3des
 protocol esp integrity sha-1
!
crypto map MAPA 10 match address VPN
crypto map MAPA 10 set peer 10.0.0.1
crypto map MAPA 10 set ikev2 ipsec-proposal IPSEC-PROPOSAL
crypto map MAPA 10 set trustpoint PKI-TRUSTPOINT
crypto map MAPA interface outside
!
crypto ca trustpoint PKI-TRUSTPOINT
 enrollment url http://10.0.0.100:80
 ignore-ipsec-keyusage
 crl configure
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
ntp server 10.0.0.100
!
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate PKI-TRUSTPOINT


R1:
 
hostname r1
!
ip domain name test.com
!
crypto pki trustpoint PKI-TRUSTPOINT
 enrollment url http://10.0.0.100:80
 revocation-check none
 rsakeypair KEY1024
! eku request server-auth 
!
crypto pki certificate map CERT-MAP 10
 issuer-name co r3
!
crypto ikev2 proposal IKEV2-PROPOSAL 
 encryption aes-cbc-256
 integrity sha-1
 group 5
!
crypto ikev2 policy IKEV2-POLICY 
 match fvrf any
 proposal IKEV2-PROPOSAL
!
!
crypto ikev2 profile IKEV2-PROFILE
 match fvrf any
 match certificate CERT-MAP
 identity local dn 
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-TRUSTPOINT
 virtual-template 1
!
no crypto ikev2 http-url cert
!         
crypto ipsec transform-set TS esp-3des esp-sha-hmac 
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TS 
 set ikev2-profile IKEV2-PROFILE
!
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
!
ntp server 10.0.0.100


PKI Server:
 
!  pki gns
!
!
hostname r3
!
ip domain name test.com
!
crypto pki server PKI-SERVER
 issuer-name CN=r3.test.com,OU=IT
 grant auto
 hash sha1
! eku server-auth ipsec-end-system ipsec-tunnel ipsec-user
!
interface GigabitEthernet0/0
 ip address 10.0.0.100 255.255.255.0
 no sh
!
ip http server
!
ntp master
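As an added example (not the post's own tooling), the script below cross-checks trimmed copies of the R1 and asa1 configs above for the three problems this post hit: a missing virtual-template in the IKEv2 profile, MD5 integrity in the IKEv2 proposal, and an IPsec transform-set that no ASA ipsec-proposal matches. The sample configs and the mapping between IOS and ASA algorithm names are assumptions made for the example.

```python
# Added example (not the post's tooling): cross-check R1 (IOS) and asa1 (ASA) for the three mismatches this post ran into.
import re

# Constructed samples, trimmed from the post's full configs above.
IOS_CFG = """\
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-256
 integrity sha-1
 group 5
crypto ikev2 profile IKEV2-PROFILE
 pki trustpoint PKI-TRUSTPOINT
 virtual-template 1
crypto ipsec transform-set TS esp-3des esp-sha-hmac
"""
ASA_CFG = """\
crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
 protocol esp encryption 3des
 protocol esp integrity sha-1
"""
# Assumed mapping of IOS transform names onto the ASA's spelling of the same algorithm.
ALIAS = {"esp-3des": "3des", "esp-sha-hmac": "sha", "esp-md5-hmac": "md5", "sha-1": "sha"}

def blocks(cfg):
    """{header line: [indented lines]} for an IOS/ASA-style config."""
    out, cur = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if line[0] != " ":
            cur = out.setdefault(line.strip(), [])
        elif cur is not None:
            cur.append(line.strip())
    return out

def check(ios_cfg, asa_cfg):
    """Findings as strings; an empty list means the checked items agree."""
    ios, asa, out = blocks(ios_cfg), blocks(asa_cfg), []
    # Every ESP algorithm set the ASA offers, e.g. {'3des', 'sha'}.
    proposals = [{ALIAS.get(l.split()[-1], l.split()[-1]) for l in b if l.startswith("protocol esp")}
                 for h, b in asa.items() if h.startswith("crypto ipsec ikev2 ipsec-proposal")]
    for hdr, body in ios.items():
        if hdr.startswith("crypto ikev2 profile") and "virtual-template" not in " ".join(body):
            out.append(f"{hdr}: no virtual-template -> 'proxy identities not supported'")
        elif hdr.startswith("crypto ikev2 proposal") and any(
                l.startswith("integrity") and "md5" in l.split() for l in body):
            out.append(f"{hdr}: md5 integrity -> 'Auth exchange failed'")
        elif hdr.startswith("crypto ipsec transform-set"):
            # 'esp-aes 256' is two tokens on IOS; fold it into the ASA's 'aes-256' first.
            algs = re.sub(r"esp-aes (\d+)", r"aes-\1", hdr.split(None, 4)[4]).split()
            if {ALIAS.get(a, a) for a in algs} not in proposals:
                out.append(f"{hdr}: no ASA ipsec-proposal matches -> 'transform proposal not supported'")
    return out
```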
