IKEv2 establishment with certificates

gucakrtalic1 · ‎07-08-2013

Hi,

I have an issue when trying to set up IkePeer association between HostE and CISCO 2951 using certificates.

I have on the HostE certificate retrieved from SCEP server.

CISCOs certificate is signed by OpenSSL machine.

So on HostE I have installed certificate retrieved from SCEP server and also certificate of the

issuer of CISCOs certificate(OpenSSL machine)

On CISCO I've only authenticated SCEP server certificate.

This is configuration of SCEP certificate on CISCO:

crypto pki trustpoint SCEP_server

enrollment terminal pem

revocation-check none

storage flash0:/certs/

!

I simply just authenticate this certificate:

crypto pki authenticate SCEP_server

crypto pki certificate map cmap-57 1

issuer-name co eric

subject-name co scep

!

Than copy/paste SCEP server certificate. Fingerprint is same.

Following message appears in CISCO log:

Jul 8 14:54:59.308: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C

Jul 8 14:54:59.308: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Jul 8 14:54:59.308: CRYPTO_PKI: Create a list of suitable trustpoints

Jul 8 14:54:59.308: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()

Jul 8 14:54:59.308: CRYPTO_PKI: Unable to locate cert record by issuername

Jul 8 14:54:59.308: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain

Jul 8 14:54:59.308: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

Jul 8 14:54:59.308: CRYPTO_PKI: Found a subject match

Jul 8 14:54:59.308: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()

Jul 8 14:54:59.308: CRYPTO_PKI: Found a issuer match

Jul 8 14:54:59.308: CRYPTO_PKI: No suitable trustpoints found

Jul 8 14:54:59.308: IKEv2:(1): Platform errors

Jul 8 14:54:59.308: IKEv2:(1):

Jul 8 14:54:59.308: IKEv2:(1): Sending authentication failure notify

Jul 8 14:54:59.308: IKEv2:(1): Auth exchange failed

Jul 8 14:54:59.308: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Platform errors

Jul 8 14:54:59.308: IKEv2:(1): Deleting SA

Jul 8 14:54:59.312: CRYPTO_PKI: PKI session 109EA has ended. Freeing all resources.

Jul 8 14:54:59.312: CRYPTO_PKI: unlocked trustpoint cisco.certificate, refcount is 0

Jul 8 14:55:03.508: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request

What should exactly be stated in certificate map ?

BR

Renato

Marcin Latosiewicz · ‎07-08-2013

Renato,

If you authenticated a trustpoint you only specified that you trust this CA (unless you will be sending cert from other CA as identity?)

Unless you have auto-enrollment configured you still need to enroll.

Also look under IKEv2 profile, it allows you to add a few option for PKI irt trustpoint to be used.

For a simple deploment cert maps should not needed.

M.

gucakrtalic · ‎07-08-2013

Hi,

Thanks for the help you provided.

Actually this mentioned SCEP_server, as You said I just want to trust.

During the IKE peer establishment CISCO should receive and validate as truested

certificate from hostE(remote node). hostE gets certificate from authenticated SCEP_server.

Hopefully this scenario should be fine in theory since importing a SCEP_server certificate does not work.

Or I should state somewhere that this certificate is auto enrolled as root one( it is actually root one for peer nodes)?

BR

Renato

Marcin Latosiewicz · ‎07-09-2013

Renato,

I missed the import part, if it's in the same trustpoint etc it should be fine.

Can we have a look at full debugs and config not just snippets + show cry pki cert verb?

On each peer you need to have identity cert (and it's signing cert) + certificate (CA/sub-CA) which we will use to validate received cert from remote end.

M.

gucakrtalic1 · ‎07-09-2013

Hi Marcin,

Here are the printouts:

AS67129#show crypto pki certificates verbose

CA Certificate

Status: Available

Version: 3

Certificate Serial Number (hex): 0D

Certificate Usage: General PurpoAU

Issuer:

cn=TEST CA for VE SCEP Server

ou=AL/ETE

o=Anai

Subject:

cn=SubCA for VE SCEP Server

ou=AL/ETE

o=Anai DE

c=AU

Validity Date:

start date: 08:37:41 UTC Oct 22 2009

end date: 08:37:41 UTC Oct 20 2019

Subject Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (1024 bit)

Signature Algorithm: SHA1 with RSA Encryption

Fingerprint MD5: CF5E3F6A 6BD0F348 3612B785 1259241C

Fingerprint SHA1: 389FE1A7 CF3DD551 3C484EF1 BAC5DD28 1525F43A

X509v3 extensions:

X509v3 Basic Constraints:

CA: TRUE

Authority Info Access:

Associated Trustpoints: SCEP_Server

Storage: flash0:/certs/TESTCAforVE#DCA.cer

Certificate

Status: Available

Version: 1

Certificate Serial Number (hex): 028E

Certificate Usage: General Purpose

Issuer:

cn=Cipher-2048-sha256

ou=CiscoCA

o=Anai DE

st=Sydney

c=AU

Subject:

Name: AS67129.lab.au

Serial Number: FCZ142371YK

SerialNumber=FCZ142371YK+hostname=AS67129.lab.au

cn=router2951

ou=AS67129

o=Cisco

c=AU

st=Sydney

l=HWLab

Validity Date:

start date: 11:51:36 UTC Jul 4 2013

end date: 11:51:36 UTC Aug 3 2013

Subject Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (2048 bit)

Signature Algorithm: SHA256 with RSA Encryption

Fingerprint MD5: 7BBBD66B 0C7B08C7 E04A83FA 25159517

Fingerprint SHA1: A69DAA8C 30377848 C170E90D 1C644FF5 1D898C9B

X509v3 extensions:

Authority Info Access:

Associated Trustpoints: cisco.certificate

Storage: flash0:/certs/Cipher-2048-#28E.cer

CA Certificate

Status: Available

Version: 1

Certificate AUrial Number (hex): 00

Certificate Usage: General Purpose

Issuer:

cn=Cipher-2048-sha256

ou=CiscoCA

o=Anai DE

st=Sydney

c=AU

Subject:

cn=Cipher-2048-sha256

ou=CiscoCA

o=Anai DE

st=Sydney

c=AU

Validity Date:

start date: 15:07:43 UTC Jul 1 2013

end date: 15:07:43 UTC Jun 30 2016

Subject Key Info:

Public Key Algorithm: rsaEncryption

RSA Public Key: (2048 bit)

Signature Algorithm: SHA256 with RSA Encryption

Fingerprint MD5: 67144E26 95DA0514 56C678A1 FB387261

Fingerprint SHA1: EED96A3C 11E1ED83 5FA6B028 44B6BE10 1E19A6B2

X509v3 extensions:

Authority Info Access:

Associated Trustpoints: cisco.certificate

Storage: flash0:/certs/Cipher-2048-#0CA.cer

AS67129#show logging

Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

Console logging: level debugging, 6234252 messages logged, xml disabled,

filtering disabled

Monitor logging: level debugging, 0 messages logged, xml disabled,

filtering disabled

Buffer logging: level debugging, 6234252 messages logged, xml disabled,

filtering disabled

Exception Logging: size (8192 bytes)

Count and timestamp logging messages: disabled

Persistent logging: disabled

Trap logging: level informational, 47679 message lines logged

Log Buffer (8192 bytes):

alidation list has 1 trustpoints

Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU" serial number= 51 D5 40 F0

Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C

Jul 9 14:21:36.648: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=TEST CA for VE SCEP server,ou=AL/ETE,o=Anai" serial number= 0D

Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

1B 07 81 C0 33 53 CE 85 FC 05 0D 96 CC 78 83 5C

Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" serial number= 0C

Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

12 BA 39 5E DA 2D 33 A3 4A 91 EE A9 C8 A9 61 3B

Jul 9 14:21:36.648: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" serial number= 01

Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

5E C6 62 9A 83 C8 5A 6F 82 27 61 14 54 5E 24 74

Jul 9 14:21:36.648: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Jul 9 14:21:36.648: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

Jul 9 14:21:36.648: CRYPTO_PKI: Found a subject match

Jul 9 14:21:36.648: CRYPTO_PKI: validation path has 1 certs

Jul 9 14:21:36.648: CRYPTO_PKI: Check for identical certs

Jul 9 14:21:36.648: CRYPTO_PKI(Cert Lookup) issuer="cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU" serial number= 51 D5 40 F0

Jul 9 14:21:36.648: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C

Jul 9 14:21:36.648: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Jul 9 14:21:36.648: CRYPTO_PKI: Create a list of suitable trustpoints

Jul 9 14:21:36.648: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()

Jul 9 14:21:36.648: CRYPTO_PKI: Unable to locate cert record by issuername

Jul 9 14:21:36.648: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain

Jul 9 14:21:36.648: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

Jul 9 14:21:36.648: CRYPTO_PKI: Found a subject match

Jul 9 14:21:36.648: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()

Jul 9 14:21:36.648: CRYPTO_PKI: Found a issuer match

Jul 9 14:21:36.648: CRYPTO_PKI: No suitable trustpoints found

Jul 9 14:21:36.648: IKEv2:(1): Platform errors

Jul 9 14:21:36.648: IKEv2:(1):

Jul 9 14:21:36.648: IKEv2:(1): Sending authentication failure notify

Jul 9 14:21:36.648: IKEv2:(1): Auth exchange failed

Jul 9 14:21:36.648: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Platform errors

Jul 9 14:21:36.648: IKEv2:(1): Deleting SA

Jul 9 14:21:36.648: CRYPTO_PKI: PKI session 15D09 has ended. Freeing all resources.

Jul 9 14:21:36.648: CRYPTO_PKI: unlocked trustpoint cisco.certificate, refcount is 0

Jul 9 14:21:40.097: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request

Jul 9 14:21:40.097: IKEv2:(1): Processing initial message

Jul 9 14:21:40.097: CRYPTO_PKI: Identity not specified for session 15D0A

Jul 9 14:21:40.101: IKEv2:(1): Sending initial message

Jul 9 14:21:40.245: IKEv2:(1): Recieved valid parameteres in process id

Jul 9 14:21:40.245: CRYPTO_PKI: Trust-Point cisco.certificate picked up

Jul 9 14:21:40.245: CRYPTO_PKI: 1 matching trustpoints found

Jul 9 14:21:40.245: CRYPTO_PKI: Trust-Point cisco.certificate picked up

Jul 9 14:21:40.245: CRYPTO_PKI: 1 matching trustpoints found

Jul 9 14:21:40.245: CRYPTO_PKI: locked trustpoint cisco.certificate, refcount is 1

Jul 9 14:21:40.245: CRYPTO_PKI: Identity bound (cisco.certificate) for session 15D0A

Jul 9 14:21:40.245: CRYPTO_PKI(Cert Lookup) issuer="cn=Cipher-2048-sha256,ou=CiscoCA,o=Anai DE,st=Stockholm,c=AU" serial number= 02 8E

Jul 9 14:21:40.245: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

AF 14 EC E8 8B 9D 6D 35 1B 78 40 F6 DA C8 DF 87

Jul 9 14:21:40.245: CRYPTO_PKI: Adding peer certificate

Jul 9 14:21:40.245: CRYPTO_PKI: Added x509 peer certificate - (954) bytes

Jul 9 14:21:40.245: CRYPTO_PKI: Adding peer certificate

Jul 9 14:21:40.245: CRYPTO_PKI: Added x509 peer certificate - (491) bytes

Jul 9 14:21:40.245: CRYPTO_PKI: Adding peer certificate

Jul 9 14:21:40.245: CRYPTO_PKI: Added x509 peer certificate - (467) bytes

Jul 9 14:21:40.245: CRYPTO_PKI: Adding peer certificate

Jul 9 14:21:40.249: CRYPTO_PKI: Added x509 peer certificate - (522) bytes

Jul 9 14:21:40.249: CRYPTO_PKI: Validation list has 1 trustpoints

Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU" serial number= 51 D5 40 F0

Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C

Jul 9 14:21:40.249: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=TEST CA for VE SCEP server,ou=AL/ETE,o=Anai" serial number= 0D

Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

1B 07 81 C0 33 53 CE 85 FC 05 0D 96 CC 78 83 5C

Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" serial number= 0C

Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

12 BA 39 5E DA 2D 33 A3 4A 91 EE A9 C8 A9 61 3B

Jul 9 14:21:40.249: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" serial number= 01

Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

5E C6 62 9A 83 C8 5A 6F 82 27 61 14 54 5E 24 74

Jul 9 14:21:40.249: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Jul 9 14:21:40.249: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

Jul 9 14:21:40.249: CRYPTO_PKI: Found a subject match

Jul 9 14:21:40.249: CRYPTO_PKI: validation path has 1 certs

Jul 9 14:21:40.249: CRYPTO_PKI: Check for identical certs

Jul 9 14:21:40.249: CRYPTO_PKI(Cert Lookup) issuer="cn=SubCA for VE SCEP Server,ou=AL/ETE,o=Anai DE,c=AU" serial number= 51 D5 40 F0

Jul 9 14:21:40.249: CRYPTO_PKI: looking for cert in handle=1BF3738, digest=

5E 9B 12 F5 7D CB 43 65 A0 0D 1C 59 BC 75 1A 6C

Jul 9 14:21:40.249: CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

Jul 9 14:21:40.249: CRYPTO_PKI: Create a list of suitable trustpoints

Jul 9 14:21:40.249: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()

Jul 9 14:21:40.249: CRYPTO_PKI: Unable to locate cert record by issuername

Jul 9 14:21:40.249: CRYPTO_PKI: No trust point for cert issuer, looking up cert chain

Jul 9 14:21:40.249: CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

Jul 9 14:21:40.249: CRYPTO_PKI: Found a subject match

Jul 9 14:21:40.249: CRYPTO_PKI: crypto_pki_get_cert_record_by_issuer()

Jul 9 14:21:40.249: CRYPTO_PKI: Found a issuer match

Jul 9 14:21:40.249: CRYPTO_PKI: No suitable trustpoints found

Jul 9 14:21:40.249: IKEv2:(1): Platform errors

Jul 9 14:21:40.249: IKEv2:(1):

Jul 9 14:21:40.249: IKEv2:(1): Sending authentication failure notify

Jul 9 14:21:40.249: IKEv2:(1): Auth exchange failed

Jul 9 14:21:40.249: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Platform errors

Jul 9 14:21:40.249: IKEv2:(1): Deleting SA

Jul 9 14:21:40.249: CRYPTO_PKI: PKI session 15D0A has ended. Freeing all resources.

Jul 9 14:21:40.249: CRYPTO_PKI: unlocked trustpoint cisco.certificate, refcount is 0

AS67129#

So SCEP server is actually SubCA_cert and it is signed by this issuer

issuer="cn=PKS 2005-08-30,ou=AL/ETE,o=Anai" .

On hostE I have

BR
Renato

Marcin Latosiewicz · ‎07-09-2013

Renato,

Open up a TAC case, there's only so much one can do seeing only part of the problem.

M.