ASA IKEv2 Remote Access

rjadhav163
Level 1

Hello,

We have a Cisco ASA 5508 with software version 9.6.1.

We are implementing Remote Access IPSec (and SSL as well actually) VPN using Windows 7 and Windows 10 native VPN Clients.

For Windows 7, we configured the firewall using this reference document:

http://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html

Everything works fine here with Windows 7. 

Since there is no document for Windows 10, I also configured everything exactly the same for the Windows 10 native client and the ASA. However, it does not function and gives an error:

Username: <my_username_here> IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA

Any idea what might be going wrong?

10 Replies

Vishnu Sharma
Level 1

Hi,

Please configure a new IKE policy with the following parameters:

encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400

Also check the Pre shared key.

Let me know if this helps.

Thanks,

Vishnu

Hi

No, it did not help. I checked the pre-shared key and also tried with certificates.

A new IKE policy does not help.

Regards,

Rahul

Hi Rahul

We are experiencing the same problem with Windows 10 clients on our IKEv2 remote access using the Windows native VPN. Did you find a solution?

Thanks

Hi Merlin,

No, not yet. What about you guys?

Hi Rahul

Yes, we have this working now. It seemed to come right after trying different encryption settings and then rebooting everything (router, Windows 10 client, certificate revocation list web server); most especially, rebooting the Windows 10 client seemed to help at one point.

I was actually implementing 'IKEv2 EAP with MS-CHAP-V2 password VPN' with an ISR rather than an ASA, but was receiving the same error message as mentioned in the OP.

Here is an example IOS config from our notes (the CA trustpoint is missing from this config); perhaps this helps.

aaa new-model
aaa group server radius <radius server group name>
 server-private <radius server ip address x.x.x.x> key 0 <radius key unencrypted>
!
aaa authentication login default local
aaa authentication login local_auth local
aaa authentication login <name for eap authentication list> group <radius server group name>
aaa authentication ppp default group <radius server group name>
aaa authorization network default group <radius server group name>
aaa authorization network <name for eap authorization list> local
!
! Attributes handed to the client once EAP authentication succeeds
crypto ikev2 authorization policy <ikev2 authorization policy name>
 pool <ip pool name>
 dns <dns server ip address x.x.x.x>
 netmask <subnet mask to use with the ip pool name xxx.xxx.xxx.xxx>
 def-domain <the domain name to assign to the remote pc's connection>
!
! IKE SA parameters; the client has to offer a matching combination
crypto ikev2 proposal <ikev2 proposal name>
 encryption aes-cbc-256
 integrity sha256
 group 2
!
crypto ikev2 policy <ikev2 policy name>
 proposal <ikev2 proposal name>
!
! Router authenticates with its certificate, clients with EAP via RADIUS
crypto ikev2 profile <ikev2 profile name>
 match identity remote address 0.0.0.0
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint <name of CA server trustpoint that holds the local router's certificate for that CA>
 dpd 60 2 on-demand
 aaa authentication eap <name for eap authentication list>
 aaa authorization group eap list <name for eap authorization list> <ikev2 authorization policy name>
 virtual-template <number of virtual template to use>
!
! Child SA (ESP) parameters
crypto ipsec transform-set <transform set name> esp-3des esp-sha-hmac
!
crypto ipsec profile <ipsec profile name>
 set transform-set <transform set name>
 set ikev2-profile <ikev2 profile name>
!
interface virtual-template <number of virtual template to use>
 ip unnumbered <the interface in the dmz - not the public interface>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile <ipsec profile name>
!
ip local pool <ip pool name> <first ip address of unique subnet x.x.x.x> <last ip address of unique subnet x.x.x.x>
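The client side of the configuration above, as an added example that is not part of the original thread or of Cisco's documentation: a PowerShell script that creates a Windows 10 native IKEv2 connection, pins its IKE SA and child SA proposals to exactly what the posted IOS config accepts (aes-cbc-256 / sha256 / group 2 for IKE, esp-3des / esp-sha-hmac with no PFS for ESP), and reads the result back for comparison with the gateway. The connection name, the gateway address, and the assumption that the connection's default EAP method is EAP-MSCHAPv2 are mine, not the poster's.

```powershell
# Added example: build a Windows 10 native IKEv2 connection whose proposals match
# the IOS config posted above. Run in an elevated PowerShell on the client.
#   IKE SA  : aes-cbc-256 / sha256 / DH group 2      (crypto ikev2 proposal)
#   child SA: esp-3des / esp-sha-hmac, no PFS        (crypto ipsec transform-set)

$ConnectionName = "CorpVPN-IKEv2"      # placeholder name
$Gateway        = "vpn.example.com"    # placeholder; must match the gateway certificate's name

# The gateway uses 'authentication remote eap query-identity' with RADIUS, so the
# client authenticates with EAP. The EAP method is left at the connection default
# (assumed to be EAP-MSCHAPv2; verify in the adapter's Security tab).
Add-VpnConnection -Name $ConnectionName `
                  -ServerAddress $Gateway `
                  -TunnelType Ikev2 `
                  -AuthenticationMethod Eap `
                  -EncryptionLevel Required `
                  -RememberCredential `
                  -Force

# Pin the proposals so the client offers only what the gateway is configured for:
#   EncryptionMethod / IntegrityCheckMethod / DHGroup      -> IKE SA (ikev2 proposal)
#   CipherTransformConstants / AuthenticationTransformConstants -> child SA (transform-set)
#   PfsGroup None                                          -> no 'set pfs' in the ipsec profile
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group2 `
    -CipherTransformConstants DES3 `
    -AuthenticationTransformConstants SHA196 `
    -PfsGroup None `
    -Force

# Read back what the client will propose and compare it line by line with
# 'show crypto ikev2 proposal' and the transform-set on the gateway.
$conn = Get-VpnConnection -Name $ConnectionName
$conn | Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel
$conn.IPsecCustomPolicy   # assumed property holding the pinned IPsec parameters

# Connect, then check that the child SA came up before reporting the result.
rasdial $ConnectionName
Get-VpnConnection -Name $ConnectionName | Select-Object Name, ConnectionStatus
```

Pinning the client to one proposal set has a diagnostic value beyond getting the tunnel up: if negotiation still fails with the proposals known to match, the remaining suspects are the authentication step (certificate chain, CRL reachability, EAP/RADIUS), which is where the "Failed to authenticate the IKE SA" message in this thread points.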

So what was the problem, and what was the solution?

Hi Rahul,

Did you find a solution? At the moment I have the same problem.

I have an ASA 5512 and an ASA 5506 for testing, with 9.7.1.

pjain2
Cisco Employee

What is the AnyConnect version on the ASA and the Windows 10 machine?

Hi.

We do not use AnyConnect.

We are using the native VPN client in Windows 10.

Hi Rahul,

Did you have any luck with the Win10 native VPN client connecting to your Cisco ASA VPN servers? I believe it works with the IKEv2/IPsec protocol (as per Cisco websites). What we are looking for is to get it working with SSL instead of IPsec, as on most remote Wi-Fi (hotels, restaurants, etc.) the IPsec protocol has been blocked. I would like to know if the Win10 native client can support the SSL protocol to connect to Cisco ASA VPNs?

Regards,

Ganesh