08-31-2016 09:07 AM - edited 02-21-2020 08:57 PM
Hello,
We have a Cisco ASA 5508 with software version 9.6.1.
We are implementing Remote Access IPSec (and SSL as well actually) VPN using Windows 7 and Windows 10 native VPN Clients.
For Windows 7, we configured the firewall using this reference document:
http://www.cisco.com/c/en/us/support/docs/security-vpn/webvpn-ssl-vpn/119208-config-asa-00.html
Everything works fine here with Windows 7.
Since there is no document for Windows 10, I also configured everything exactly the same for the Windows 10 native client and the ASA. However, it does not function and gives an error:
Username: <my_username_here> IKEv2 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA
Any idea what might be going wrong?
08-31-2016 11:01 AM
Hi,
Please configure a new IKE policy with the following parameters:
encryption aes
integrity sha
group 5
prf sha
lifetime seconds 86400
Also check the pre-shared key.
Let me know if this helps.
Thanks,
Vishnu
09-01-2016 12:28 AM
Hi
No, it did not help. I checked the pre-shared key and also tried with certificates.
A new IKE policy does not help.
Regards,
Rahul
10-09-2016 03:49 AM
Hi Rahul
We are experiencing the same problem with Windows 10 clients on our IKEv2 remote access using the Windows native VPN. Did you find a solution?
Thanks
11-18-2016 08:13 AM
Hi Merlin,
No, not yet. What about you guys?
11-18-2016 12:38 PM
Hi Rahul
Yes, we have this working now. It seemed to come right after trying different encryption settings, then rebooting everything (router, Windows 10 client, certificate revocation list web server); most especially, rebooting the Windows 10 client seemed to help at one point.
I was actually implementing 'IKEv2 EAP with MS-CHAP-V2 password VPN' with an ISR rather than an ASA, but was receiving the same error message as mentioned in the OP.
Here is an example IOS config from our notes (the CA trustpoint is missing from this config); perhaps this helps...
aaa new-model
aaa group server radius <radius server group name>
 server-private <radius server ip address x.x.x.x> key 0 <radius key unencrypted>
aaa authentication login default local
aaa authentication login local_auth local
aaa authentication login <name for eap authentication list> group <radius server group name>
aaa authentication ppp default group <radius server group name>
aaa authorization network default group <radius server group name>
aaa authorization network <name for eap authorization list> local
!
crypto ikev2 authorization policy <ikev2 authorization policy name>
 pool <ip pool name>
 dns <dns server ip address x.x.x.x>
 netmask <subnet mask to use with the ip pool name xxx.xxx.xxx.xxx>
 def-domain <the domain name to assign to the remote pc's connection>
!
crypto ikev2 proposal <ikev2 proposal name>
 encryption aes-cbc-256
 integrity sha256
 group 2
crypto ikev2 policy <ikev2 policy name>
 proposal <ikev2 proposal name>
!
crypto ikev2 profile <ikev2 profile name>
 match identity remote address 0.0.0.0
 authentication local rsa-sig
 authentication remote eap query-identity
 pki trustpoint <name of CA server trustpoint that holds the local router's certificate for that CA>
 dpd 60 2 on-demand
 aaa authentication eap <name for eap authentication list>
 aaa authorization group eap list <name for eap authorization list> <ikev2 authorization policy name>
 virtual-template <number of virtual template to use>
!
crypto ipsec transform-set <transform set name> esp-3des esp-sha-hmac
crypto ipsec profile <ipsec profile name>
 set transform-set <transform set name>
 set ikev2-profile <ikev2 profile name>
!
interface virtual-template <number of virtual template to use>
 ip unnumbered <the interface in the dmz - not the public interface>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile <ipsec profile name>
!
ip local pool <ip pool name> <first ip address of unique subnet x.x.x.x> <last ip address of unique subnet x.x.x.x>
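For the client side of the setup above, here is an added example (not from the thread or from Cisco) that builds the matching Windows 10 native IKEv2 connection with PowerShell, pinning the IKE and IPsec parameters to the values in the IOS config rather than relying on the client's defaults. The connection name, server name, and the assumption that the issuing CA is already in the client's machine Trusted Root store are mine.

```powershell
# Added example: Windows 10 native client settings that mirror the IOS config above.
# Assumed values: connection name, gateway FQDN, CA already trusted by the client.
$Name   = 'Corp-IKEv2'        # assumed connection name
$Server = 'vpn.example.com'   # assumed; must match the name in the router's certificate

# IKEv2 with EAP. Without -EapConfigXmlStream the built-in client uses its default
# EAP method, which I assume here is EAP-MSCHAPv2, matching the post's setup.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType Ikev2 `
    -AuthenticationMethod Eap -EncryptionLevel Required -RememberCredential -Force

# IKE SA  : matches "encryption aes-cbc-256 / integrity sha256 / group 2".
# Child SA: matches "esp-3des esp-sha-hmac"; no PFS is set on the IOS side.
Set-VpnConnectionIPsecConfiguration -ConnectionName $Name `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group2 `
    -CipherTransformConstants DES3 -AuthenticationTransformConstants SHA196 `
    -PfsGroup None -Force

# Show the effective settings so they can be compared against the gateway before
# testing; the fix reported above came after changing encryption settings.
Get-VpnConnection -Name $Name |
    Format-List Name, TunnelType, AuthenticationMethod, EncryptionLevel, IPSecCustomPolicy
```

Run in an elevated PowerShell session; if the gateway later moves to a stronger ESP transform (for example AES-256 with SHA-256), change the two transform constants here to match.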
11-28-2017 04:26 PM
So what was the problem, and what was the solution?
03-16-2017 08:30 AM
Hi Rahul,
Did you find a solution? At the moment I have the same problem.
I have an ASA5512 and an ASA5506 for testing with 9.7.1.
09-01-2016 01:32 AM
What is the AnyConnect version on the ASA and the Windows 10 machine?
09-01-2016 06:15 AM
Hi,
we do not use AnyConnect.
We are using the native VPN client in Windows 10.
04-25-2018 04:14 AM
Hi Rahul,
Did you have any luck with the Win10 native VPN client connecting to your Cisco ASA VPN servers? I believe it works with the IKEv2/IPsec protocol (as per Cisco websites). What we are looking for is to get it working with SSL instead of IPsec, as on most remote Wi-Fi (hotels/restaurants etc.) the IPsec protocol has been blocked. I would like to know if the Win10 native client can support the SSL protocol to connect to Cisco ASA VPNs.
Regards,
Ganesh