FTD IKE/IPSec VPN site to site certificate authentication error

soufiansaheb
Level 1

Hello all,

Recently I tried to configure a site-to-site VPN with the certificate authentication type. I got the certificate signed by a third-party authority, and when I ran the debugs I got this log:

CRYPTO_PKI: bitValue of KEY_USAGE = a0

PKI[7]: CRYPTO_PKI:check_key_usage: Checking KU for case VPN peer certs.

PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.

PKI[7]: ExtendedKeyUsage OID = serverAuth NOT acceptable for usage type IPSEC VPN Peer

PKI[4]: check_key_usage: No acceptable ExtendedKeyUsage OIDs found

PKI[7]: check_key_usage: IGNORING IPSec Key Usage check failure

PKI[12]: pki_ossl_do_callback, pki_ossl_validate.c:164

PKI[9]: Async unlocked for session 0x9a679795

PKI[12]: CERT_VerifyData, vpn3k_cert_api.c:603

PKI[9]: CERT API thread sleeps!

I saw some documentation that recommends applying ignore-ipsec-keyusage, and even support suggested applying this command on the trustpoint, which is what I did:

sh run cry ca trustpoint VPN

crypto ca trustpoint VPN

keypair VPN_BA_AGB

ignore-ipsec-keyusage <---

crl configure

I also checked the option "ignore IPsec key usage" in the Key tab of the enrollment,

and this is another recommendation from support:

The recommendation is to get the right EKU/OID on the certificate in order for the firewall to be able to use it for IPSec VPN certificate authentication

but the CA confirmed to me that they do this with other vendors and it works fine, and they cannot change the EKU because this is not allowed.

Is there any way to force FTD to escape the EKU check?

25 Replies

Correct, it permits the mapped address (NATted address) of my LAN to the remote LAN.

sho run access-list CSM_IPSEC_ACL_3

access-list CSM_IPSEC_ACL_3 extended permit ip host (the NAT ip of my lan) host (the remote LAN ip)

And I also get this log:

IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 1  peer doesn't match map entry

IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 2  peer doesn't match map entry

IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 3  peer doesn't match map entry

IKEv2-PLAT-4: (3989): Crypto map CSM_INTERNET_AT_map seq 4  peer doesn't match map entry

IKEv2-PLAT-4: (3989): Crypto Map: No proxy match on map CSM_INTERNET_AT_map seq 6

IKEv2-PLAT-4: (3989): Crypto map: Skipping dynamic map CSM_INTERNET_AT_map_dynamic sequence 30000: cannot match peerless map when peer found in previous map entry.

IKEv2-PROTO-7: (3989): Failed to verify the proposed policies

IKEv2-PROTO-2: (3989): There was no IPSEC policy found for received TS

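As an added example (not from the thread, and not Cisco's code), a small Python triage helper that reads the two debug excerpts quoted above: it decodes the KEY_USAGE hex value into KU bit names, records which EKU OID the PKI check rejected and whether that failure was ignored, and keeps that separate from the IKEv2 traffic-selector failure. The sample lines are constructed from the posted debug; reading the KEY_USAGE value as the first octet of the X.509 KeyUsage BIT STRING is an assumption.

```python
import re
# Constructed sample from the FTD debug lines quoted in the thread: the PKI
# key-usage check on the peer certificate and the IKEv2 traffic-selector failure.
SAMPLE_DEBUG = """\
CRYPTO_PKI: bitValue of KEY_USAGE = a0
PKI[7]: CRYPTO_PKI:check_key_usage: KU bit digitalSignature is ON.
PKI[7]: ExtendedKeyUsage OID = serverAuth NOT acceptable for usage type IPSEC VPN Peer
PKI[4]: check_key_usage: No acceptable ExtendedKeyUsage OIDs found
PKI[7]: check_key_usage: IGNORING IPSec Key Usage check failure
IKEv2-PLAT-4: (3989): Crypto Map: No proxy match on map CSM_INTERNET_AT_map seq 6
IKEv2-PROTO-2: (3989): There was no IPSEC policy found for received TS
"""

# KeyUsage bit names in bit order (RFC 5280 section 4.2.1.3). The KEY_USAGE value is
# read here (assumption) as the first octet of the KU BIT STRING; bit 0 is its MSB.
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]

def decode_key_usage(hex_octet):
    # 0xa0 = 1010 0000 -> digitalSignature and keyEncipherment are set
    value = int(hex_octet, 16)
    return [name for i, name in enumerate(KU_BITS) if value & (0x80 >> i)]

def triage(debug_text):
    r = {"key_usage": [], "rejected_eku": [], "eku_failure_ignored": False,
         "no_proxy_match_seqs": [], "no_ts_policy": False}
    for line in debug_text.splitlines():
        if m := re.search(r"bitValue of KEY_USAGE = ([0-9a-fA-F]+)", line):
            r["key_usage"] = decode_key_usage(m.group(1))
        elif m := re.search(r"ExtendedKeyUsage OID = (\S+) NOT acceptable", line):
            r["rejected_eku"].append(m.group(1))
        elif "IGNORING IPSec Key Usage check failure" in line:
            r["eku_failure_ignored"] = True   # ignore-ipsec-keyusage is in effect
        elif m := re.search(r"No proxy match on map \S+ seq (\d+)", line):
            r["no_proxy_match_seqs"].append(int(m.group(1)))
        elif "no IPSEC policy found for received TS" in line:
            r["no_ts_policy"] = True
    return r

def findings(r):
    # An EKU failure that was ignored did not reject the cert; a TS mismatch is separate.
    out, eku = [], ", ".join(r["rejected_eku"])
    if r["rejected_eku"] and not r["eku_failure_ignored"]:
        out.append("peer cert rejected: EKU %s not acceptable for IPsec" % eku)
    elif r["rejected_eku"]:
        out.append("EKU %s not acceptable but ignored; cert check passed" % eku)
    if r["no_ts_policy"]:
        out.append("no child SA: no proxy/TS match on crypto map seq %s" % r["no_proxy_match_seqs"])
    return out
```

Run `findings(triage(SAMPLE_DEBUG))` on the posted lines and it reports the EKU failure as ignored and the missing child SA as a traffic-selector problem, which is the distinction the rest of the thread turns on.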
Sorry for the delay in my reply.
Your side uses the ACL
NAT-IP of your LAN -> Remote LAN

The other side of the VPN must use
Remote LAN -> NAT-IP of your LAN
and they also need a route for this NAT-IP toward the IPsec interface.

If the other side uses the real IP, then you will face an issue with the IPsec selectors.

MHM

Thanks for the reply. I don't have control over the other side, but when we switch back to pre-shared key authentication the VPN works fine.

soufiansaheb
Level 1

Hello all,

Please, I'm really struggling with this point. If anyone can help, I would appreciate it!

Hi friend,

If this issue is not solved, can you share

show crypto ikev2 sa detail

when you try to use the cert for VPN auth?

MHM

Please find the output below:

IKEv2 SAs:

Session-id:70325, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
1811581195 MypublicIP/500 remotePublicIP/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:20, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/54 sec
Session-id: 70325
Status Description: Negotiation done
Local spi: B2B659E89D6B112E Remote spi: 21B3558F22D77214
Local id: cn=MYCN ,o=MyOrganisation,st=Mystate,c=CountryCode
Remote id: RemotePublicIP
Local req mess id: 0 Remote req mess id: 2
Local next mess id: 1 Remote next mess id: 2
Local req queued: 0 Remote req queued: 2
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Parent SA Extended Status:
Delete in progress: FALSE
Marked for delete: FALSE
Error code: 108

Thanks in advance.

Local id: cn=MYCN ,o=MyOrganisation,st=Mystate,c=CountryCode

Remote id: RemotePublicIP <- why is the remote ID the public IP and not the cert.?

MHM

Hello, and sorry for the late answer.

To be honest, I don't know why. Do you have any suggestions, please?

Don't worry.

In the VPN topology, Advanced > IKE,

change the peer identity to the peer IP instead of the cert.

MHM

I changed the peer identity to the peer IP but still get the same error.

Shanza
Level 1

It appears you've followed the recommended steps and explored various options to resolve the issue with VPN configuration. If the CA authority cannot alter the EKU, consider collaborating with Cisco support to explore alternative solutions or workarounds for bypassing the EKU check. For additional assistance, you may also consider consulting reputable attestation services in Dubai for expert guidance on navigating complex certification issues.
