I am trying to configure a 3925 router (C3900-SPE100/K9) running 15.4(2)T as a VPN gateway for end users running Cisco AnyConnect 3.1.05160 with FIPS enabled. I am working on this using Suite B compliant algorithms for the authentication and encryption. Both the router and the client computer have Suite B compliant certificates that are version 3 with sha384ECDSA as the signature algorithm and the public key is based on ECC (384 bits) and ECDH_P384.
If I set the router to use rsa-sig as the remote and local authentication method and the client to use the RSA_Sigs AnyConnect profile, the client connects. If I set the router to use ecdsa-sig and the client to use the ECDSA_Sigs profile, the client comes back with an error message that states “The IPSec VPN connection was terminated due to an authentication failure or timeout. Please contact your network administrator.”
I enabled debugging on the router for both methods (output attached), and saw that for the RSA method the router gets the client’s CN from the certificate and seems to accept it. When using the ECDSA method, the router comes back with “'*$AnyConnectClient$*' of type 'Group name'” and then says that it failed to locate an item in the database, subsequently failing the connection.
If anyone has any ideas on how to get ECDSA authentication to work, I would appreciate it. I have attached the AnyConnect profiles, the debugs, and the crypto commands on the router. If anyone needs anything else to help with this, please let me know.