Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2127
Views
5
Helpful
7
Replies

3925 VPN with ECDSA Authentication

Go to solution
Jimmy Copeland
Level 1
Level 1

‎06-02-2014 06:17 AM

I am trying to configure a 3925 router (C3900-SPE100/K9) running 15.4(2)T as a VPN gateway for end users running Cisco AnyConnect 3.1.05160 with FIPS enabled.  I am working on this using Suite B compliant algorithms for the authentication and encryption.  Both the router and the client computer have Suite B compliant certificates that are version 3 with sha384ECDSA as the signature algorithm and the public key is based on ECC (384 bits) and ECDH_P384. 

If I set the router to use rsa-sig as the remote and local authentication method and the client to use the RSA_Sigs Anyconnect profile, the client connects.  If I set the router to use ecdsa-sig and the client to use the ECDSA_Sigs profile, the client comes back with an error message that states “The IPSec VPN connection was terminated due to an authentication failure or timeout.  Please contact your network administrator.”

I enabled debugging on the router for both methods (output attached), and saw that for the RSA method that the router gets the client’s CN from the certificate and seems to accept it.  When using the ECDSA method, the router comes back with “'*$AnyConnectClient$*' of type 'Group name'” and then says that it failed to locate an item in the database subsequently failing the connection.

If anyone has any ideas on how to get ECDSA authentication to work, I would appreciate it.  I have attached the AnyConnect profiles, the debugs, and the crypto commands on the router.  If anyone needs anything else to help with this, please let me know.


Thanks.

Jimmy

Labels:
Preview file
1 KB
Preview file
44 KB
Preview file
1 KB
Preview file
7 KB
Preview file
1 KB
Preview file
1 KB
Preview file
1 KB
Preview file
27 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Jimmy Copeland

‎06-16-2014 11:48 AM

Also have a try with the latest AnyConnect - 3.1.05170 (released June 16 2014) has a resolved caveat as follows:

CSCuo75389

anyconnect

AnyConnect is sending incorrect auth method for IKEv2 ECDSA based auth

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎06-02-2014 07:19 AM

James, 

 

Can you also attach a sanitized profile before (RSA) and after (EDCSA)?

I'm just curious, you seem to be causing AC to send the default identity of $AnyConnectClient$

vide:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/anyconnectadmin31/apxAvpnxmlref.html

 

This in turn is causing your cert maps to fail and IKEv2 profile is not matched. 

 

M. 

0 Helpful

Go to solution
Jimmy Copeland
Level 1
Level 1
In response to Marcin Latosiewicz

‎06-02-2014 07:50 AM

Marcin,

The AC profiles were already attached.  Sorry.  I should have been a little more clear about all the attached files.  The rsa_sigs.xml_.txt is the profile for when RSA worked.  The ecdsa_sigs.txt file is the profile that I am using for ECDSA authentication.  Both are pretty basic since I used the profile from http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html as a template.

Thanks.

Jimmy

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Jimmy Copeland

‎06-02-2014 11:14 PM

Jimmy, 

 

In the EDCSA profile for AC you're using IPsec only, which will essentially cause it to try ASA-style connection. The "odd" identity and EAP-Anyconnect as auth method will be used. 

 

I _believe_ that even for ECDSA signed certs you should be using IKE-RSA as authentication method. However I left VPN team more than a year ago things could have changed. 

 

Anyway there's quite a few different moving parts, open up a TAC case if you want fastest answer. 

You might point out there's a gap in knowledge base about example showing this type of config. 

 

M.

0 Helpful

Go to solution
Jimmy Copeland
Level 1
Level 1
In response to Marcin Latosiewicz

‎06-03-2014 05:26 AM

Marcin,

 

I appreciate you looking over this.  I had a feeling I was going to have to open a TAC case but wanted to see if the community had seen this first. 

 

Also I did try the IKE-RSA method in the profile and got no joy.

 

Thanks again and when I get an answer I will make sure to post it.

 

Jimmy

0 Helpful

Go to solution
Jimmy Copeland
Level 1
Level 1
In response to Jimmy Copeland

‎06-09-2014 09:48 AM

So I got an answer to the problem...somewhat.  The problem is a bug in the ISRG2 code and how it handles ECDSA certs.  There is a fix coming out and that should resolve this issue. 

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Jimmy Copeland

‎06-10-2014 12:39 AM

Cool.

Do you have the bug id? Let's punt it here so people are aware.

M.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Jimmy Copeland

‎06-16-2014 11:48 AM

Also have a try with the latest AnyConnect - 3.1.05170 (released June 16 2014) has a resolved caveat as follows:

CSCuo75389

anyconnect

AnyConnect is sending incorrect auth method for IKEv2 ECDSA based auth

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents