Cisco Support Community
Community Member

IKEv2 & Suite B VPN

Hi,

I'm trying to get a remote access VPN set up to a 2921-G2 with an onboard hardware crypto engine running 15.2(2)T2 IOS. Remote users use StrongSwan as a VPN client.

I've configured both ends to use RSA certs for authentication and Suite B cryptographic suites, but when attempting to form a tunnel with the router, the authentication process fails with the following debug entries on the router:

*Aug 14 09:21:33.876: crypto_engine_select_crypto_engine: can't handle any more
*Aug 14 09:21:33.880: crypto_engine: no crypto engines available
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data FAILED
*Aug 14 09:21:33.880:  CRYPTO_PKI: Application requested to expire the key
*Aug 14 09:21:33.880:  CRYPTO_PKI: Expiring peer's cached key with key id 17
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Failed to compute or verify a signature
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=76AB0E9D61482693 R_SPI=18E7CB2367731416 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Sending authentication failure notify
*Aug 14 09:21:33.880: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

The entries of concern are "crypto_engine_select_crypto_engine: can't handle any more" and "crypto_engine: no crypto engines available".

Does anyone have an idea of the possible cause of this?

Thanks,
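The debug excerpt in the post shows the chain a practitioner wants to pull out of a long "debug crypto ikev2" / "debug crypto engine" capture automatically: a crypto-engine error logged a few milliseconds before the IKEv2 state machine, in state R_VERIFY_AUTH, raises EV_AUTH_FAIL and sends AUTHENTICATION_FAILED. The script below is an added example, not code from the original post or from Cisco: it parses IOS debug lines, groups them by SA ID, records the SM Trace state, event and SPIs, and attributes each failed AUTH exchange to the crypto engine when such an error was logged within a short window before it. The sample lines for SA 1 are the ones quoted above; the SA 2 (PASSED) and SA 3 (failed, no engine error) lines, the one-second window and the "IOS prints no year in timestamps" handling are constructed assumptions.

```python
"""Triage Cisco IOS IKEv2 debug output: which SAs failed AUTH, and was a
crypto-engine error logged just before the failure?
Added example, not from the original post; SA 2 / SA 3 lines are constructed."""
import re
from datetime import datetime

# IOS debug line: "*Aug 14 09:21:33.880: <message>"  (no year in the timestamp)
TS_RE = re.compile(r"^\*(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}):\s+(?P<msg>.*)$")
SA_RE = re.compile(r"IKEv2:\(SA ID = (?P<sa>\d+)\):(?P<body>.*)")
TRACE_RE = re.compile(
    r"SM Trace-> SA: I_SPI=(?P<ispi>[0-9A-F]+) R_SPI=(?P<rspi>[0-9A-F]+) "
    r"\((?P<role>[IR])\) MsgID = (?P<msgid>[0-9A-F]+) CurState: (?P<state>\S+) Event: (?P<event>\S+)"
)
# Messages from the crypto-engine subsystem that mean "no engine took the job"
ENGINE_ERRORS = ("no crypto engines available", "can't handle any more")

# Constructed sample: SA 1 lines are the ones quoted in the post; SA 2 and SA 3
# (and the stray engine error 5 s before SA 3) are constructed to show the other verdicts.
SAMPLE_DEBUG = """\
*Aug 14 09:21:33.876: crypto_engine_select_crypto_engine: can't handle any more
*Aug 14 09:21:33.880: crypto_engine: no crypto engines available
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data FAILED
*Aug 14 09:21:33.880:  CRYPTO_PKI: Application requested to expire the key
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Failed to compute or verify a signature
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=76AB0E9D61482693 R_SPI=18E7CB2367731416 (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*Aug 14 09:21:33.880: IKEv2:(SA ID = 1):Sending authentication failure notify
*Aug 14 09:21:33.880: IKEv2:Construct Notify Payload: AUTHENTICATION_FAILED
*Aug 14 09:25:10.100: IKEv2:(SA ID = 2):Verification of peer's authentication data PASSED
*Aug 14 09:29:57.000: crypto_engine: no crypto engines available
*Aug 14 09:30:02.500: IKEv2:(SA ID = 3):Verification of peer's authentication data FAILED
"""


def parse_line(line):
    """Return a record dict for one IOS debug line, or None if it is not one."""
    m = TS_RE.match(line)
    if not m:
        return None
    # No year in IOS timestamps: strptime fills in 1900, which is fine for deltas within one capture
    rec = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"), "msg": m["msg"], "sa": None, "body": ""}
    sa = SA_RE.search(m["msg"])
    if sa:
        rec["sa"] = int(sa["sa"])
        rec["body"] = sa["body"]
    rec["engine_error"] = m["msg"].startswith("crypto_engine") and any(e in m["msg"] for e in ENGINE_ERRORS)
    return rec


def triage(debug_text, window_s=1.0):
    """Map SA ID -> {outcome, trace, engine_errors, cause} for every SA seen in the capture.
    cause is 'crypto-engine' if an engine error preceded a FAILED verdict within window_s
    seconds, 'other' for any other FAILED verdict, and 'none' when AUTH did not fail."""
    records = [r for r in (parse_line(l) for l in debug_text.splitlines()) if r]
    engine_errs = [r for r in records if r["engine_error"]]
    sas = {}
    for r in records:
        if r["sa"] is None:
            continue
        entry = sas.setdefault(r["sa"], {"outcome": None, "engine_errors": [], "trace": {}})
        t = TRACE_RE.search(r["body"])
        if t:
            entry["trace"] = {k: t[k] for k in ("ispi", "rspi", "role", "state", "event")}
        if r["body"].startswith("Verification of peer's authentication data"):
            entry["outcome"] = r["body"].rsplit(" ", 1)[1]  # FAILED or PASSED
            if entry["outcome"] == "FAILED":
                # Only engine errors logged at or shortly before the verdict are attributed to it
                entry["engine_errors"] = [e["msg"] for e in engine_errs
                                          if 0 <= (r["ts"] - e["ts"]).total_seconds() <= window_s]
    for entry in sas.values():
        if entry["outcome"] == "FAILED":
            entry["cause"] = "crypto-engine" if entry["engine_errors"] else "other"
        else:
            entry["cause"] = "none"
    return sas


if __name__ == "__main__":
    for sa_id, e in sorted(triage(SAMPLE_DEBUG).items()):
        print(f"SA {sa_id}: outcome={e['outcome']} cause={e['cause']} trace={e['trace']}")
        for msg in e["engine_errors"]:
            print(f"    preceded by: {msg}")
```

Run against a real capture, a result of "crypto-engine" for every failing SA (as for SA 1 here) points at the engine rather than at certificates or proposals; a mix of "crypto-engine" and "other" suggests the engine is refusing work only intermittently, which is worth correlating with load or with the hardware-vs-software engine selection on the router.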
