
New Member

IKEv2 VPN based on Win7

I am working on my project according to this document (ID 115014):

(https://supportforums.cisco.com/document/98081/flexvpn-anyconnect-ios-headend-over-ipsec-ikev2-and-certificates)

Topo:

R887(IOS-CA,VPN SVR,)-----------Win7

My target is for Win7 to connect to R887.

Please help, this problem has bothered me for a long time.

My configuration is as below:


ikev2#show run

version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ikev2

enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
no aaa new-model
memory-size iomem 10
clock timezone CHN 8 0
service-module wlan-ap 0 bootimage autonomous
!
crypto pki server CISCO
 database level complete
 database archive pem password 7 014254570F0A040C05
 issuer-name cn=ikev2CA.bpunicom.com, ou=bpunicom, o=bpunicom
 grant auto rollover ca-cert
 grant auto
 eku server-auth client-auth
!
crypto pki trustpoint CISCO
 revocation-check crl
 rsakeypair CISCO
!
crypto pki trustpoint C887
 enrollment url http://172.16.16.200:80
 serial-number
 fqdn ikev2router.bpunicom.com
 subject-name cn=ikev2router.bpunicom.com, ou=bpunicom, o=bpunicom
 revocation-check none
!
crypto pki trustpoint client-1
 enrollment url http://172.16.16.200:80
 serial-number
 ip-address 172.16.16.202
 subject-name cn=client1.bpunicom.com, ou=bpunicom, o=bpunicom
 revocation-check none
!
crypto pki trustpoint TP-self-signed-192633376
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-192633376
 revocation-check none
 rsakeypair TP-self-signed-192633376
!
crypto pki trustpoint client1
 enrollment url http://172.16.16.200:80
 serial-number
 fqdn client1
 ip-address 120.85.132.108
 subject-name cn=client1, ou=bpunicom, o=bpunicom
 revocation-check none
 rsakeypair client-1
!
crypto pki certificate map camap 10
 subject-name co o = bpunicom
!
crypto pki certificate chain CISCO
 certificate ca 01
        quit
crypto pki certificate chain C887
 certificate ca 01
        quit
crypto pki certificate chain client-1
 certificate ca 01
        quit
crypto pki certificate chain TP-self-signed-192633376
 certificate self-signed 03
        quit
crypto pki certificate chain client1
 certificate ca 01
        quit
!
ip domain name bpunicom.com
ip host ikev2router.bpunicom.com 120.85.132.109
ip name-server 120.85.132.109
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
username cisco password 0 cisco
!
crypto ikev2 authorization policy authorpolicy
 pool ikev2pool
!
crypto ikev2 proposal ikev2proposal
 encryption 3des aes-cbc-128
 integrity sha1
 group 5 2
!
crypto ikev2 policy ikev2policy
 match fvrf any
 proposal ikev2proposal
!
!
crypto ikev2 profile ikev2profile
 match identity remote fqdn client-1
 match identity remote address 0.0.0.0
 match certificate camap
 identity local fqdn ikev2router.bpunicom.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint C887
 aaa authorization group cert list ikev2proposal authorpolicy
 virtual-template 1
!
no crypto ikev2 http-url cert
!
!
controller Cellular 0
!
crypto ipsec transform-set transform esp-3des esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile ipsecprofile
 set transform-set transform
 set ikev2-profile ikev2profile
!

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
!
interface Vlan1
 ip address 172.16.16.200 255.255.192.0
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 120.85.132.109 255.255.255.248
!
ip local pool ikev2pool 172.16.0.100 172.16.0.200
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip dns server
!
line vty 0 4
 login local
 transport input all
!
ntp update-calendar
ntp server 172.16.0.10
!

The error messages are as below:

Apr 22 08:47:33.839: IKEv2:(SA ID = 1):Verify SA init message
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):Insert SA
Apr 22 08:47:33.839: IKEv2:Searching Policy with fvrf 0, local address 120.85.132.109
Apr 22 08:47:33.839: IKEv2:Found Policy 'ikev2policy'
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'client1'   'TP-self-signed-192633376'   'client-1'   'C887'   'CISCO'  
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Apr 22 08:47:33.839: CRYPTO_PKI: (9001B) Session started - identity not specified
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):Request queued for computation of DH key
Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
Apr 22 08:47:33.839: crypto_engine: Create DH shared secret
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):Request queued for computation of DH secret
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Apr 22 08:47:34.215: crypto_engine: Create IKEv2 SA
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Apr 22 08:47:34.215: crypto engine: deleting DH phase 2 SW:32
Apr 22 08:47:34.215: crypto_engine: Delete DH shared secret
Apr 22 08:47:34.215: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   3DES   SHA1   SHA96   DH_GROUP_1024_MODP/Group 2
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'client1'   'TP-self-signed-192633376'   'client-1'   'C887'   'CISCO'  
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

Apr 22 08:47:34.215: IKEv2:(SA ID = 1):Sending Packet [To 120.85.132.108:500/From 120.85.132.109:500/VRF i0:f0]
Initiator SPI : FF634AEDDD4319AA - Responder SPI : FE6CB2D206A07741 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ

Apr 22 08:47:34.219: IKEv2:(SA ID = 1):Completed SA init exchange
Apr 22 08:47:34.219: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message[OK]
ikev2#
Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Failed to receive the AUTH msg before the timer expired

Apr 22 08:48:04.220: IKEv2:(SA ID = 1):
Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Auth exchange failed
Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Auth exchange failed

Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Auth exchange failed
Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Abort exchange
Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Deleting SA
Apr 22 08:48:04.220: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Apr 22 08:48:04.220: CRYPTO_PKI: Rcvd request to end PKI session 9001B.
Apr 22 08:48:04.220: CRYPTO_PKI: PKI session 9001B has ended. Freeing all resources.
Apr 22 08:48:04.220: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Apr 22 08:48:04.220: crypto engine: deleting IKEv2 SA SW:26
Apr 22 08:48:04.220: crypto_engine: Delete IKEv2 SA

Apr 22 08:48:42.209: IKEv2:Received Packet [From 120.85.132.108:500/To 120.85.132.109:500/VRF i0:f0]
Initiator SPI : CA4B3C4B2CB58F53 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

5 REPLIES
Hall of Fame Super Silver

I suspect your client certificate isn't being accepted for authentication (and would not pass subsequent authorization) based on these debug lines:

Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Failed to receive the AUTH msg before the timer expired

Apr 22 08:48:04.220: IKEv2:(SA ID = 1):
Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Auth exchange failed

The profile specifies rsa-sig as the authentication method and an aaa authorization method, yet you have "no aaa new-model".
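The reply above reads the failure straight from the debug. As an added example (not code from this post, the poster, or Cisco), the Python script below parses the 'debug crypto ikev2' line format shown in this thread, rebuilds the packets the router logged, and reports whether the initiator never sent IKE_AUTH after the CERTREQ (the pattern in this thread) or IKE_AUTH arrived and the responder rejected it; the sample logs, addresses and SPIs are constructed.

```python
# Added triage helper for Cisco 'debug crypto ikev2' output (not code from the
# original post or from Cisco). Sample logs are constructed to mirror the
# thread's format; addresses and SPIs in them are made up.
import re

TS_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d\.\d+: (?P<msg>.*)$")
PKT_RE = re.compile(r"IKEv2:(?:\(SA ID = \d+\):)?(?P<dir>Received|Sending) Packet "
                    r"\[(?:From|To) (?P<peer>[\d.]+):\d+/")
EXCH_RE = re.compile(r"^IKEv2 (?P<exch>\S+) Exchange (?P<kind>REQUEST|RESPONSE)$")
TP_RE = re.compile(r"Retrieved trustpoint\(s\): (?P<list>.*)$")

# What each verdict means from the responder's side (the router running the debug).
HINTS = {
    "stalled_before_auth": "IKE_SA_INIT answered (CERTREQ sent) but no IKE_AUTH arrived; "
        "responder-side identity/certificate/AAA checks never ran, so check the "
        "initiator's certificate and whether it chains to a CA named in CERTREQ",
    "auth_rejected_by_responder": "IKE_AUTH arrived and was rejected; check the profile's "
        "match identity/certificate rules, pki trustpoint and aaa authorization list",
    "no_failure_seen": "no IKEv2 failure message in this capture",
}

def parse_packets(lines):
    """One dict per 'Received/Sending Packet' block: direction, peer, exchange, payloads."""
    packets, cur, prev = [], None, ""
    for raw in lines:
        line = raw.rstrip()
        m = TS_RE.match(line)
        msg = m.group("msg") if m else line      # strip the timestamp prefix
        pm, em = PKT_RE.search(msg), EXCH_RE.match(msg)
        if pm:                                   # header line opens a packet block
            cur = {"dir": pm.group("dir"), "peer": pm.group("peer"),
                   "exchange": None, "kind": None, "payloads": []}
            packets.append(cur)
        elif not line:                           # blank line closes the block
            cur = None
        elif cur and em:
            cur["exchange"], cur["kind"] = em.group("exch"), em.group("kind")
        elif cur and prev == "Payload contents:":  # payload names follow on the next line
            cur["payloads"] = msg.split()
        prev = msg
    return packets

def triage(lines):
    """Classify where the negotiation stopped and return the evidence behind it."""
    packets = parse_packets(lines)
    text = "\n".join(lines)
    timed_out = "Failed to receive the AUTH msg before the timer expired" in text
    auth_failed = "Auth exchange failed" in text
    auth_received = any(p["dir"] == "Received" and p["exchange"] == "IKE_AUTH"
                        for p in packets)
    certreq_sent = any(p["dir"] == "Sending" and p["exchange"] == "IKE_SA_INIT"
                       and "CERTREQ" in p["payloads"] for p in packets)
    tp = next((TP_RE.search(ln) for ln in lines if TP_RE.search(ln)), None)
    trustpoints = re.findall(r"'([^']+)'", tp.group("list")) if tp else []
    verdict = ("stalled_before_auth" if timed_out and not auth_received else
               "auth_rejected_by_responder" if auth_received and auth_failed else
               "no_failure_seen")
    return {"packets": [(p["dir"], p["exchange"], p["kind"]) for p in packets],
            "certreq_sent": certreq_sent, "auth_received": auth_received,
            "trustpoints": trustpoints, "verdict": verdict, "hint": HINTS[verdict]}

# Constructed sample reproducing the thread's pattern: the initiator never sends IKE_AUTH.
STALLED_LOG = """\
Apr 22 08:47:33.835: IKEv2:Received Packet [From 192.0.2.10:500/To 192.0.2.1:500/VRF i0:f0]
Initiator SPI : 0011223344556677 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Apr 22 08:47:33.839: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'client1'   'C887'   'CISCO'
Apr 22 08:47:34.215: IKEv2:(SA ID = 1):Sending Packet [To 192.0.2.10:500/From 192.0.2.1:500/VRF i0:f0]
Initiator SPI : 0011223344556677 - Responder SPI : 8899AABBCCDDEEFF Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ

Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Failed to receive the AUTH msg before the timer expired
Apr 22 08:48:04.220: IKEv2:(SA ID = 1):Auth exchange failed
""".splitlines()

# Constructed contrast case: IKE_AUTH does arrive and the responder rejects it.
REJECTED_LOG = STALLED_LOG[:13] + """\
Apr 22 08:47:35.001: IKEv2:(SA ID = 1):Received Packet [From 192.0.2.10:500/To 192.0.2.1:500/VRF i0:f0]
Initiator SPI : 0011223344556677 - Responder SPI : 8899AABBCCDDEEFF Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi CERT CERTREQ AUTH SA TSi TSr
Apr 22 08:47:35.010: IKEv2:(SA ID = 1):Auth exchange failed
""".splitlines()

for _name, _log in (("stalled", STALLED_LOG), ("rejected", REJECTED_LOG)):
    print(_name, triage(_log)["verdict"], triage(_log)["hint"], sep=": ")
```

Feed it the real debug output (one line per list element) in place of the constructed samples; the verdict tells you which side of the exchange to look at before touching the router's profile.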

New Member

I only want R887 and Win7 to both use certificate authentication.

Can I delete this configuration: "aaa authorization group cert list ikev2proposal authorpolicy"?


"CRYPTO_PKI: (9001B) Session started - identity not specified"

What does this message mean?

Hall of Fame Super Silver

I'm not sure about that specific debug message.

For aaa I would suggest setting up aaa new-model and defining your list to use the local method. Something like what is shown in the Cisco example "Configuring IKEv2 RA Server for Group Authorization (Local AAA)" in the linked document.

New Member

Following your advice, I re-configured the router and the debug message is as below:

ikev2#

Apr 25 07:06:16.496: IKEv2:Received Packet [From 120.85.132.108:500/To 120.85.132.109:500/VRF i0:f0]
Initiator SPI : FB4B91A3C5B16329 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Apr 25 07:06:16.496: IKEv2:(SA ID = 1):Verify SA init message
Apr 25 07:06:16.496: IKEv2:(SA ID = 1):Insert SA
Apr 25 07:06:16.496: IKEv2:Searching Policy with fvrf 0, local address 120.85.132.109
Apr 25 07:06:16.496: IKEv2:Found Policy 'ikev2policy'
Apr 25 07:06:16.496: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
Apr 25 07:06:16.496: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Apr 25 07:06:16.500: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'client1'   'CISCO'   'C887'  
Apr 25 07:06:16.500: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Apr 25 07:06:16.500: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Apr 25 07:06:16.500: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Apr 25 07:06:16.500: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Apr 25 07:06:16.500: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
Apr 25 07:06:16.500: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 25 07:06:16.500: IKEv2:(SA ID = 1):Request queued for computation of DH key
Apr 25 07:06:16.500: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
Apr 25 07:06:16.528: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Apr 25 07:06:16.528: IKEv2:(SA ID = 1):Request queued for computation of DH secret
Apr 25 07:06:16.528: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Apr 25 07:06:16.528: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Apr 25 07:06:16.528: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Apr 25 07:06:16.532: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
Apr 25 07:06:16.532: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   3DES   SHA1   SHA96   DH_GROUP_1024_MODP/Group 2
Apr 25 07:06:16.532: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Apr 25 07:06:16.532: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'client1'   'CISCO'   'C887'  
Apr 25 07:06:16.532: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Apr 25 07:06:16.532: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

Apr 25 07:06:16.532: IKEv2:(SA ID = 1):Sending Packet [To 120.85.132.108:500/From 120.85.132.109:500/VRF i0:f0]
Initiator SPI : FB4B91A3C5B16329 - Responder SPI : 55B53C77CE0FF8EB Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ

Apr 25 07:06:16.532: IKEv2:(SA ID = 1):Completed SA init exchange
Apr 25 07:06:16.532: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
Apr 25 07:06:46.534: IKEv2:(SA ID = 1):Failed to receive the AUTH msg before the timer expired

Apr 25 07:06:46.534: IKEv2:(SA ID = 1):
Apr 25 07:06:46.534: IKEv2:(SA ID = 1):Auth exchange failed
Apr 25 07:06:46.534: IKEv2:(SA ID = 1):Auth exchange failed

Apr 25 07:06:46.534: IKEv2:(SA ID = 1):Auth exchange failed
Apr 25 07:06:46.534: IKEv2:(SA ID = 1):Abort exchange
Apr 25 07:06:46.534: IKEv2:(SA ID = 1):Deleting SA
Apr 25 07:06:46.534: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Apr 25 07:06:46.534: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

There are some related photos of the certificate in the attachment.

The 2 certificates in the attachment were exported with the "crypto pki export client1 pem url tftp" command, and then I installed them on the Win7 machine.

config:

ikev2#show run
Building configuration...

Current configuration : 11316 bytes
!
! No configuration change since last restart
! NVRAM config last updated at 15:01:44 CHN Fri Apr 25 2014 by cisco
! NVRAM config last updated at 15:01:44 CHN Fri Apr 25 2014 by cisco
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ikev2
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
!
aaa authorization network local-group-auth-list local
!
aaa session-id common
memory-size iomem 10
clock timezone CHN 8 0
service-module wlan-ap 0 bootimage autonomous
!
crypto pki server CISCO
 database level complete
 database archive pem password 7 135445415F0D06290F
 issuer-name cn=ikev2CA.bpunicom.com, ou=bpunicom, o=bpunicom
 grant auto rollover ca-cert
 grant auto
 eku server-auth client-auth
!
crypto pki trustpoint C887
 enrollment url http://172.16.16.200:80
 serial-number
 fqdn ikev2router.bpunicom.com
 subject-name cn=ikev2router.bpunicom.com, ou=bpunicom, o=bpunicom
 revocation-check none
!
crypto pki trustpoint CISCO
 revocation-check crl
 rsakeypair CISCO
!
crypto pki trustpoint client1
 enrollment url http://172.16.16.200:80
 serial-number
 fqdn client1
 subject-name cn=client1, ou=bpunicom, o=bpunicom
 revocation-check none
 rsakeypair client1
!
crypto pki certificate map camap 10
 subject-name co o = bpunicom
!
crypto pki certificate chain C887
 certificate 02
        quit
 certificate ca 01
        quit
crypto pki certificate chain CISCO
 certificate ca 01
        quit
crypto pki certificate chain client1
 certificate 03
        quit
 certificate ca 01
        quit
!
ip domain name bpunicom.com
ip host ikev2router.bpunicom.com 120.85.132.109
ip host ca 120.85.132.109
ip name-server 120.85.132.109
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
username cisco privilege 15 password 0 cisco
!
crypto ikev2 authorization policy authorpolicy
 pool ikev2pool
!
crypto ikev2 proposal ikev2proposal
 encryption 3des aes-cbc-128
 integrity sha1
 group 5 2
!        
crypto ikev2 policy ikev2policy
 proposal ikev2proposal
!
!
crypto ikev2 profile ikev2profile
 match identity remote fqdn client1
 match identity remote address 0.0.0.0
 match certificate camap
 identity local fqdn ikev2router.bpunicom.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint C887
 aaa authorization group cert list local-group-auth-list authorpolicy
 virtual-template 1
!
no crypto ikev2 http-url cert
!
!
controller Cellular 0
!
crypto ipsec transform-set transform esp-3des esp-sha-hmac
 mode tunnel
!
!
crypto ipsec profile ipsecprofile
 set transform-set transform
 set ikev2-profile ikev2profile
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsecprofile
!
!
interface Vlan1
 ip address 172.16.16.200 255.255.192.0
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 120.85.132.109 255.255.255.248
!
ip local pool ikev2pool 172.16.0.100 172.16.0.200
ip forward-protocol nd
ip http server
no ip http secure-server
!        
!
control-plane
!
ntp update-calendar
ntp server 172.16.0.10
!
end

New Member

Hi zengkai1988,

Did you find a solution for this issue?
