Goal: Use ASA to support native VPN clients for RA on current versions of Android, Windows 10/11 (and possibly others) using supported types such as IKEv2/IPSec+EAP/MSCHAPv2 for authentication.
An ASA (ASA5516/9.12) is currently used for IKEv1/L2TP Remote Access and IKEv1/IPSec L2Ls, working fine. It now needs to support IKEv2/IPSec for RA, as Android has removed support for L2TP (others will likely follow). If possible, I would like to avoid using AnyConnect, SSL-based or any non-free client software. I would also like to use the existing local usernames on the ASA for authentication, as is done now with IKEv1/L2TP, though (as far as I can tell) certificates are also required for IKEv2. Finally, IKEv1/L2TP and IKEv1/IPSec L2L also need to continue to work.
I have not found online references or articles that specifically address this use case, though this one, which describes IKEv2/EAP RA with the Windows native client, is the closest (however, the configuration examples are a bit incomplete). This one covers IKEv2 RA, but is for IOS.
Short version:
There is a CA certificate and a cert for both the ASA and an Android client. Using the native client with IKEv2/IPSec MSCHAPv2, it gets as far as "Failed to locate an item in the database". My understanding of this is that it is failing to match the client to a tunnel-group, though there is both a tunnel group called VPNGRP and DefaultRAGroup (which I assumed it would fall through to in this case). I had thought that ikev2 remote-authentication eap query-identity would use EAP/PEAP/MSCHAPv2 as the peer's ID.
Here is the ASA debug for the point where it fails:
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-7: (143): Received valid parameteres in process id
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (143): Searching policy based on peer's identity 'VPNGRP' of type 'key ID'
IKEv2-PROTO-2: (143): Failed to locate an item in the database
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-4: (143): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (143): Sending authentication failure notify
IKEv2-PROTO-7: Construct Notify Payload: AUTHENTICATION_FAILEDIKEv2-PROTO-4: (143): Building packet for encryption.
Also, using a Windows native client, the peer identity type that it tries to match is IPv4 address, which presents the LAN address of the machine's adapter (not very helpful). I have tried peer-id-validate nocheck, isakmp identity key-id and auto, and it does not change the error.
I believe the real issue is that I have reached the limits of my understanding of this configuration and I am just not able to find any good references that explain how this particular use case might work. I may also be misunderstanding the role of the certificate in this configuration. I had thought that in this case it would replace the use of a pre-shared-key string while continuing to allow local/CHAP credentials to permit access for a specific user... this may be an incorrect assumption too.
Any suggestions or clarifications would be most appreciated. Thanks!
TL;DR:
Relevant ASA config:
ASA Version 9.12(4)58
!
hostname host
domain-name foo.local
access-list acl_vpn_split extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto ipsec ikev1 transform-set set_aes-256-hmac esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set set_aes-256-hma_trans esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set set_aes-256-hma_trans mode transport
crypto ipsec ikev2 ipsec-proposal AESSHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec profile VPNGRP
 set ikev2 ipsec-proposal AES256
 set trustpoint TP
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map cdm_vpnclient 10 set ikev1 transform-set set_aes-256-hmac set_aes-256-hma_trans
crypto dynamic-map cdm_vpnclient 10 set ikev2 ipsec-proposal AESSHA256 AES256 AES192
crypto map cm_outside 65535 ipsec-isakmp dynamic cdm_vpnclient
crypto map cm_outside interface outside
crypto ca trustpoint TP
 enrollment terminal
 subject-name CN=host.foo.local, ...
 crl configure
crypto ca trustpool policy
crypto ca certificate chain TP
 certificate 02
    ********
  quit
 certificate ca *
    ********
  quit
crypto isakmp nat-traversal 30
crypto ikev2 policy 9
 encryption aes-256
 integrity sha256
 group 24
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 11
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint TP
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
group-policy VPNGRP internal
group-policy VPNGRP attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_vpn_split
 intercept-dhcp enable
dynamic-access-policy-record DfltAccessPolicy
tunnel-group DefaultRAGroup general-attributes
 address-pool pool_vpn
 authentication-server-group (outside) LOCAL
 default-group-policy VPNGRP
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate TP
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group VPNGRP type remote-access
tunnel-group VPNGRP general-attributes
 address-pool pool_vpn
 authentication-server-group (outside) LOCAL
 default-group-policy VPNGRP
tunnel-group VPNGRP ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate TP
username user password * nt-encrypted
username user2 password * encrypted
Full ASA debug:
IKEv2-PROTO-4: Received Packet [From 100.100.100.100:3316/To 200.200.200.200:500/VRF i0:f0]
Initiator SPI : 324F9A17F65A53FE - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 652
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 244
last proposal: 0x2, reserved: 0x0, length: 136
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP_256_PRIME/Group 24
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
last proposal: 0x0, reserved: 0x0, length: 104
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 11 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP_256_PRIME/Group 24
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
KE Next payload: N, reserved: 0x0, length: 264
DH group: 24, Reserved: 0x0
28 6b 52 84 a9 50 f8 6e d2 fa 81 f7 3a d5 9a c8
d4 af 3b a4 e6 78 91 4e 60 64 8a 45 9b 36 46 e3
N Next payload: NOTIFY, reserved: 0x0, length: 36
4c 21 c2 5d 36 15 f2 7c 80 4e c8 42 96 eb 30 41
5c 60 1f dd 4b 6e 6e 82 2b 9d aa 73 68 32 bb 6c
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
c3 a2 2b 52 02 39 ed c4 d5 14 96 72 ce 1c eb 73
97 d4 02 11
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
ad 5c fb 61 2c 9c 3f 94 0a b2 7f 7e da cc 70 7c
bc e1 58 e5
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16431 NOTIFY(Unknown - 16431) Next payload: NOTIFY, reserved: 0x0, length: 16
Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
00 02 00 03 00 04 00 05
IKEv2-PROTO-7: Parse Notify Payload: REDIRECT_SUPPORTED NOTIFY(REDIRECT_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: REDIRECT_SUPPORTED
Decrypted packet:Data: 652 bytes
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_RECV_INIT
IKEv2-PROTO-4: (143): Checking NAT discovery
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK_REDIRECT
IKEv2-PROTO-7: (143): Redirect check is not needed, skipping it
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK_CAC
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK_COOKIE
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK4_COOKIE_NOTIFY
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (143): Verify SA init message
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (143): Insert SA
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (143): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (143): Process NAT discovery notify
IKEv2-PROTO-7: (143): Processing nat detect src notify
IKEv2-PROTO-7: (143): Remote address not matched
IKEv2-PROTO-7: (143): Processing nat detect dst notify
IKEv2-PROTO-7: (143): Local address matched
IKEv2-PROTO-7: (143): Host is located NAT outside
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (143): Setting configured policies
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_PKI_SESH_OPEN
IKEv2-PROTO-7: (143): Opening a PKI session
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (143): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 24
IKEv2-PROTO-4: (143): Request queued for computation of DH key
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (143): Action: Action_Null
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (143): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 24
IKEv2-PROTO-4: (143): Request queued for computation of DH secret
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (143): Action: Action_Null
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (143): Generate skeyid
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (143): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (143): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(143): AES-CBC(143): SHA1(143): SHA256(143): DH_GROUP_2048_MODP_256_PRIME/Group 24IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(143):
IKEv2-PROTO-4: (143): Sending Packet [To 100.100.100.100:3316/From 200.200.200.200:500/VRF i0:f0]
(143): Initiator SPI : 324F9A17F65A53FE - Responder SPI : 80B091E1278E373F Message id: 0
(143): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (143): Next payload: SA, version: 2.0 (143): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (143): Message id: 0, length: 599(143):
Payload contents:
(143): SA(143): Next payload: KE, reserved: 0x0, length: 48
(143): last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(143): last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
(143): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
(143): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
(143): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP_256_PRIME/Group 24
(143): KE(143): Next payload: N, reserved: 0x0, length: 264
(143): DH group: 24, Reserved: 0x0
(143):
(143): 38 34 e5 68 3d fd b0 24 d8 04 01 e9 44 7e 13 02
(143): 35 95 24 e7 9f 66 d8 b3 27 69 4f 2c 14 a3 d2 27
(143): f7 84 14 a6 fb 26 ad 6f de 17 1b 85 f4 5d 62 a1
(143): N(143): Next payload: VID, reserved: 0x0, length: 68
(143):
(143): VID(143): Next payload: VID, reserved: 0x0, length: 23
(143):
(143): 43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(143): 53 4f 4e
(143): VID(143): Next payload: NOTIFY, reserved: 0x0, length: 59
(143):
(143): 43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
(143): NOTIFY(NAT_DETECTION_SOURCE_IP)(143): Next payload: NOTIFY, reserved: 0x0, length: 28
(143): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(143):
(143): e1 01 3d b1 46 f4 da 9c 34 97 15 7e 8e 23 a5 0c
(143): 76 cf 0a 75
(143): NOTIFY(NAT_DETECTION_DESTINATION_IP)(143): Next payload: CERTREQ, reserved: 0x0, length: 28
(143): Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(143):
(143): fe d5 1f 3b 6e f2 ed 39 46 84 02 b1 ed 95 ab 6b
(143): 7a fc d3 15
(143): CERTREQ(143): Next payload: NOTIFY, reserved: 0x0, length: 25
(143): Cert encoding X.509 Certificate - signature
(143): CertReq data: 20 bytes
(143): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(143): Next payload: VID, reserved: 0x0, length: 8
(143): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(143): VID(143): Next payload: NONE, reserved: 0x0, length: 20
(143):
(143): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(143):
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-4: (143): Completed SA init exchange
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_START_TMR
IKEv2-PROTO-4: (143): Starting timer (30 sec) to wait for auth message
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (143): Request has mess_id 1; expected 1 through 1
(143):
IKEv2-PROTO-4: (143): Received Packet [From 100.100.100.100:3318/To 200.200.200.200:500/VRF i0:f0]
(143): Initiator SPI : 324F9A17F65A53FE - Responder SPI : 80B091E1278E373F Message id: 1
(143): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (143): Next payload: ENCR, version: 2.0 (143): Exchange type: IKE_AUTH, flags: INITIATOR (143): Message id: 1, length: 368(143):
Payload contents:
IKEv2-PROTO-4: decrypt queued(143):
(143): Decrypted packet:(143): Data: 368 bytes
(143): REAL Decrypted packet:(143): Data: 299 bytes
IDi Next payload: CERTREQ, reserved: 0x0, length: 14
Id type: key ID, Reserved: 0x0 0x0
70 74 6e 6f 69 72
CERTREQ Next payload: CFG, reserved: 0x0, length: 25
Cert encoding X.509 Certificate - signature
CertReq data: 20 bytes
CFG Next payload: SA, reserved: 0x0, length: 16
cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0
attrib type: internal IP4 address, length: 0
attrib type: internal IP4 DNS, length: 0
SA Next payload: TSi, reserved: 0x0, length: 124
last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
last proposal: 0x0, reserved: 0x0, length: 76
Proposal: 2, Protocol id: ESP, SPI size: 4, #trans: 7 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 0.0.0.0, end addr: 255.255.255.255
IKEv2-PROTO-7: Parse Notify Payload: MOBIKE_SUPPORTED NOTIFY(MOBIKE_SUPPORTED) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: MOBIKE_SUPPORTED
IKEv2-PROTO-7: Parse Notify Payload: ADDITIONAL_IPV6_ADDRESS NOTIFY(ADDITIONAL_IPV6_ADDRESS) Next payload: NOTIFY, reserved: 0x0, length: 24
Security protocol id: Unknown - 0, spi size: 0, type: ADDITIONAL_IPV6_ADDRESS
26 00 10 09 11 10 c4 d0 00 00 00 00 63 b2 fa 7d
IKEv2-PROTO-7: Parse Notify Payload: ADDITIONAL_IPV6_ADDRESS NOTIFY(ADDITIONAL_IPV6_ADDRESS) Next payload: NOTIFY, reserved: 0x0, length: 24
Security protocol id: Unknown - 0, spi size: 0, type: ADDITIONAL_IPV6_ADDRESS
26 00 10 09 b1 87 18 f6 05 d9 4c e6 04 fb 59 56
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16417 NOTIFY(Unknown - 16417) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16420 NOTIFY(Unknown - 16420) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-4: (143): Stopping timer to wait for auth message
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (143): Checking NAT discovery
IKEv2-PROTO-4: (143): NAT OUTSIDE found
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHG_NAT_T_PORT
IKEv2-PROTO-4: (143): NAT detected float to init port 3318, resp port 4500
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-7: (143): Received valid parameteres in process id
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (143): Searching policy based on peer's identity 'VPNGRP' of type 'key ID'
IKEv2-PROTO-2: (143): Failed to locate an item in the database
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-4: (143): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (143): Sending authentication failure notify
IKEv2-PROTO-7: Construct Notify Payload: AUTHENTICATION_FAILEDIKEv2-PROTO-4: (143): Building packet for encryption.
(143):
Payload contents:
(143): NOTIFY(AUTHENTICATION_FAILED)(143): Next payload: NONE, reserved: 0x0, length: 8
(143): Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (143): Action: Action_Null
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_TRYSEND
(143):
IKEv2-PROTO-4: (143): Sending Packet [To 100.100.100.100:3318/From 200.200.200.200:4500/VRF i0:f0]
(143): Initiator SPI : 324F9A17F65A53FE - Responder SPI : 80B091E1278E373F Message id: 1
(143): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (143): Next payload: ENCR, version: 2.0 (143): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (143): Message id: 1, length: 80(143):
Payload contents:
(143): ENCR(143): Next payload: NOTIFY, reserved: 0x0, length: 52
(143): Encrypted data: 48 bytes
(143):
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-4: (143): Auth exchange failed
IKEv2-PROTO-2: (143): Auth exchange failed
IKEv2-PROTO-2: (143): Auth exchange failed
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (143): Abort exchange
IKEv2-PROTO-4: (143): Deleting SA
In the above, 100.100.100.100 is the client and 200.200.200.200 is the ASA.
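As an added triage helper, not part of the original post and not Cisco tooling: a small Python parser that reads responder-side ASA IKEv2 protocol debug (the IKEv2-PROTO-n lines quoted above), decodes the IDi bytes the ASA hex-dumps under "Id type:", and reports which identity type and value the policy lookup ran on and which notify the ASA sent back. This is exactly the spot where the trace above dies (policy search on the peer's identity, then "Failed to locate an item in the database", then AUTHENTICATION_FAILED). Both traces in the block are constructed samples modelled on the page's debug: the key-ID one reuses the page's SPIs and addresses but its IDi bytes are constructed to spell VPNGRP; the IPv4-address one illustrates the Windows native-client case the post describes but does not quote, with invented addresses. The decoding rule for identity types other than 'key ID' and 'IPv4 address' is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the IKE_AUTH portion of the ASA debug quoted above.
# SPIs and addresses copied from the page; the IDi hex bytes are constructed to spell "VPNGRP".
SAMPLE_KEYID = """\
IKEv2-PROTO-4: (143): Received Packet [From 100.100.100.100:3318/To 200.200.200.200:500/VRF i0:f0]
(143): Initiator SPI : 324F9A17F65A53FE - Responder SPI : 80B091E1278E373F Message id: 1
IDi Next payload: CERTREQ, reserved: 0x0, length: 14
Id type: key ID, Reserved: 0x0 0x0
56 50 4e 47 52 50
IKEv2-PROTO-4: (143): Searching policy based on peer's identity 'VPNGRP' of type 'key ID'
IKEv2-PROTO-2: (143): Failed to locate an item in the database
IKEv2-PROTO-4: (143): Verification of peer's authentication data FAILED
IKEv2-PROTO-7: Construct Notify Payload: AUTHENTICATION_FAILEDIKEv2-PROTO-4: (143): Building packet for encryption.
"""

# Constructed: the Windows native-client case the post describes (IDi of type 'IPv4 address'
# carrying the adapter's LAN address). The page does not quote such a trace; values are invented.
SAMPLE_IPV4 = """\
IKEv2-PROTO-4: (144): Received Packet [From 100.100.100.101:4500/To 200.200.200.200:4500/VRF i0:f0]
IDi Next payload: CERTREQ, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
c0 a8 01 2a
IKEv2-PROTO-4: (144): Searching policy based on peer's identity '192.168.1.42' of type 'IPv4 address'
IKEv2-PROTO-2: (144): Failed to locate an item in the database
IKEv2-PROTO-4: (144): Verification of peer's authentication data FAILED
IKEv2-PROTO-7: Construct Notify Payload: AUTHENTICATION_FAILED
"""

_RE_PKT = re.compile(r"\((\d+)\): Received Packet \[From (\S+?)/To (\S+?)/")
_RE_IDTYPE = re.compile(r"^Id type: (.+?), Reserved")
_RE_HEX = re.compile(r"^(?:[0-9a-f]{2} ?)+$")
_RE_POLICY = re.compile(r"Searching policy based on peer's identity '(.*?)' of type '(.*?)'")
# The notify name can be fused with the next debug line, so stop at "IKEv2-", whitespace or end.
_RE_NOTIFY = re.compile(r"Construct Notify Payload: ([A-Z_]+?)(?=IKEv2-|\s|$)")


@dataclass
class AuthTriage:
    sa: Optional[str] = None             # ASA's per-SA counter, e.g. "143"
    peer: Optional[str] = None           # initiator ip:port as seen by the ASA
    idi_type: Optional[str] = None       # IDi type as printed by the ASA
    idi_raw: bytes = b""                 # IDi bytes as hex-dumped by the ASA
    idi_value: Optional[str] = None      # decoded form of idi_raw
    lookup_identity: Optional[str] = None
    lookup_type: Optional[str] = None
    policy_found: Optional[bool] = None  # None = no lookup seen in the trace
    auth_failed: bool = False
    notify: Optional[str] = None         # notify the ASA constructed in reply


def decode_idi(id_type: str, raw: bytes) -> str:
    """Render the IDi bytes the way the ASA prints them in the policy-search line.

    Only 'key ID' and 'IPv4 address' are type names taken from the page; treating any other
    all-printable payload as ASCII and everything else (e.g. a DER DN) as hex is an assumption."""
    if id_type == "IPv4 address" and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return raw.hex()


def triage_ike_auth(debug: str) -> AuthTriage:
    """Walk one IKE_AUTH trace and pull out what the responder matched on and how it answered."""
    t = AuthTriage()
    in_idi_hex = False
    for line in debug.splitlines():
        line = line.strip()
        if in_idi_hex:
            if _RE_HEX.match(line):
                t.idi_raw += bytes.fromhex(line.replace(" ", ""))
                continue
            in_idi_hex = False                       # first non-hex line ends the dump
            t.idi_value = decode_idi(t.idi_type, t.idi_raw)
        m = _RE_PKT.search(line)
        if m:
            t.sa, t.peer = m.group(1), m.group(2)
            continue
        m = _RE_IDTYPE.match(line)
        if m:
            t.idi_type, t.idi_raw, in_idi_hex = m.group(1), b"", True
            continue
        m = _RE_POLICY.search(line)
        if m:
            t.lookup_identity, t.lookup_type = m.group(1), m.group(2)
            t.policy_found = True                    # flipped if the next lines say otherwise
            continue
        if "Failed to locate an item in the database" in line:
            t.policy_found = False
        if "Verification of peer's authentication data FAILED" in line:
            t.auth_failed = True
        m = _RE_NOTIFY.search(line)
        if m:
            t.notify = m.group(1)
    if in_idi_hex:                                   # trace ended inside the hex dump
        t.idi_value = decode_idi(t.idi_type, t.idi_raw)
    return t


def summarize(t: AuthTriage) -> str:
    """One line for the responder-side troubleshooter: what was matched, and what came back."""
    if t.policy_found is False:
        return (f"SA {t.sa} from {t.peer}: IDi type {t.idi_type!r} = {t.idi_value!r} "
                f"matched no policy; ASA replied {t.notify}")
    if t.auth_failed:
        return f"SA {t.sa} from {t.peer}: policy matched but peer auth failed; ASA replied {t.notify}"
    return f"SA {t.sa} from {t.peer}: IDi type {t.idi_type!r} = {t.idi_value!r}, policy matched"


if __name__ == "__main__":
    for sample in (SAMPLE_KEYID, SAMPLE_IPV4):
        print(summarize(triage_ike_auth(sample)))
```

Run it against a saved debug capture to confirm from the raw IDi bytes exactly which identity (and of which type) each client sent before changing tunnel-group names or client identity settings; the decoded value is the same string the ASA prints in its "Searching policy based on peer's identity" line, so a mismatch between the two is itself worth noting.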