
Cisco ASA IKEv2+IPSec Remote Access VPN


Goal: Use ASA to support native VPN clients for RA on current versions of Android, Windows 10/11 (and possibly others) using supported types such as IKEv2/IPSec+EAP/MSCHAPv2 for authentication.

An ASA (ASA5516/9.12) is currently used for IKEv1/L2TP Remote Access and IKEv1/IPSec L2Ls, working well. It now needs to support IKEv2/IPSec for RA, as Android has removed support for L2TP (others will likely follow). If possible, I want to avoid using AnyConnect, SSL-based or any non-free client software. I would also like to use the existing local usernames on the ASA for authentication, as is done now with IKEv1/L2TP, though (as far as I can tell) certificates are also required for IKEv2. Finally, IKEv1/L2TP and IKEv1/IPSec L2L also need to continue to work.

I have not found online references or articles that specifically address this use case, though this one, which describes IKEv2/EAP RA with the Windows native client, is the closest (however the configuration examples are a bit incomplete). This one covers IKEv2 RA, but is for IOS.

Short version:

There is a CA certificate and a cert for both the ASA and an Android client. Using the native client with IKEv2/IPSec MSCHAPv2, it gets as far as "Failed to locate an item in the database". My understanding of this is that it is failing to match the client to a tunnel-group – though there is both a tunnel group called VPNGRP and DefaultRAGroup (which I assumed it would fall through to in this case). I had thought that the ikev2 remote-authentication eap query-identity would use EAP/PEAP/MSCHAPv2 as the peer's ID.

Here is the ASA debug for the point where it fails:

IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-7: (143): Received valid parameteres in process id
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (143): Searching policy based on peer's identity 'VPNGRP' of type 'key ID'
IKEv2-PROTO-2: (143): Failed to locate an item in the database
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-4: (143): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (143): Sending authentication failure notify
IKEv2-PROTO-7: Construct Notify Payload: AUTHENTICATION_FAILEDIKEv2-PROTO-4: (143): Building packet for encryption.

Also, using a Windows native client, the peer identity type that it tries to match is IPv4 address, which presents the LAN address of the machine's adapter (not very useful). I have tried peer-id-validate nocheck and isakmp identity key-id and auto, and neither changes the error.

I believe the real issue is that I have reached the limits of my understanding of this configuration and I am just not able to find any good references that explain how this particular use case might work. I may also be misunderstanding the role of the certificates in this configuration – I had thought that in this case they would replace the use of a pre-shared-key string while continuing to allow local/CHAP credentials to enable access for a particular user… this may be an incorrect assumption too.

Any suggestions or clarifications would be most appreciated. Thanks!

TL;DR:

Relevant ASA config:

ASA Version 9.12(4)58 
!
hostname host
domain-name foo.local

access-list acl_vpn_split extended permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0 

crypto ipsec ikev1 transform-set set_aes-256-hmac esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set set_aes-256-hma_trans esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set set_aes-256-hma_trans mode transport

crypto ipsec ikev2 ipsec-proposal AESSHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5

crypto ipsec profile VPNGRP
 set ikev2 ipsec-proposal AES256
 set trustpoint TP
crypto ipsec security-association pmtu-aging infinite

crypto dynamic-map cdm_vpnclient 10 set ikev1 transform-set set_aes-256-hmac set_aes-256-hma_trans
crypto dynamic-map cdm_vpnclient 10 set ikev2 ipsec-proposal AESSHA256 AES256 AES192
crypto map cm_outside 65535 ipsec-isakmp dynamic cdm_vpnclient
crypto map cm_outside interface outside

crypto ca trustpoint TP
 enrollment terminal
 subject-name CN=host.foo.local, ...
 crl configure
crypto ca trustpool policy
crypto ca certificate chain TP
 certificate 02
  ********
  quit
 certificate ca *
  ********
  quit
 
crypto isakmp nat-traversal 30

crypto ikev2 policy 9
 encryption aes-256
 integrity sha256
 group 24
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 11
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint TP

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
 
group-policy VPNGRP internal
group-policy VPNGRP attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec 
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value acl_vpn_split
 intercept-dhcp enable

dynamic-access-policy-record DfltAccessPolicy

tunnel-group DefaultRAGroup general-attributes
 address-pool pool_vpn
 authentication-server-group (outside) LOCAL
 default-group-policy VPNGRP
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate TP
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2

tunnel-group VPNGRP type remote-access
tunnel-group VPNGRP general-attributes
 address-pool pool_vpn
 authentication-server-group (outside) LOCAL
 default-group-policy VPNGRP
tunnel-group VPNGRP ipsec-attributes
 ikev1 pre-shared-key *
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate TP

username user password * nt-encrypted
username user2 password * encrypted

Full ASA debug:

IKEv2-PROTO-4: Received Packet [From 100.100.100.100:3316/To 200.200.200.200:500/VRF i0:f0]
Initiator SPI : 324F9A17F65A53FE - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 652
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 244
  last proposal: 0x2, reserved: 0x0, length: 136
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP_256_PRIME/Group 24
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
  last proposal: 0x0, reserved: 0x0, length: 104
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 11    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP_256_PRIME/Group 24
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
 KE  Next payload: N, reserved: 0x0, length: 264
    DH group: 24, Reserved: 0x0

     28 6b 52 84 a9 50 f8 6e d2 fa 81 f7 3a d5 9a c8

     d4 af 3b a4 e6 78 91 4e 60 64 8a 45 9b 36 46 e3
 N  Next payload: NOTIFY, reserved: 0x0, length: 36

     4c 21 c2 5d 36 15 f2 7c 80 4e c8 42 96 eb 30 41
     5c 60 1f dd 4b 6e 6e 82 2b 9d aa 73 68 32 bb 6c
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     c3 a2 2b 52 02 39 ed c4 d5 14 96 72 ce 1c eb 73
     97 d4 02 11
IKEv2-PROTO-7: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     ad 5c fb 61 2c 9c 3f 94 0a b2 7f 7e da cc 70 7c
     bc e1 58 e5
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16431 NOTIFY(Unknown - 16431)  Next payload: NOTIFY, reserved: 0x0, length: 16
    Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0

     00 02 00 03 00 04 00 05
IKEv2-PROTO-7: Parse Notify Payload: REDIRECT_SUPPORTED NOTIFY(REDIRECT_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: REDIRECT_SUPPORTED

Decrypted packet:Data: 652 bytes
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_RECV_INIT
IKEv2-PROTO-4: (143): Checking NAT discovery
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK_REDIRECT
IKEv2-PROTO-7: (143): Redirect check is not needed, skipping it
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK_CAC
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK_COOKIE
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: IDLE Event: EV_CHK4_COOKIE_NOTIFY
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-4: (143): Verify SA init message
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_INSERT_SA
IKEv2-PROTO-4: (143): Insert SA
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_PROC_MSG
IKEv2-PROTO-4: (143): Processing IKE_SA_INIT message
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-7: (143): Process NAT discovery notify
IKEv2-PROTO-7: (143): Processing nat detect src notify
IKEv2-PROTO-7: (143): Remote address not matched
IKEv2-PROTO-7: (143): Processing nat detect dst notify
IKEv2-PROTO-7: (143): Local address matched
IKEv2-PROTO-7: (143): Host is located NAT outside
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (143): Setting configured policies
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_PKI_SESH_OPEN
IKEv2-PROTO-7: (143): Opening a PKI session
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (143): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 24
IKEv2-PROTO-4: (143): Request queued for computation of DH key
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (143): Action: Action_Null
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GEN_DH_SECRET
IKEv2-PROTO-4: (143): [IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 24
IKEv2-PROTO-4: (143): Request queued for computation of DH secret
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-7: (143): Action: Action_Null
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GEN_SKEYID
IKEv2-PROTO-7: (143): Generate skeyid
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (143): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (143): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
(143):    AES-CBC(143):    SHA1(143):    SHA256(143):    DH_GROUP_2048_MODP_256_PRIME/Group 24IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTEDIKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION(143):
IKEv2-PROTO-4: (143): Sending Packet [To 100.100.100.100:3316/From 200.200.200.200:500/VRF i0:f0]
(143): Initiator SPI : 324F9A17F65A53FE - Responder SPI : 80B091E1278E373F Message id: 0
(143): IKEv2 IKE_SA_INIT Exchange RESPONSEIKEv2-PROTO-5: (143): Next payload: SA, version: 2.0 (143): Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE (143): Message id: 0, length: 599(143):
Payload contents:
(143):  SA(143):   Next payload: KE, reserved: 0x0, length: 48
(143):   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4(143):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
(143):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
(143):     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
(143):     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP_256_PRIME/Group 24
(143):  KE(143):   Next payload: N, reserved: 0x0, length: 264
(143):     DH group: 24, Reserved: 0x0
(143):
(143):      38 34 e5 68 3d fd b0 24 d8 04 01 e9 44 7e 13 02

(143):      35 95 24 e7 9f 66 d8 b3 27 69 4f 2c 14 a3 d2 27
(143):      f7 84 14 a6 fb 26 ad 6f de 17 1b 85 f4 5d 62 a1
(143):  N(143):   Next payload: VID, reserved: 0x0, length: 68
(143):
(143):  VID(143):   Next payload: VID, reserved: 0x0, length: 23
(143):
(143):      43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
(143):      53 4f 4e
(143):  VID(143):   Next payload: NOTIFY, reserved: 0x0, length: 59
(143):
(143):      43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29

(143):  NOTIFY(NAT_DETECTION_SOURCE_IP)(143):   Next payload: NOTIFY, reserved: 0x0, length: 28
(143):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
(143):
(143):      e1 01 3d b1 46 f4 da 9c 34 97 15 7e 8e 23 a5 0c
(143):      76 cf 0a 75
(143):  NOTIFY(NAT_DETECTION_DESTINATION_IP)(143):   Next payload: CERTREQ, reserved: 0x0, length: 28
(143):     Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
(143):
(143):      fe d5 1f 3b 6e f2 ed 39 46 84 02 b1 ed 95 ab 6b
(143):      7a fc d3 15
(143):  CERTREQ(143):   Next payload: NOTIFY, reserved: 0x0, length: 25
(143):     Cert encoding X.509 Certificate - signature
(143): CertReq data: 20 bytes
(143):  NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(143):   Next payload: VID, reserved: 0x0, length: 8
(143):     Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(143):  VID(143):   Next payload: NONE, reserved: 0x0, length: 20
(143):
(143):      40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(143):
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-4: (143): Completed SA init exchange
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_START_TMR
IKEv2-PROTO-4: (143): Starting timer (30 sec) to wait for auth message
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000000 CurState: R_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (143): Request has mess_id 1; expected 1 through 1

(143):
IKEv2-PROTO-4: (143): Received Packet [From 100.100.100.100:3318/To 200.200.200.200:500/VRF i0:f0]
(143): Initiator SPI : 324F9A17F65A53FE - Responder SPI : 80B091E1278E373F Message id: 1
(143): IKEv2 IKE_AUTH Exchange REQUESTIKEv2-PROTO-5: (143): Next payload: ENCR, version: 2.0 (143): Exchange type: IKE_AUTH, flags: INITIATOR (143): Message id: 1, length: 368(143):
Payload contents:
IKEv2-PROTO-4: decrypt queued(143):
(143): Decrypted packet:(143): Data: 368 bytes
(143): REAL Decrypted packet:(143): Data: 299 bytes
 IDi  Next payload: CERTREQ, reserved: 0x0, length: 14
    Id type: key ID, Reserved: 0x0 0x0

     70 74 6e 6f 69 72
 CERTREQ  Next payload: CFG, reserved: 0x0, length: 25
    Cert encoding X.509 Certificate - signature
CertReq data: 20 bytes
 CFG  Next payload: SA, reserved: 0x0, length: 16
    cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0

   attrib type: internal IP4 address, length: 0

   attrib type: internal IP4 DNS, length: 0

 SA  Next payload: TSi, reserved: 0x0, length: 124
  last proposal: 0x2, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
  last proposal: 0x0, reserved: 0x0, length: 76
  Proposal: 2, Protocol id: ESP, SPI size: 4, #trans: 7    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
IKEv2-PROTO-7: Parse Notify Payload: MOBIKE_SUPPORTED NOTIFY(MOBIKE_SUPPORTED)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: MOBIKE_SUPPORTED
IKEv2-PROTO-7: Parse Notify Payload: ADDITIONAL_IPV6_ADDRESS NOTIFY(ADDITIONAL_IPV6_ADDRESS)  Next payload: NOTIFY, reserved: 0x0, length: 24
    Security protocol id: Unknown - 0, spi size: 0, type: ADDITIONAL_IPV6_ADDRESS

     26 00 10 09 11 10 c4 d0 00 00 00 00 63 b2 fa 7d
IKEv2-PROTO-7: Parse Notify Payload: ADDITIONAL_IPV6_ADDRESS NOTIFY(ADDITIONAL_IPV6_ADDRESS)  Next payload: NOTIFY, reserved: 0x0, length: 24
    Security protocol id: Unknown - 0, spi size: 0, type: ADDITIONAL_IPV6_ADDRESS

     26 00 10 09 b1 87 18 f6 05 d9 4c e6 04 fb 59 56
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16417 NOTIFY(Unknown - 16417)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
IKEv2-PROTO-7: Parse Notify Payload: Unknown - 16420 NOTIFY(Unknown - 16420)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0

IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-4: (143): Stopping timer to wait for auth message
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_NAT_T
IKEv2-PROTO-4: (143): Checking NAT discovery
IKEv2-PROTO-4: (143): NAT OUTSIDE found
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHG_NAT_T_PORT
IKEv2-PROTO-4: (143): NAT detected float to init port 3318, resp port 4500
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_PROC_ID
IKEv2-PROTO-7: (143): Received valid parameteres in process id
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_CHK_IF_PEER_CERT_NEEDS_TO_BE_FETCHED_FOR_PROF_SEL
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_GET_POLICY_BY_PEERID
IKEv2-PROTO-4: (143): Searching policy based on peer's identity 'VPNGRP' of type 'key ID'
IKEv2-PROTO-2: (143): Failed to locate an item in the database
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_AUTH_FAIL
IKEv2-PROTO-4: (143): Verification of peer's authentication data FAILED
IKEv2-PROTO-4: (143): Sending authentication failure notify
IKEv2-PROTO-7: Construct Notify Payload: AUTHENTICATION_FAILEDIKEv2-PROTO-4: (143): Building packet for encryption.
(143):
Payload contents:
(143):  NOTIFY(AUTHENTICATION_FAILED)(143):   Next payload: NONE, reserved: 0x0, length: 8
(143):     Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_ENCRYPT_MSG
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_OK_ENCRYPT_RESP
IKEv2-PROTO-7: (143): Action: Action_Null
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: R_VERIFY_AUTH Event: EV_TRYSEND
(143):
IKEv2-PROTO-4: (143): Sending Packet [To 100.100.100.100:3318/From 200.200.200.200:4500/VRF i0:f0]
(143): Initiator SPI : 324F9A17F65A53FE - Responder SPI : 80B091E1278E373F Message id: 1
(143): IKEv2 IKE_AUTH Exchange RESPONSEIKEv2-PROTO-5: (143): Next payload: ENCR, version: 2.0 (143): Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE (143): Message id: 1, length: 80(143):
Payload contents:
(143):  ENCR(143):   Next payload: NOTIFY, reserved: 0x0, length: 52
(143): Encrypted data: 48 bytes
(143):
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
IKEv2-PROTO-4: (143): Auth exchange failed
IKEv2-PROTO-2: (143): Auth exchange failed
IKEv2-PROTO-2: (143): Auth exchange failed
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
IKEv2-PROTO-7: (143): SM Trace-> SA: I_SPI=324F9A17F65A53FE R_SPI=80B091E1278E373F (R) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
IKEv2-PROTO-4: (143): Abort exchange
IKEv2-PROTO-4: (143): Deleting SA

In the above, 100.100.100.100 is the client and 200.200.200.200 is the ASA.
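The failing step in the debug above is the ASA reading the IKE_AUTH IDi payload ("Id type: key ID", length 14) and using the identity string as the key for its policy lookup. The following Python is an added example, not code from the original post or from Cisco: it decodes an IKEv2 Identification payload according to RFC 7296 section 3.5 so the identity type and value the ASA logs can be recovered from raw bytes. Both sample payloads are constructed. The first reuses the header values seen in the debug (Next payload CERTREQ, length 14, ID type key ID) and carries the logged string VPNGRP; the second is an assumed ID_IPV4_ADDR payload with a made-up LAN address, 192.168.1.23, standing in for the Windows native client behaviour described in the post. The match_tunnel_group helper is a deliberately simple model (exact string comparison against configured tunnel-group names) used only to illustrate why an IPv4 identity cannot select a named group; it is not the ASA's actual selection logic.

```python
"""Decode IKEv2 Identification (IDi/IDr) payloads per RFC 7296 section 3.5.

Added example, not from the original post or from Cisco. The sample payloads
are constructed: the first matches the header values in the IKE_AUTH debug
(Next payload CERTREQ, length 14, ID type key ID) and the logged identity
'VPNGRP'; the IPv4 sample and its address 192.168.1.23 are assumptions that
stand in for the Windows native client behaviour the post describes.
"""
import ipaddress
import struct
from typing import Optional

# RFC 7296 section 3.5, ID Type values
ID_TYPES = {
    1: "ID_IPV4_ADDR",
    2: "ID_FQDN",
    3: "ID_RFC822_ADDR",
    5: "ID_IPV6_ADDR",
    9: "ID_DER_ASN1_DN",
    10: "ID_DER_ASN1_GN",
    11: "ID_KEY_ID",
}

# RFC 7296 section 3.2, Next Payload type values (subset used here)
PAYLOAD_TYPES = {0: "NONE", 35: "IDi", 36: "IDr", 38: "CERTREQ", 41: "NOTIFY", 47: "CFG"}

# Constructed: Next payload 0x26 (38, CERTREQ), flags 0, length 0x000e (14),
# ID type 0x0b (11, key ID), three RESERVED zero bytes, then ASCII "VPNGRP".
ANDROID_IDI = bytes.fromhex("26 00 00 0e 0b 00 00 00") + b"VPNGRP"

# Constructed (assumed address): same header shape, length 12, ID type 1
# (IPv4 address) carrying a client LAN address, as the post reports for Windows.
WINDOWS_IDI = bytes.fromhex("26 00 00 0c 01 00 00 00") + ipaddress.IPv4Address("192.168.1.23").packed


def render_identity(id_type: int, data: bytes) -> str:
    """Render the Identification Data octets for the given ID type."""
    if id_type == 1 and len(data) == 4:
        return str(ipaddress.IPv4Address(data))
    if id_type == 5 and len(data) == 16:
        return str(ipaddress.IPv6Address(data))
    if id_type in (2, 3, 11):
        # FQDN and RFC822 names are ASCII; a key ID is opaque, so only show it
        # as text when it is printable ASCII and fall back to hex otherwise.
        try:
            text = data.decode("ascii")
            if text.isprintable():
                return text
        except UnicodeDecodeError:
            pass
    return data.hex()


def parse_id_payload(raw: bytes) -> dict:
    """Parse one Identification payload.

    Generic payload header (RFC 7296 section 3.2): Next Payload (1 byte),
    Critical bit plus reserved bits (1), Payload Length (2, big-endian,
    includes the 4-byte header). Body (section 3.5): ID Type (1),
    RESERVED (3, must be zero), Identification Data (variable).
    """
    if len(raw) < 8:
        raise ValueError("too short for an Identification payload")
    next_payload, flags, length = struct.unpack("!BBH", raw[:4])
    if length < 8 or length > len(raw):
        raise ValueError(f"payload length {length} inconsistent with {len(raw)} bytes")
    id_type = raw[4]
    if raw[5:8] != b"\x00\x00\x00":
        raise ValueError("RESERVED bytes after ID Type must be zero")
    return {
        "next_payload": PAYLOAD_TYPES.get(next_payload, f"Unknown - {next_payload}"),
        "critical": bool(flags & 0x80),
        "length": length,
        "id_type": ID_TYPES.get(id_type, f"Unknown - {id_type}"),
        "identity": render_identity(id_type, raw[8:length]),
    }


def match_tunnel_group(parsed: dict, tunnel_groups) -> Optional[str]:
    """Illustrative model only (not ASA logic): return the configured
    tunnel-group whose name equals the peer identity string, else None.
    An IPv4 identity is an address, so it can never equal a group name."""
    for name in tunnel_groups:
        if parsed["identity"] == name:
            return name
    return None


if __name__ == "__main__":
    groups = ["DefaultRAGroup", "VPNGRP"]
    for label, raw in (("android", ANDROID_IDI), ("windows", WINDOWS_IDI)):
        p = parse_id_payload(raw)
        print(f"{label}: {p['id_type']} identity={p['identity']!r} "
              f"next={p['next_payload']} len={p['length']} "
              f"tunnel-group={match_tunnel_group(p, groups)}")
```

Running the module prints one line per sample: the key-ID payload yields the string VPNGRP, which equals a configured group name, while the IPv4 payload yields an address that matches nothing, which is the situation the post describes for the Windows client.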
