IKEv2 Authentication Error Tidbit

I recently went down a rabbit hole trying to figure out why I could not use my Cisco IOS PKI Certificate Authority (CA) as the hub in another FlexVPN scenario. As I attempted to bring up a FlexVPN session I ran IKEv2 packet debugs (debug crypto ikev2 packet) and kept seeing this error:

Payload contents:
NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

Long story short, I was referencing the CA's own trustpoint, the one used for signing certificates, within my IKEv2 profile configuration.

The fix is to configure a separate trustpoint, have the CA enroll with itself through that trustpoint, and then reference that trustpoint in your IKEv2 profile. At that point the CA has an identity certificate of its own that it can use for IKEv2 authentication. As soon as this was done I was able to move forward. Hopefully this helps you, Cheers!
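As an added illustration (not the author's configuration), here is a minimal IOS layout of the kind the fix describes: the CA server, a second trustpoint through which the hub enrolls with its own CA, and the IKEv2 profile pointing at that second trustpoint. Names such as MY-CA, HUB-ID, FLEX-HUB, CMAP, the DNs and the address 192.0.2.1 are placeholders.

```cisco
! --- CA server on the hub. Creating it auto-generates a trustpoint named MY-CA that
! --- holds only the CA certificate, so it has nothing to sign IKEv2 AUTH with.
ip http server
crypto pki server MY-CA
 issuer-name CN=my-ca.example.com
 no shutdown
!
! --- Separate trustpoint so the hub enrolls with its own CA and gets an identity cert.
! --- 192.0.2.1 is a placeholder for the hub's own address where SCEP (HTTP) is listening.
crypto pki trustpoint HUB-ID
 enrollment url http://192.0.2.1:80
 subject-name CN=hub.example.com
 revocation-check none
 rsakeypair HUB-ID-KEY
!
! From EXEC, in this order:
!   crypto pki authenticate HUB-ID
!   crypto pki enroll HUB-ID
!   crypto pki server MY-CA grant all      (approve the pending request; or grant <req-id>)
! Check that HUB-ID now shows a router (identity) certificate, not only the CA certificate:
!   show crypto pki certificates HUB-ID
!
crypto pki certificate map CMAP 10
 issuer-name co my-ca.example.com
!
crypto ikev2 profile FLEX-HUB
 match certificate CMAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
! pki trustpoint MY-CA   <- the CA trustpoint: no identity cert, yields NOTIFY(AUTHENTICATION_FAILED)
 pki trustpoint HUB-ID
 virtual-template 1
```

If the "show crypto pki certificates HUB-ID" output lists only a CA certificate, the enrollment or grant step has not completed and the IKEv2 profile will still fail authentication.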

