IKEv2 Authentication Error Tidbit

So I recently went down a rabbit hole the other day trying to figure out why I could not use my IOS PKI Certificate Authority (CA) in another FlexVPN scenario acting as the hub. As I attempted to bring up a FlexVPN session I continued to debug ikev2 packets (debug crypto ikev2 packet) and kept seeing this error:

Payload contents:

NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8

Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

Long story short, I was actually trying to use the CA trustpoint within my IKEv2 profile configuration that is used for signing certificates.

The fix is that you must configure a separate trustpoint to then have the CA enroll with itself, and that trustpoint must be configured within your IKEv2 profile. At this point the CA now has an identity certificate it can use in IKEv2 Authentication. As soon as this was done I was able to move forward. Hopefully this helps you, Cheers!


Recent Posts

See All

Dual Hub FlexVPN Error Tidbit

Sharing an issue that took me some time to troubleshoot & figure out in my dual hub single cloud FlexVPN lab/post (see here: Configuring & Verifying FlexVPN Redundancy with Dual Hub & Single Cloud). S

FlexVPN Redundancy Tidbit

I want to cover the most commonly used FlexVPN redundancy designs since I intend on building out a few scenarios to play with for studying purposes. The most common designs include: Dual cloud approa

IKEv2 Configuration Payload Tidbit

In this tidbit I want to cover what IKEv2 configuration payloads are & why they are needed. So it is sometimes desirable for the hub in hub & spoke topologies to provide configuration data to the spo


© 2023 by Train of Thoughts. Proudly created with Wix.com