IKEv2 Authentication Error Tidbit

So I recently went down a rabbit hole the other day trying to figure out why I could not use my IOS PKI Certificate Authority (CA) in another FlexVPN scenario acting as the hub. As I attempted to bring up a FlexVPN session, I continued to debug IKEv2 packets (debug crypto ikev2 packet) and kept seeing this error:


Payload contents:

NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8

Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED


Long story short, I was actually trying to use the CA trustpoint, the one that is used for signing certificates, within my IKEv2 profile configuration.


The fix is to configure a separate trustpoint, have the CA enroll with itself through that trustpoint, and reference that trustpoint within your IKEv2 profile. The CA then has an identity certificate it can use for IKEv2 authentication. As soon as this was done I was able to move forward. Hopefully this helps you, Cheers!
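The fix described above, sketched as an added IOS configuration example (not the author's actual config). The names FLEX-CA, FLEX-HUB-ID and FLEX-PROFILE, the address 192.0.2.1 and the example.com identities are assumptions chosen for illustration.

```cisco
! Added illustration; FLEX-CA, FLEX-HUB-ID, FLEX-PROFILE, 192.0.2.1 and
! example.com are hypothetical names/values, not taken from the post.
!
! IOS CA server. Creating it also creates a trustpoint of the same name
! (FLEX-CA) that holds the CA signing certificate. SCEP enrollment to
! the local CA needs the HTTP server.
ip http server
crypto pki server FLEX-CA
 issuer-name CN=FLEX-CA
 no shutdown
!
! Separate trustpoint: the hub enrolls with its own CA over SCEP and
! receives an identity certificate. The pending request still has to be
! granted on the CA according to your issuance policy.
crypto pki trustpoint FLEX-HUB-ID
 enrollment url http://192.0.2.1:80
 subject-name CN=hub.example.com
 rsakeypair FLEX-HUB-ID
!
crypto pki authenticate FLEX-HUB-ID
crypto pki enroll FLEX-HUB-ID
!
! Before (the setup that produced AUTHENTICATION_FAILED in the post):
! the IKEv2 profile referenced the CA's signing trustpoint.
! crypto ikev2 profile FLEX-PROFILE
!  pki trustpoint FLEX-CA
!
! After: the IKEv2 profile references the identity trustpoint.
crypto ikev2 profile FLEX-PROFILE
 match identity remote fqdn domain example.com
 identity local fqdn hub.example.com
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint FLEX-HUB-ID
```

Running `show crypto pki certificates FLEX-HUB-ID` after enrollment should list both the CA certificate and a general-purpose identity certificate for the hub; if only the CA certificate appears, enrollment has not completed.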
