How to configure and troubleshoot VIA with Suite B encryption?

Aruba Employee

Introduction  :  

Virtual Intranet Access (VIA) is part of the Aruba remote networks solution targeted for teleworkers and mobile users. VIA detects the users network environment (trusted and un-trusted) and automatically connects the user to their enterprise network. Trusted networks typically refers to a protected office network that allows users to directly access corporate intranet. Un-trusted networks are public Wi-Fi hotspots like airports, cafes, or home network.

The
VIA solution comes in two parts—VIA connection manager and the controller configuration.

Suite B is a new set of cryptographic algorithms that are approved by the US Government for use in classified communication. Suite B provides the highest levels of security available today in public, commercial algorithms.
Specifically, VIA provides support for:

  • RFC 4869—Suite B Cryptographic Suites for IPsec
  • AES-GCM 128/256 for bulk data transfer
  • ECDSA for digital signatures, including support for X.509v3 certificates using ECDSA keys with p256/p384 curves
  • ECDH for key agreement using p256/p384 curves
  • SHA-256 and SHA-384 for message digests

 

 

Prerequisites

Prior to moving forward with the controller configuration, the following prerequisites must first be accomplished:
 

  • Elliptic Curve Certificates will need to be generated using Windows Server 2008 R2. This version of Windows Server supports the creation of a PKI that will allow for a Certificate Authority to be implemented that supports Suite-B algorithms. The CA root, server, and user certificates will need to be generated prior to configuring the controller. Once created, the CA root and server EC certificates will be uploaded to the controller and used as part of the authentication process.

  • Verify that the controller to be configured supports Suite-B algorithms. While all Aruba 600 series controllers support Suite-B, not all 3000 or M3 series controllers do. Check the serial number on your controller and verify it against Table 3 on page 4 to determine if your controller supports Suite B.

  • If necessary, the controller will need to be upgraded to ArubaOS version 6.1.2.3 (or later). This version of ArubaOS is required to support Suite B.

  • The Advanced Cryptography License (ACR) will need to be installed onto the controller to support Suite- B algorithms

  • The Policy Enforcement Firewall for VIA (PEFV) license will need to be installed onto the controller to provide for policy enforcement when using the VIA client for secure communication with the controller.

  • If the controller will be installed behind a firewall device, the following ports must be allowed for traffic going to the IP address of the controller:
         -  TCP 443 – During the initializing phase, VIA uses HTTPS connections to perform trusted network & captive portal checks  
                                against the controller. It is mandatory that you enable port 443 on your network to allow VIA to perform these    
                                checks.
         -  UDP 4500 – Required for IPSec transport

 

 

Configuration Steps

 

Many of the configuration steps are similar to normal VIA configuration steps except VIA Authentication Profile and VIA Connection Profile will be configured to provide Suite-B capabilities. Authentication will be certificate based using IKEv2. In order to provide for policy enforcement with VIA, the Aruba PEFV license is required to be installed onto the controller.

Step 1 : 
Configure Suite-B Client Address Pool & Select the IKE Server & CA Root Certs

Select the IKE server cert (must be capable of ECDSA)
(hostname)(config)# crypto-local isakmp server-certificate “cert name”

Add and select the CA cert assigned for VPN-clients (must be capable of EDCSA)
(hostname)(config)# crypto-local isakmp ca-certificate <cacert-name>



Step 2 : Modify the default-ikev2-dynamicmap to add Suite B transforms

(hostname)(config)# crypto dynamic-map default-ikev2-dynamicmap 10000
(hostname)(config-dynamic-map)# set transform-set “default-gcm128” “default-gcm256”     “default-1st-ikev2-transform” “default 3rd-ikev2-transfrom”

The two transforms related to Suite B are (IKE Policies)

“default-gcm128” = Default Suite-B 10008:  this policy defines the use of AES-128-GCM for data encryption with a SHA-256 hash for data integrity and elliptic curve 256 bit digital signatures (ECDSA) used for authentication

“default-gcm256” = Default Suite-B 10009: this policy defines the use of AES-256-GCM for data encryption with a SHA-384 hash for data integrity and elliptic curve 384 bit digital signatures (ECDSA) used for authentication


Step 3 : Create user role to be mapped to the VIA authentication profile

Step 4 : Create VIA Authentication profile

 

  • Select the user role created above as Default Role

  • Ensure that “Check certificate common name against AAA server” is unchecked (if checked if using internal DB it must have an entry corresponding to the CN)

  • Add the correct server group for VIA authentication (in the field this will most likely be internal)


Currently the most popular Radius servers do not support EAP-TLS over IKEV2 with EC certificates (currently all Suite B deployments use VIA and IKEV2 native certificate authentication on the controller, however another option is strongSwan but it’s not FIPS validated)

 

 

Step 5 : Create VIA Connection profile
 

  • Populate VIA Servers section with necessary configurations

  • Select the VIA authentication profile created in the “VIA Authentication Profiles” to provision section

  • Populate VIA tunneled networks

Federal customers will likely tunnel all networks as Suite B encryption is normally used to connect to classified networks
Enable IKEv2

(hostname)(config)# aaa authentication via connection-profile “Suite-B-VIA”
(hostname)(VIA Connection Profile “Suite-B-VIA”)# ikev2-proto

  • Select Default Suite-B 10008 (AES-GCM128) or Default Suite-B 10009 (AES-GCM256) for VIA IKE V2 Policy
(hostname)(config)# aaa authentication via connection-profile “Suite-B-VIA”

(hostname)(VIA Connection Profile “Suite-B-VIA”)# ikev2-policy “10008” or “10009”

 

  •  Enable “Use Suite B Cryptography”

   (hostname)(config)# aaa authentication via connection-profile “Suite-B-VIA”

   (hostname)(VIA Connection Profile “Suite-B-VIA”)# suiteb-crypto

 

  • Select “user-cert” for IKEv2 Authentication method (use eap-tls only if authenticating to an external server, which is currently not used in the filed)

    (hostname)(config)# aaa authentication via connection-profile “Suite-B-VIA”
  
    (hostname)(VIA Connection Profile “Suite-B-VIA”)# ikev2auth user-cert

 

  • Select “default-ikev2-dynamicmap/10000” for VIA IPSec V2 Crypto Map

    (hostname)(VIA Connection Profile “Suite-B-VIA”)# ipsecv2-cryptomap “default-ikev2-    dynamic map” number 10000

 

  • Select “Enable Supplicant”

    (hostname)(VIA Connection Profile “Suite-B-VIA”)# enable-supplicant

 

  • Use default /32 for “VIA Client Network Mask”
     

  • Enable “Validate Server Certificate”

   (hostname)(VIA Connection Profile “Suite-B-VIA”)# validate-server-cert

 

 

Client Configuration


There are three main items that will be executed to establish Suite-B communications with the controller:

  • Import elliptic curve certificates thru the use of the Microsoft Management Console (mmc.exe) program
  • Install the VIA client
  • Launch the VIA client, authenticate and load the VIA connection profile to support Suite-B connectivity

 

 

Troubleshooting

 

 

  •    Wireless client must have driver capable of Suite B encryption (on a driver only capable of AES the SSID will show up as unsecure)
               show user (SSID with Suite B encryption enabled):

(Aruba3600) #show user
Users
-----
    IP            MAC                         Name     Role                     Age(d:h:mAuth    VPN link  AP name      Roaming   Essid/Bssid/Phy                                                 Profile          Forward mode  Type
----------      ------------                     ------        ----                         ----------        ----       --------       -------             -------            ---------------                                                         -------            ------------             ----
172.16.2.8   44:6d:57:60:4d:b0  level99   SuiteB_Trusted      00:00:35    802.1x_suiteB   Pandora-135  Wireless  Pandora/d8:c7:c8:88:bd:a0/g-HT    Pandora_Trusted     tunnel       win7
172.16.2.11  70:de:e2:89:1f:77  sandee    Pandora_Trusted  16:11:29    802.1x               Pandora-135  Wireless  Pandora/d8:c7:c8:88:bd:b0/a-HT    Pandora_Trusted     tunnel       iPad
User Entries: 2/2



 

  • show user (VIA with Suite B encryption enabled):
(Aruba3600) #show user-table
Users
-----
    IP              MAC                          Name       Role             Age(d:h:m      Auth     VPN link       AP name        Roaming   Essid/Bssid/Phy                              Profile   Forward mode  Type   Host Name
----------            ------------                  ------        ----                 ----------            ----            --------             -------               -------         ---------------                                       -------       ------------             ----   ---------
10.10.130.10   44:6d:57:60:4d:b0  Users     Suite-B-VIA        00:01:53    VIA-VPN  10.10.130.253  Inception-105  Wireless  Inception/00:24:6c:ae:a6:30/g                       tunnel
10.10.130.253  44:6d:57:60:4d:b0  jconrad   Inception-Trusted  00:01:53    VIA-VPN                 Inception-105  Wireless  Inception/00:24:6c:ae:a6:30/g-HT  Trusted_Wireless       tunnel    Win 7
User Entries: 2/2
 Curr/Cum Alloc:2/565 Free:1/563 Dyn:3 AllocErr:0 FreeErr:0



 
  • show auth-tracebuf (SSID with Suite B enabled)

Suite B 128 bit encryption:
Sep 29 15:40:47  ap-up           *       00:1a:1e:8f:a5:41                                                   -   -    wpa2 aes-gcm-128
Sep 29 15:52:10  station-up     *       00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                    -   -    wpa2 aes-gcm-128


Sep 29 15:52:10  wpa2-akm1-key1             <-  00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                                        -   133 
Sep 29 15:52:10  wpa2-akm1-key2             ->  00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                                        -   133 
Sep 29 15:52:10  wpa2-akm1-key3             <-  00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                                        -   133 
Sep 29 15:52:10  wpa2-akm1-key4             ->  00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                                        -   133 
 
Suite B 256 bit encryption:
Sep 29 15:40:47  ap-up           *       00:1a:1e:8f:a5:41                                                   -   -    wpa2 aes-gcm-256
Sep 29 15:52:10  station-up     *       00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                    -   -    wpa2 aes-gcm-256


Sep 29 15:52:10  wpa2-akm2-key1             <-  00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                                        -   133 
Sep 29 15:52:10  wpa2-akm2-key2             ->  00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                                        -   133 
Sep 29 15:52:10  wpa2-akm2-key3             <-  00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                                        -   133 
Sep 29 15:52:10  wpa2-akm2-key4             ->  00:19:7e:4c:01:8e  00:1a:1e:8f:a5:41                                        -   133




 

  • show auth-tracebuf (authentication failure):
Jun 25 11:37:14  station-up             *  00:24:d6:65:b6:1a  00:24:6c:ae:a6:39                   -    -    wpa2 aes-gcm-128
Jun 25 11:37:14  station-term-start     *  00:24:d6:65:b6:1a  00:24:6c:ae:a6:39                   300  -
Jun 25 11:37:45  station-term-end       *  00:24:d6:65:b6:1a  00:24:6c:ae:a6:39/Inception-802.1x  43   -   failure
Jun 25 11:37:45  eap-failure           <-  00:24:d6:65:b6:1a  00:24:6c:ae:a6:39/Inception-802.1x  -    4
Jun 25 11:37:45  station
-down           *  00:24:d6:65:b6:1a  00:24:6c:ae:a6:39                   -    -


 
  • In show datapath user/station/tunnel Suite B clients can be identified by the “G” flag
show datapath user (SSID with Suite B enabled)


(Aruba3600) #show datapath user
 
Datapath User Table Entries
---------------------------
 
Flags: P - Permanent, W - WEP, T- TKIP, A - AESCCM, G - AESGCM, V - ProxyArp to/for MN(Visitor),
       N - VPN, L - local, Y - Any IP user, R - Routed user, M - Media Capable,
       S - Src NAT with VLAN IP, E - L2 Enforced, O - VOIP user
 
       IP              MAC           ACLs    Contract   Location  Age    Sessions   Flags
---------------  -----------------  -------  ---------  --------  -----  ---------  -----
40.40.40.1       00:0B:86:61:A5:4C  2701/0      0/0     0         13045    0/65535  PL
60.60.60.1       00:0B:86:61:A5:4C  2701/0      0/0     0         5        5/65535  PL
10.4.120.156     00:0B:86:40:CC:80     7/0      0/0     1         1        5/65535  L
60.60.60.10      00:19:7E:4C:01:8E     3/0      0/0     1         5        0/65535  GE
10.4.120.239     00:19:7E:4C:01:8E     3/0      0/0     1         50       0/65535  GE
10.4.120.199     00:0B:86:61:A5:4C  2701/0      0/0     0         2        0/65535  PL
0.0.0.0          00:19:7E:4C:01:8E     3/0      0/0     1         0        0/65535  GE



  • show datapath station (SSID with Suite B enabled)

(Aruba3600) #show datapath station
 Datapath Station Table Statistics
---------------------------------
Current Entries      1
Pending Deletes      0
High Water Mark      1
Maximum Entries      16383
Total Entries        3
Allocation Failures  0
Max link length      1
 
Datapath Station Table Entries
------------------------------
 
Flags: W - WEP, T - TKIP, A - AESCCM, M - WMM N - .11n client
       P- Powersave, S - AMSDU, G - AESGCM
 
       MAC              BSSID       VLAN Bad Decrypts Bad Encrypts Cpu Qsz        Flags
----------------- ----------------- ---- ------------ ------------ --- ---------- -----
00:19:7E:4C:01:8E 00:1A:1E:8F:A5:41   60           25            0 16 16161616    MG



 

  • show datapath tunnel (SSID with Suite B enabled)
(Aruba3600) #show datapath tunnel
 
Datapath Tunnel Table Statistics
--------------------------------
Current Entries      13
Pending Deletes      0
High Water Mark      15
Maximum Entries      16383
Total Entries        17
Allocation Failures  0
Max link length      1
 
Datapath Tunnel Table Entries
-----------------------------
 
Flags: E - Ether encap,  I - Wi-Fi encap,  R - Wired tunnel,  F - IP fragment OK
       W - WEP,  K - TKIP,  A - AESCCM,  G - AESGCM - no mcast src filtering
       S - Single encrypt,  U - Untagged,  X - MUX,  1(cert-id) - 802.1X Term-PEAP
       2(cert-id) - 802.1X Term-TLS,  T - Trusted,  L - No looping, d - Drop Bcast/Mcast,
       D - Decrypt tunnel,  a - Reduce ARP packets in the air, e - EAPOL only
       C - Prohibit new calls, P - Permanent, m - Convert multicast
 
 #       Source       Destination    Prt  Type  MTU   VLAN       Acls           BSSID          Decaps     Encaps   Heartbeats Cpu QSz Flags
---  --------------  --------------  ---  ----  ----  ---- --------------  ----------------- ---------- ---------- ---------- --- --- -----
11   10.4.120.199    10.4.120.156    47   9000  1578  0    0    0    0     00:1A:1E:C0:FA:54     13755          0      13752   31   0 TES
12   10.4.120.199    10.4.120.156    47   8210  1578  60   0    0    1     00:1A:1E:8F:A5:51       232          0          0   29   0 IMSPG1(  1)
13   10.4.120.199    10.4.120.156    47   8310  1578  60   0    0    1     00:1A:1E:8F:A5:41       989        583          0   25   0 IMSPG1(  1)
10   SPI0093C000out  10.4.120.156    50   IPSE  1500  0                    routeDest 0001            0        200
9    SPIE7A28200 in  10.4.120.199    50   IPSE  1500  0                    routeDest 0001         2075          0

 

  • Show crypto commands:
show crypto isakmp sa peer <ip address>        (Phase 1)

(Aruba3600) # show crypto isakmp sa peer 10.10.130.253
 Initiator IP: 10.10.130.253
 Responder IP: 10.10.3.6
 Initiator: No
 Initiator cookie:ac9e35fb99f9036a Responder cookie:4e0259918e7e84e0
 SA Creation Date: Wed Jun 26 17:29:23 2013
 Life secs: 28800
 Initiator Phase1 ID: D=test D=Inception CN=Users CN=James O. Conrad
 Responder Phase1 ID: C=US S=VA L=Woodbridge O=Aruba_Networks OU=Federal_TAC CN=10.10.3.6 E=jconrad@arubanetworks.com
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES128 HashAlg:HMAC_SHA2_256_128 DHGroup:19
 Authentication Method: ECDSA with SHA-256 on the P-256 curve
 CFG Inner-IP 10.10.130.9
 IPSEC SA Rekey Number: 0
 VIA



  • Show crypto ipsec sa peer <ip address>  (Phase 2)
     

(Inception) #show crypto ipsec sa peer 10.10.130.253
 Initiator IP: 10.10.130.253
 Responder IP: 10.10.3.6
 Initiator: No
 SA Creation Date: Wed Jun 26 17:29:23 2013
 Life secs: 7200
 Exchange Type: IKE_SA (IKEV2)
 Phase2 Transform:Encryption Alg: AES-GCM 128 Authentication Alg:
 Encapsulation Mode Tunnel
 PFS: no
 IN SPI: 8593000, OUT SPI: C6CF13E6
 CFG Inner-IP 10.10.130.9
 Responder IP: 10.10.3.6


 

  • Enable debugging security
-  Logging level debugging security process authmgr
-  Logging level debugging security process ike

(Aruba3600) # show log security 400
Jun 26 18:50:11 :103063:  <DBUG> |ike|  10.10.130.253:50447-> IKE2_xchgIn
Jun 26 18:50:45 :103063:  <DBUG> |ike|  10.10.130.253:51478->  unsupported     ENCR_AES 128-BITS     ENCR_AES 192-BITS skipped     ENCR_AES 256-BITS skipped
Jun 26 18:50:45 :103063:  <DBUG> |ike|  10.10.130.253:51478-> PRF_HMAC_SHA2_256 unsupported     PRF_HMAC_SHA2_384 unsupported     AUTH_HMAC_SHA2_256_128
Jun 26 18:50:45 :103063:  <DBUG> |ike|  10.10.130.253:51478-> Aruba VIA detected
Jun 26 18:50:45 :103063:  <DBUG> |ike|  10.10.130.253:51478-> IKE_certGetKey: validating against CA cert Inception-CA-cert-suiteb
Jun 26 18:50:45 :103063:  <DBUG> |ike|  10.10.130.253:51478-> validate_issuer: trying certs:1 CA cert-chain Inception-CA-cert-suiteb blob:0x1020307c blob-len:534
Jun 26 18:50:45 :103063:  <DBUG> |ike|  10.10.130.253:51478-> IKE_certGetKey validated with Trusted Certs Inception-CA-cert-suiteb
Jun 26 18:50:46 :103063:  <DBUG> |ike|  10.10.130.253:51478-> IKE_initIPsecKey  in:1 dstport:51478  srcport:4500
Jun 26 18:50:46 :103063:  <DBUG> |ike|  10.10.130.253:51478-> pap_ikev2_auth_requests username: Users
Jun 26 18:50:46 :124448:  <DBUG> |authmgrVIA Authentication Profile is Suite-B-VIA
Jun 26 18:50:46 :132218:  <INFO> |authmgrSkipping certificate common name check for username=jconrad
Jun 26 18:50:46 :103063:  <DBUG> |ike|   get_ikev2_internal_ip pool Inception-VPN
Jun 26 18:50:46 :103063:  <DBUG> |ike|   get_ikev2_internal_ip Inner-ip from L2TP pool 10.10.130.5, DNS1:8.8.8.8, DNS2:8.8.4.4, WINS1:0.0.0.0, WINS2:0.0.0.0
MAC=00:00:00:00:00:00
Jun 26 18:50:46 :103082:  <INFO> |ikeIKEv2 Client-Authentication succeeded for 10.10.130.5 (External 10.10.130.253) for Suite-B-VIA
Jun 26 18:50:46 :103063:  <DBUG> |ike|   IKE_CUSTOM_useCert group ca-cert:Inception-CA-cert-suiteb bits: rsa:0 ec:256
Jun 26 18:50:46 :103063:  <DBUG> |ike|   IKE_CUSTOM_useCert: found valid Server-Cert:Inception-suiteb-server-cert
Jun 26 18:50:46 :103076:  <INFO> |ikeIKEv2 IPSEC Tunnel created for peer 10.10.130.253:51478
Jun 26 18:50:46 :124004:  <DBUG> |authmgrlic_check_acr_limit: Allowing. ACR license is available
Jun 26 18:50:46 :124244:  <DBUG> |authmgrAllow IPSEC Suite-B ACR license cookei:28
Jun 26 18:50:46 :103063:  <DBUG> |ike|   Suite-B vpn is permitted



 
  • Client that failed authentication
- Enabled “Check certificate common name against AAA server” in the VIA Authentication Profile

(Aruba3600) # show log security 400
Jun 26 19:59:03 :103063:  <DBUG> |ike|  10.10.130.253:61355-> asn_cert_ike_subj_string Cert-len:1341 Subject: /DC=test/DC=Inception/CN=Users/CN=James O. Conrad
Jun 26 19:59:03 :103063:  <DBUG> |ike|  10.10.130.253:61355-> IKE_certGetKey : cert CN:Users
Jun 26 19:59:03 :103063:  <DBUG> |ike|  10.10.130.253:61355-> IKE_certGetKey: validating against CA cert Inception-CA-cert-suiteb
Jun 26 19:59:03 :103063:  <DBUG> |ike|  10.10.130.253:61355-> validate_issuer: trying certs:1 CA cert-chain Inception-CA-cert-suiteb blob:0x1020307c blob-len:534
Jun 26 19:59:03 :103063:  <DBUG> |ike|  10.10.130.253:61355-> validate_issuer: returned status:0
Jun 26 19:59:03 :103063:  <DBUG> |ike|  10.10.130.253:61355-> IKE_certGetKey validated with Trusted Certs Inception-CA-cert-suiteb
Jun 26 19:59:03 :124448:  <DBUG> |authmgrVIA Authentication Profile is Suite-B-VIA
Jun 26 19:59:03 :124004:  <DBUG> |authmgrncfg_auth_server_group_authtype ip=10.10.130.253, method=VIA-VPN vpnflags:3
Jun 26 19:59:03 :124004:  <DBUG> |authmgrncfg_auth_server_group_authtype via_auth_profile:Suite-B-VIA
Jun 26 19:59:03 :124038:  <INFO> |authmgr|  Selected server Internal for method=VIA-VPN; user=Usersessid=Inception, domain=<>, server-group=internal
Jun 26 19:59:03 :133019:  <ERRS> |localdbUser Users was not found in the database
Jun 26 19:59:03 :133006:  <ERRS> |localdbUser Users Failed Authentication
Jun 26 19:59:03 :124004:  <DBUG> |authmgrLocal DB auth failed for user Users, error (User not found in UserDB)
Jun 26 19:59:03 :124003:  <INFO> |authmgrAuthentication result=Authentication failed(1), method=VIA-VPN, server=Internal, user=44:6d:57:60:4d:b0
Jun 26 19:59:03 :103063:  <DBUG> |ike|   *** ipc_auth_recv_packet user=Users, pass=******, result=1   ctx:10235c64, ctx-innerip:0.0.0.0 l2tp_pool:Inception-VPN
Jun 26 19:59:03 :103083:  <INFO> |ikeIKEv2 Client-Authentication failed for user: Users
Jun 26 19:59:03 :103063:  <DBUG> |ike|    unsupported     ESN_0  <-- R   Notify: AUTHENTICATION_FAILED (ESP spi=95f8ef5e)#SEND 84 bytes to


 

  • Client failed authentication
-  Authenticated with an RSA cert instead of an EC cert

Jun 26 20:56:12 :103063:  <DBUG> |ike|  10.10.130.253:61555->  exchange=IKE_SA_INIT msgid=0 len=386
Jun 26 20:56:12 :103063:  <DBUG> |ike|  10.10.130.253:61555-> IKE2_xchgIn
Jun 26 20:56:12 :103063:  <DBUG> |ike|  10.10.130.253:61555-> InTfm Using Policy 10008, setting IKE_SA lifetime to 28800 seconds
Jun 26 20:56:13 :103063:  <DBUG> |ike|  10.10.130.253:61555-> Aruba VIA detected
Jun 26 20:56:13 :103063:  <DBUG> |ike|  10.10.130.253:61555-> check_aruba_vid: VIA Auth Profile : Suite-B-VIA
Jun 26 20:56:13 :103063:  <DBUG> |ike|  10.10.130.253:61555-> ike2_state.c (6572): errorCode = ERR_CERT_NOT_EXPECTED_OID
Jun 26 20:56:13 :103091:  <INFO> |ike|  IKEv2 Digital Signature verification failed for peer 10.10.130.253:61555
Jun 26 20:56:13 :103063:  <DBUG> |ike|  10.10.130.253:61555-> ike2_state.c (6879): errorCode = ERR_CERT_NOT_EXPECTED_OID
Jun 26 20:56:13 :103063:  <DBUG> |ike|  10.10.130.253:61555->   <-- R   Notify: AUTHENTICATION_FAILED (IKE)#SEND 84 bytes to 10.10.130.253(61555) (359551.885)

 

Version history
Revision #:
1 of 1
Last update:
‎07-10-2014 03:53 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: