Cisco IOS Software Release 15.3(2)T Technical Manual

*Jul 15 07:54:13: IKEv2:number of cert req exceeds the reasonable limit (100)
Tunnel Source on DVTI
Although it is fairly common to set the tunnel source on a virtual tunnel interface (VTI), it is not necessary
here. Assume the tunnel source command is under a dynamic VTI (DVTI):
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
After authentication, when the Cisco IOS software tries to create a virtual access interface that is cloned from the
virtual template, it returns an error:
*Aug 1 13:34:22 IKEv2:Allocated addr 192.168.0.9 from local pool POOL
*Aug 1 13:34:22 IKEv2:(SA ID = 1):Set received config mode data
*Aug 1 13:34:22 IKEv2:% DVTI create request sent for profile PROF with PSH index 1
*Aug 1 13:34:22 IKEv2:Failed to process KMI delete SA message with error 4
*Aug 1 13:34:24 IKEv2:Got a packet from dispatcher
*Aug 1 13:34:24 IKEv2:Processing an item off the pak queue
*Aug 1 13:34:24 IKEv2:Negotiation context locked currently in use
Two seconds after the failure, the Cisco IOS software receives a retransmitted IKE_AUTH from Android.
That packet is dropped.
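The following Python script is an added example, not code from Cisco or from this document. It does two things a practitioner checking for the DVTI problem above would want: it lints an IOS running-config excerpt for a "tunnel source" command placed under a Virtual-Template of type tunnel (which a static Tunnel interface needs but a DVTI template does not), and it correlates the IKEv2 debug signature above (DVTI create request, followed by the KMI delete SA failure and the locked negotiation context on the peer's retransmit). The config and debug samples are constructed for the example; the regular expressions match the message text shown on this page and are an assumption for other IOS releases.

```python
"""Lint an IOS FlexVPN DVTI config and correlate the IKEv2 debug signature of a
failed virtual-access clone. Added example; samples below are constructed."""
from __future__ import annotations

import re

# Constructed running-config excerpt: one DVTI template with the unneeded
# 'tunnel source', and one static VTI where 'tunnel source' is legitimate.
SAMPLE_CONFIG = """\
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PROF
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile PROF
!
"""

# Constructed debug excerpt modelled on the message text shown on this page.
SAMPLE_DEBUG = """\
*Aug 1 13:34:22 IKEv2:Allocated addr 192.168.0.9 from local pool POOL
*Aug 1 13:34:22 IKEv2:(SA ID = 1):Set received config mode data
*Aug 1 13:34:22 IKEv2:% DVTI create request sent for profile PROF with PSH index 1
*Aug 1 13:34:22 IKEv2:Failed to process KMI delete SA message with error 4
*Aug 1 13:34:24 IKEv2:Got a packet from dispatcher
*Aug 1 13:34:24 IKEv2:Processing an item off the pak queue
*Aug 1 13:34:24 IKEv2:Negotiation context locked currently in use
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Split an IOS config into {interface header: [indented sub-commands]}."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command closes the block
    return blocks


def dvti_tunnel_source_findings(config: str) -> list[str]:
    """Return Virtual-Template (type tunnel) interfaces that carry 'tunnel source'."""
    findings = []
    for header, cmds in parse_interfaces(config).items():
        if not header.startswith("Virtual-Template") or "type tunnel" not in header:
            continue
        if any(c.startswith("tunnel source ") for c in cmds):
            findings.append(header.split()[0])
    return findings


# Message patterns taken from the debug output on this page (assumed stable).
DVTI_REQ = re.compile(r"DVTI create request sent for profile (\S+)")
KMI_FAIL = re.compile(r"Failed to process KMI delete SA message with error (\d+)")
CTX_LOCK = re.compile(r"Negotiation context locked currently in use")


def dvti_clone_failures(debug: str) -> list[dict]:
    """Correlate each DVTI create request with the KMI failure that follows it,
    and record whether a later retransmit then hit the locked negotiation context."""
    events: list[dict] = []
    pending = None
    for line in debug.splitlines():
        m = DVTI_REQ.search(line)
        if m:
            pending = {"profile": m.group(1), "kmi_error": None, "retransmit_dropped": False}
            continue
        m = KMI_FAIL.search(line)
        if m and pending is not None:
            pending["kmi_error"] = int(m.group(1))
            events.append(pending)
            pending = None
            continue
        if CTX_LOCK.search(line) and events and events[-1]["kmi_error"] is not None:
            events[-1]["retransmit_dropped"] = True
    return events


if __name__ == "__main__":
    for name in dvti_tunnel_source_findings(SAMPLE_CONFIG):
        print(f"remove 'tunnel source' from {name}: not needed on a DVTI template")
    for ev in dvti_clone_failures(SAMPLE_DEBUG):
        print(f"DVTI clone failed for profile {ev['profile']} "
              f"(KMI error {ev['kmi_error']}, retransmit dropped: {ev['retransmit_dropped']})")
```

Run the script against a saved `show running-config` and a `debug crypto ikev2` capture instead of the embedded samples; the config check is the one to fix first, since the debug signature is only a consequence of the template carrying `tunnel source`.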
Cisco IOS Software Bugs and Enhancement Requests
• Cisco Bug ID CSCui46418, "IOS Ikev2 ip address sent as identity for RSA authentication."
  This bug is not a problem, as long as strongSwan can see a correct Subject Alternative Name (the IP
  address) when it looks for the IKEID in the certificate in order to perform verification.
• Cisco Bug ID CSCui44976, "IOS PKI incorrectly displayed X509v3 extension Subject Alternative Name."
  This bug occurs only when there are multiple IP addresses in the Subject Alternative Name. Only the
  last IP address is displayed, but that does not impact certificate usage. The whole certificate is sent
  and processed correctly.
• Cisco Bug ID CSCui44783, "IOS ENH PKI ability to generate CSR with subject-alt-name extension."
• Cisco Bug ID CSCui44335, "ASA ENH Certificate x509 extensions displayed."
Related Information
• Cisco IOS 15.3 VPN Configuration Guide
• Cisco IOS 15.3 Command Reference
• Cisco IOS Flex VPN Configuration Guide
• Technical Support & Documentation - Cisco Systems
Updated: Jan 21, 2016
Document ID: 116837