Ike V2 VPN with Certificate auth stopped work after upgrade error MSG "User Authentication Failed"

Here is update from Cisco TAC (below) which says that it is not possible to use SAN on Cisco IOS CA:

After replicating this on our lab and doing a lot of research we have found you cannot add the subject alternative name to a certificate create from the IOS CA.

Basically the command “subject-alt-name” is only intended to be used when doing a self sign certificate. As mention on the PKI configuration guide “This option is used to create a self-signed trustpoint certificate for the router that contains the trustpoint name in the Subject Alternative Name (subjectAltName) field. This Subject Alternative Name can be used only when the enrollment selfsigned command is specified for self-signed enrollment in the trustpoint policy.”

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-s/sec-pki-15-s-book.pdf

The only options left will be to use OpenSSL to add the field to the request but after trying it on our lab we found the IOS ca will just ignore that even when is properly added to the certificate request.

I do not have SAN configured in my certs- I will re-create certs today and report if it works with cisco router. Thanks for the hint. By any chance do you have any Apple reference document how client auth certs must look like?

Yes TAC it is Cisco official support -we have network built on cisco devices and buy service contracts for them which gives us the right to bug their specialists. Yes openssl is another option. Does not really fit in my original setup to have all on one router. The funny thing is I have virtual box on mac and windows10 running on it. Native windows10 vpn client stopped work as well with certificate authentication. Im not sure if it related somehow to upgrade to catalina or not but it was working about month ago...

I will need to check what will be proposal from catalina on the router. I would expect that if proposal changed then router will reply with “no proposal chosen” which is not the case. As I said on the router side I do not see anything suspicious or I miss it. is there any way to turn on vpn debug on catalina side? Debug on the router side is quite noisy because it is production vpn concentrator.

yep about the same I see on the cisco router side- My initial thoughts were that due to security "improvements" Catalina has some troubles with certificates/private key handling and unable to decrypt....

Not a solution just reading - Cisco AnyConnect broken because of luck of 32 bit support and other requirenments, cisco released 4.8 version as fix.

https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect48/release/notes/b_Release_Notes_AnyConnect_4_8.html?dtid=osscdc000283

This is what they said: Beginning with macOS Catalina release (10.15), the operating system will no longer support the executing of 32-bit binaries. Additionally, applications must be cryptographically notarized in order to be installed by the operating system. Cisco AnyConnect 4.8.00175 is the first version that officially supports operation on macOS Catalina and contains no 32-bit code.

Checkpoint VPN client broken as well, client will be available in December https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk163094

This is serious business impact as I see...

I really do not like this voodoo. I switched my operations to client-vpn-less methods. Can not risk to loose access to the remote equipment every time MS or Apple "improve" their systems. Normally they have to provide "White Paper" with the technical details what they are going to do, but what I see is really non professional approach. Ok I'm done with it. Thanks a lot for your help and ideas!

What I use- I have cisco routers everywhere (and in Azure too- they have CSR1000v- virtual router) and I built site2site VPNs between all these sites. I have 2 hosts on each site to which I can RDP or SSH and from that hosts I can get to the local and other sites, interconnected via site2site IPSec tunnels. This setup makes client2site vpn obsolete. These hosts used for "Supporting personnel" - regular users do not have VPN. File sharing done via "Cloud Drives". I'm network guy- do not know too much about MS apps- sorry- can not comment on that :-) We have Windows guys- they handled all these animals. I use cisco network equipment- Routers/switches/ASA-type firewalls are really stable with outstanding technical support from the company- use them from the time "before Internet" if I remember correctly- getting too old :-). Rest of the cisco products are just "Ok". I used clien2site to get to the remote equipment consoles/management- now I do it via "jump-hosts" :-)