topic GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo Alto in Network Security

GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo Alto

mkrishnan — Thu, 14 Dec 2023 21:49:57 GMT

Platform

My end : Cisco ASR1001

Far end : Palo Alto

I am trying to establish GRE over IPSEC tunnel with a customer using Palo Alto which fails when Palo Alto tries to initiate (role initiator) and Asr1001 is the responder. When the roles are switched (that is every time the tunnel goes down , the tunnel negotiation is initiated by tunnel reset at ASR1001) then tunnel comes up. Appreciate any help, Thank you

Debug logs shows:

Cisco end:

Nov 29 17:44:27.250: IKEv2:(SESSION ID = 64303,SA ID = 2):IPSec policy validate request sent for profile Paradise with psh index 2.

Nov 29 17:44:27.250: IKEv2:(SESSION ID = 64303,SA ID = 2):

Nov 29 17:44:27.254: IKEv2:(SESSION ID = 64303,SA ID = 2):(SA ID = 2):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.

Nov 29 17:44:27.255: IKEv2-ERROR:(SESSION ID = 64303,SA ID = 2):: There was no IPSEC policy found for received TSNov 29 17:44:27.255: IKEv2:(SESSION ID = 64303,SA ID = 2):Sending TS unacceptable notify

Palo Alto end:

023-12-06 15:16:58.127 -0400 [DEBG]: processing isakmp packet
2023-12-06 15:16:58.127 -0400 [DEBG]: ===
2023-12-06 15:16:58.127 -0400 [DEBG]: 137 bytes message received from 216.16X.XXX.5X
2023-12-06 15:16:58.127 -0400 [DEBG]: { 5: }: [IKE Initiator] response message_id 1 expected 1
2023-12-06 15:16:58.128 -0400 [PWRN]: { 5: }: 69.17.1xx.x0[500] - 216.16X.XXX.5X[500]:0x5607e608e760 vendor id payload ignored
2023-12-06 15:16:58.128 -0400 [PWRN]: { 5: }: 69.17.194.x0[500] - 216.16X.XXX.5X[500]:0x5607e608e760 received notify type NO_PROPOSAL_CHOSEN
2023-12-06 15:16:58.128 -0400 [INFO]: { 5: }: 69.1X.XXX.XX[500] - 216.16X.XXX.5X[500]:0x7fcbf4037610 authentication result: success
2023-12-06 15:16:58.128 -0400 [DEBG]: { 5: }: update response message_id 0x1
2023-12-06 15:16:58.128 -0400 [DEBG]: { 5: }: ikev2_process_child_notify(0x7fcbf4025018, 0x7fcc112a18b0), notify type NO_PROPOSAL_CHOSEN
2023-12-06 15:16:58.128 -0400 [PWRN]: { 5: }: 14 is not a child notify type
2023-12-06 15:16:58.128 -0400 [PERR]: { 5: }: 69.1X.XXX.XX[500] - 216.16X.XXX.5X[500]:0x7fcbf4037610 received Notify type NO_PROPOSAL_CHOSEN, failed establishing child_sa
2023-12-06 15:16:58.128 -0400 [PNTF]: { 5: }: ====> IKEv2 CHILD SA NEGOTIATION FAILED AS INITIATOR, non-rekey; gateway ike-vpn-fw02-ibasis-sig <====
====> Failed SA: 69.1X.XXX.XX[500]-216.16X.XXX.5X[500] message id:0x00000001 parent SN:2494 <==== Error code 19
2023-12-06 15:16:58.128 -0400 [DEBG]: { 5: }: SA established: state INI_IKE_AUTH_RCVD, caller initiator_ike_sa_auth_cont, attach 1
2023-12-06 15:16:58.128 -0400 [PNTF]: { 5: }: ====> IKEv2 IKE SA NEGOTIATION SUCCEEDED AS INITIATOR, non-rekey; gateway ike-vpn-fw02-ibasis-sig <====
====> Established SA: 69.1X.XXX.XX[500]-216.16X.XXX.5X[500] SPI:8dc026cee9b9e51d:5f7739109410fcd4 SN:2494 lifetime 86400 Sec <====

Attached config for Cisco ASR and palto Alto

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

Rob Ingram — Fri, 15 Dec 2023 08:08:41 GMT

@mkrishnan PFS is enabled on the ASR (group 19), but is PFS group 19 also enabled on the Palo Alto side?

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

MHM Cisco World — Fri, 15 Dec 2023 08:15:15 GMT

Can I see config of ASR1k?

Also there is mode ipv4 why you need to use gre over ipsec?

MHM

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

Marius Gunnerud — Fri, 15 Dec 2023 08:25:51 GMT

It is difficult to determine what the issue is with the limited information here. But from the error message it looks like the ASR is complaining about the encryption domain / traffic selector (TS) when the Palo Alto initiates the connection. Did you previously have this set up as a crypto map policy?

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

mkrishnan — Fri, 15 Dec 2023 15:18:25 GMT

Thank you for the response.

Yes sorry I attached VTI setup instead of GREoIPSEC , and forgot to mention, in VTI setup tunnels comes up with out any issues even when peer roles are switched

ASR1K cnfig:

interface Tunnel203
description Parad-Voice
vrf forwarding IBASIS-PUBLIC
ip address xxx.xxx.172.158 255.255.255.254
tunnel source xxx.xxx.184.22
tunnel destination xx.xx.194.66
tunnel protection ipsec profile Parad
end

IPSEC profile Parad
IKEv2 Profile: Parad
Security association lifetime: 4608000 kilobytes/28800 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group19
Mixed-mode : Disabled
Transform sets={
Paradise: { esp-gcm } ,
}
IKEv2 profile: Parad
Ref Count: 5
Match criteria:
Fvrf: global
Local address/interface: none
Identities:
address xx.xx.194.66 255.255.255.255
Certificate maps: none
Local identity: address xxx.xxx.184.22
Remote identity: none
Local authentication method: pre-share
Remote authentication method(s): pre-share
EAP options: none
Keyring: Paradise
Trustpoint(s): none
Lifetime: 86400 seconds
DPD: disabled
NAT-keepalive: disabled
Ivrf: IBASIS-PUBLIC
Virtual-template: none
mode auto: none
AAA AnyConnect EAP authentication mlist: none
AAA EAP authentication mlist: none
AAA Accounting: none
AAA group authorization: none
AAA user authorization: none
PPK Dynamic: 0 PPK Required : 0 PPK Instance ID:

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

mkrishnan — Fri, 15 Dec 2023 15:23:46 GMT

Thanks for the response.

From the original setup , its always GREoIPSEC until I decided to test with VTI, there was no encryption domains involved as we run BGP over this tunnel for exchanging prefixes

Thats where I am not sure, when ASR1K initiate the tunnel negotiations, the tunnel comes up but when Palo Alto initiates in the messages its sending TS for validation which is non-existent in the ipsec policy ASR1K end , hence it fails with TS unacceptable

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

mkrishnan — Fri, 15 Dec 2023 15:25:49 GMT

Thanks for the response.

Yes PFS is enabled both ends with same group

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

MHM Cisco World — Fri, 15 Dec 2023 15:40:12 GMT

Hello friend

I was want to see config policy key profile of ikev2

Until that time

Remote identity: none

Are you dont use any remote identity for ikev2 profile?

That explain why when palo initiate the traffic there is no response from ASR

MHM

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

mkrishnan — Fri, 15 Dec 2023 15:47:20 GMT

In IKEV2 profile, ASR1K doesn't give the option to add remote identity only local identity while allows matching identity for remote as below:

M077-C1001-1(config-ikev2-profile)#identity ?
local Specify the local IKE identity to use for the negotiation

M077-C1001-1(config-ikev2-profile)#match identity ?
remote Remote identity

IKEv2 profile commands:
aaa Specify AAA related configs
anyconnect Enable profile for anyconnect profile download
authentication Set authentication method
config-exchange config-exchange options
description Specify a description of this profile
dpd Enable IKE liveness check for peers
dynamic Indicates the IKEv2 profile settings are dynamic
exit Exit from crypto ikev2 profile sub mode
identity Specify IKE identity to use ---> local
initial-contact initial-contact processing options
ivrf I-VRF of the profile
keyring Specify keyring to use
lifetime Set lifetime for ISAKMP security association
match Match values of peer -- -> remote
nat NAT-transparency
no Negate a command or set its defaults
pki Specify certificate authorities to trust
ppk Post Quantum Key server instance ID
reconnect Enable profile for auto re-connect
redirect IKEv2 Redirect Mechanism for load-balancing
shutdown shutdown the IKEv2 profile
virtual-template Specify the virtual-template for dynamic interface creation.

Thanks

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

MHM Cisco World — Fri, 15 Dec 2023 16:00:49 GMT

M077-C1001-1(config-ikev2-profile)#match identity ?
remote Remote identity

Yes set remote identity using public IP of tunnel destiantion.

MHM

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

mkrishnan — Fri, 15 Dec 2023 16:06:49 GMT

yes its already there in the config

identities:
address xx.xx.194.66 255.255.255.255 -- this is the remote identity

in the profile that that you are seeing just remote identity in the available commands

Local identity: address xxx.xxx.184.22
Remote identity: none --- this is not available under

M077-C1001-1(config-ikev2-profile)#identity ?
local Specify the local IKE identity to use for the negotiation (no option to choose remote here only local)

While match identity allows remote identity to be configured

M077-C1001-1(config-ikev2-profile)#match identity ?
remote Remote identity

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

MHM Cisco World — Fri, 15 Dec 2023 16:18:21 GMT

Identity for yout ASR

Match identity remote for Palo

Use match identity under profile

MHM

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

mkrishnan — Fri, 15 Dec 2023 16:24:26 GMT

Not sure I understand you correctly, I already did that Profile has the remote identity under identities

identities:
address xx.xx.194.66 255.255.255.255 -- this is the remote identity (this is Palo Alto)

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

MHM Cisco World — Fri, 15 Dec 2023 16:35:12 GMT

friend the identity is used for your LOACL
match identity is used for Peer
NOTE:- if you config misconfig Palo IP with identity command remove it

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

mkrishnan — Fri, 15 Dec 2023 16:46:51 GMT

Thanks for the explanation but it seems I configured local and remote identities correctly

M077-C1001-1(config-ikev2-profile)#identity local add
M077-C1001-1(config-ikev2-profile)#identity local address xxx.xxx.187.52 -- ASR1K end

M077-C1001-1(config-ikev2-profile)#match identity remote address xx.xx.194.70 255.255.255.255 -- palo alto
% Already found same 'match identity' statement in this profile

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

MHM Cisco World — Fri, 15 Dec 2023 16:50:46 GMT

That why I ask you are you use palo in identity command (not match identity)?

You can see in your debug the profile and policy not match.

Can you copy paste the command (show run) and hide the public IP.

Let me check all

Thanks

MHM

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

mkrishnan — Fri, 15 Dec 2023 17:01:12 GMT

crypto ikev2 profile Parad
match identity remote address xx.xx.194.70 255.255.255.255
identity local address xxx.xxx.187.52
authentication remote pre-share
authentication local pre-share
keyring local Parad
ivrf IBASIS-PUBLIC
!

crypto ipsec profile Parad
set security-association lifetime seconds 28800
set transform-set Parad
set pfs group14
set ikev2-profile Parad
reverse-route static
!

crypto ipsec transform-set Parad esp-gcm
mode tunnel

Thanks

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

MHM Cisco World — Fri, 15 Dec 2023 17:18:29 GMT

That all config there is no config of policy?

Also tunnel use ivrf IBASIS-PUBLIC

There is no fvrf so

keyring local Parad <- this must without any fvrf
ivrf IBASIS-PUBLIC <- this ivrf is correct but I never see anyone use it under ikev2 profile' remove it and try

MHM

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

mkrishnan — Fri, 15 Dec 2023 17:33:22 GMT

crypto ikev2 proposal Parad
encryption aes-gcm-128
prf sha256
group 14

crypto ikev2 policy POLICY1
proposal PROPOSAL1
proposal Parad
proposal
proposal

keyring local Parad <- this must without any fvrf

As per debug, psk is shared and authentication is successful , so this has no effect on the issue being reported by ASR1K
ivrf IBASIS-PUBLIC <- this ivrf is correct but I never see anyone use it under ikev2 profile' remove it and try

Again ,ivrf has no bearing on the issue being reported by ASR1K as this is for our internal routing back to our end device

I am more curious to understand , why ASR1K is getting TS in the messages from Palo Alto when there is no encryption domain/ACL are defined on both ends to validate the interesting traffic as GREoIPSEC is not configured the way IPSEC tunnels are setup (crypto iskamp)

Similarly when ASR1K is initiating , this TS issue is no longer there the tunnel is established ( what is influencing roles Initiator/responder) so this makes me think when ASR1K initiates its not sending any TS messages to be validated by PALO ALTO and tunnel is established

Re: GRE over IPSEC-Sending TS unacceptable notify-Cisco ASR1001-Palo A

MHM Cisco World — Sat, 16 Dec 2023 08:04:46 GMT

Hi friend
I try lab config (with out iVRF) and face issue the IKEv2 GREoIPSec not work at all
show crypto ipsec sa
show error pkt count increase when I ping from LAN to LAN over tunnel
I think you face same issue
and then clear all config and add it again and it work (same config)
so what maybe cause this issue
1- you run crypto map under the tunnel interface, I read in cisco guide the IOS XE face issue if tunnel source use crypto map and tunnel use crypto profile
2- you use VTI and then change to GREoIPSec using same tunnel config.

how I troubleshooting my lab
show crypto ike2 profile (same as your there is no remote identity !!)
show crypto ike2 session (this include more info that show crypto ikev2 sa)
show crypto ipsec sa

crypto ikev2 proposal prop
encryption 3des
integrity md5
group 14
!
crypto ikev2 policy pol
match address local 100.0.0.1
proposal prop
!
crypto ikev2 keyring key
peer R2
address 100.0.0.2
pre-shared-key mhm
!
!
!
crypto ikev2 profile prof
match identity remote address 100.0.0.2 255.255.255.255
identity local address 100.0.0.1
authentication remote pre-share
authentication local pre-share
keyring local key
dpd 10 2 periodic
!
!
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
crypto ipsec profile MHM
set transform-set mhm
set ikev2-profile prof
!
!
!
!
!
!
!
interface Tunnel0
ip address 5.0.0.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.2
tunnel protection ipsec profile MHM

crypto ikev2 proposal prop
encryption 3des
integrity md5
group 14
!
crypto ikev2 policy pol
match address local 100.0.0.2
proposal prop
!
crypto ikev2 keyring key
peer R1
address 100.0.0.1
pre-shared-key mhm
!
!
!
crypto ikev2 profile prof
match identity remote address 100.0.0.1 255.255.255.255
identity local address 100.0.0.2
authentication remote pre-share
authentication local pre-share
keyring local key
dpd 10 2 periodic
!
!
!
crypto ipsec transform-set mhm esp-des
mode tunnel
!
crypto ipsec profile MHM
set transform-set mhm
set ikev2-profile prof
!
!
!
!
!
!
!
interface Tunnel0
ip address 5.0.0.2 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 100.0.0.1
tunnel protection ipsec profile MHM