topic Re: Ikev2 Tunnel status " Ready " in Network Security

Ikev2 Tunnel status " Ready "

Yahya — Wed, 17 Jan 2024 20:41:44 GMT

Dear Experts!

I am beginner with vpn configs. I am trying to make tunnel up and ive done all configuration required from my side. After all, it showing many tunnels with status "ready". I dont know what is the issue!

My device is cisco ISR4321/K9 ,, peer side is none cisco device.

below resulte of # sh cry ikev2 sa

Re: Ikev2 Tunnel status " Ready "

MHM Cisco World — Wed, 17 Jan 2024 20:49:45 GMT

Is this route based vpn?

Can you share crypto session details

MHM

Show

Re: Ikev2 Tunnel status " Ready "

Yahya — Wed, 17 Jan 2024 20:59:10 GMT

1- Is this route based vpn?

DID not get your question.

2- Can you share crypto session details?

Sure

Re: Ikev2 Tunnel status " Ready "

MHM Cisco World — Wed, 17 Jan 2024 21:07:16 GMT

dont see anything wrong except the lifetime one side use 300 other use more longest
can you match it
MHM

Re: Ikev2 Tunnel status " Ready "

Yahya — Wed, 17 Jan 2024 21:16:10 GMT

I have changed it many times, but still same status!

Re: Ikev2 Tunnel status " Ready "

Yahya — Wed, 17 Jan 2024 21:41:06 GMT

deb crypto ikev2 internal

deb crypto ikev2 packet

*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Process NAT discovery notify
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):No NAT found
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_INIT Event: EV_CHK_CONFIG_MODE
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_SET_POLICY
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Setting configured policies
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_CHK_AUTH4PKI
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_PKI_SESH_OPEN
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Opening a PKI session
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GEN_DH_KEY
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_NO_EVENT
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Action: Action_Null
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GEN_DH_SECRET
*Jan 17 22:33:03.484: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_NO_EVENT
*Jan 17 22:33:03.485: IKEv2-INTERNAL:(SESSION ID = 648,SA ID = 217):SM Trace-> SA: I_SPI=6CE6E3808F2D75AD R_SPI=4E54FC53C25AEFEF (I) MsgID = 1 CurState: INFO_I_WAIT Event: EV_RE_XMT
*Jan 17 22:33:03.485: IKEv2-INTERNAL:(SESSION ID = 648,SA ID = 217):SM Trace-> SA: I_SPI=6CE6E3808F2D75AD R_SPI=4E54FC53C25AEFEF (I) MsgID = 1 CurState: INFO_I_WAIT Event: unknown event
*Jan 17 22:33:03.485: IKEv2-PAK:(SESSION ID = 648,SA ID = 217):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 1, length: 72
Payload contents:
ENCR Next payload: DELETE, reserved: 0x0, length: 44

*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 648,SA ID = 217):SM Trace-> SA: I_SPI=6CE6E3808F2D75AD R_SPI=4E54FC53C25AEFEF (I) MsgID = 1 CurState: INFO_I_WAIT Event: EV_NO_EVENT
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_SECRET_RESP
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Action: Action_Null
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GEN_SKEYID
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Generate skeyid
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GET_CONFIG_MODE
*Jan 17 22:33:03.487: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):No config data to send to toolkit:
*Jan 17 22:33:03.487: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_BLD_MSG
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: DELETE-REASON
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: CISCOVPN-REV-02
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Sending DRU Handshake
*Jan 17 22:33:03.487: IKEv2-INTERNAL:(221): Sending custom vendor id : CISCO-DYNAMIC-ROUTE
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: (CUSTOM)
*Jan 17 22:33:03.487: IKEv2-IN
Gtel_test#TERNAL:Construct Vendor Specific Payload: (CUSTOM)
*Jan 17 22:33:03.968: IKEv2-PAK:(SESSION ID = 572,SA ID = 182):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 1, length: 72
Payload contents:
ENCR Next payload: DELETE, reserved: 0x0, length: 44

*Jan 17 22:33:03.968: IKEv2-INTERNAL:(SESSION ID = 572,SA ID = 182):SM Trace-> SA: I_SPI=9FAAF7B9595D4F3E R_SPI=E0AFC2801BC02625 (I) MsgID = 1 CurState: INFO_I_WAIT Event: EV_NO_EVENT
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: READY Event: EV_CHK_IKE_REKEY
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: READY Event: EV_REKEY_IKESA
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):Action: Action_Null
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_INIT Event: EV_REKEY_IKESA
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_REKEY_IKESA
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_GET_IKE_POLICY
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.017: IKEv2-INTERNAL:Adding Proposal PROP2 to toolkit policy
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SA ID = 184):Using IKEv2 profile 'IKEv2PROF2'
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_SET_POLICY
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):Setting configured policies
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_GEN_DH_KEY
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_NO_EVENT
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_OK_RECD_DH_PUBKEY_RESP
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):Action: Action_Null
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_BLD_MSG
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.019: IKEv2-INTERNAL:Construct Notify Payload: SET_WINDOW_SIZE
Payload contents:
SA Next payload: N, reserved: 0x0, length: 52
last proposal: 0x0, reserved: 0x0, length: 48
Proposal: 1, Protocol id: IKE, SPI size: 8, #trans: 4 last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
N Next payload: KE, reserved: 0x0, length: 36
KE Next payload: NOTIFY, reserved: 0x0, length: 140
DH group: 21, Reserved: 0x0
NOTIFY(SET_WINDOW_SIZE) Next payload: NONE, reserved: 0x0, length: 12
Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE

*Jan 17 22:33:04.020: IKEv2-PAK:(SESSION ID = 689,SA ID = 184):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: RESPONDER Message id: 0, length: 304
Payload contents:
ENCR Next payload: SA, reserved: 0x0, length: 276

*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 0 CurState: CHILD_I_IKE Event: EV_INSERT_SA
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 0 CurState: CHILD_I_WAIT Event: EV_NO_EVENT
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
Gtel_test#und
Gtel_test#undebug a
Gtel_test#undebug all

Re: Ikev2 Tunnel status " Ready "

MHM Cisco World — Wed, 17 Jan 2024 22:06:41 GMT

device# debug ikev2 error

can you share this
thanks

Re: Ikev2 Tunnel status " Ready "

Yahya — Wed, 17 Jan 2024 22:21:59 GMT

*Jan 17 23:14:14.712: IKEv2-ERROR:(SESSION ID = 2947,SA ID = 32):: Maximum number of retransmissions reached
*Jan 17 23:14:20.394: IKEv2-ERROR:(SESSION ID = 2952,SA ID = 37):: Maximum number of retransmissions reached

*Jan 17 23:14:25.845: IKEv2-ERROR:(SESSION ID = 2953,SA ID = 38):: Maximum number of retransmissions reached

*Jan 17 23:14:28.455: IKEv2-ERROR:(SESSION ID = 2958,SA ID = 44):: Maximum number of retransmissions reached

*Jan 17 23:14:32.425: IKEv2-ERROR:(SESSION ID = 2964,SA ID = 50):: Maximum number of retransmissions reached

Re: Ikev2 Tunnel status " Ready "

MHM Cisco World — Wed, 17 Jan 2024 22:25:49 GMT

https://community.cisco.com/t5/vpn/crypto-ikev2-stuck-in-neg-state-maximum-number-of/td-p/4697594

check this

MHM

Re: Ikev2 Tunnel status " Ready "

Yahya — Wed, 17 Jan 2024 22:50:12 GMT

#sh monitor event-trace crypto ikev2 error latest

*Jan 17 23:38:29.355: SA ID:120 SESSION ID:4080 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed

*Jan 17 23:38:36.896: SA ID:273 SESSION ID:4084 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed

*Jan 17 23:38:40.300: SA ID:316 SESSION ID:4087 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed

Re: Ikev2 Tunnel status " Ready "

MHM Cisco World — Wed, 17 Jan 2024 22:58:54 GMT

so we solve this first error message ?
if Yes
can you share the phaseII config and transform set, I think there is mismatch NOW
MHM

Re: Ikev2 Tunnel status " Ready "

Yahya — Wed, 17 Jan 2024 23:09:09 GMT

#sh run | sec crypto

crypto ipsec transform-set XXX esp-3des esp-sha256-hmac
mode tunnel

# interested traffic #

1312 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
1313 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132

no crypto ipsec nat-transparency udp-encapsulation

crypto map CMAP 20 ipsec-isakmp
set peer X.X.1.132
set transform-set XXX
set pfs group21
set ikev2-profile IKEv2PROF2

interface g0/0/1
match address 102

Re: Ikev2 Tunnel status " Ready "

MHM Cisco World — Wed, 17 Jan 2024 23:30:02 GMT

set pfs group21 <<- mustly PFS is issue here, can you change the group

1312 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
1313 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
I will assume that peer server IP is different
MHM

Re: Ikev2 Tunnel status " Ready "

Yahya — Wed, 17 Jan 2024 23:36:25 GMT

lets say we need my server in my company to reach at the two servers inside ISP company for some reason. However, peer ip is the gateway and I can ping it, but server ips are inside company that they are behind the peer X.X.1.132

Re: Ikev2 Tunnel status " Ready "

MHM Cisco World — Thu, 18 Jan 2024 06:03:44 GMT

Sorry I dont get your last reply

Can you more elaborate

Thanks

MHM

Re: Ikev2 Tunnel status " Ready "

Yahya — Thu, 18 Jan 2024 06:28:36 GMT

Hi MHM,

Please see diagram for more details.

Thanks!

Re: Ikev2 Tunnel status " Ready "

MHM Cisco World — Thu, 18 Jan 2024 18:17:26 GMT

Re: Ikev2 Tunnel status " Ready "

Yahya — Thu, 18 Jan 2024 18:48:18 GMT

I changed acl by using remote access to router, but lost connectivity immediatley .

I will check through console soon.

Thank you..

Re: Ikev2 Tunnel status " Ready "

Yahya — Fri, 19 Jan 2024 15:19:38 GMT

Hi MHM!

thank you for your kind support, I would say we still in same issue not solved yet. But let me share you configuration of my side to be clear.

## Phase1 ##

crypto ikev2 proposal Q50

encryption 3des

integrity sha256

group 21

***

crypto ikev2 policy P50
proposal Q50

crypto ikev2 keyring Keyring

peer ISP

address X.X.1.132

pre-shared-key local XXXXXX

pre-shared-key remote XXXXXX

***

crypto ikev2 profile IKEv2PROFILE

match identity remote address X.X.1.132 255.255.255.255

authentication remote pre-share

authentication local pre-share

keyring local Keyring

***

## Phase 2 ##

crypto ipsec transform-set SETSET esp-3des esp-sha256-hmac

mode tunnel

***

## Interesting Traffic ##

ip access-list extended 102
1 permit ip host X.X.150.2 host X.X.129.59
2 permit ip host X.X.150.2 host X.X.129.200

***

no crypto ipsec nat-transparency udp-encapsulation

***

crypto map CCCC ipsec-isakmp
set peer X.X.1.132
set transform-set SETSET
set pfs group21
set ikev2-profile IKEv2PROFILE

***

interface gx/x/x

match address 102
crypto map CCCC

Re: Ikev2 Tunnel status " Ready "

MHM Cisco World — Fri, 19 Jan 2024 16:16:02 GMT

match address 102 <<- this must be under the crypto map not under the interface
MHM