02-25-2023 01:14 PM
Hello, I have working ISAKMP tunnels, and when I convert them to IKEv2 they do not come up. As soon as I configure the new IKEv2 tunnel profile on the tunnel interface, the OSPF neighborship goes down and I get the errors below. There is no issue with the ISAKMP tunnels. I have the config below on both sides.
error
*Feb 25 13:26:04.857: %OSPF-5-ADJCHG: Process 3, Nbr 10.10.10.2 on Tunnel10 from FULL to DOWN, Neighbor Down: Dead timer expired
*Feb 25 18:56:44.291: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 47
Configuration:
SiteA#
crypto ikev2 proposal prop-1
encryption aes-cbc-256
integrity sha512
group 24
crypto ikev2 policy policy-1
match fvrf DMVPN
match address local 1.1.1.1
proposal prop-1
crypto ikev2 keyring keyring-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key IKEV2@test@2023
!
crypto ikev2 profile IKEv2-Profile-1
match fvrf DMVPN
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local keyring-1
crypto ipsec transform-set transform-1 esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec profile IPSEC-Profile-1
set transform-set transform-1
set ikev2-profile IKEv2-Profile-1
interface Tunnel10
description tunnel to SiteB
bandwidth 50000
vrf forwarding PRIVATE_CORE
ip address 10.10.10.1 255.255.255.252
no ip redirects
ip mtu 1440
ip tcp adjust-mss 1400
ip ospf message-digest-key 1 md5 ospftest123
ip ospf cost 3600
tunnel source GigabitEthernet0/0/5(1.1.1.1)
tunnel destination 2.2.2.2
tunnel key 10
tunnel vrf DMVPN
tunnel protection ipsec profile IPSEC-Profile-1 shared
end
=----------------------------------------------------------
SiteB#
crypto ikev2 proposal prop-1
encryption aes-cbc-256
integrity sha512
group 24
crypto ikev2 policy policy-1
match address local 2.2.2.2
proposal prop-1
crypto ikev2 keyring keyring-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key IKEV2@test@2023
!
crypto ikev2 profile IKEv2-Profile-1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local keyring-1
crypto ipsec transform-set transform-1 esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec profile IPSEC-Profile-1
set transform-set transform-1
set ikev2-profile IKEv2-Profile-1
interface Tunnel10
description tunnel to siteA
bandwidth 50000
ip address 10.10.10.2 255.255.255.252
no ip redirects
ip mtu 1440
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1400
ip ospf message-digest-key 1 md5 ospftest123
ip ospf cost 3600
tunnel source Vlan105(2.2.2.2)
tunnel destination 1.1.1.1
tunnel key 10
tunnel protection ipsec profile IPSEC-Profile-1 shared
end
02-25-2023 01:45 PM
PRIVATE_CORE <<- try changing the match under the profile and the policy to PRIVATE_CORE.
02-25-2023 01:55 PM
Hi @MHM Cisco World, I just tried changing it for both the policy and the profile. Still the same result; not sure what's wrong. Do you want some other output to check?
02-25-2023 01:58 PM
Yes please
Show crypto ikev2
Show ipsec sa
02-25-2023 02:07 PM
Not showing any details for
SiteB#sh crypto ikev2 sa
SiteB#
For sh crypto ipsec sa it shows details for the other ISAKMP tunnel, but nothing for the IKEv2 tunnel.
02-25-2023 02:11 PM
Not sure why my IKEv2 policy shows the below:
SiteB#sh crypto ikev2 authorization policy policy-1
No authorization policy exists with name policy-1
SiteB#
02-25-2023 02:15 PM
debug crypto ikev2 packet
Please share this.
02-25-2023 02:27 PM
It only shows the below:
SiteB#debug crypto ikev2 packet
IKEv2 packet debugging is on
*Feb 25 22:40:45.382: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 47
SiteB#
SiteB#
SiteB#
*Feb 25 22:41:51.478: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 47
*Feb 25 22:42:58.862: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 47
02-25-2023 02:29 PM - edited 02-25-2023 02:30 PM
Thanks, now disable the debug; it is not needed any more.
I will run a lab using the same config you use and try troubleshooting from my side.
02-25-2023 02:32 PM
okay. Thank you @MHM Cisco World
02-25-2023 03:21 PM
crypto ikev2 profile IKEv2-Profile-1 <<- please add identity local address on both sides.
Second, match the MTU of the tunnel so OSPF runs without error.
thanks
MHM
02-25-2023 06:17 PM
I just added match address local on both routers under crypto ikev2 profile IKEv2-Profile-1. ip mtu is 1440 on both sides. Still the same result; not sure what's wrong with the IKEv2 config.
02-26-2023 12:21 AM
hostname IOU2
!
ip vrf ISP
rd 1:100
!
ip vrf ikev2
rd 1:200
!
crypto ikev2 proposal mhm
encryption 3des
integrity md5
group 5
!
crypto ikev2 policy mhm
match fvrf ISP
match address local 1.1.1.1
proposal mhm
!
crypto ikev2 keyring mhm
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key mhm
!
crypto ikev2 profile mhm-ikev2
match fvrf ISP
match identity remote address 0.0.0.0
identity local address 1.1.1.1
authentication remote pre-share
authentication local pre-share
keyring local mhm
!
crypto ipsec transform-set mhm esp-des
mode transport
!
crypto ipsec profile mhm
set transform-set mhm
set ikev2-profile mhm-ikev2
!
interface Tunnel0
ip vrf forwarding ikev2
ip address 5.0.0.1 255.255.255.0
ip mtu 1440
tunnel source Ethernet0/0
tunnel destination 2.2.2.2
tunnel key 5
tunnel vrf ISP
tunnel protection ipsec profile mhm
!
interface Ethernet0/0
ip vrf forwarding ISP
ip address 1.1.1.1 255.255.255.0
!
router ospf 5 vrf ikev2
network 5.0.0.0 0.0.0.255 area 0
!
ip route vrf ISP 0.0.0.0 0.0.0.0 1.1.1.2
hostname IOU1
!
crypto ikev2 proposal mhm
encryption 3des
integrity md5
group 5
!
crypto ikev2 policy mhm
match address local 2.2.2.2
proposal mhm
!
crypto ikev2 keyring mhm
peer any
address 0.0.0.0 0.0.0.0
pre-shared-key mhm
!
crypto ikev2 profile mhm-ikev2
match identity remote address 0.0.0.0
identity local address 2.2.2.2
authentication remote pre-share
authentication local pre-share
keyring local mhm
!
crypto ipsec transform-set mhm esp-des
mode transport
!
crypto ipsec profile mhm
set transform-set mhm
set ikev2-profile mhm-ikev2
!
interface Tunnel0
ip address 5.0.0.2 255.255.255.0
ip mtu 1440
tunnel source Ethernet0/0
tunnel destination 1.1.1.1
tunnel key 5
tunnel protection ipsec profile mhm
!
interface Ethernet0/0
ip address 2.2.2.2 255.255.255.0
!
router ospf 5
network 5.0.0.0 0.0.0.255 area 0
!
ip route 0.0.0.0 0.0.0.0 2.2.2.1
I ran the lab as you see; I used two VRFs in IOU2 with IKEv2 over VTI, and it succeeded.
So please, can you share the config of both routers (full config)?
02-26-2023 07:31 PM
Thank you @MHM Cisco World. It's weird. I will provide you my config tomorrow.
04-20-2023 12:25 PM
Hi @MHM Cisco World , Found the issue
I was using the tunnel protection ipsec profile IPSEC-Profile-1 shared command. As soon as I removed the shared keyword on both sides, it's working now. Thank you so much for your help.
thanks,
Mark
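Added example, not from the thread and not Cisco tooling: a small Python linter that encodes the checks this thread converged on, so the same mismatches can be caught before a cutover instead of after OSPF drops. It parses indented IOS-style config into blocks and reports (a) the shared keyword on tunnel protection, which removing resolved the thread, (b) an IKEv2 profile without identity local address, as MHM suggested, (c) a match fvrf in the IKEv2 profile that differs from tunnel vrf on the interface, (d) an ip mtu that differs between the two sides, and (e) a tunnel destination that is not covered by the peer policy's match address local. The two sample configs are constructed here, modelled on the SiteA/SiteB snippets above but trimmed, indented as show running-config prints them, and with SiteB's MTU deliberately set to 1400 so the MTU check fires; they are not the poster's exact output.

```python
import re
from typing import Dict, List, Optional

# Constructed sample configs (modelled on the thread's SiteA/SiteB, trimmed).
SITE_A = """\
crypto ikev2 policy policy-1
 match fvrf DMVPN
 match address local 1.1.1.1
 proposal prop-1
crypto ikev2 profile IKEv2-Profile-1
 match fvrf DMVPN
 match identity remote address 0.0.0.0
 keyring local keyring-1
crypto ipsec profile IPSEC-Profile-1
 set transform-set transform-1
 set ikev2-profile IKEv2-Profile-1
interface Tunnel10
 vrf forwarding PRIVATE_CORE
 ip address 10.10.10.1 255.255.255.252
 ip mtu 1440
 tunnel source GigabitEthernet0/0/5
 tunnel destination 2.2.2.2
 tunnel vrf DMVPN
 tunnel protection ipsec profile IPSEC-Profile-1 shared
"""

SITE_B = """\
crypto ikev2 policy policy-1
 match address local 2.2.2.2
 proposal prop-1
crypto ikev2 profile IKEv2-Profile-1
 match identity remote address 0.0.0.0
 identity local address 2.2.2.2
 keyring local keyring-1
crypto ipsec profile IPSEC-Profile-1
 set transform-set transform-1
 set ikev2-profile IKEv2-Profile-1
interface Tunnel10
 ip address 10.10.10.2 255.255.255.252
 ip mtu 1400
 tunnel source Vlan105
 tunnel destination 1.1.1.1
 tunnel protection ipsec profile IPSEC-Profile-1
"""


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split IOS-style config into {top-level line: [indented child lines]}."""
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def _child(block: List[str], prefix: str) -> Optional[str]:
    """First child command starting with prefix, or None."""
    return next((l for l in block if l.startswith(prefix)), None)


def _policy_local_addresses(blocks: Dict[str, List[str]]) -> set:
    """All 'match address local' values across crypto ikev2 policy blocks."""
    addrs = set()
    for hdr, body in blocks.items():
        if hdr.startswith("crypto ikev2 policy"):
            addrs.update(l.split()[3] for l in body if l.startswith("match address local"))
    return addrs


def lint_tunnel(blocks: Dict[str, List[str]], tunnel: str) -> List[str]:
    """Single-router checks: 'shared', identity local address, fvrf vs tunnel vrf."""
    findings: List[str] = []
    intf = blocks.get(f"interface {tunnel}", [])
    prot = _child(intf, "tunnel protection ipsec profile")
    if prot is None:
        return [f"{tunnel}: no tunnel protection configured"]
    words = prot.split()
    if "shared" in words:
        findings.append(f"{tunnel}: 'shared' on tunnel protection (removing it on both sides resolved the thread)")
    ipsec = blocks.get(f"crypto ipsec profile {words[4]}", [])
    ike_line = _child(ipsec, "set ikev2-profile")
    if ike_line is None:
        return findings + [f"{words[4]}: no IKEv2 profile bound"]
    ike_name = ike_line.split()[2]
    ike = blocks.get(f"crypto ikev2 profile {ike_name}", [])
    if _child(ike, "identity local address") is None:
        findings.append(f"{ike_name}: missing 'identity local address'")
    tvrf, fvrf = _child(intf, "tunnel vrf"), _child(ike, "match fvrf")
    tunnel_vrf = tvrf.split()[2] if tvrf else None
    match_vrf = fvrf.split()[2] if fvrf else None
    if tunnel_vrf != match_vrf:
        findings.append(f"{ike_name}: match fvrf {match_vrf} vs tunnel vrf {tunnel_vrf} on {tunnel}")
    return findings


def lint_pair(cfg_a: str, cfg_b: str, tunnel: str) -> List[str]:
    """Both single-side checks plus cross-side MTU and peer-address checks."""
    a, b = parse_blocks(cfg_a), parse_blocks(cfg_b)
    findings = [f"A: {f}" for f in lint_tunnel(a, tunnel)]
    findings += [f"B: {f}" for f in lint_tunnel(b, tunnel)]
    ia, ib = a.get(f"interface {tunnel}", []), b.get(f"interface {tunnel}", [])
    mtu_a, mtu_b = _child(ia, "ip mtu"), _child(ib, "ip mtu")
    if mtu_a != mtu_b:
        findings.append(f"{tunnel}: MTU differs ({mtu_a} vs {mtu_b})")
    for side, intf, peer in (("A", ia, b), ("B", ib, a)):
        dest = _child(intf, "tunnel destination")
        allowed = _policy_local_addresses(peer)
        if dest and allowed and dest.split()[2] not in allowed:
            findings.append(f"{side}: tunnel destination {dest.split()[2]} not in peer policy {sorted(allowed)}")
    return findings


if __name__ == "__main__":
    for line in lint_pair(SITE_A, SITE_B, "Tunnel10"):
        print(line)
```

Run it against saved show running-config output from both routers; an empty result means none of the thread's five mismatches is present, and each finding names the block to revisit.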