08-06-2024 09:05 AM
Hi Team:
I am having a hard time understanding what went wrong. The site-to-site was working, but I noticed the output below:
FAB#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 160.238.160.18/500 200.32.190.146/500 none/none IN-NEG
Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
IPv6 Crypto IKEv2 SA
It was in a ready status before and working, but now it does not want to establish.
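As an added example (not from the thread or from Cisco): a small Python parser for the show crypto ikev2 sa output above that flags an SA stuck in IN-NEG with no negotiated proposal; the READY sample used for contrast is constructed, not taken from the post.

```python
import re
# Sample output copied from the post above (the stuck SA) plus a constructed
# healthy SA for contrast; the second block is not from the thread.
SAMPLE_STUCK = """\
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 160.238.160.18/500 200.32.190.146/500 none/none IN-NEG
Encr: Unknown - 0, PRF: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
IPv6 Crypto IKEv2 SA
"""
SAMPLE_READY = """\
1 160.238.160.18/500 200.32.190.146/500 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1234 sec
"""
SA_RE = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\S+)\s+(\S+)$")
ALG_RE = re.compile(r"(Encr|PRF|Hash|DH Grp|Auth sign|Auth verify):\s*([^,]+)")
LIFE_RE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)")

def parse_ikev2_sa(text):
    # One dict per SA: the table row, then the algorithm and lifetime lines under it.
    sas, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SA_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "local": m.group(2), "remote": m.group(4),
                   "status": m.group(8), "algs": {}, "active": None}
            sas.append(cur)
        elif cur is not None:
            for k, v in ALG_RE.findall(line):
                cur["algs"][k] = v.strip()
            m = LIFE_RE.search(line)
            if m:
                cur["active"] = int(m.group(2))
    return sas

def diagnose(sa):
    # Reasons the SA is unhealthy; an empty list means it looks fine.
    issues = []
    if sa["status"] != "READY":
        issues.append(f"status {sa['status']} instead of READY")
    # 'Hash: None' by itself is normal for AEAD ciphers such as AES-GCM, so only
    # 'Unknown' algorithms and DH group 0 count as a proposal that never matched.
    bad = [k for k, v in sa["algs"].items()
           if v.startswith("Unknown") or (k == "DH Grp" and v == "0")]
    if bad:
        issues.append("no negotiated proposal: " + ", ".join(bad))
    if sa["active"] == 0:
        issues.append("SA has never been active")
    return issues
```

Running diagnose over the stuck SA reports all three problems, while the constructed READY SA reports none even though its Hash field is also None.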
08-09-2024 07:05 AM
@MHM Cisco World, are you talking about the firewall side for the lifetime bytes? And yes, I am using aes-gcm on both sides.
08-09-2024 07:09 AM
Yes, firewall side. Why did you set the lifetime in bytes?
And for the second Q, can you change the SA for testing only?
Not all routers support aes-gcm, and some support it without hash.
So change the SA to a different one and try again to ping from the router to the FTD (LAN to LAN).
MHM
08-09-2024 07:13 AM
I will change the SA side right now. And for the lifetime in bytes, is that the default? Should I leave it blank? What does that do, if I may ask?
08-09-2024 07:21 AM
Yes, please use blank.
MHM
08-09-2024 07:25 AM
Are these the same as just AES? aes-192, aes-256
aes-cbc-128 AES-CBC-128
aes-cbc-192 AES-CBC-192
aes-cbc-256 AES-CBC-256
08-09-2024 07:59 AM
Yes, you are correct.
MHM
08-09-2024 02:14 PM
I did the changes, but still nothing.
FABSPLRT#ping 192.168.1.251 source vlan20
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.251, timeout is 2 seconds:
Packet sent with a source address of 10.20.20.1
...
*Aug 9 21:12:30.369: IKEv2-PAK:(SESSION ID = 101,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1926, length: 80
Payload contents:
*Aug 9 21:12:30.370: IKEv2-PAK:(SESSION ID = 101,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 1926, length: 80
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 52
..
Success rate is 0 percent (0/5)
FABSPLRT#
*Aug 9 21:12:40.369: IKEv2-PAK:(SESSION ID = 101,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1927, length: 80
Payload contents:
*Aug 9 21:12:40.370: IKEv2-PAK:(SESSION ID = 101,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 1927, length: 80
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 52
*Aug 9 21:12:50.369: IKEv2-PAK:(SESSION ID = 101,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: INITIATOR Message id: 1928, length: 80
Payload contents:
*Aug 9 21:12:50.370: IKEv2-PAK:(SESSION ID = 101,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE Message id: 1928, length: 80
Payload contents:
ENCR Next payload: NONE, reserved: 0x0, length: 52
08-09-2024 02:18 PM
This is the output from debug crypto ikev2:
FABSPLRT#
FABSPLRT#
*Aug 9 21:16:00.369: IKEv2:(SESSION ID = 101,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 47DA3CE054C5B90D - Responder SPI : 253F32CFCCA3F92F Message id: 1947
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
*Aug 9 21:16:00.369: IKEv2:(SESSION ID = 101,SA ID = 1):Received DPD/liveness query
*Aug 9 21:16:00.369: IKEv2:(SESSION ID = 101,SA ID = 1):Building packet for encryption.
*Aug 9 21:16:00.370: IKEv2:(SESSION ID = 101,SA ID = 1):Sending ACK to informational exchange
*Aug 9 21:16:00.370: IKEv2:(SESSION ID = 101,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 47DA3CE054C5B90D - Responder SPI : 253F32CFCCA3F92F Message id: 1947
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
*Aug 9 21:16:10.369: IKEv2:(SESSION ID = 101,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 47DA3CE054C5B90D - Responder SPI : 253F32CFCCA3F92F Message id: 1948
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
*Aug 9 21:16:10.369: IKEv2:(SESSION ID = 101,SA ID = 1):Received DPD/liveness query
*Aug 9 21:16:10.369: IKEv2:(SESSION ID = 101,SA ID = 1):Building packet for encryption.
*Aug 9 21:16:10.370: IKEv2:(SESSION ID = 101,SA ID = 1):Sending ACK to informational exchange
*Aug 9 21:16:10.370: IKEv2:(SESSION ID = 101,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 47DA3CE054C5B90D - Responder SPI : 253F32CFCCA3F92F Message id: 1948
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
*Aug 9 21:16:20.369: IKEv2:(SESSION ID = 101,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 47DA3CE054C5B90D - Responder SPI : 253F32CFCCA3F92F Message id: 1949
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
*Aug 9 21:16:20.369: IKEv2:(SESSION ID = 101,SA ID = 1):Received DPD/liveness query
*Aug 9 21:16:20.370: IKEv2:(SESSION ID = 101,SA ID = 1):Building packet for encryption.
*Aug 9 21:16:20.370: IKEv2:(SESSION ID = 101,SA ID = 1):Sending ACK to informational exchange
*Aug 9 21:16:20.370: IKEv2:(SESSION ID = 101,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 47DA3CE054C5B90D - Responder SPI : 253F32CFCCA3F92F Message id: 1949
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR
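Added example, not part of the thread: a Python summary of the debug crypto ikev2 lines above that counts exchange types and DPD queries and ACKs per peer and suggests where to look next. The non-INFORMATIONAL exchange names and the triage rules are assumptions about typical IOS debug output, not something the post confirms.

```python
import re
from collections import Counter

# Constructed sample: one DPD round copied from the 'debug crypto ikev2' output posted above.
DEBUG_LOG = """\
*Aug 9 21:16:00.369: IKEv2:(SESSION ID = 101,SA ID = 1):Received Packet [From 200.32.233.146:500/To 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 47DA3CE054C5B90D - Responder SPI : 253F32CFCCA3F92F Message id: 1947
IKEv2 INFORMATIONAL Exchange REQUEST
*Aug 9 21:16:00.369: IKEv2:(SESSION ID = 101,SA ID = 1):Received DPD/liveness query
*Aug 9 21:16:00.370: IKEv2:(SESSION ID = 101,SA ID = 1):Sending ACK to informational exchange
*Aug 9 21:16:00.370: IKEv2:(SESSION ID = 101,SA ID = 1):Sending Packet [To 200.32.233.146:500/From 160.238.137.18:500/VRF i0:f0]
Initiator SPI : 47DA3CE054C5B90D - Responder SPI : 253F32CFCCA3F92F Message id: 1947
IKEv2 INFORMATIONAL Exchange RESPONSE
"""

EXCH_RE = re.compile(r"IKEv2 (\S+) Exchange (REQUEST|RESPONSE)")
PEER_RE = re.compile(r"Packet \[(?:From|To) ([\d.]+):(\d+)/")  # first address is always the peer
SPI_RE = re.compile(r"Initiator SPI : ([0-9A-F]+) - Responder SPI : ([0-9A-F]+) Message id: (\d+)")

def summarize_ikev2_debug(text):
    s = {"exchanges": Counter(), "dpd_queries": 0, "dpd_acks": 0, "peers": set(), "spis": set()}
    for line in text.splitlines():
        m = EXCH_RE.search(line)
        if m:
            s["exchanges"][(m.group(1), m.group(2))] += 1
        if "Received DPD/liveness query" in line:
            s["dpd_queries"] += 1
        if "Sending ACK to informational exchange" in line:
            s["dpd_acks"] += 1
        m = PEER_RE.search(line)
        if m:
            s["peers"].add(m.group(1))
        m = SPI_RE.search(line)
        if m:
            s["spis"].add((m.group(1), m.group(2)))
    return s

def triage(s):
    # Heuristic mapping from what the log shows to the next thing to check (assumption, not a verdict).
    kinds = {k for k, _ in s["exchanges"]}
    if not kinds:
        return "no IKEv2 exchanges in this window: check that the debug is on and traffic matches the crypto ACL"
    if kinds <= {"INFORMATIONAL"} and s["dpd_queries"] and s["dpd_queries"] == s["dpd_acks"]:
        return ("IKE SA is up and answering DPD, no child SA negotiation seen: "
                "check IPsec SAs, crypto ACL / interesting traffic and routing")
    if "IKE_SA_INIT" in kinds or "IKE_AUTH" in kinds:
        return "IKE SA being (re)negotiated: check proposals and authentication"
    return "other exchanges seen: " + ", ".join(sorted(kinds))
```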
08-11-2024 08:33 AM
In the router:
Show crypto session
Show crypto ikev2 detail
Show crypto ipsec sa
Do this twice, before the ping and after the ping.
Share the output as a text file and let me check.
Thanks
MHM
08-11-2024 12:56 PM
Please follow this as a sample:
This is with certs, but almost 99% applies to you, except for using a pre-shared key.
Run the debugs and get the output, and we can see what is failing and help you.
Attach the latest relevant configs.