01-17-2024 12:41 PM
Dear Experts!
I am a beginner with VPN configs. I am trying to bring a tunnel up and I've done all the configuration required on my side. After all that, it is showing many tunnels with status "ready". I don't know what the issue is!
My device is a Cisco ISR4321/K9; the peer side is a non-Cisco device.
Below is the result of # sh cry ikev2 sa
01-19-2024 09:02 AM
Add "detail" to the command, friend, and share the result.
MHM
01-17-2024 12:49 PM
Is this a route-based VPN?
Can you share the crypto session details?
MHM
01-17-2024 12:59 PM
01-17-2024 01:07 PM
I don't see anything wrong except the lifetime: one side uses 300, the other uses a much longer one.
Can you match it?
MHM
01-17-2024 01:16 PM
I have changed it many times, but still the same status!
01-17-2024 01:41 PM
deb crypto ikev2 internal
deb crypto ikev2 packet
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Process NAT discovery notify
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):No NAT found
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_INIT Event: EV_CHK_CONFIG_MODE
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_SET_POLICY
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Setting configured policies
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_CHK_AUTH4PKI
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_PKI_SESH_OPEN
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Opening a PKI session
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GEN_DH_KEY
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_NO_EVENT
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Action: Action_Null
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GEN_DH_SECRET
*Jan 17 22:33:03.484: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_NO_EVENT
*Jan 17 22:33:03.485: IKEv2-INTERNAL:(SESSION ID = 648,SA ID = 217):SM Trace-> SA: I_SPI=6CE6E3808F2D75AD R_SPI=4E54FC53C25AEFEF (I) MsgID = 1 CurState: INFO_I_WAIT Event: EV_RE_XMT
*Jan 17 22:33:03.485: IKEv2-INTERNAL:(SESSION ID = 648,SA ID = 217):SM Trace-> SA: I_SPI=6CE6E3808F2D75AD R_SPI=4E54FC53C25AEFEF (I) MsgID = 1 CurState: INFO_I_WAIT Event: unknown event
*Jan 17 22:33:03.485: IKEv2-PAK:(SESSION ID = 648,SA ID = 217):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 1, length: 72
Payload contents:
ENCR Next payload: DELETE, reserved: 0x0, length: 44
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 648,SA ID = 217):SM Trace-> SA: I_SPI=6CE6E3808F2D75AD R_SPI=4E54FC53C25AEFEF (I) MsgID = 1 CurState: INFO_I_WAIT Event: EV_NO_EVENT
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_SECRET_RESP
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Action: Action_Null
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GEN_SKEYID
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Generate skeyid
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GET_CONFIG_MODE
*Jan 17 22:33:03.487: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):No config data to send to toolkit:
*Jan 17 22:33:03.487: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_BLD_MSG
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: DELETE-REASON
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: CISCOVPN-REV-02
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Sending DRU Handshake
*Jan 17 22:33:03.487: IKEv2-INTERNAL:(221): Sending custom vendor id : CISCO-DYNAMIC-ROUTE
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: (CUSTOM)
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: (CUSTOM)
Gtel_test#
*Jan 17 22:33:03.968: IKEv2-PAK:(SESSION ID = 572,SA ID = 182):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 1, length: 72
Payload contents:
ENCR Next payload: DELETE, reserved: 0x0, length: 44
*Jan 17 22:33:03.968: IKEv2-INTERNAL:(SESSION ID = 572,SA ID = 182):SM Trace-> SA: I_SPI=9FAAF7B9595D4F3E R_SPI=E0AFC2801BC02625 (I) MsgID = 1 CurState: INFO_I_WAIT Event: EV_NO_EVENT
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: READY Event: EV_CHK_IKE_REKEY
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: READY Event: EV_REKEY_IKESA
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):Action: Action_Null
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_INIT Event: EV_REKEY_IKESA
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_REKEY_IKESA
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_GET_IKE_POLICY
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.017: IKEv2-INTERNAL:Adding Proposal PROP2 to toolkit policy
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SA ID = 184):Using IKEv2 profile 'IKEv2PROF2'
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_SET_POLICY
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):Setting configured policies
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_GEN_DH_KEY
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_NO_EVENT
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_OK_RECD_DH_PUBKEY_RESP
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):Action: Action_Null
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_BLD_MSG
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.019: IKEv2-INTERNAL:Construct Notify Payload: SET_WINDOW_SIZE
Payload contents:
SA Next payload: N, reserved: 0x0, length: 52
last proposal: 0x0, reserved: 0x0, length: 48
Proposal: 1, Protocol id: IKE, SPI size: 8, #trans: 4 last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
N Next payload: KE, reserved: 0x0, length: 36
KE Next payload: NOTIFY, reserved: 0x0, length: 140
DH group: 21, Reserved: 0x0
NOTIFY(SET_WINDOW_SIZE) Next payload: NONE, reserved: 0x0, length: 12
Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE
*Jan 17 22:33:04.020: IKEv2-PAK:(SESSION ID = 689,SA ID = 184):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: RESPONDER Message id: 0, length: 304
Payload contents:
ENCR Next payload: SA, reserved: 0x0, length: 276
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 0 CurState: CHILD_I_IKE Event: EV_INSERT_SA
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 0 CurState: CHILD_I_WAIT Event: EV_NO_EVENT
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
Gtel_test#undebug all
01-17-2024 02:06 PM
device# debug ikev2 error
Can you share this?
Thanks
01-17-2024 02:21 PM
*Jan 17 23:14:14.712: IKEv2-ERROR:(SESSION ID = 2947,SA ID = 32):: Maximum number of retransmissions reached
*Jan 17 23:14:20.394: IKEv2-ERROR:(SESSION ID = 2952,SA ID = 37):: Maximum number of retransmissions reached
*Jan 17 23:14:25.845: IKEv2-ERROR:(SESSION ID = 2953,SA ID = 38):: Maximum number of retransmissions reached
*Jan 17 23:14:28.455: IKEv2-ERROR:(SESSION ID = 2958,SA ID = 44):: Maximum number of retransmissions reached
*Jan 17 23:14:32.425: IKEv2-ERROR:(SESSION ID = 2964,SA ID = 50):: Maximum number of retransmissions reached
01-17-2024 02:25 PM
01-17-2024 02:50 PM
#sh monitor event-trace crypto ikev2 error latest
*Jan 17 23:38:29.355: SA ID:120 SESSION ID:4080 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed
*Jan 17 23:38:36.896: SA ID:273 SESSION ID:4084 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed
*Jan 17 23:38:40.300: SA ID:316 SESSION ID:4087 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed
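The two error outputs above (`debug crypto ikev2 error` and `show monitor event-trace crypto ikev2 error latest`) use different line formats, and on a busy router there are far more than five of them. The script below is an added triage example, not something from this thread or from Cisco: it parses both formats, counts failures per reason and per remote peer, and attaches a generic hint. The sample input is a copy of the lines posted above (redaction kept as-is); the hint text is my own generalisation and not a diagnosis of this specific tunnel.

```python
import re
from collections import Counter

# Sample input copied from the error outputs posted earlier in this thread
# (IP redaction kept); first the debug lines, then the event-trace records.
SAMPLE_LOG = """\
*Jan 17 23:14:14.712: IKEv2-ERROR:(SESSION ID = 2947,SA ID = 32):: Maximum number of retransmissions reached
*Jan 17 23:14:20.394: IKEv2-ERROR:(SESSION ID = 2952,SA ID = 37):: Maximum number of retransmissions reached
*Jan 17 23:14:25.845: IKEv2-ERROR:(SESSION ID = 2953,SA ID = 38):: Maximum number of retransmissions reached
*Jan 17 23:38:29.355: SA ID:120 SESSION ID:4080 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed
*Jan 17 23:38:36.896: SA ID:273 SESSION ID:4084 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed
"""

# Format 1: `debug crypto ikev2 error` console lines.
DEBUG_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): IKEv2-ERROR:"
    r"\(SESSION ID = (?P<session>\d+),\s*SA ID = (?P<sa>\d+)\):+\s*(?P<reason>.+?)\s*$"
)
# Format 2: `show monitor event-trace crypto ikev2 error` records.
TRACE_RE = re.compile(
    r"^\*?(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): SA ID:(?P<sa>\d+) SESSION ID:(?P<session>\d+)"
    r" Remote: (?P<remote>\S+) Local: (?P<local>\S+) (?P<reason>.+?)\s*$"
)
ABORT_PREFIX = "Negotiation aborted due to ERROR: "


def parse_line(line):
    """Return a record dict for an IKEv2 error line in either format, else None."""
    for source, rx in (("debug", DEBUG_RE), ("event-trace", TRACE_RE)):
        m = rx.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["source"] = source
            rec.setdefault("remote", "?")  # debug lines carry no peer address
            if rec["reason"].startswith(ABORT_PREFIX):
                rec["reason"] = rec["reason"][len(ABORT_PREFIX):]
            return rec
    return None


def summarize(log_text):
    """Count failures per reason and per remote peer; keep SA ids for follow-up."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "records": records,
        "by_reason": dict(Counter(r["reason"] for r in records)),
        "by_remote": dict(Counter(r["remote"] for r in records)),
        "sa_ids": sorted({int(r["sa"]) for r in records}),
    }


# Generic hints (my wording, not Cisco's): a retransmission limit means the
# peer never answered our last IKE message; a failed CREATE_CHILD_SA means the
# child negotiation itself was rejected. Either can occur while `show crypto
# ikev2 sa` still reports the IKE SA as READY.
HINTS = {
    "Maximum number of retransmissions reached":
        "peer did not respond: check UDP/500 (and /4500) reachability and the peer's IKE log",
    "Create child exchange failed":
        "CREATE_CHILD_SA rejected: compare ESP transform, PFS group and traffic selectors on both ends",
}


def diagnose(log_text):
    """Return (reason, count, hint) tuples, most frequent reason first."""
    by_reason = summarize(log_text)["by_reason"]
    ranked = sorted(by_reason.items(), key=lambda kv: -kv[1])
    return [(reason, n, HINTS.get(reason, "no hint")) for reason, n in ranked]


if __name__ == "__main__":
    for reason, n, hint in diagnose(SAMPLE_LOG):
        print(f"{n:>3}x {reason}: {hint}")
```

Feed it the full output of both commands (or a syslog export) and look at `by_remote`: if the retransmission errors cluster on one peer while others negotiate fine, the problem is reachability to that peer rather than a global policy mismatch.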
01-17-2024 02:58 PM
So did we solve this first error message?
If yes,
can you share the phase II config and transform set? I think there is a mismatch NOW.
MHM
01-17-2024 03:09 PM
#sh run | sec crypto
crypto ipsec transform-set XXX esp-3des esp-sha256-hmac
mode tunnel
# interested traffic #
1312 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
1313 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
no crypto ipsec nat-transparency udp-encapsulation
crypto map CMAP 20 ipsec-isakmp
set peer X.X.1.132
set transform-set XXX
set pfs group21
set ikev2-profile IKEv2PROF2
interface g0/0/1
match address 102
01-17-2024 03:27 PM - edited 01-17-2024 03:30 PM
set pfs group21 <<- most likely PFS is the issue here; can you change the group?
1312 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
1313 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
I will assume that the peer server IP is different.
MHM
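Why a PFS group disagreement shows up as "Create child exchange failed" while `show crypto ikev2 sa` still says READY is easier to see in a model of the responder's proposal selection. The Python below is an added example written for this page, not code from the thread, from Cisco, or from the peer vendor: it implements a simplified version of the RFC 7296 rules (sections 2.7 and 3.3) for answering a CREATE_CHILD_SA request. `LOCAL` mirrors the posted crypto map (esp-3des esp-sha256-hmac, pfs group21); the peer policies (`peer_policy`, group 14, no PFS) are assumptions used to show the outcomes, since the thread never states what the non-Cisco side is configured with.

```python
# Transform types from RFC 7296 section 3.3.2 (ESN is mandatory in ESP proposals).
ENCR, PRF, INTEG, DH, ESN = "ENCR", "PRF", "INTEG", "DH", "ESN"


def select_proposal(initiator_proposals, responder_policy):
    """Simplified responder-side proposal selection (RFC 7296 sections 2.7 and 3.3).

    Proposals are walked in order. One is acceptable only if it is for the same
    protocol, carries exactly the transform types the responder's policy has
    (a DH transform present on one side and absent on the other is a PFS
    mismatch) and, for every type, at least one offered transform is allowed.
    Returns (proposal number, chosen transforms) or None (NO_PROPOSAL_CHOSEN).
    """
    for number, proposal in enumerate(initiator_proposals, start=1):
        if proposal["protocol"] != responder_policy["protocol"]:
            continue
        offered_types = proposal["transforms"]
        allowed_types = responder_policy["transforms"]
        if set(offered_types) != set(allowed_types):
            continue
        chosen = {}
        for ttype, offered in offered_types.items():
            match = next((t for t in offered if t in allowed_types[ttype]), None)
            if match is None:
                break
            chosen[ttype] = match
        else:
            return number, chosen
    return None


def create_child_sa(initiator, responder_policy):
    """Model the responder's answer to a CREATE_CHILD_SA request.

    Returns one of:
      ("OK", chosen transforms)
      ("NO_PROPOSAL_CHOSEN", None)     no proposal matched the policy
      ("INVALID_KE_PAYLOAD", group)    proposal matched, but the KE payload was
                                       built for another DH group; the responder
                                       names the group it wants (RFC 7296 1.3)
    None of these outcomes deletes the parent IKE SA, which is why the IKE SA
    can sit in READY while no IPsec (child) SA ever comes up.
    """
    selection = select_proposal(initiator["proposals"], responder_policy)
    if selection is None:
        return "NO_PROPOSAL_CHOSEN", None
    _, chosen = selection
    if DH in chosen and initiator.get("ke_group") != chosen[DH]:
        return "INVALID_KE_PAYLOAD", chosen[DH]
    return "OK", chosen


# Local side as posted in the thread: esp-3des esp-sha256-hmac, set pfs group21.
LOCAL = {
    "proposals": [{
        "protocol": "ESP",
        "transforms": {ENCR: ["3DES"], INTEG: ["HMAC_SHA2_256_128"],
                       DH: [21], ESN: ["NO_ESN"]},
    }],
    "ke_group": 21,
}


def peer_policy(dh_groups):
    """Assumed peer ESP policy (not from the thread); only the PFS groups vary."""
    transforms = {ENCR: ["3DES"], INTEG: ["HMAC_SHA2_256_128"], ESN: ["NO_ESN"]}
    if dh_groups:
        transforms[DH] = list(dh_groups)
    return {"protocol": "ESP", "transforms": transforms}


PEER_GROUP14 = peer_policy([14])   # PFS required, but a different group
PEER_NO_PFS = peer_policy([])      # PFS disabled on the peer
PEER_GROUP21 = peer_policy([21])   # matches the Cisco side
PEER_BOTH = peer_policy([14, 21])

if __name__ == "__main__":
    for name, policy in [("group14", PEER_GROUP14), ("no-pfs", PEER_NO_PFS),
                         ("group21", PEER_GROUP21)]:
        print(name, create_child_sa(LOCAL, policy))
    # Proposal names group 21, but the KE payload was built for group 14:
    print("wrong-KE", create_child_sa(dict(LOCAL, ke_group=14), PEER_BOTH))
```

The practical check this suggests: compare `set pfs` (or its absence) and the DH group on both ends first, because both "peer wants no PFS" and "peer wants another group" fail the child exchange in the same way, and a real responder only tells you NO_PROPOSAL_CHOSEN.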
01-17-2024 03:36 PM
Let's say we need a server in my company to reach two servers inside the ISP's company for some reason. However, the peer IP is the gateway and I can ping it, but the server IPs are inside their company, behind the peer X.X.1.132.
01-17-2024 10:03 PM
Sorry, I don't get your last reply.
Can you elaborate more?
Thanks
MHM