12-15-2018 08:34 AM - edited 03-03-2019 08:57 AM
Hi,
I'm trying to configure GETVPN w/ IKEv2 instead of gdoi, but IKE is stuck in IN-NEG and then fails after a while. The debug output doesn't give me much to work with, and neither does "the internet". Has anyone here hit the same issue or know what I'm doing wrong?
I'm using ISR4K on both KS and GM.
On the KS side, show crypto ikev2 sa detailed looks OK.
On the GM side, show crypto ikev2 sa detailed gives this output:
----- Auth sign: PSK, Auth verify: Unknown - 0
----- Remote id:
Routing is OK.
Here are some relevant configurations:
-----------------------------------------------------------
KS
!
crypto ikev2 keyring IKEv2
 peer ks
  address 172.26.0.0 255.255.0.0
  pre-shared-key local labb
  pre-shared-key remote labb
!
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 20
!
crypto ikev2 policy IKEv2-POLICY
 proposal IKEv2-PROPOSAL
!
crypto ikev2 profile IKEv2-PROFILE
 match identity remote any
 identity local email ks@rsv.se
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2
 dpd 30 3 on-demand
!
!
crypto ipsec transform-set TEK esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TEK
 set ikev2-profile IKEv2-PROFILE
!
!
crypto gkm group SKV-KLIENT-PROD
 identity number 1
 server local
  no gdoi
  gikev2 IKEv2-PROFILE
  rekey algorithm aes 256
  rekey sig-hash algorithm sha512
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa GETVPNKEY
  rekey transport unicast
  sa ipsec 1
   profile IPSEC-PROFILE
   match address ipv4 skv-klient-prod
   no replay
  address ipv4 172.26.0.252
!
interface Loopback0
 ip address 172.26.0.252 255.255.255.255
!
ip access-list extended skv-klient-prod
 deny ip 172.27.4.0 0.0.3.255 any
 deny ip any 172.27.4.0 0.0.3.255
 permit ip any any
!
---------------------------------------------------------
GM
!
ip vrf skv-klient-prod
 rd 50000:1
!
!
crypto ikev2 keyring IKEv2
 peer ks
  address 172.26.0.0 255.255.0.0
  pre-shared-key local labb
  pre-shared-key remote labb
!
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 20
!
crypto ikev2 policy IKEv2-POLICY
 proposal IKEv2-PROPOSAL
!
crypto ikev2 profile IKEv2-PROFILE
 match identity remote any
 identity local email gm@rsv.se
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2
 dpd 30 3 on-demand
!
!
crypto ipsec transform-set TEK esp-aes 256 esp-sha512-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set TEK
 set ikev2-profile IKEv2-PROFILE
!
!
crypto gkm group SKV-KLIENT-PROD
 identity number 1
 server address ipv4 172.26.0.252
 client protocol gikev2 IKEv2-PROFILE
 client registration interface Loopback0
!
!
crypto map SKV-KLIENT-PROD-MAP 10 gdoi
 set group SKV-KLIENT-PROD
!
interface Loopback0
 description GM-registration-source
 ip address 172.26.0.2 255.255.255.255
!
interface GigabitEthernet0/0/1
 ip address 172.27.0.2 255.255.255.254
 ip access-group wan-in in
!
interface GigabitEthernet0/0/1.101
 encapsulation dot1Q 101
 ip vrf forwarding skv-klient-prod
 ip address 172.27.4.2 255.255.255.254
 no ip redirects
 no ip proxy-arp
 crypto map SKV-KLIENT-PROD-MAP
!
-------------------------------------------------------------------
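A KS and GM config pair like the one in the post can be cross-checked mechanically for the mismatches worth ruling out before chasing IKE debugs (group identity, KS address vs. the GM's server address, gdoi disabled on the KS when the GM registers with gikev2, and keyring peer entries covering the other side). This is an added example, not code from the thread or from Cisco; it assumes the configs are pasted with normal IOS indentation, and the KS_CFG/GM_CFG excerpts are constructed to mirror the values posted above.

```python
import ipaddress

# Constructed KS/GM excerpts mirroring the thread's values (only the lines checked).
KS_CFG = ("crypto ikev2 keyring IKEv2\n peer ks\n  address 172.26.0.0 255.255.0.0\n"
          "crypto gkm group SKV-KLIENT-PROD\n identity number 1\n server local\n"
          "  no gdoi\n  gikev2 IKEv2-PROFILE\n  address ipv4 172.26.0.252\n")
GM_CFG = ("crypto ikev2 keyring IKEv2\n peer ks\n  address 172.26.0.0 255.255.0.0\n"
          "crypto gkm group SKV-KLIENT-PROD\n identity number 1\n server address ipv4 172.26.0.252\n"
          " client protocol gikev2 IKEv2-PROFILE\n client registration interface Loopback0\n"
          "interface Loopback0\n ip address 172.26.0.2 255.255.255.255\n")

def parse_ios(cfg):
    """Map each unindented IOS command to its indented sub-commands (stripped)."""
    blocks, key = {}, ""
    for line in (l for l in cfg.splitlines() if l.strip() and not l.startswith("!")):
        if line.startswith(" "):
            blocks.setdefault(key, []).append(line.strip())
        else:
            key = line.strip()
            blocks[key] = []
    return blocks

def block(b, prefix):
    """Sub-commands of the first block whose command starts with prefix."""
    return next((v for k, v in b.items() if k.startswith(prefix)), [])

def arg(lines, prefix):
    """Text after prefix in the first matching sub-command, or ''."""
    return next((l[len(prefix):].strip() for l in lines if l.startswith(prefix)), "")

def keyring_covers(b, host):
    """True if an 'address A MASK' peer entry in the IKEv2 keyring contains host."""
    nets = (ipaddress.ip_network(l[8:].replace(" ", "/"), strict=False)
            for l in block(b, "crypto ikev2 keyring") if l.startswith("address "))
    return bool(host) and any(ipaddress.ip_address(host) in n for n in nets)

def check_pair(ks_cfg, gm_cfg):
    """Cross-check a KS and a GM config; an empty list means no mismatch found."""
    ks, gm = parse_ios(ks_cfg), parse_ios(gm_cfg)
    kg, gg = block(ks, "crypto gkm group"), block(gm, "crypto gkm group")
    ks_ip = arg(kg, "address ipv4")  # KS address announced under 'server local'
    reg_if = block(gm, "interface " + arg(gg, "client registration interface"))
    gm_ip = arg(reg_if, "ip address").split(" ")[0]  # GM registration source
    checks = [
        (arg(kg, "identity number") == arg(gg, "identity number"), "group identity number differs"),
        (arg(gg, "server address ipv4") == ks_ip, "GM 'server address ipv4' != KS 'address ipv4'"),
        (not arg(gg, "client protocol gikev2") or "no gdoi" in kg, "GM uses gikev2 but KS lacks 'no gdoi'"),
        (keyring_covers(gm, ks_ip), "GM keyring has no peer entry covering the KS address"),
        (keyring_covers(ks, gm_ip), "KS keyring has no peer entry covering the GM registration address"),
    ]
    return [msg for ok, msg in checks if not ok]
```

Run on the full configs, `check_pair` returns the list of mismatches it found; for the excerpts above it returns an empty list, so the problem in the post lies outside these static checks.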
12-10-2019 08:24 AM
Hi jonwoh
Did you solve your problem?
I have a similar problem with the GM not registering when using IKEv2 and the registration interface within a VRF.
With gdoi and IKEv1 it's working fine.
Kind regards
Tobias
12-10-2019 10:45 AM