08-11-2022 02:26 PM
Hello!
I’m trying to set up a VPN towards AWS, but it doesn’t work; I don’t see phase 1 being ready.
AWS has sent me logs where they say there is a problem in the proposal:
2022-08-10 07:53:48 UTC IKE_SA established between x.x.x.x and x.x.x.x
2022-08-10 07:53:48 UTC received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
2022-08-10 07:53:48 UTC configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/ECP_521/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_521/NO_EXT_SEQ
2022-08-10 07:53:48 UTC no acceptable proposal found
2022-08-10 07:53:48 UTC failed to establish CHILD_SA, keeping IKE_SA
and this is my proposal setup on the ISR4451 router side:
crypto ikev2 proposal PROPOSAL1
encryption aes-cbc-256
integrity sha256 sha384 sha512
group 21
no crypto ikev2 proposal default
I also did a crypto debug ikev2 bug, and this is the output:
Aug 11 21:15:10.122: IKEv2-ERROR:(SESSION ID = 4655,SA ID = 1):: Create child exchange failed
Aug 11 21:15:14.129: IKEv2-ERROR:(SESSION ID = 4611,SA ID = 1):
Aug 11 21:15:40.243: IKEv2-ERROR:(SESSION ID = 4598,SA ID = 1):
Aug 11 21:15:44.129: IKEv2-ERROR:(SESSION ID = 4611,SA ID = 1):
Aug 11 21:16:10.245: IKEv2-ERROR:(SESSION ID = 4598,SA ID = 1):
Aug 11 21:16:14.129: IKEv2-ERROR:(SESSION ID = 4611,SA ID = 1):
Aug 11 21:16:40.248: IKEv2-ERROR:(SESSION ID = 4598,SA ID = 1):
Aug 11 21:16:44.131: IKEv2-ERROR:(SESSION ID = 4611,SA ID = 1):
Aug 11 21:17:10.245: IKEv2-ERROR:(SESSION ID = 4598,SA ID = 1):
Aug 11 21:17:45.418: IKEv2-ERROR:(SESSION ID = 4611,SA ID = 1):
Aug 11 21:18:04.628: IKEv2-ERROR:(SESSION ID = 4656,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-CBC-256 SHA256 SHA384 SHA512 Don't use ESN
ESP: Proposal 2: AES-GCM-256 Don't use ESN
Aug 11 21:18:04.629: IKEv2-ERROR:(SESSION ID = 4656,SA ID = 1):: Failed to find a matching policy
Aug 11 21:18:11.533: IKEv2-ERROR:(SESSION ID = 4598,SA ID = 2):
Regards!
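The AWS log above is in strongSwan's proposal notation: each ESP proposal lists the encryption, integrity, DH (PFS) group and ESN alternatives, and the responder accepts a received proposal only when every transform type it cares about has a common entry. The following script is an added example for this thread (not code from Cisco, AWS or any poster): it parses the two log lines quoted in the first post, reports per transform type why the received proposal is rejected, and translates an IOS transform-set line plus `set pfs` group into the same notation so the router side can be checked against the AWS side before changing the config. The IOS keyword tables are this example's own assumption (IOS treats `esp-aes` without a size as 128-bit and, by default, does not offer ESN, which matches the "Don't use ESN" in the debug).

```python
"""Explain an IKEv2 CHILD_SA proposal mismatch from strongSwan-style responder logs.

Added example for this thread, not code from Cisco, AWS or any poster. The
proposal strings are copied from the AWS log quoted in the first post; the
Cisco keyword tables are an assumption of this example, not a vendor API.
"""

# Cisco IOS transform-set keywords -> strongSwan-style transform names
# (assumed mapping; 'esp-aes' with no key size is 128-bit on IOS).
CISCO_ESP = {
    "esp-aes": "AES_CBC_128",
    "esp-aes 192": "AES_CBC_192",
    "esp-aes 256": "AES_CBC_256",
    "esp-gcm": "AES_GCM_16_128",
    "esp-gcm 256": "AES_GCM_16_256",
    "esp-sha-hmac": "HMAC_SHA1_96",
    "esp-sha256-hmac": "HMAC_SHA2_256_128",
    "esp-sha384-hmac": "HMAC_SHA2_384_192",
    "esp-sha512-hmac": "HMAC_SHA2_512_256",
}
# 'set pfs groupN' on the IPsec profile -> IKEv2 DH group name
CISCO_PFS = {"group14": "MODP_2048", "group19": "ECP_256",
             "group20": "ECP_384", "group21": "ECP_521"}

# Log lines quoted from the AWS output in the first post
RECEIVED_LINE = "2022-08-10 07:53:48 UTC received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ"
CONFIGURED_LINE = ("2022-08-10 07:53:48 UTC configured proposals: "
                   "ESP:AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/ECP_521/NO_EXT_SEQ, "
                   "ESP:AES_GCM_16_256/ECP_521/NO_EXT_SEQ")


def classify(token):
    """Bucket a transform name by its IKEv2 transform type."""
    if token.startswith(("AES_", "3DES", "CHACHA20", "NULL")):
        return "enc"
    if token.startswith("HMAC_"):
        return "integ"
    if token.startswith(("MODP_", "ECP_", "CURVE_")):
        return "dh"
    if token in ("NO_EXT_SEQ", "EXT_SEQ"):
        return "esn"
    return "other"


def parse_proposal(text):
    """'ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_521/NO_EXT_SEQ' -> ('ESP', {type: set of names})."""
    proto, _, body = text.strip().partition(":")
    by_type = {}
    for token in body.split("/"):
        by_type.setdefault(classify(token), set()).add(token)
    return proto, by_type


def parse_list(line):
    """Parse a 'received proposals: ...' or 'configured proposals: ...' log line."""
    _, _, rest = line.partition("proposals:")
    return [parse_proposal(p) for p in rest.split(",") if p.strip()]


def mismatch_types(a, b):
    """Transform types present on either side that share no common algorithm.

    A type present on one side only (e.g. a PFS group the responder requires
    but the initiator never offered) counts as a mismatch, as it does in strongSwan.
    """
    types = set(a) | set(b)
    return sorted(t for t in types if not (a.get(t, set()) & b.get(t, set())))


def acceptable(received_line, configured_line):
    """True if any received proposal is acceptable under any configured one."""
    return any(
        rproto == cproto and not mismatch_types(r, c)
        for rproto, r in parse_list(received_line)
        for cproto, c in parse_list(configured_line)
    )


def diagnose(received_line, configured_line):
    """For each (received i, configured j) pair, the transform types that block a match."""
    received = parse_list(received_line)
    configured = parse_list(configured_line)
    return [(i, j, mismatch_types(r, c))
            for i, (_, r) in enumerate(received)
            for j, (_, c) in enumerate(configured)]


def cisco_transform_set(line, pfs_group=None):
    """Translate 'esp-aes 256 esp-sha256-hmac' plus an optional PFS group into ESP proposal notation."""
    toks = line.split()
    names = []
    i = 0
    while i < len(toks):
        key = toks[i]
        if i + 1 < len(toks) and toks[i + 1].isdigit():   # key size follows the keyword
            key = f"{key} {toks[i + 1]}"
            i += 1
        names.append(CISCO_ESP[key])
        i += 1
    if pfs_group:
        names.append(CISCO_PFS[pfs_group])
    names.append("NO_EXT_SEQ")   # assumption: IOS does not offer ESN (matches "Don't use ESN" in the debug)
    return "ESP:" + "/".join(names)


if __name__ == "__main__":
    print("AWS accepts the offer it logged:", acceptable(RECEIVED_LINE, CONFIGURED_LINE))
    for i, j, missing in diagnose(RECEIVED_LINE, CONFIGURED_LINE):
        print(f"  received #{i} vs configured #{j}: no common {missing}")
    # Tunnel1 as posted (esp-aes esp-sha256-hmac, set pfs group14) vs. AES-256 with group21
    for label, prop in (("as posted", cisco_transform_set("esp-aes esp-sha256-hmac", "group14")),
                        ("aes-256 + group21", cisco_transform_set("esp-aes 256 esp-sha256-hmac", "group21"))):
        ok = acceptable("received proposals: " + prop, CONFIGURED_LINE)
        print(f"{label}: {prop} -> acceptable={ok}")
```

Run against the quoted lines, the received proposal fails on all three of encryption (128-bit vs. the 256-bit AWS requires), integrity (SHA1 vs. SHA2) and DH group (no PFS group offered vs. ECP_521). The posted Tunnel1 transform set (`esp-aes esp-sha256-hmac` with `set pfs group14`) still fails on encryption and group; only a 256-bit cipher with group21 lands inside the AWS proposal set.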
08-11-2022 02:31 PM - edited 08-11-2022 02:41 PM
There is not only one proposal; there are two or more.
The IKEv2 policy does not match the AWS peer, and hence your router selects the wrong proposal.
Share the config. I notice ESP, and ESP is in phase II, not in phase I, so let me check.
08-11-2022 03:42 PM
Thanks for your answer
I'll share the config with you.
sh run | beg ikev2
crypto ikev2 proposal PROPOSAL1
encryption aes-cbc-256
integrity sha256 sha384 sha512
group 21
no crypto ikev2 proposal default
!
crypto ikev2 policy POLICY1
match fvrf PVT_CLOUD
match address local x.x.x.x
proposal PROPOSAL1
no crypto ikev2 policy default
!
crypto ikev2 keyring KEYRING1
peer x.x.x.x
address x.x.x.x
pre-shared-key PPQq57
!
peer x.x.x.x
address x.x.x.x
pre-shared-key ioWnzR
!
!
!
crypto ikev2 profile IKEV2-PROFILE
match fvrf PVT_CLOUD
match address local x.x.x.x
match identity remote address x.x.x.x 255.255.255.255
match identity remote address x.x.x.x 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING1
lifetime 28800
dpd 10 10 on-demand
ivrf LAN_CUSTUMER
crypto isakmp keepalive 10 10
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-05aa5d7740871ab0a-1 esp-aes esp-sha256-hmac
mode tunnel
crypto ipsec transform-set ipsec-prop-vpn-05aa5d7740871ab0a-0 esp-aes esp-sha256-hmac
mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-05aa5d7740871ab0a-0
set transform-set ipsec-prop-vpn-05aa5d7740871ab0a-0
set pfs group14
set ikev2-profile IKEV2-PROFILE
!
crypto ipsec profile ipsec-vpn-05aa5d7740871ab0a-1
set transform-set ipsec-prop-vpn-05aa5d7740871ab0a-1
set pfs group21
set ikev2-profile IKEV2-PROFILE
interface Tunnel1
ip vrf forwarding LAN_CUSTUMER
ip address x.x.x.x 255.255.255.252
ip tcp adjust-mss 1379
tunnel source x.x.x.x
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel vrf PVT_CLOUD
tunnel protection ipsec profile ipsec-vpn-05aa5d7740871ab0a-0
ip virtual-reassembly
!
interface Tunnel2
ip vrf forwarding LAN_CUSTUMER
ip address x.x.x.x 255.255.255.252
ip tcp adjust-mss 1379
tunnel source x.x.x.x
tunnel mode ipsec ipv4
tunnel destination x.x.x.x
tunnel vrf PVT_CLOUD
tunnel protection ipsec profile ipsec-vpn-05aa5d7740871ab0a-1
ip virtual-reassembly
08-11-2022 04:18 PM
crypto ikev2 profile IKEV2-PROFILE
match fvrf PVT_CLOUD
match address local x.x.x.x <<- this is tunnel IP or tunnel source IP ??
08-11-2022 04:33 PM
It is the tunnel source IP.
interface Tunnel1
ip vrf forwarding LAN_CUSTUMER
ip address 169.0.0.1 255.255.255.252
ip tcp adjust-mss 1379
tunnel source 1.1.1.1
tunnel mode ipsec ipv4
tunnel vrf PVT_CLOUD
tunnel protection ipsec profile ipsec-vpn-05aa5d7740871ab0a-0
ip virtual-reassembly
end
interface Loopback110
ip vrf forwarding PVT_CLOUD
ip address 1.1.1.1 255.255.255.255
end
crypto ikev2 profile IKEV2-PROFILE
match fvrf PVT_CLOUD
match address local 1.1.1.1
08-11-2022 05:13 PM
crypto ikev2 policy POLICY1
match fvrf PVT_CLOUD
match address local x.x.x.x <<- this for phase I
proposal PROPOSAL1
no crypto ikev2 policy default
!
crypto ikev2 profile IKEV2-PROFILE
match fvrf PVT_CLOUD
match address local x.x.x.x <<- this for phase II but it include only Tun1 IP not Tun2 so Tun2 select default, remove it
match identity remote address x.x.x.x 255.255.255.255
match identity remote address x.x.x.x 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING1
lifetime 28800
dpd 10 10 on-demand
ivrf LAN_CUSTUMER