IPSEC between two Cisco 1000V routers not coming up

Hi all,

Sorry if this is the wrong place for this question. I'm new to stackoverflow.

I'm trying to follow a guide for HA on Azure, but I'm falling at the first hurdle.

The YouTube video links are expired, so I had to fill the gaps in the config and may have made a mistake.

Here is the video which has some diagrams.


Cisco HA


Basically, my IPsec tunnel will not establish between the two routers.

Config from RTR1:

crypto ikev2 proposal azure-proposal
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
!
crypto ikev2 policy azure-policy
proposal azure-proposal
!
crypto ikev2 keyring ONE
peer 20.39.208.39
address 20.39.208.39
pre-shared-key cisco123
!
!
crypto ikev2 profile ONE
match identity remote address 20.39.208.39 255.255.255.255 (also tried any)
authentication remote pre-share
authentication local pre-share
keyring local ONE
!
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ONE
set transform-set azure-ipsec-proposal-set
set ikev2-profile ONE
!
interface Loopback0
ip address 10.255.3.1 255.255.255.255
!
interface Tunnel1
description to ONE
ip unnumbered Loopback0
ip tcp adjust-mss 1350
tunnel source 51.143.190.207 (tried both the interface and the IP)
tunnel mode ipsec ipv4
tunnel destination 20.39.208.39
tunnel protection ipsec profile ONE
!
interface GigabitEthernet1
ip address dhcp
negotiation auto
!

Config from RTR2:

crypto ikev2 proposal azure-proposal
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha1
group 2
!
crypto ikev2 policy azure-policy
proposal azure-proposal
!
crypto ikev2 keyring ONPREM
peer 51.143.190.207
address 51.143.190.207
pre-shared-key cisco123
!
!
crypto ikev2 profile ONPREM
match identity remote address 51.143.190.207 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local ONPREM
!
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile ONPREM
set transform-set azure-ipsec-proposal-set
set ikev2-profile ONPREM
!
!
interface Loopback0
ip address 10.255.1.1 255.255.255.255
!
interface Tunnel1
description to ONPREM
ip unnumbered Loopback0
ip tcp adjust-mss 1350
tunnel source 20.39.208.39
tunnel mode ipsec ipv4
tunnel destination 51.143.190.207
tunnel protection ipsec profile ONPREM
!
interface GigabitEthernet1
ip address dhcp
negotiation auto
!

I used debug crypto isakmp and ipsec and the only error I saw was

"peer matches *none* of the profiles", which is why I tried "match identity any", but I get the same result.

I have full connectivity between the routers and can ping and telnet between them on the relevant ports.

Any help will be appreciated.

Rik

2 Replies

Hello,


at first glance you are missing the line marked in bold:


crypto ikev2 profile ONE
match address local interface <NameOfYourOutsideInterface>
match identity remote address 20.39.208.39 255.255.255.255 (also tried any)
authentication remote pre-share
authentication local pre-share
keyring local ONE


Also, what routing and what access lists do you have configured? Post the entire running configs of both sides if possible...

Thanks for the suggestion.


I added the config below, but I'm getting the same result.


crypto ikev2 profile ONE
 match address local interface GigabitEthernet1

I'm wondering if the issue is that Azure routers grab the private IP for each interface, which they then NAT behind an Azure public IP, so it's not matching as it's seeing a tunnel packet coming from a public IP.


See the debug here:

CISCO-ONPREM#debug crypto isakmp
Crypto ISAKMP debugging is on
CISCO-ONPREM#debug crypto ipsec
Crypto IPSEC debugging is on
CISCO-ONPREM#ter mon
CISCO-ONPREM#
*May  2 09:08:53.667: ISAKMP: (0):peer matches *none* of the profiles
*May  2 09:08:57.848: IPSEC:(SESSION ID = 4158) (key_engine) request timer fired: count = 1,
  (identity) local= 10.0.0.4:0, remote= 20.39.208.39:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
*May  2 09:08:57.848: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.0.0.4:500, remote= 20.39.208.39:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*May  2 09:09:01.457: ISAKMP: (0):peer matches *none* of the profiles
*May  2 09:09:15.993: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.0.0.4:500, remote= 40.81.144.77:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*May  2 09:09:23.666: ISAKMP: (0):peer matches *none* of the profiles
CISCO-ONPREM#
*May  2 09:09:27.848: IPSEC:(SESSION ID = 4158) (key_engine) request timer fired: count = 2,
  (identity) local= 10.0.0.4:0, remote= 20.39.208.39:0,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0
*May  2 09:09:27.848: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.0.0.4:500, remote= 20.39.208.39:500,
    local_proxy= 0.0.0.0/0.0.0.0/256/0,
    remote_proxy= 0.0.0.0/0.0.0.0/256/0,
    protocol= ESP, transform= esp-aes 256 esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0un all
All possible debugging has been turned off

Here is the full config from each side:


ONPREM


version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname CISCO-ONPREM
!
boot-start-marker
boot-end-marker
!
!
vrf definition GS
 rd 100:100
 !
 address-family ipv4
 exit-address-family
!
logging persistent size 1000000 filesize 8192 immediate
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local none
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name  *****
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
license udi pid CSR1000V sn  *****
no license smart enable
diagnostic bootup level minimal
!
!
!
username  *****
!
redundancy
!
crypto ikev2 proposal azure-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy
 proposal azure-proposal
!
crypto ikev2 keyring ONE
 peer 20.39.208.39
  address 20.39.208.39
  pre-shared-key *****
 !
!
crypto ikev2 keyring TWO
 peer 40.81.144.77
  address 40.81.144.77
  pre-shared-key *****
 !
!
!
crypto ikev2 profile ONE
 match address local interface GigabitEthernet1
 match identity remote address 20.39.208.39 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ONE
!
crypto ikev2 profile TWO
 match address local interface GigabitEthernet1
 match identity remote address 40.81.144.77 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local TWO
!
!
!
!
!
!
!
!
!
!
!
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ONE
 set transform-set azure-ipsec-proposal-set
 set ikev2-profile ONE
!
crypto ipsec profile TWO
 set transform-set azure-ipsec-proposal-set
 set ikev2-profile TWO
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.255.3.1 255.255.255.255
!
interface Loopback1
 ip address 10.255.3.2 255.255.255.255
!
interface Tunnel1
 description to ONE
 ip unnumbered Loopback0
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 20.39.208.39
 tunnel protection ipsec profile ONE
!
interface Tunnel2
 description to TWO
 ip unnumbered Loopback1
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 40.81.144.77
 tunnel protection ipsec profile TWO
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!
router bgp 65000
 bgp log-neighbor-changes
 bgp bestpath as-path multipath-relax
 neighbor 10.255.1.1 remote-as 65001
 neighbor 10.255.1.1 ebgp-multihop 3
 neighbor 10.255.1.1 update-source Loopback0
 neighbor 10.255.2.1 remote-as 65002
 neighbor 10.255.2.1 ebgp-multihop 3
 neighbor 10.255.2.1 update-source Loopback1
 !
 address-family ipv4
  network 10.0.1.0 mask 255.255.255.0
  neighbor 10.255.1.1 activate
  neighbor 10.255.1.1 route-map bgp out
  neighbor 10.255.2.1 activate
  neighbor 10.255.2.1 route-map bgp out
  maximum-paths 16
 exit-address-family
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 10.255.1.1 255.255.255.255 Tunnel1
ip route 10.255.2.1 255.255.255.255 Tunnel2
!
ip ssh rsa keypair-name sshkeys
!
!
ip prefix-list bgp seq 5 permit 10.0.1.0/24
!
!
route-map bgp permit 10
 match ip address prefix-list bgp
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 1
 length 0
line vty 2 4
!
!
end

ROUTER ONE


version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform console serial
!
hostname CISCOHUB1
!
boot-start-marker
boot-end-marker
!
!
vrf definition GS
 rd 100:100
 !
 address-family ipv4
 exit-address-family
!
logging persistent size 1000000 filesize 8192 immediate
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local none
!
!
!
!
!
aaa session-id common
!
!
!
!
!
!
!
ip domain name ****
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3000728434
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3000728434
 revocation-check none
 rsakeypair TP-self-signed-3000728434
!
!
crypto pki certificate chain TP-self-signed-3000728434
 certificate self-signed 01
        quit
!
license udi pid CSR1000V sn  ****
no license smart enable
diagnostic bootup level minimal
!
!
!
username  ****
!
redundancy
!
crypto ikev2 proposal azure-proposal
 encryption aes-cbc-256 aes-cbc-128 3des
 integrity sha1
 group 2
!
crypto ikev2 policy azure-policy
 proposal azure-proposal
!
crypto ikev2 keyring ONPREM
 peer 51.143.190.207
  address 51.143.190.207
  pre-shared-key  ****
 !
!
!
crypto ikev2 profile ONPREM
 match address local interface GigabitEthernet1
 match identity remote address 51.143.190.207 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ONPREM
!
!
!
!
!
!
!
!
!
!
!
!
crypto ipsec transform-set azure-ipsec-proposal-set esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ONPREM
 set transform-set azure-ipsec-proposal-set
 set ikev2-profile ONPREM
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
!
interface Tunnel1
 description to ONPREM
 ip unnumbered Loopback0
 ip tcp adjust-mss 1350
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 51.143.190.207
 tunnel protection ipsec profile ONPREM
!
interface GigabitEthernet1
 ip address dhcp
 negotiation auto
!
interface GigabitEthernet2
 ip address dhcp
 negotiation auto
!
router bgp 65001
 bgp log-neighbor-changes
 bgp bestpath as-path multipath-relax
 neighbor 10.255.3.1 remote-as 65000
 neighbor 10.255.3.1 ebgp-multihop 3
 neighbor 10.255.3.1 update-source Loopback0
 !
 address-family ipv4
  network 10.74.9.128 mask 255.255.255.128
  neighbor 10.255.3.1 activate
  neighbor 10.255.3.1 route-map bgp out
  maximum-paths 16
 exit-address-family
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 10.74.0.0 255.255.0.0 10.74.9.129
ip route 10.255.3.1 255.255.255.255 Tunnel1
!
ip ssh rsa keypair-name sshkeys
!
!
ip prefix-list bgp seq 5 permit 10.74.9.128/25
!
!
route-map bgpprepend permit 10
 match ip address prefix-list bgp
 set as-path prepend 65001 65001 65001
!
route-map bgp permit 10
 match ip address prefix-list bgp
!
!
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 1
 length 0
line vty 2 4
!
!
!
!
!
!
end
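A cross-check written for the NAT hypothesis in the follow-up above (added example, not code from this thread or from Cisco): it pulls the profile and tunnel-source lines from a constructed, trimmed copy of each side's config and reports which IKEv2 identity each router would present versus what the far end's `match identity remote address` accepts. It assumes that with pre-shared keys an IOS-XE IKEv2 profile presents its tunnel-source interface address as its identity unless `identity local address` is configured; ONPREM's interface address 10.0.0.4 is taken from the debug output, and the hub's private address 10.1.0.4 is a constructed placeholder.

```python
import re

def sections(cfg):
    """Split an IOS config into (command, child lines); indented lines belong
    to the preceding top-level command and '!' separators are dropped."""
    out = []
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace():
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def ikev2_view(cfg, iface_ips):
    """Return (identities this router sends, identities its profiles accept).
    Assumption: with pre-shared keys an IOS-XE IKEv2 profile presents the tunnel
    source interface's own address unless 'identity local address' is set."""
    explicit, sources, accepted = set(), set(), set()
    for head, body in sections(cfg):
        for item in body:
            if head.startswith("crypto ikev2 profile"):
                m = re.match(r"match identity remote address (\S+)", item)
                if m: accepted.add(m.group(1))
                m = re.match(r"identity local address (\S+)", item)
                if m: explicit.add(m.group(1))
            elif head.startswith("interface Tunnel"):
                m = re.match(r"tunnel source (\S+)", item)
                if m: sources.add(m.group(1))
    sent = explicit or {iface_ips.get(s, s) for s in sources}
    return sent, accepted

def check_pair(cfg_a, ips_a, cfg_b, ips_b):
    """Identities each side sends that the other side's profiles will not match."""
    sent_a, acc_a = ikev2_view(cfg_a, ips_a)
    sent_b, acc_b = ikev2_view(cfg_b, ips_b)
    return {"a_rejects": sent_b - acc_a, "b_rejects": sent_a - acc_b}

# Constructed inputs modelled on the thread. DHCP interface addresses are not in the
# config: ONPREM's 10.0.0.4 is taken from its debug output, the hub's is a placeholder.
ONPREM_CFG = """crypto ikev2 profile ONE
 match identity remote address 20.39.208.39 255.255.255.255
interface Tunnel1
 tunnel source GigabitEthernet1
"""
HUB_CFG = ONPREM_CFG.replace("ONE", "ONPREM").replace("20.39.208.39", "51.143.190.207")
ONPREM_IPS, HUB_IPS = {"GigabitEthernet1": "10.0.0.4"}, {"GigabitEthernet1": "10.1.0.4"}
# Same ONPREM profile, but pinning the public address as the identity it presents.
FIXED_ONPREM_CFG = ONPREM_CFG.replace("ONE\n", "ONE\n identity local address 51.143.190.207\n")
```

The value to compare against the parser's output is the identity the peer actually presents, which `debug crypto ikev2` shows; `debug crypto isakmp` covers the IKEv1 process and does not display the IKEv2 exchange.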


