IPSEC Config on IOS Router

CiscoPurpleBelt
Level 6

So I am trying to t-shoot an IPsec tunnel issue (goes down every now and then) between an ASA and a router. One thing when looking at the remote side of the router I notice the group numbers don't match, such as under the ikev2 proposal config and then under the crypto map config. Don't they both have to be the same? See configs below (had to scrub due to security) in case something seems pretty off; maybe I did not make the changes match.

Does anyone see anything incorrect?

crypto ikev2 proposal ikev2-TEST-prop
 encryption aes-cbc-256
 integrity sha384
 group 22
!
crypto ikev2 policy ikev2-TEST-pol
 match fvrf TEST_vrf
 match address local X.X.X.247
 proposal ikev2-TEST-prop
!
crypto ikev2 keyring TEST_Keyring
 peer inscom
  description TEST
  address X.X.X.37
  pre-shared-key local <pre-shared-key removed>
  pre-shared-key remote <pre-shared-key removed>
!
crypto ikev2 profile X.X.X.ikev2-prof
 description TEST profile
 match fvrf TEST
 match identity remote address X.X.X.37 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local TEST_Keyring
 dpd 10 2 on-demand
 ivrf TEST_vrf
!
crypto ipsec transform-set TEST_transform-aes esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map TEST_map local-address Loopback311
crypto map TEST_map 10 ipsec-isakmp
 description TEST
 set peer X.X.X.37
 set transform-set TEST-transform-aes
 set pfs group15
 set ikev2-profile TEST-ikev2-prof
 match address TEST_ACL
!
ip route vrf TEST_vrf 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1.79 X.X.X.10
!
ip access-list extended TEST_ACL
 permit ip X.X.X.113.0 0.0.0.64 any
!
interface GigabitEthernet1/0/1.2978
 encapsulation dot1Q 79
 ip vrf forwarding TEST
 ip address X.X.X.14 255.255.255.248
 crypto map TEST_map
!
interface GigabitEthernet1/0/0.52
 encapsulation dot1Q 251
 ip vrf forwarding TEST_vrf
 ip address X.X.X.6 255.255.255.248
 ip mtu 1376
 ip tcp adjust-mss 1336
!
interface Loopback311
 description TEST loopback
 ip vrf forwarding TEST_vrf
 ip address X.X.X.246 255.255.255.255

10 Replies

Hi,
Yes, the groups do need to match on both peer devices for the ikev2 proposal and the pfs group under the crypto map. If they do not match the tunnel will not come up.

EDIT: To clarify my above comment, which after re-reading may not be clear. The IKEv2 Proposal DH group on both devices (ASA and Router) must be the same in order for the IKEv2 SA to be established. The PFS group must be the same on both devices (ASA and router) for PFS to work. The IKEv2 Proposal and PFS Group could be different as long as the peer device is configured the same... but you are unlikely to configure different groups, because why would you want to use a potentially weaker cipher. I use this Cisco post to identify which algorithms to use; DH groups 19, 14 and 21 are preferred (by Cisco) nowadays.

HTH
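The reply above makes two separate points: the IKEv2 proposal DH group has to be offered by both peers, and the crypto-map PFS group has to match on both peers, while the two groups on one box need not equal each other. The original post also hints at a second class of problem (scrubbed names that no longer match). The script below is an added example, not code from the thread or from Cisco: it parses an IOS crypto stanza the way the posted config is laid out, checks that every `set transform-set`, `set ikev2-profile` and `keyring local` reference resolves to a defined object, and compares the DH and PFS groups against a constructed stand-in for the ASA side (the thread does not include the ASA config, so `ASA_PEER` is an assumption to replace with real values). The `WEAK_GROUPS` policy is likewise an assumed local choice.

```python
"""Static consistency check for an IOS IKEv2/IPsec crypto configuration."""
import re

# Constructed excerpt modelled on the router config posted in this thread
# (names and X.X.X.n placeholder addresses as posted). Not a live config.
ROUTER_CONFIG = """\
crypto ikev2 proposal ikev2-TEST-prop
 encryption aes-cbc-256
 integrity sha384
 group 22
!
crypto ikev2 keyring TEST_Keyring
 peer inscom
  address X.X.X.37
!
crypto ikev2 profile X.X.X.ikev2-prof
 match identity remote address X.X.X.37 255.255.255.255
 keyring local TEST_Keyring
!
crypto ipsec transform-set TEST_transform-aes esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map TEST_map local-address Loopback311
crypto map TEST_map 10 ipsec-isakmp
 set peer X.X.X.37
 set transform-set TEST-transform-aes
 set pfs group15
 set ikev2-profile TEST-ikev2-prof
"""

# Assumed ASA-side parameters (constructed; the ASA config is not in the
# thread). Replace with the values actually configured on the peer.
ASA_PEER = {"ikev2_groups": {14, 19, 21}, "pfs_group": 14}

# Assumed local policy: DH groups we refuse to accept in any proposal.
WEAK_GROUPS = {1, 2, 5}


def parse_sections(text):
    """Split an IOS config into (header, [indented body lines]) stanzas."""
    sections = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            sections.append((line.strip(), []))
        elif sections:
            sections[-1][1].append(line.strip())
    return sections


def build_model(text):
    """Collect the objects and cross-references the checks need."""
    model = {"proposals": {}, "transform_sets": set(), "keyrings": set(),
             "profiles": {}, "maps": []}
    for header, body in parse_sections(text):
        w = header.split()
        if header.startswith("crypto ikev2 proposal "):
            groups = set()
            for b in body:
                if b.startswith("group "):
                    groups.update(int(g) for g in b.split()[1:])
            model["proposals"][w[3]] = groups
        elif header.startswith("crypto ipsec transform-set "):
            model["transform_sets"].add(w[3])
        elif header.startswith("crypto ikev2 keyring "):
            model["keyrings"].add(w[3])
        elif header.startswith("crypto ikev2 profile "):
            keyring = next((b.split()[2] for b in body
                            if b.startswith("keyring local ")), None)
            model["profiles"][w[3]] = keyring
        elif header.startswith("crypto map ") and "ipsec-isakmp" in w:
            entry = {"name": f"{w[2]} {w[3]}"}
            for b in body:
                m = re.match(r"set (transform-set|ikev2-profile|pfs) (\S+)", b)
                if m:
                    entry[m.group(1)] = m.group(2)
            model["maps"].append(entry)
    return model


def check(model, peer):
    """Return human-readable findings; an empty list means clean."""
    findings = []
    for e in model["maps"]:
        ts, prof, pfs = e.get("transform-set"), e.get("ikev2-profile"), e.get("pfs")
        if ts and ts not in model["transform_sets"]:
            findings.append(f"{e['name']}: transform-set '{ts}' is not defined")
        if prof and prof not in model["profiles"]:
            findings.append(f"{e['name']}: ikev2 profile '{prof}' is not defined")
        if pfs:
            g = int(pfs.replace("group", ""))
            if g != peer["pfs_group"]:
                findings.append(f"{e['name']}: PFS group {g} != peer PFS group {peer['pfs_group']}")
            if g in WEAK_GROUPS:
                findings.append(f"{e['name']}: PFS group {g} is weak")
    for name, keyring in model["profiles"].items():
        if keyring and keyring not in model["keyrings"]:
            findings.append(f"profile {name}: keyring '{keyring}' is not defined")
    for name, groups in model["proposals"].items():
        if not groups & peer["ikev2_groups"]:
            findings.append(f"proposal {name}: DH groups {sorted(groups)} share none with peer {sorted(peer['ikev2_groups'])}")
        if groups & WEAK_GROUPS:
            findings.append(f"proposal {name}: weak DH group(s) {sorted(groups & WEAK_GROUPS)}")
    return findings


def audit(text=ROUTER_CONFIG, peer=ASA_PEER):
    return check(build_model(text), peer)


if __name__ == "__main__":
    for f in audit():
        print("FINDING:", f)
```

Run against the posted excerpt it reports four findings: the crypto map references a transform-set and an IKEv2 profile that are not defined under those names, the PFS group differs from the assumed peer, and the proposal offers no DH group the assumed peer accepts. Dangling references like the first two are exactly the kind of "scrubbed it and something no longer matches" problem the original post worries about, and they are cheap to rule out before chasing intermittent drops.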

Hello,

try and change the DH and PFS groups as below (marked in bold). The ASA groups need to match, obviously.

Also, to be sure, check the NTP settings on both devices and make sure the clocks match...

If possible, post the ASA config as well...

crypto ikev2 proposal ikev2-TEST-prop
 encryption aes-cbc-256
 integrity sha384
 group 5 2 14
!
crypto ikev2 policy ikev2-TEST-pol
 match fvrf TEST_vrf
 match address local X.X.X.247
 proposal ikev2-TEST-prop
!
crypto ikev2 keyring TEST_Keyring
 peer inscom
  description TEST
  address X.X.X.37
  pre-shared-key local <pre-shared-key removed>
  pre-shared-key remote <pre-shared-key removed>
!
crypto ikev2 profile X.X.X.ikev2-prof
 description TEST profile
 match fvrf TEST
 match identity remote address X.X.X.37 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local TEST_Keyring
 dpd 10 2 on-demand
 ivrf TEST_vrf
!
crypto ipsec transform-set TEST_transform-aes esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map TEST_map local-address Loopback311
crypto map TEST_map 10 ipsec-isakmp
 description TEST
 set peer X.X.X.37
 set transform-set TEST-transform-aes
 set pfs group2
 set ikev2-profile TEST-ikev2-prof
 match address TEST_ACL
!
ip route vrf TEST_vrf 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1.79 X.X.X.10
!
ip access-list extended TEST_ACL
 permit ip X.X.X.113.0 0.0.0.64 any
!
interface GigabitEthernet1/0/1.2978
 encapsulation dot1Q 79
 ip vrf forwarding TEST
 ip address X.X.X.14 255.255.255.248
 crypto map TEST_map
!
interface GigabitEthernet1/0/0.52
 encapsulation dot1Q 251
 ip vrf forwarding TEST_vrf
 ip address X.X.X.6 255.255.255.248
 ip mtu 1376
 ip tcp adjust-mss 1336
!
interface Loopback311
 description TEST loopback
 ip vrf forwarding TEST_vrf
 ip address X.X.X.246 255.255.255.255

Deepak Kumar
VIP Alumni

Hi,

IKEv2 gives you the flexibility to add multiple parameters as a group under a single proposal, as below:

crypto ikev2 proposal ikev2-TEST-prop
 encryption aes-cbc-256
 integrity sha384
 group 22 14 12

It is not compulsory for the Phase 1 DH group and the PFS group to be the same. Both have a different aim and purpose in the configuration. But both configurations must be the same on both devices.

Regards,

Deepak Kumar


Hello

Just like to add: the problem doesn't seem to be the establishment of the ISAKMP/IPsec SAs; it sounds like an intermittent issue, correct?

Are you sure this isn't a physical issue regarding the connectivity between the ASA and the router?

That said, I'd also suggest checking whether any IPsec idle timeout values are set or not.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I am not positive there is no physical issue, I don't handle the remote router but I can only assume these type of things have been checked. One thing to note is that when connection goes down, I am able to get it back up by simply refreshing/bouncing the connection.
Should I be making sure idle-timeouts are set the same if they are set?

Hi,

As you say that "I am able to get it back up by simply refreshing/bouncing the connection."

Then I am assuming that there is a DPD or Phase 1 timer (lifetime) mismatch. Have you verified the same? Phase 1 lifetime must be higher than Phase 2.

Regards,

Deepak Kumar


I can see lifetime values (sa timing: remaining key lifetime (kB/sec): (1519895/23928)) from sh crypto ipsec sa

and

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

from sh running-config all | include crypto

This output does not specify which tunnel this applies to so I assume it is globally applied to all?

When I look at "Session Details" from ASDM, I see Rekey Time Interval: 86400 seconds for IKEv2

and 28800 for IPsec; is this correct?

Also I don't see how to verify DPD on ASA if it is supported? Having difficulty looking this up.

The below output is what I have as well.

ASA#sh running-config all | include isakmp
object service udp-isakmp pre-defined
 service udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
 service-object udp destination eq isakmp
crypto isakmp identity address
crypto isakmp nat-traversal 10
 isakmp keepalive threshold 10 retry 2
 isakmp keepalive threshold 300 retry 2
 isakmp keepalive threshold 300 retry 2
 isakmp keepalive threshold 10 retry 2
 isakmp keepalive threshold 10 retry 2
 isakmp keepalive threshold 10 retry 2
 isakmp keepalive threshold 3600 retry 2

and

ASA# sh running-config all | include ipsec
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

Hi,
Why that much DPD configurations?
isakmp keepalive threshold 10 retry 2
isakmp keepalive threshold 300 retry 2
isakmp keepalive threshold 300 retry 2
isakmp keepalive threshold 10 retry 2
isakmp keepalive threshold 10 retry 2
isakmp keepalive threshold 10 retry 2
isakmp keepalive threshold 3600 retry 2

Regards,
Deepak Kumar

Good question I don't know. There are multiple IPSEC VPNs on this ASA, however there should only be 1 "isakmp keepalive threshold X retry X" statement and " service-object udp destination eq isakmp" statement correct?

Hi,
Only one DPD configuration is required for any number of VPN connections. But I am not sure where and why you are using the "service-object udp destination eq isakmp" statement. I have to look at your configuration before guiding you.

Regards,
Deepak Kumar
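The last few posts turn on two things read out of ASA show output: whether the DPD keepalive settings are consistent, and whether the IKEv2 rekey interval (86400 s in ASDM) sits above the IPsec SA lifetime (28800 s). On the ASA each `isakmp keepalive threshold ... retry ...` line belongs to one tunnel-group's ipsec-attributes, and `show running-config all` prints the default `threshold 10 retry 2` even for tunnel-groups where nothing was set, so the number of lines is not itself a finding; what matters is how many different settings are in play. The script below is an added example (not from the thread or from Cisco) that parses a constructed copy of the posted output and applies those two checks plus a sanity check that the remaining lifetime reported by `show crypto ipsec sa` never exceeds the configured lifetime.

```python
"""Audit DPD and SA-lifetime settings parsed from ASA show output."""
import re

# Constructed sample: a trimmed copy of the output posted in this thread.
ASA_ISAKMP_OUTPUT = """\
crypto isakmp identity address
crypto isakmp nat-traversal 10
 isakmp keepalive threshold 10 retry 2
 isakmp keepalive threshold 300 retry 2
 isakmp keepalive threshold 300 retry 2
 isakmp keepalive threshold 10 retry 2
 isakmp keepalive threshold 3600 retry 2
"""
ASA_IPSEC_OUTPUT = """\
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
"""
# One 'show crypto ipsec sa' line, as posted.
SA_TIMING_LINE = " sa timing: remaining key lifetime (kB/sec): (1519895/23928)"
# IKEv2 rekey interval as read from the ASDM session details in the thread.
IKEV2_REKEY_SECONDS = 86400

KEEPALIVE_RE = re.compile(r"isakmp keepalive threshold (\d+) retry (\d+)")
LIFETIME_RE = re.compile(r"security-association lifetime seconds (\d+)")
TIMING_RE = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def dpd_settings(output):
    """Distinct (threshold, retry) keepalive pairs, in first-seen order."""
    seen = []
    for m in KEEPALIVE_RE.finditer(output):
        pair = (int(m.group(1)), int(m.group(2)))
        if pair not in seen:
            seen.append(pair)
    return seen


def ipsec_lifetime_seconds(output):
    """Configured IPsec SA lifetime in seconds, or None if absent."""
    m = LIFETIME_RE.search(output)
    return int(m.group(1)) if m else None


def remaining_seconds(sa_line):
    """Seconds left on the SA from a 'sa timing:' line, or None."""
    m = TIMING_RE.search(sa_line)
    return int(m.group(2)) if m else None


def audit(isakmp_out, ipsec_out, sa_line, ikev2_rekey):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    dpd = dpd_settings(isakmp_out)
    if len(dpd) > 1:
        findings.append(f"{len(dpd)} different DPD settings in use: {dpd}")
    life = ipsec_lifetime_seconds(ipsec_out)
    # Ordering the reply above recommends: Phase 1 lifetime above Phase 2.
    if life is not None and ikev2_rekey <= life:
        findings.append(f"IKEv2 rekey {ikev2_rekey}s is not greater than IPsec lifetime {life}s")
    rem = remaining_seconds(sa_line)
    if life is not None and rem is not None and rem > life:
        findings.append(f"remaining lifetime {rem}s exceeds configured {life}s")
    return findings


if __name__ == "__main__":
    for f in audit(ASA_ISAKMP_OUTPUT, ASA_IPSEC_OUTPUT,
                   SA_TIMING_LINE, IKEV2_REKEY_SECONDS):
        print("FINDING:", f)
```

On the posted values the only finding is that three different DPD settings (10/2, 300/2 and 3600/2) are in use across tunnel-groups; the 86400 s IKEv2 rekey is above the 28800 s IPsec lifetime, and the 23928 s remaining on the SA is consistent with that configured lifetime. The next step a practitioner would take is to identify which tunnel-group carries the peer in question and confirm its keepalive values against the router's `dpd 10 2 on-demand`.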