ASA-887VA IKEv2 VPN: traffic drops after rekey

Hi all,


I have a VPN tunnel between a 5505 and an 887VA router. All is working well, but after the session rekeys, traffic will not traverse the tunnel anymore. Keepalives are still exchanged, but no traffic. The ASA is behind a UBEE NAT router (at my place), and my logic says that if the UBEE is still forwarding the keepalives it does not seem to play a role in this.


Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
143152683  192.168.178.254/4500    123.123.123.123/4500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/237 sec
Child sa: local selector  10.34.0.0/0 - 10.34.255.255/65535
          remote selector 10.2.0.0/0 - 10.2.255.255/65535
          ESP spi in/out: 0x453d575f/0x4bb5a66d
ASA-01#

When I reset the tunnel (clear crypto ikev2 sa) it works perfectly. I have an Observium server at my side polling devices at the other side, so traffic is generated at 5 minute intervals at least.


ASA image : asa917-13-k8.bin

Router image : c880data-universalk9-mz.152-3.T.bin


The router has 2 more tunnels which work without interruption.


-----

Router config:


crypto ikev2 proposal PROPOSAL_AES_CBS_256
 encryption aes-cbc-256
 integrity sha512
 group 14
crypto ikev2 proposal PROPOSAL_AES_CBS_256_SHA1 (<< the proposal the ASA-router are using)
 encryption aes-cbc-256
 integrity sha1
 group 14 5
!
crypto ikev2 policy POLICY_IKEv2
 proposal PROPOSAL_AES_CBS_256
 proposal PROPOSAL_AES_CBS_256_SHA1
!
crypto ikev2 keyring KEYRING_MYHOME
 peer ASA-MYHOME
  address 12.34.12.34
  pre-shared-key local $$$$$$$$$$$$
  pre-shared-key remote €€€€€€€€€€€€€
 !
!
crypto ikev2 profile PROFILE_MYHOME
 match identity remote address 12.34.12.34 255.255.255.255
 match identity remote address 192.168.178.254 255.255.255.255 (<-- had to be added due to NAT-T)
 identity local address 123.123.123.123
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING_MYHOME
!
ip access-list extended home-MYHOME
 permit ip 10.2.0.0 0.0.255.255 10.34.0.0 0.0.255.255
!

----

ASA config:


object network OBJ-NET-OTHERSIDE
 subnet 10.2.0.0 255.255.0.0
object network OBJ-NET-MYHOME
 subnet 10.34.0.0 255.255.0.0

access-list ACL-MYHOME-OTHERSIDE extended permit ip object OBJ-NET-MYHOME object OBJ-NET-OTHERSIDE
!
crypto ipsec ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map IKEv2_OUTSIDE_MAP 1000 match address ACL-MYHOME-OTHERSIDE
crypto map IKEv2_OUTSIDE_MAP 1000 set peer 123.123.123.123
crypto map IKEv2_OUTSIDE_MAP 1000 set ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
crypto map IKEv2_OUTSIDE_MAP interface outside
!
crypto ikev2 policy 1000
 encryption aes-256
 integrity sha512
 group 14 5
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 123.123.123.123 general-attributes
 default-group-policy 123.123.123.123
tunnel-group 123.123.123.123 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

The ASA has been upgraded from a 9.1.6 image.


The router log shows this:

043327: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):Unsupported DH group

043328: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):
043329: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):Error encountered while navigating State Machine

043330: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):No Result Transition table avail for CHILD_I_PROC / EV_INV_KE with return code 0.0.0.11

043331: Feb 26 15:25:07.851 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=123.123.123.123, prot=50, spi=0x780EACCC(2014227660), srcaddr=12.34.12.34 interface=Dialer1
043332: Feb 26 15:25:07.851 PCTime: IKEv2:Failed to locate an item in the database

It seems somewhere I have to change / add the DH group. Originally I only used group 14 but added 5 as well.

Regards,


Marcel.


1 Reply

After inspecting the output of "sh crypto ikev2 sa det" I saw there was a difference in hashing methods and DH groups. After removing several IKEv2 policies on the ASA and clearing the tunnel, these were the same. Now let's see if this helps:

IKEv2 SAs:

Session-id:4, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
282283041  192.168.178.254/4500    123.123.123.123/4500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/878 sec
      Session-id: 4
      Status Description: Negotiation done
      Local spi: 14D822B9D1D2137C       Remote spi: 1D4C0BF4779988ED
      Local id: 192.168.178.254
      Remote id: 123.123.123.123
      Local req mess id: 72             Remote req mess id: 0
      Local next mess id: 72            Remote next mess id: 0
      Local req queued: 72              Remote req queued: 0
      Local window: 1                   Remote window: 5
      DPD configured for 10 seconds, retry 2
      NAT-T is detected inside
Child sa: local selector  10.34.0.0/0 - 10.34.255.255/65535
          remote selector 10.2.0.0/0 - 10.2.255.255/65535
          ESP spi in/out: 0x88c1d8ec/0x92f1ab23
          AH spi in/out: 0x0/0x0
          CPI in/out: 0x0/0x0
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel


---------------

c887va-bhl-01#sh crypto ikev2 sa det
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         123.123.123.123/4500    12.34.12.34/4500    none/none            DELETE
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/170635 sec
      CE id: 2196, Session-id: 20
      Status Description: Deleting IKE SA
      Local spi: 0D6780C4EC4761B2       Remote spi: B14C13F680B2D671
      Local id: 123.123.123.123
      Remote id: 192.168.178.254
      Local req msg id:  0              Remote req msg id:  584
      Local next msg id: 1              Remote next msg id: 584
      Local req queued:  0              Remote req queued:  584
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      NAT-T is detected  outside
      Cisco Trust Security SGT is disabled
      Initiator of SA : No
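The comparison done by hand in the reply above (reading "sh crypto ikev2 sa det" on both peers and checking that Encr/Hash/DH Grp agree), plus a scan of the router log for the rekey-failure messages quoted in the post, as an added example that is not part of the original thread. The sample outputs and log lines are constructed from the formats shown in the thread; the function names are my own.

```python
import re

# Constructed samples modelled on the thread's "show crypto ikev2 sa detail"
# output from the ASA and from the 887VA router (values are made up).
ASA_SA = """\
Tunnel-id                 Local                Remote     Status         Role
282283041  192.168.178.254/4500    123.123.123.123/4500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
"""
ROUTER_SA = """\
Tunnel-id Local                 Remote                fvrf/ivrf            Status
3         123.123.123.123/4500    12.34.12.34/4500    none/none            READY
      Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
"""
# Constructed router log excerpt with the message types quoted in the post.
ROUTER_LOG = """\
043327: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):Unsupported DH group
043329: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):Error encountered while navigating State Machine
043330: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):No Result Transition table avail for CHILD_I_PROC / EV_INV_KE with return code 0.0.0.11
043331: Feb 26 15:25:07.851 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=123.123.123.123, prot=50, spi=0x780EACCC(2014227660), srcaddr=12.34.12.34 interface=Dialer1
"""

# The IKE SA parameter line is printed the same way on both platforms.
SA_LINE = re.compile(
    r"Encr:\s*(?P<encr>[\w-]+),\s*keysize:\s*(?P<keysize>\d+),"
    r"\s*Hash:\s*(?P<hash>\w+),\s*DH Grp:\s*(?P<dh>\d+)"
)

def parse_ike_sa(text):
    """Return {encr, keysize, hash, dh} from the first SA parameter line, or None."""
    m = SA_LINE.search(text)
    return m.groupdict() if m else None

def ike_mismatches(side_a, side_b):
    """Fields whose values differ between the two peers' view of the IKE SA."""
    a, b = parse_ike_sa(side_a), parse_ike_sa(side_b)
    if a is None or b is None:
        raise ValueError("no IKEv2 SA parameter line found")
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# Log signatures from the thread that accompany a failed CHILD_SA rekey:
# the DH group rejection, the EV_INV_KE state-machine event, and the
# invalid-SPI ESP packets that follow once the old child SA is gone.
REKEY_SIGNATURES = ("Unsupported DH group", "EV_INV_KE", "RECVD_PKT_INV_SPI")

def rekey_failure_lines(log):
    """Log lines that match one of the rekey-failure signatures above."""
    return [ln for ln in log.splitlines() if any(s in ln for s in REKEY_SIGNATURES)]
```

Run the two functions against fresh output from both peers after a rekey; an empty mismatch dict and no signature hits is the healthy state, while any difference in hash or DH group is the condition the reply corrected by pruning the ASA's IKEv2 policies.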
