AWS IKEv2 Issues

Has anyone managed to get an IKEv2 VPN up and running between AWS and a Cisco ASA? We can get the VPN up and working with no issues with IKEv1; as soon as we swap the settings on the ASA to use IKEv2, the VPN doesn't work at all. These are new tunnels, tried in both the London and N. Virginia regions with no luck. The firewall is a Cisco ASA5515 running Software Version 9.9(1)2. Looking into the debug logs, we were getting the following errors:

(519): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)
(519): Next payload: VID, reserved: 0x0, length: 8
(519): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
(519): VID
(519): Next payload: NONE, reserved: 0x0, length: 20
(519):
(519): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
(519):
IKEv2-PROTO-7: (519): SM Trace-> SA: I_SPI=9EEBA335F2832CD6 R_SPI=4344D0E53111C5F5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-2: A supplied parameter is incorrect
IKEv2-PROTO-2: Couldn't find matching SA
 
Below is the config we have used for IKEv1 and it works with no issues.
 
IKEv1 Config
access-list MSTEST_access_in extended permit ip object-group MSTEST_local object-group PILOT_REMOTE_AWS log debugging 
access-list MSTEST_access_in extended permit ip object-group MSTEST_local 10.168.0.0 255.255.0.0 log debugging inactive 
access-list OUTSIDE_cryptomap_1 extended permit ip object-group MSTEST_local object-group PILOT_REMOTE_AWS 

crypto map OUTSIDE_map 98 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 98 set pfs group5
crypto map OUTSIDE_map 98 set peer 3.8.26.18 
crypto map OUTSIDE_map 98 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 98 set security-association lifetime seconds 3600

crypto ikev1 policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

group-policy AWSPolicy internal
group-policy AWSPolicy attributes
 vpn-tunnel-protocol ikev1 

tunnel-group 3.8.26.18 type ipsec-l2l
tunnel-group 3.8.26.18 general-attributes
 default-group-policy AWSPolicy
tunnel-group 3.8.26.18 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold infinite
IKEv2 Config

access-list MSTEST_access_in extended permit ip object-group MSTEST_local object-group PILOT_REMOTE_AWS log debugging 
access-list MSTEST_access_in extended permit ip object-group MSTEST_local 10.168.0.0 255.255.0.0 log debugging inactive 
access-list OUTSIDE_cryptomap_1 extended permit ip object-group MSTEST_local object-group PILOT_REMOTE_AWS 

crypto map OUTSIDE_map 98 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 98 set pfs group5
crypto map OUTSIDE_map 98 set peer 3.8.26.18 
crypto map OUTSIDE_map 98 set ikev2 ipsec-proposal AWS_Test AES256 SHA256
crypto map OUTSIDE_map 98 set security-association lifetime seconds 3600

crypto ikev2 policy 98
 encryption aes-256 aes
 integrity sha256 sha
 group 2
 prf sha256 sha
 lifetime seconds 28800

group-policy AWSPolicy internal
group-policy AWSPolicy attributes
 vpn-tunnel-protocol ikev2 
 
tunnel-group 3.8.26.18 type ipsec-l2l
tunnel-group 3.8.26.18 general-attributes
 default-group-policy AWSPolicy
tunnel-group 3.8.26.18 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
RJI (VIP Advocate)

Re: AWS IKEv2 Issues

Hi,
Can you provide the IPSec proposal for the ASA?
Are you able to confirm what IKEv2 and IPSec algorithms AWS is using?

Can you remove the IKEv1 pre-shared key from the tunnel-group in your IKEv2 configuration?
Can you also provide the detailed crypto debugs for further analysis?
Re: AWS IKEv2 Issues

Hi,

The IPSec proposals I've been using for IKEv1 and IKEv2 are the following.

IKEv1
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

IKEv2
crypto ipsec ikev2 ipsec-proposal AWS_Test
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

As for the AWS side, they accept the following (https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#CGRequirements):

Use the AES 128-bit encryption or AES 256-bit encryption function

RFC 3602

The encryption function is used to ensure privacy among both IKE and IPsec Security Associations.

Use the SHA-1 or SHA-256 hashing function

RFC 2404

This hashing function is used to authenticate both IKE and IPsec Security Associations.

Use Diffie-Hellman Perfect Forward Secrecy. The following groups are supported:

  • Phase 1 groups: 2, 14-18, 22, 23, and 24

  • Phase 2 groups: 2, 5, 14-18, 22, 23, and 24

RFC 2409

IKE uses Diffie-Hellman to establish ephemeral keys to secure all communication between customer gateways and virtual private gateways.


I have removed the IKEv1 pre-shared key, so I just have the following now.

tunnel-group 3.8.26.18 ipsec-attributes
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

I have attached the debug; not sure if that's the one you meant or not?


Many Thanks

Alex
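As an added example (not from the thread, nor Cisco's or AWS's own code), a small Python checker that walks the posted IKEv2 policy, IPsec proposal and crypto-map PFS lines and flags any algorithm or DH group outside the AWS-supported sets quoted above. The mapping of ASA keywords to the AWS names (aes = AES-128, sha/sha-1 = SHA-1) and the phase-1 versus phase-2 group split are my assumptions drawn from the quoted requirements.

```python
import re

# Constructed sample from the config posted in this thread (AES256 proposal,
# crypto-map PFS line and IKEv2 policy 98; names as posted).
ASA_CONFIG = """
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto map OUTSIDE_map 98 set pfs group5
crypto ikev2 policy 98
 encryption aes-256 aes
 integrity sha256 sha
 group 2
"""

# AWS customer gateway requirements as quoted in the thread, written with the
# ASA keywords (assumption: 'aes' means AES-128, 'sha'/'sha-1' means SHA-1).
AWS = {
    "ike_encryption": {"aes", "aes-256"},
    "ike_integrity": {"sha", "sha256"},
    "ike_group": {2, *range(14, 19), 22, 23, 24},       # phase 1 DH groups
    "esp_encryption": {"aes", "aes-256"},
    "esp_integrity": {"sha-1", "sha-256"},
    "pfs_groups": {2, 5, *range(14, 19), 22, 23, 24},   # phase 2 DH groups
}

def check_against_aws(config):
    """Walk the ASA config and list every value outside the AWS-accepted sets."""
    findings, scope, header = [], None, ""
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):            # top-level line: set the scope
            header = line.strip()
            scope = ("ike" if header.startswith("crypto ikev2 policy") else
                     "esp" if header.startswith("crypto ipsec ikev2 ipsec-proposal") else None)
            m = re.search(r"set pfs group(\d+)", header)
            if m and int(m.group(1)) not in AWS["pfs_groups"]:
                findings.append(f"{header}: phase 2 DH group not accepted by AWS")
            continue
        if scope == "esp" and words[:2] == ["protocol", "esp"]:
            words = words[2:]                   # normalise to 'keyword value...'
        key = f"{scope}_{words[0]}" if scope else None
        if key in AWS:                          # keywords we have a rule for
            for v in words[1:]:
                if (int(v) if v.isdigit() else v) not in AWS[key]:
                    findings.append(f"{header}: {words[0]} {v} not accepted by AWS")
    return findings
```

On the posted config the only finding is the md5 integrity option in the AES256 proposal; note that group 5 passes as a phase 2 PFS group but would be flagged in an IKEv2 policy, matching the two group lists AWS publishes.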

RJI (VIP Advocate)

Re: AWS IKEv2 Issues

From the debug, "IKEv2-PROTO-2: A supplied parameter is incorrect" implies a misconfigured parameter in the IKEv2 policy. Are you able to confirm exactly what is configured in AWS, rather than what is supported? I've never used AWS, so I assume you define which parameters you wish to use?

Re: AWS IKEv2 Issues

Thanks for your reply. Unfortunately, these are the only options you get when setting up a VPN in AWS. There are not really any configuration options; I just have to go on what they say they support.

AWS-VPN-Options.PNG