FlexVPN Hub & Spoke Problem

Matthew Needs
Level 1

Hi Everyone,

I'm having some trouble with FlexVPN in a hub & spoke LAN-to-LAN topology with PSK and VRFs. I just need a basic hub and spoke setup that will support VRF-Lite. I don't need NHRP because I want to use the C867VAE at the spokes. I can't get the VPN to come up for some reason, so any help would be really appreciated as I'm quite new to FlexVPN.

Here are the sanitised configs for the hub and a spoke with IPsec/ISAKMP debugs. I have replaced all www public IP addresses with 172.16.16.X.

I'm seeing this error in the IPsec debugs but it doesn't make sense to me:

 

*Feb 6 16:22:08.441: IPSEC(ipsec_process_proposal): invalid local address 172.16.16.1
*Feb 6 16:22:08.441: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.

*Feb 6 16:22:08.441: IPSEC(key_engine): failed to process KMI message 42

 

Thanks in advance!

HUB CONFIG

!
hostname HUB
!
boot-start-marker
boot system flash c1100-universalk9_ias.16.09.02.SPA.bin
boot-end-marker
!
!
vrf definition INET01
rd 1:1000
!
address-family ipv4
exit-address-family
!
vrf definition P1-C1
rd 1:2
!
address-family ipv4
exit-address-family
!
!
no aaa new-model
!
!
!
!
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
!
!
crypto ikev2 keyring P1-C1-KEY
peer Spokes
address 0.0.0.0 0.0.0.0
pre-shared-key local ##########
pre-shared-key remote ##########
!
!
!
crypto ikev2 profile P1-C1_IKE_1
match fvrf INET01
match identity remote any
identity local address 172.16.16.1
authentication remote pre-share
authentication local pre-share
keyring local P1-C1-KEY
ivrf P1-C1
!
crypto ikev2 dpd 30 5 on-demand
!
!
vlan internal allocation policy ascending
!
!
crypto logging session
!
!
!
!
!
!
crypto ipsec profile default
set ikev2-profile P1-C1_IKE_1
!
!
!
!
!
!
!
!
!
interface Loopback1
vrf forwarding P1-C1
ip address 10.0.3.17 255.255.255.255
!
interface GigabitEthernet0/0/0
vrf forwarding INET01
ip address 172.16.16.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
vrf forwarding INET01
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
switchport mode trunk
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface Virtual-Template1 type tunnel
vrf forwarding P1-C1
ip unnumbered Loopback1
tunnel source GigabitEthernet0/0/0
tunnel vrf INET01
tunnel protection ipsec profile default
!
interface Vlan1
no ip address
!
interface Vlan2
vrf forwarding P1-C1
ip address 10.0.2.3 255.255.255.240
standby 2 ip 10.0.2.1
standby 2 priority 50
standby 2 preempt
!
interface Vlan210
vrf forwarding P1-C1
ip address 10.0.1.5 255.255.255.224
standby 1 ip 10.0.1.3
standby 1 priority 50
standby 1 preempt
!
router bgp 65001
bgp log-neighbor-changes
bgp listen range 10.0.3.16/28 peer-group Spokes
!
address-family ipv4 vrf P1-C1
network 10.0.2.0 mask 255.255.255.240
neighbor Spokes peer-group
neighbor Spokes remote-as 65001
neighbor 10.0.2.2 remote-as 65001
neighbor 10.0.2.2 activate
neighbor 10.0.2.2 route-reflector-client
neighbor 10.0.2.2 next-hop-self all
neighbor 10.0.2.2 unsuppress-map ALL
exit-address-family
!
ip route vrf INET01 0.0.0.0 0.0.0.0 172.16.16.254
!
!
access-list 1 permit any
!
!
route-map ALL permit 10
match ip address 1
!

 

SPOKE CONFIG

!
hostname SPOKE
!
boot-start-marker
boot system flash c860vae2-advseck9-mz.SPA.157-3.M3.bin
boot-end-marker
!
!
vrf definition INET01
rd 1:1000
!
address-family ipv4
exit-address-family
!
!
vrf definition P1-C1
rd 1:2
!
address-family ipv4
exit-address-family
!
logging buffered 10000
!
no aaa new-model
wan mode dsl
clock timezone BST 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
!
!
!
!
!
!
no ip domain lookup
ip domain name swisp.co.uk
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
controller VDSL 0
!
!
crypto logging session
!
!
!
crypto ikev2 keyring P1-C1-KEY
peer Spokes
address 0.0.0.0 0.0.0.0
pre-shared-key local XXXXXXXXX
pre-shared-key remote XXXXXXXXX
!
!
!
crypto ikev2 profile P1-C1_IKE_1
match fvrf INET01
match identity remote address 172.16.16.1 255.255.255.255
identity local address 172.16.16.2
authentication remote pre-share
authentication local pre-share
keyring local P1-C1-KEY
ivrf P1-C1
!
crypto ikev2 dpd 30 5 on-demand
!
!
!
crypto ipsec profile default
set ikev2-profile P1-C1_IKE_1
!
!
!
!
interface Loopback1
vrf forwarding P1-C1
ip address 10.0.3.18 255.255.255.240
!
interface Tunnel2
vrf forwarding P1-C1
ip unnumbered Loopback1
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Dialer1
tunnel destination 172.16.16.1
tunnel path-mtu-discovery
tunnel vrf INET01
tunnel protection ipsec profile default
!
interface ATM0
no ip address
atm ilmi-keepalive
hold-queue 224 in
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface Vlan1
description ***LAN Network - 10.1.0.0/24***
vrf forwarding P1-C1
ip address 10.1.0.254 255.255.255.0
!
interface Dialer1
description *** Internet-DSL-Circuit - PSTN ***
vrf forwarding INET01
ip address 172.16.16.2 255.255.255.255
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin #############
ppp chap password ##############
!
router bgp 65001
bgp log-neighbor-changes
!
address-family ipv4 vrf P1-C1
network 10.1.0.0 mask 255.255.255.0
neighbor 10.0.3.17 remote-as 65001
neighbor 10.0.3.17 activate
exit-address-family
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route vrf INET01 0.0.0.0 0.0.0.0 Dialer1
ip ssh time-out 30
ip ssh version 2
!
dialer-list 1 protocol ip permit
!
!

 

DEBUGS

*Feb 6 16:22:08.238: IKEv2:Received Packet [From 172.16.16.2:500/To 172.16.16.1:500/VRF i0:f1]
Initiator SPI : 4C71818F782EBE8E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 6 16:22:08.239: IKEv2:(SESSION ID = 216,SA ID = 1):Verify SA init message
*Feb 6 16:22:08.239: IKEv2:(SESSION ID = 216,SA ID = 1):Insert SA
*Feb 6 16:22:08.240: IKEv2:Searching Policy with fvrf 1, local address 172.16.16.1
*Feb 6 16:22:08.240: IKEv2:Using the Default Policy for Proposal
*Feb 6 16:22:08.240: IKEv2:Found Policy 'default'
*Feb 6 16:22:08.240: IKEv2:(SESSION ID = 216,SA ID = 1):Processing IKE_SA_INIT message
*Feb 6 16:22:08.240: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 6 16:22:08.241: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2103734684'
*Feb 6 16:22:08.241: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 6 16:22:08.241: IKEv2:not a VPN-SIP session
*Feb 6 16:22:08.241: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Feb 6 16:22:08.241: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Feb 6 16:22:08.243: IKEv2:(SESSION ID = 216,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Feb 6 16:22:08.253: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 6 16:22:08.254: IKEv2:(SESSION ID = 216,SA ID = 1):Request queued for computation of DH key
*Feb 6 16:22:08.254: IKEv2:(SESSION ID = 216,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Feb 6 16:22:08.267: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 6 16:22:08.267: IKEv2:(SESSION ID = 216,SA ID = 1):Request queued for computation of DH secret
*Feb 6 16:22:08.268: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 6 16:22:08.268: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 6 16:22:08.268: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 6 16:22:08.268: IKEv2:(SESSION ID = 216,SA ID = 1):Generating IKE_SA_INIT message
*Feb 6 16:22:08.269: IKEv2:(SESSION ID = 216,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
*Feb 6 16:22:08.269: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 6 16:22:08.270: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2103734684'
*Feb 6 16:22:08.270: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 6 16:22:08.270: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Feb 6 16:22:08.270: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Feb 6 16:22:08.271: IKEv2:(SESSION ID = 216,SA ID = 1):Sending Packet [To 172.16.16.2:500/From 172.16.16.1:500/VRF i0:f1]
Initiator SPI : 4C71818F782EBE8E - Responder SPI : 91FA4D1988E0A16B Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 6 16:22:08.272: IKEv2:(SESSION ID = 216,SA ID = 1):Completed SA init exchange
*Feb 6 16:22:08.272: IKEv2:(SESSION ID = 216,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Feb 6 16:22:08.432: IKEv2:(SESSION ID = 216,SA ID = 1):Received Packet [From 172.16.16.2:500/To 172.16.16.1:500/VRF i0:f1]
Initiator SPI : 4C71818F782EBE8E - Responder SPI : 91FA4D1988E0A16B Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Feb 6 16:22:08.434: IKEv2:(SESSION ID = 216,SA ID = 1):Stopping timer to wait for auth message
*Feb 6 16:22:08.434: IKEv2:(SESSION ID = 216,SA ID = 1):Checking NAT discovery
*Feb 6 16:22:08.434: IKEv2:(SESSION ID = 216,SA ID = 1):NAT not found
*Feb 6 16:22:08.434: IKEv2:(SESSION ID = 216,SA ID = 1):Searching policy based on peer's identity '172.16.16.2' of type 'IPv4 address'
*Feb 6 16:22:08.434: IKEv2:found matching IKEv2 profile 'P1-C1_IKE_1'
*Feb 6 16:22:08.434: IKEv2:% Getting preshared key from profile keyring P1-C1-KEY
*Feb 6 16:22:08.434: IKEv2:% Matched peer block 'Spokes'
*Feb 6 16:22:08.435: IKEv2:Searching Policy with fvrf 1, local address 172.16.16.1
*Feb 6 16:22:08.435: IKEv2:Using the Default Policy for Proposal
*Feb 6 16:22:08.435: IKEv2:Found Policy 'default'
*Feb 6 16:22:08.435: IKEv2:(SESSION ID = 216,SA ID = 1):Verify peer's policy
*Feb 6 16:22:08.435: IKEv2:(SESSION ID = 216,SA ID = 1):Peer's policy verified
*Feb 6 16:22:08.435: IKEv2:(SESSION ID = 216,SA ID = 1):Get peer's authentication method
*Feb 6 16:22:08.436: IKEv2:(SESSION ID = 216,SA ID = 1):Peer's authentication method is 'PSK'
*Feb 6 16:22:08.436: IKEv2:(SESSION ID = 216,SA ID = 1):Get peer's preshared key for 172.16.16.2
*Feb 6 16:22:08.436: IKEv2:(SESSION ID = 216,SA ID = 1):Verify peer's authentication data
*Feb 6 16:22:08.436: IKEv2:(SESSION ID = 216,SA ID = 1):Use preshared key for id 172.16.16.2, key len 12
*Feb 6 16:22:08.436: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 6 16:22:08.436: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 6 16:22:08.436: IKEv2:(SESSION ID = 216,SA ID = 1):Verification of peer's authenctication data PASSED
*Feb 6 16:22:08.437: IKEv2:(SESSION ID = 216,SA ID = 1):Processing INITIAL_CONTACT
*Feb 6 16:22:08.437: IKEv2:(SESSION ID = 216,SA ID = 1):Received valid config mode data
*Feb 6 16:22:08.437: IKEv2:Config data recieved:
*Feb 6 16:22:08.437: IKEv2:(SESSION ID = 216,SA ID = 1):Config-type: Config-request
*Feb 6 16:22:08.437: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Feb 6 16:22:08.437: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: ipv4-dns, length: 0
*Feb 6 16:22:08.438: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Feb 6 16:22:08.438: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: ipv4-nbns, length: 0
*Feb 6 16:22:08.438: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: ipv4-subnet, length: 0
*Feb 6 16:22:08.438: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: ipv6-dns, length: 0
*Feb 6 16:22:08.438: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: ipv6-subnet, length: 0
*Feb 6 16:22:08.438: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: app-version, length: 243, data: Cisco IOS Software, C860 Software (C860VAE2-ADVSECK9-M), Version 15.7(3)M3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Wed 01-Aug-18 15:36 by prod_rel_team
*Feb 6 16:22:08.438: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: split-dns, length: 0
*Feb 6 16:22:08.439: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: banner, length: 0
*Feb 6 16:22:08.439: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: config-url, length: 0
*Feb 6 16:22:08.439: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: backup-gateway, length: 0
*Feb 6 16:22:08.439: IKEv2:(SESSION ID = 216,SA ID = 1):Attrib type: def-domain, length: 0
*Feb 6 16:22:08.439: IKEv2:(SESSION ID = 216,SA ID = 1):Set received config mode data
*Feb 6 16:22:08.439: IKEv2:(SESSION ID = 216,SA ID = 1):Processing IKE_AUTH message
*Feb 6 16:22:08.440: IKEv2:IPSec policy validate request sent for profile P1-C1_IKE_1 with psh index 1.

*Feb 6 16:22:08.440: IKEv2:(SESSION ID = 216,SA ID = 1):
*Feb 6 16:22:08.440: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 6 16:22:08.441: IPSEC(validate_proposal_request): proposal part #1
*Feb 6 16:22:08.441: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.16.1:0, remote= 172.16.16.2:0,
local_proxy= 172.16.16.1/255.255.255.255/47/0,
remote_proxy= 172.16.16.2/255.255.255.255/47/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb 6 16:22:08.441: IPSEC(ipsec_process_proposal): invalid local address 172.16.16.1
*Feb 6 16:22:08.441: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.

*Feb 6 16:22:08.441: IPSEC(key_engine): failed to process KMI message 42
*Feb 6 16:22:08.442: IKEv2-ERROR:(SESSION ID = 216,SA ID = 1):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-CBC-128 SHA96 Don't use ESN
*Feb 6 16:22:08.442:
*Feb 6 16:22:08.442:
*Feb 6 16:22:08.442: IKEv2-ERROR:(SESSION ID = 216,SA ID = 1):Expected Policies: : Failed to find a matching policy
*Feb 6 16:22:08.442: IKEv2-ERROR:(SESSION ID = 216,SA ID = 1):: Failed to find a matching policy
*Feb 6 16:22:08.443: IKEv2:(SESSION ID = 216,SA ID = 1):Sending no proposal chosen notify
*Feb 6 16:22:08.443: IKEv2:(SESSION ID = 216,SA ID = 1):Get my authentication method
*Feb 6 16:22:08.443: IKEv2:(SESSION ID = 216,SA ID = 1):My authentication method is 'PSK'
*Feb 6 16:22:08.443: IKEv2:(SESSION ID = 216,SA ID = 1):Get peer's preshared key for 172.16.16.2
*Feb 6 16:22:08.443: IKEv2:(SESSION ID = 216,SA ID = 1):Generate my authentication data
*Feb 6 16:22:08.443: IKEv2:(SESSION ID = 216,SA ID = 1):Use preshared key for id 172.16.16.1, key len 12
*Feb 6 16:22:08.443: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 6 16:22:08.444: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 6 16:22:08.444: IKEv2:(SESSION ID = 216,SA ID = 1):Get my authentication method
*Feb 6 16:22:08.444: IKEv2:(SESSION ID = 216,SA ID = 1):My authentication method is 'PSK'
*Feb 6 16:22:08.444: IKEv2:(SESSION ID = 216,SA ID = 1):Generating IKE_AUTH message
*Feb 6 16:22:08.444: IKEv2:(SESSION ID = 216,SA ID = 1):Constructing IDr payload: '172.16.16.1' of type 'IPv4 address'
*Feb 6 16:22:08.445: IKEv2:(SESSION ID = 216,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

*Feb 6 16:22:08.445: IKEv2:(SESSION ID = 216,SA ID = 1):Sending Packet [To 172.16.16.2:500/From 172.16.16.1:500/VRF i2:f1]
Initiator SPI : 4C71818F782EBE8E - Responder SPI : 91FA4D1988E0A16B Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Feb 6 16:22:08.446: IKEv2:(SESSION ID = 216,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 6 16:22:08.446: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP. Peer 172.16.16.2:500 f_vrf: INET01 i_vrf: P1-C1 Id: 172.16.16.2
*Feb 6 16:22:08.446: IKEv2:(SESSION ID = 216,SA ID = 1):Session with IKE ID PAIR (172.16.16.2, 172.16.16.1) is UP
*Feb 6 16:22:08.447: IKEv2:(SESSION ID = 216,SA ID = 1):Initializing DPD, configured for 0 seconds
*Feb 6 16:22:08.447: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Feb 6 16:22:08.447: IKEv2:(SESSION ID = 216,SA ID = 1):Checking for duplicate IKEv2 SA
*Feb 6 16:22:08.447: IKEv2:(SESSION ID = 216,SA ID = 1):No duplicate IKEv2 SA found
*Feb 6 16:22:08.448: IKEv2:(SESSION ID = 216,SA ID = 1):Starting timer (8 sec) to delete negotiation context

*Feb 6 16:22:08.483: IKEv2:(SESSION ID = 216,SA ID = 1):Received Packet [From 172.16.16.2:500/To 172.16.16.1:500/VRF i0:f1]
Initiator SPI : 4C71818F782EBE8E - Responder SPI : 91FA4D1988E0A16B Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE

*Feb 6 16:22:08.484: IKEv2:(SESSION ID = 216,SA ID = 1):Building packet for encryption.

*Feb 6 16:22:08.484: IKEv2:(SESSION ID = 216,SA ID = 1):Sending Packet [To 172.16.16.2:500/From 172.16.16.1:500/VRF i2:f1]
Initiator SPI : 4C71818F782EBE8E - Responder SPI : 91FA4D1988E0A16B Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

*Feb 6 16:22:08.485: IKEv2:(SESSION ID = 216,SA ID = 1):Process delete request from peer
*Feb 6 16:22:08.485: IKEv2:(SESSION ID = 216,SA ID = 1):Processing DELETE INFO message for IPsec SA [SPI: 0x9B5ACAC]
*Feb 6 16:22:08.485: IKEv2:(SESSION ID = 216,SA ID = 1):Check for existing active SA

*Feb 6 16:22:08.517: IKEv2:(SESSION ID = 216,SA ID = 1):Received Packet [From 172.16.16.2:500/To 172.16.16.1:500/VRF i0:f1]
Initiator SPI : 4C71818F782EBE8E - Responder SPI : 91FA4D1988E0A16B Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE

*Feb 6 16:22:08.517: IKEv2:(SESSION ID = 216,SA ID = 1):Building packet for encryption.

*Feb 6 16:22:08.518: IKEv2:(SESSION ID = 216,SA ID = 1):Sending Packet [To 172.16.16.2:500/From 172.16.16.1:500/VRF i2:f1]
Initiator SPI : 4C71818F782EBE8E - Responder SPI : 91FA4D1988E0A16B Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

*Feb 6 16:22:08.518: IKEv2:(SESSION ID = 216,SA ID = 1):Process delete request from peer
*Feb 6 16:22:08.519: IKEv2:(SESSION ID = 216,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x4C71818F782EBE8E RSPI: 0x91FA4D1988E0A16B]
*Feb 6 16:22:08.519: IKEv2:(SESSION ID = 216,SA ID = 1):Check for existing active SA
*Feb 6 16:22:08.519: IKEv2:(SESSION ID = 216,SA ID = 1):Delete all IKE SAs
*Feb 6 16:22:08.519: IKEv2:(SESSION ID = 216,SA ID = 1):Deleting SA
*Feb 6 16:22:08.520: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer 172.16.16.2:500 f_vrf: INET01 i_vrf: P1-C1 Id: 172.16.16.2

*Feb 6 16:22:09.329: IKEv2:Received Packet [From 172.16.16.2:500/To 172.16.16.1:500/VRF i0:f1]
Initiator SPI : DD6F6BDBE4A7DEAF - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 6 16:22:09.330: IKEv2:(SESSION ID = 217,SA ID = 1):Verify SA init message
*Feb 6 16:22:09.330: IKEv2:(SESSION ID = 217,SA ID = 1):Insert SA
*Feb 6 16:22:09.331: IKEv2:Searching Policy with fvrf 1, local address 172.16.16.1
*Feb 6 16:22:09.331: IKEv2:Using the Default Policy for Proposal
*Feb 6 16:22:09.331: IKEv2:Found Policy 'default'
*Feb 6 16:22:09.331: IKEv2:(SESSION ID = 217,SA ID = 1):Processing IKE_SA_INIT message
*Feb 6 16:22:09.331: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 6 16:22:09.332: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2103734684'
*Feb 6 16:22:09.332: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 6 16:22:09.332: IKEv2:not a VPN-SIP session
*Feb 6 16:22:09.332: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Feb 6 16:22:09.332: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Feb 6 16:22:09.332: IKEv2:(SESSION ID = 217,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Feb 6 16:22:09.343: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 6 16:22:09.343: IKEv2:(SESSION ID = 217,SA ID = 1):Request queued for computation of DH key
*Feb 6 16:22:09.344: IKEv2:(SESSION ID = 217,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Feb 6 16:22:09.357: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 6 16:22:09.357: IKEv2:(SESSION ID = 217,SA ID = 1):Request queued for computation of DH secret
*Feb 6 16:22:09.358: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 6 16:22:09.358: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 6 16:22:09.358: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 6 16:22:09.358: IKEv2:(SESSION ID = 217,SA ID = 1):Generating IKE_SA_INIT message
*Feb 6 16:22:09.358: IKEv2:(SESSION ID = 217,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
*Feb 6 16:22:09.359: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 6 16:22:09.359: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-2103734684'
*Feb 6 16:22:09.359: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 6 16:22:09.359: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Feb 6 16:22:09.360: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Feb 6 16:22:09.360: IKEv2:(SESSION ID = 217,SA ID = 1):Sending Packet [To 172.16.16.2:500/From 172.16.16.1:500/VRF i0:f1]
Initiator SPI : DD6F6BDBE4A7DEAF - Responder SPI : 8587B9E3095FF240 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 6 16:22:09.361: IKEv2:(SESSION ID = 217,SA ID = 1):Completed SA init exchange
*Feb 6 16:22:09.362: IKEv2:(SESSION ID = 217,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Feb 6 16:22:09.522: IKEv2:(SESSION ID = 217,SA ID = 1):Received Packet [From 172.16.16.2:500/To 172.16.16.1:500/VRF i0:f1]
Initiator SPI : DD6F6BDBE4A7DEAF - Responder SPI : 8587B9E3095FF240 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Accepted Solution

Hi Matt,
I replicated this in my lab as accurately as I could. If you remove the iVRF from the IKEv2 profile on both ends and specify the virtual-template on the hub, then the tunnel comes up. Routes in the iVRF P1-C1 are accessible from either peer.

SPOKE:-
crypto ikev2 profile P1-C1_IKE_1
no ivrf P1-C1

HUB:-
crypto ikev2 profile P1-C1_IKE_1
no ivrf P1-C1
virtual-template 1 mode auto

HTH

Hello,

Thanks so much for your time on this. You've been very helpful indeed. Funnily enough, I was changing those very config lines yesterday afternoon in various different combinations in my lab, but it didn't work for me at the time. However, as soon as you pointed out that your lab worked I changed the config but this time reloaded both ends. Boom! VPN comes up :).

Then I found that the VPN wasn't actually encrypting traffic. I needed to correct an error in my BGP config and add the following to both routers in order to get FlexVPN to inject the remote subnets into IKEv2.

crypto ikev2 authorization policy P1-C1-AUTH-POL-01
route set interface

crypto ikev2 profile P1-C1_IKE_1
aaa authorization group psk list default P1-C1-AUTH-POL-01

I also set the tunnel mode to 'tunnel' rather than the default 'transport', as I read that FlexVPN is designed for tunnel mode.

crypto ipsec transform-set P1-C1-TRANS esp-aes esp-sha-hmac
mode tunnel

crypto ipsec profile default
set transform-set P1-C1-TRANS
set ikev2-profile P1-C1_IKE_1

Thanks again for all your help. Have a great day. Long live the Cisco community!

Matt
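
The thread's fix came down to four config bindings: no `ivrf` in the IKEv2 profile, `virtual-template N mode auto` in the hub's profile, an authorization policy with `route set interface` attached via `aaa authorization group psk list`, and a transform-set in tunnel mode. As an added example (not part of the thread, and not a Cisco tool), here is a Python lint that parses an IOS `show run` into blocks and checks exactly those bindings, plus that `tunnel vrf` on the tunnel interface matches `match fvrf` in the profile it is protected by. The two embedded configs are constructed: `HUB_BEFORE` mirrors the relevant blocks of the hub config posted above, `HUB_AFTER` applies the accepted solution and the follow-up changes. Function names (`parse_ios`, `check_flexvpn`) are mine. Note that the parser relies on the one-space indentation real IOS output has for sub-commands, which the forum paste above has lost.

```python
import re
from collections import OrderedDict

# Constructed hub configs reduced to the FlexVPN-relevant blocks (see lead-in).
HUB_BEFORE = """\
crypto ikev2 profile P1-C1_IKE_1
 match fvrf INET01
 ivrf P1-C1
!
crypto ipsec profile default
 set ikev2-profile P1-C1_IKE_1
!
interface Virtual-Template1 type tunnel
 vrf forwarding P1-C1
 tunnel vrf INET01
 tunnel protection ipsec profile default
"""

HUB_AFTER = """\
crypto ikev2 authorization policy P1-C1-AUTH-POL-01
 route set interface
!
crypto ikev2 profile P1-C1_IKE_1
 match fvrf INET01
 aaa authorization group psk list default P1-C1-AUTH-POL-01
 virtual-template 1 mode auto
!
crypto ipsec transform-set P1-C1-TRANS esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile default
 set transform-set P1-C1-TRANS
 set ikev2-profile P1-C1_IKE_1
!
interface Virtual-Template1 type tunnel
 vrf forwarding P1-C1
 tunnel vrf INET01
 tunnel protection ipsec profile default
"""


def parse_ios(text):
    """Split an IOS config into {header: [sub-commands]}: a non-indented line opens
    a block, the one-space-indented lines under it are its sub-commands."""
    blocks, header = OrderedDict(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            header = raw.strip()
            blocks.setdefault(header, [])
        elif header is not None:
            blocks[header].append(raw.strip())
    return blocks


def named(blocks, prefix):
    """{name: sub-commands} for every block whose header starts with prefix."""
    return {h[len(prefix):].split()[0]: s for h, s in blocks.items()
            if h.startswith(prefix) and h[len(prefix):].strip()}


def arg(subs, prefix):
    """Argument text of the first sub-command starting with prefix, else None."""
    for s in subs:
        if s == prefix or s.startswith(prefix + " "):
            return s[len(prefix):].strip()
    return None


def check_flexvpn(text):
    """Lint the FlexVPN bindings the thread turned out to hinge on."""
    b = parse_ios(text)
    ike = named(b, "crypto ikev2 profile ")
    ipsec = named(b, "crypto ipsec profile ")
    tsets = named(b, "crypto ipsec transform-set ")
    pols = named(b, "crypto ikev2 authorization policy ")
    out = []
    for name, subs in ike.items():
        if arg(subs, "ivrf") is not None:
            out.append(f"ikev2 profile {name}: 'ivrf' set; the accepted fix drops it and lets "
                       "'vrf forwarding' on the tunnel/virtual-template supply the iVRF")
        lst = arg(subs, "aaa authorization group psk list")
        pol = lst.split()[-1] if lst else None
        if "route set interface" not in pols.get(pol, []):
            out.append(f"ikev2 profile {name}: no authorization policy with 'route set interface', "
                       "so remote subnets are not injected via IKEv2")
    for ifname, subs in b.items():
        prof_name = arg(subs, "tunnel protection ipsec profile")
        if not ifname.startswith("interface ") or not prof_name:
            continue
        prof = ipsec.get(prof_name.split()[0], [])
        ike_name = arg(prof, "set ikev2-profile")
        ike_subs = ike.get(ike_name, [])
        fvrf, tvrf = arg(ike_subs, "match fvrf"), arg(subs, "tunnel vrf")
        if fvrf != tvrf:
            out.append(f"{ifname}: 'tunnel vrf {tvrf}' does not match 'match fvrf {fvrf}' "
                       f"of ikev2 profile {ike_name}")
        ts = tsets.get(arg(prof, "set transform-set") or "")
        if ts is None or "mode tunnel" not in ts:
            out.append(f"ipsec profile {prof_name}: no transform-set with an explicit "
                       "'mode tunnel' (the thread's default profile negotiated transport mode)")
        vt = re.match(r"interface Virtual-Template(\d+)", ifname)
        bound = arg(ike_subs, "virtual-template")
        if vt and (bound is None or bound.split()[0] != vt.group(1)):
            out.append(f"ikev2 profile {ike_name}: needs 'virtual-template {vt.group(1)} "
                       f"mode auto' to bind {ifname}")
    return out


if __name__ == "__main__":
    print("\n".join(check_flexvpn(HUB_BEFORE)) or "no findings")
```

Run it against a saved `show running-config` from each end; the spoke has a static Tunnel interface rather than a Virtual-Template, so only the `ivrf`, authorization-policy, transform-set and VRF-consistency checks fire there. The `tunnel vrf` versus `match fvrf` check is the one that would catch the VRF mismatch an `invalid local address` message points at even when the rest of the config looks right.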