IKEv2 L2L proposal mismatch when multiple policies set

broadleon

Hi

 

I'm trying to add another site-to-site VPN to an IKEv2 configuration. However, the debug on the router shows that the second connection coming in is matching against the first proposal.
GMT: IKEv2-ERROR:(SESSION ID = 588,SA ID = 1):Received Policies: : Failed to find a matching policyProposal 1:  AES-GCM-256 SHA512 DH_GROUP_2048_256_MODP/Group 24
091495: *Nov 13 13:06:59.969 GMT:
091496: *Nov 13 13:06:59.969 GMT: Proposal 2:  AES-CBC-128 SHA1 SHA512 DH_GROUP_2048_256_MODP/Group 24
091497: *Nov 13 13:06:59.973 GMT:
091498: *Nov 13 13:06:59.973 GMT:
091499: *Nov 13 13:06:59.973 GMT: IKEv2-ERROR:(SESSION ID = 588,SA ID = 1):Expected Policies: : Failed to find a matching policyProposal 1:  AES-CBC-256 SHA512 SHA512 DH_GROUP_2048_256_MODP/Group 24

I think the issue is:
:Searching Policy with fvrf 0, local address 192.168.1.2
091697: *Nov 13 13:09:35.260 GMT: IKEv2:Found Policy '236'

This is the wrong policy; it should be '127', but the fvrf is 0 and the local address will always be 192.168.1.2. This is because the ASA address attached to the router is where the incoming connection for the VPN is PASSING THROUGH, not coming from.

I think it's to do with the match fvrf any, but I'm no expert on this matter.
crypto ikev2 policy 236
 match fvrf any
 proposal 236
crypto ikev2 policy 127
 match fvrf any
 proposal 127

Edit: Just to clarify, I'm behind a firewall (NAT-T).

10 Replies

Hi,
Can you provide your configuration for review?

crypto ikev2 proposal 236
 encryption aes-cbc-256
 integrity sha512
 group 24
!
crypto ikev2 proposal 127
 encryption aes-gcm-256
 prf sha512
 group 24
!
crypto ikev2 policy 236
 match fvrf any
 proposal 236
!
crypto ikev2 policy 127
 match fvrf any
 proposal 127
!
crypto ikev2 keyring 236
 peer 236
  address 195.xxx.xxx.xxx
  pre-shared-key <----Key----->
!
crypto ikev2 keyring 127
 peer 127
  address 94.xxx.xxx.xxx
  pre-shared-key local <----Key----->
  pre-shared-key remote <----Key----->
!
crypto ikev2 profile 236
 match identity remote fqdn xxxxxxxxxxxxx
 identity local fqdn xxxxxxxxxxxxx
 authentication local pre-share
 authentication remote pre-share
 keyring local 236
 dpd 1000 2 periodic
!
crypto ikev2 profile 127
 match identity remote address 94.xxx.xxx.xxx 255.255.255.248
 identity local address 192.168.1.2
 authentication local pre-share
 authentication remote pre-share
 keyring local 127
 dpd 1000 2 periodic
!
crypto ipsec transform-set 236 esp-aes esp-sha512-hmac
 mode tunnel
crypto ipsec transform-set 127 esp-gcm 256
 mode tunnel
!
crypto ipsec profile 236
 set transform-set 236
 set ikev2-profile 236
!
crypto ipsec profile 127
 set transform-set 127
 set ikev2-profile 127
!
interface Tunnel127
 ip address 172.16.4.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 94.xxx.xxx.xxx
 tunnel protection ipsec profile 127
!
interface Tunnel236
 ip address 172.16.3.1 255.255.255.252
 ip mtu 1400
 zone-member security 236
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 195.xxx.xxx.xxx
 tunnel protection ipsec profile 236
!

broadleon

I have found, removing:

match fvrf any

from policy 127 will cause a match; however, I feel there will be config issues with policy 236.


If you are concerned about issues with the other policy, instead of matching on fvrf you could match on address.

But would not matching on a local address for both policies cause the same conflict when the local interface address is the same?

I'm not sure I follow you.

Why match on source anything in the IKEv2 policy? Define one IKEv2 policy and reference both proposals (127, 236); whatever the peers send, it should match either and negotiate accordingly. Rely on the IKEv2 profile to match the remote FQDN/address to complete IKEv2 SA negotiations.

Can you give me a configuration example?

E.g.

crypto ikev2 proposal PROP1
encryption aes-cbc-128
integrity sha256
group 19
crypto ikev2 proposal PROP2
encryption aes-gcm-256
prf sha512
group 19
crypto ikev2 policy IKEV2_POLICY
proposal PROP1
proposal PROP2

HTH
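The selection behaviour discussed in this thread, as an added Python model that is not from the thread or from Cisco: a policy is picked by FVRF and local address first, and the peer's proposals are compared only against the proposals that policy references. With the two `match fvrf any` policies from the first post, the 127 peer's AES-GCM offer is checked against policy 236 and fails; with one policy referencing both proposals it matches. The "first matching policy in config order wins" rule is an assumption taken from the debug output.

```python
# Added example, not from the thread: a small model of how IOS selects an
# IKEv2 policy by (FVRF, local address) first and compares the peer's
# proposals only against the proposals that policy references.
# Assumption: among policies whose criteria match, the first in config
# order wins (the thread's config lists policy 236 before 127).

# Proposals as (encryption, integrity, prf, dh_group); AEAD ciphers such
# as AES-GCM carry no separate integrity algorithm. Values follow the
# thread's configuration.
PROPOSALS = {
    "236": ("aes-cbc-256", "sha512", "sha512", 24),
    "127": ("aes-gcm-256", None, "sha512", 24),
}

def select_policy(policies, fvrf, local_addr):
    """Return the first policy whose match criteria accept the SA's
    front-door VRF and local address, or None."""
    for pol in policies:
        fvrf_ok = pol.get("fvrf", "any") in ("any", fvrf)
        addr_ok = pol.get("address") in (None, local_addr)
        if fvrf_ok and addr_ok:
            return pol
    return None

def negotiate(policies, fvrf, local_addr, offered):
    """Return (policy name, proposal name) when one of the peer's offered
    proposals equals a proposal referenced by the selected policy."""
    pol = select_policy(policies, fvrf, local_addr)
    if pol is None:
        return None
    for name in pol["proposals"]:
        if PROPOSALS[name] in offered:
            return (pol["name"], name)
    return None

# The thread's original layout: two policies, both 'match fvrf any'.
TWO_POLICIES = [
    {"name": "236", "fvrf": "any", "proposals": ["236"]},
    {"name": "127", "fvrf": "any", "proposals": ["127"]},
]
# The accepted answer's approach: one policy referencing both proposals.
ONE_POLICY = [
    {"name": "IKEV2_POLICY", "fvrf": "any", "proposals": ["236", "127"]},
]

# Constructed offers, mirroring the debug output in the first post.
PEER_127_OFFER = [("aes-gcm-256", None, "sha512", 24),
                  ("aes-cbc-128", "sha1", "sha512", 24)]
PEER_236_OFFER = [("aes-cbc-256", "sha512", "sha512", 24)]
```

Running `negotiate(TWO_POLICIES, "0", "192.168.1.2", PEER_127_OFFER)` returns `None`, the same "Failed to find a matching policy" outcome as the debug, while the single-policy layout returns `('IKEV2_POLICY', '127')`.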

Good, at least it solved my problem.

Thanks

Thank you so much, this hack saved my project.