Issue with IKEv2 routes w using PSK and RADIUS

Radu Stefan
Level 1

Hi,

I have a 881+7 (15.2(4)M2) connected to an ASR 1001 (03.07.01.S) via the Internet. The goal is to setup DVTI on the ASR, use FlexVPN on the CPE and inject crypto IKEv2 routes in the VRF on the PE for the protected subnets on the CPE while using pre-shared-keys for authentication and RADIUS to send back the attributes.

I can get the tunnel working fine but I cannot get the crypto routes.

My configs:

881+7 CPE:

crypto ikev2 keyring KEYRING-CPE
 peer ASR
  address <ASR_IP>
  pre-shared-key abcd
!
crypto ikev2 profile IKEV2-PROFILE-CPE
 match identity remote address <ISR_IP> 255.255.255.255
 identity local fqdn cpe.ipsec.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING-CPE
 dpd 30 2 periodic
!
crypto ipsec transform-set TFS-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile default
 set transform-set TFS-AES256-SHA-HMAC
 set ikev2-profile IKEV2-PROFILE-CPE
!
crypto ikev2 client flexvpn FLEX
 peer 1 <ASR_IP>
 client inside Loopback0
 client connect Tunnel0
!
interface Loopback0
 ip address <PROTECTED_CPE_SUBNET> 255.255.255.255
!
interface Tunnel0
 ip address negotiated
 tunnel source Dialer2
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile default

ASR PE:

aaa authorization network IPSEC-AUTHOR group AAA-GROUP-IPSEC-RADIUS
!
crypto ikev2 dpd 60 2 periodic
!
crypto ikev2 profile IKEV2-PROFILE-ASR
 match fvrf FVRF
 match identity remote fqdn domain ipsec.net
 authentication remote pre-share
 authentication local pre-share
 keyring aaa IPSEC-AUTHOR
 aaa authorization user psk list IPSEC-AUTHOR
 virtual-template 1
!
crypto ipsec transform-set TFS-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile default
 set transform-set TFS-AES256-SHA-HMAC
 set ikev2-profile RADU
 responder-only
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel source GigabitEthernet0/0/3
 tunnel mode ipsec ipv4
 tunnel vrf FVRF
 tunnel protection ipsec profile default

RADIUS username definition:

cpe.ipsec.net
        Tunnel-Password = abcd,
        Framed-IP-Address=172.16.0.254,
        Framed-IP-Netmask=255.255.255.254,
        cisco-avpair="ip:interface-config=vrf forwarding test",
        cisco-avpair="ip:interface-config=ip address 172.16.0.255 255.255.255.254",
        cisco-avpair="ipsec:route-set=interface",
        cisco-avpair="ipsec:route-set=prefix <PROTECTED_CPE_SUBNET>/32",
        cisco-avpair="ipsec:route-accept=any"

The tunnel interface is coming UP on the CPE, the virtual-access interface is UP on the ASR. I could use BGP to exchange routing information between PE and CPE but I want to use IKE.

I think the problem is because I don't know how to invoke an IKEv2 authorization policy on the CPE (in which I could configure an access-list for the <PROTECTED_SUBNET>). But on the CPE I have the following limitations:

I want to use PSK for authentication, but no RADIUS server is available. So, the only other option for PSK authentication is a locally defined keyring, as there is no way to use a locally defined username (local authentication) with a keyring.

Then how can I trigger an IKEv2 authorization policy under the IKEv2 profile?

CPE(config-ikev2-profile)#aaa authorization user psk list ?
  WORD  AAA list name


If I define a local aaa authorization list, then the whole authentication fails:

aaa authorization network default local
!
crypto ikev2 profile IKEV2-PROFILE-CPE
 aaa authorization user psk list default

*Dec 20 15:52:27.042 UTC: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed

And there is no way to trigger the authorization policy if I don't configure the command above, is there? I tried altering the default authorization policy with the access-list, but it's not taken into account.

If I'm using a crypto map with an access-list and IKEv2, I can get the crypto route on the ASR. But I want to use FlexVPN on the CPE.

Is there a way to achieve this?

Also, the IOS configuration guides are not of much help.

Thank you,

Radu


olpeleri
Cisco Employee

Hello,

Instead of

 aaa authorization user psk list default

you should have

 aaa authorization group psk list default

If that's the case, you hit CSCtw74492.

Cheers,

Olivier

Thanks for the reply Olivier!

I've tried with both user | group and the result is the same:

.Dec 21 09:12:42.295 UTC: IKEv2:Adding Proposal default to toolkit policy
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):Using IKEv2 profile 'IKEV2-PROFILE-CPE'
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
.Dec 21 09:12:42.299 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
.Dec 21 09:12:42.299 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
.Dec 21 09:12:42.299 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NO_EVENT
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA author request for '87.84.214.31'
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA - policy '87.84.214.31' does not exist.
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 authorization error 162

I don't think local authorization can work with PSK, since it is said here that "Local AAA is not supported for AAA-based preshared keys."

.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA author request for '87.84.214.31'
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA - policy '87.84.214.31' does not exist.
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 authorization error 162

Not sure how your config looks, but here it says it can't find

 crypto ikev2 authorization policy 87.84.214.31
 <...>

Is it configured?
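A CPE-side configuration that follows this answer, given here as an added example and not as config from the original thread: the local IKEv2 authorization policy is named after the ASR's peer address (the literal 87.84.214.31 in the debug above, written as the <ASR_IP> placeholder here), and the AAA list name FLEX-LOCAL and the ACL name FLEX-ROUTES are assumptions.

```cisco
! Added example (assumptions: list FLEX-LOCAL, ACL FLEX-ROUTES, <ASR_IP>
! placeholder). Local network authorization: no RADIUS on the CPE.
aaa new-model
aaa authorization network FLEX-LOCAL local
!
! Prefixes the CPE advertises to the ASR inside the IKEv2 exchange.
ip access-list standard FLEX-ROUTES
 permit <PROTECTED_CPE_SUBNET> 0.0.0.0
!
! The policy name must equal the identity the CPE sees for the peer;
! the debug "local AAA author request for '87.84.214.31'" shows that
! identity is the ASR's address, so the policy is named after it.
crypto ikev2 authorization policy <ASR_IP>
 route set interface
 route set access-list FLEX-ROUTES
 route accept any
!
crypto ikev2 profile IKEV2-PROFILE-CPE
 match identity remote address <ASR_IP> 255.255.255.255
 identity local fqdn cpe.ipsec.net
 authentication remote pre-share
 authentication local pre-share
 ! PSK itself stays in the local keyring; only authorization is local AAA.
 keyring local KEYRING-CPE
 ! "group" (not "user") psk authorization, as pointed out above.
 aaa authorization group psk list FLEX-LOCAL
```

After the SA comes up, "show crypto ikev2 sa detailed" lists the remote subnets exchanged with the peer and "show ip route static" shows the prefixes installed from it.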

Thank you Olivier!!!

I see now where I was wrong and now it's working!

Merry Christmas to you, you saved my week

Radu

Excellent!

Can you mark the question as answered?

Merry Xmas and Happy new year!

I am trying to do something similar. Any chance you can share your working config?
