02-26-2017 07:06 AM
Hi all,
I have a VPN tunnel between a 5505 and an 887VA router. All is working well but after the session rekeys traffic will not traverse the tunnel anymore. Keepalives are still exchanged but no traffic. The ASA is behind a UBEE NAT router (at my place) and my logic says if the UBEE is still forwarding the keepalives it does not seem to play a role in this.
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
143152683 192.168.178.254/4500 123.123.123.123/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/237 sec
Child sa: local selector 10.34.0.0/0 - 10.34.255.255/65535
remote selector 10.2.0.0/0 - 10.2.255.255/65535
ESP spi in/out: 0x453d575f/0x4bb5a66d
ASA-01#
When I reset the tunnel (clear crypto ikev2 sa) it works perfectly. I have an Observium server at my side polling devices at the other side so traffic is generated at 5 minute intervals at least.
ASA image : asa917-13-k8.bin
Router image : c880data-universalk9-mz.152-3.T.bin
The router has 2 more tunnels which work without interruption.
-----
Router config:
crypto ikev2 proposal PROPOSAL_AES_CBS_256
encryption aes-cbc-256
integrity sha512
group 14
crypto ikev2 proposal PROPOSAL_AES_CBS_256_SHA1 (<< the proposal the ASA-router are using)
encryption aes-cbc-256
integrity sha1
group 14 5
!
crypto ikev2 policy POLICY_IKEv2
proposal PROPOSAL_AES_CBS_256
proposal PROPOSAL_AES_CBS_256_SHA1
!
crypto ikev2 keyring KEYRING_MYHOME
peer ASA-MYHOME
address 12.34.12.34
pre-shared-key local $$$$$$$$$$$$
pre-shared-key remote €€€€€€€€€€€€€
!
!
crypto ikev2 profile PROFILE_MYHOME
match identity remote address 12.34.12.34 255.255.255.255
match identity remote address 192.168.178.254 255.255.255.255 (<-- had to be added due to NAT-T)
identity local address 123.123.123.123
authentication remote pre-share
authentication local pre-share
keyring local KEYRING_MYHOME
!
ip access-list extended home-MYHOME
permit ip 10.2.0.0 0.0.255.255 10.34.0.0 0.0.255.255
!
----
ASA config:
object network OBJ-NET-OTHERSIDE
subnet 10.2.0.0 255.255.0.0
object network OBJ-NET-MYHOME
subnet 10.34.0.0 255.255.0.0
access-list ACL-MYHOME-OTHERSIDE extended permit ip object OBJ-NET-MYHOME object OBJ-NET-OTHERSIDE
!
crypto ipsec ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
protocol esp encryption aes-256
protocol esp integrity sha-1
!
crypto map IKEv2_OUTSIDE_MAP 1000 match address ACL-MYHOME-OTHERSIDE
crypto map IKEv2_OUTSIDE_MAP 1000 set peer 123.123.123.123
crypto map IKEv2_OUTSIDE_MAP 1000 set ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1
crypto map IKEv2_OUTSIDE_MAP interface outside
!
crypto ikev2 policy 1000
encryption aes-256
integrity sha512
group 14 5
prf sha512
lifetime seconds 86400
crypto ikev2 enable outside
!
tunnel-group 123.123.123.123 general-attributes
default-group-policy 123.123.123.123
tunnel-group 123.123.123.123 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
The ASA has been upgraded from a 9.1.6 image.
The router log shows this:
043327: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):Unsupported DH group
043328: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):
043329: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):Error encountered while navigating State Machine
043330: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):No Result Transition table avail for CHILD_I_PROC / EV_INV_KE with return code 0.0.0.11
043331: Feb 26 15:25:07.851 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=123.123.123.123, prot=50, spi=0x780EACCC(2014227660), srcaddr=12.34.12.34 interface=Dialer1
043332: Feb 26 15:25:07.851 PCTime: IKEv2:Failed to locate an item in the database
It seems somewhere I have to change / add the DH group. Originally I only used group 14 but added 5 as well.
Regards,
Marcel.
02-26-2017 11:46 AM
After inspecting the output of "sh crypto ikev2 sa det" I saw there was a difference in hashing methods and DH groups. After removing several IKEv2 policies on the ASA and clearing the tunnel, these were the same. Now let's see if this helps:
IKEv2 SAs:
Session-id:4, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
282283041 192.168.178.254/4500 123.123.123.123/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/878 sec
Session-id: 4
Status Description: Negotiation done
Local spi: 14D822B9D1D2137C Remote spi: 1D4C0BF4779988ED
Local id: 192.168.178.254
Remote id: 123.123.123.123
Local req mess id: 72 Remote req mess id: 0
Local next mess id: 72 Remote next mess id: 0
Local req queued: 72 Remote req queued: 0
Local window: 1 Remote window: 5
DPD configured for 10 seconds, retry 2
NAT-T is detected inside
Child sa: local selector 10.34.0.0/0 - 10.34.255.255/65535
remote selector 10.2.0.0/0 - 10.2.255.255/65535
ESP spi in/out: 0x88c1d8ec/0x92f1ab23
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
---------------
c887va-bhl-01#sh crypto ikev2 sa det
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
3 123.123.123.123/4500 12.34.12.34/4500 none/none DELETE
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/170635 sec
CE id: 2196, Session-id: 20
Status Description: Deleting IKE SA
Local spi: 0D6780C4EC4761B2 Remote spi: B14C13F680B2D671
Local id: 123.123.123.123
Remote id: 192.168.178.254
Local req msg id: 0 Remote req msg id: 584
Local next msg id: 1 Remote next msg id: 584
Local req queued: 0 Remote req queued: 584
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
NAT-T is detected outside
Cisco Trust Security SGT is disabled
Initiator of SA : No
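The check described in the post above (comparing the IKE SA parameters each peer reports) can be scripted. The following is an added example, not code from the thread or from Cisco: it pulls Encr, keysize, Hash, DH group and SA status out of the `sh crypto ikev2 sa det` text from each side, lists the fields that differ, warns when one side's SA is not in READY state (the router output quoted above is an SA in DELETE state, so comparing against it is misleading), and scans router syslog lines for the IKEv2 errors quoted in the first post. The function names and regular expressions are my own; the ASA and router samples are copied from the thread and the "matching" router sample is constructed.

```python
import re
from typing import Dict, List

# Summary line printed by both ASA and IOS, e.g.
#   "Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK"
SA_LINE = re.compile(
    r"Encr:\s*(?P<encr>[\w-]+),\s*keysize:\s*(?P<keysize>\d+),\s*"
    r"Hash:\s*(?P<hash>\w+),\s*DH Grp:\s*(?P<dh>\d+)"
)

# Tunnel row. ASA: "<id> <local>/<port> <remote>/<port> READY INITIATOR"
#             IOS: "<id> <local>/<port> <remote>/<port> none/none DELETE"
# The optional "fvrf/ivrf" column is only present on IOS.
TUNNEL_ROW = re.compile(
    r"^\s*\d+\s+\d{1,3}(?:\.\d{1,3}){3}/\d+\s+\d{1,3}(?:\.\d{1,3}){3}/\d+\s+"
    r"(?:\S+/\S+\s+)?(?P<status>[A-Z-]+)",
    re.MULTILINE,
)

# Syslog fragments from the router log quoted in the first post.
IKE_ERROR_PATTERNS = (
    "Unsupported DH group",
    "No Result Transition table",
    "RECVD_PKT_INV_SPI",
)


def parse_ike_sa(output: str) -> Dict[str, str]:
    """Extract encr/keysize/hash/dh and the SA status from one peer's output.
    Raises ValueError if no SA summary line is present."""
    m = SA_LINE.search(output)
    if not m:
        raise ValueError("no IKEv2 SA summary line found")
    params = m.groupdict()
    row = TUNNEL_ROW.search(output)
    params["status"] = row.group("status") if row else "UNKNOWN"
    return params


def compare_peers(asa_output: str, router_output: str) -> Dict[str, List[str]]:
    """Compare the IKE SA each peer reports; return differing fields and warnings."""
    asa, rtr = parse_ike_sa(asa_output), parse_ike_sa(router_output)
    differences = [
        f"{field}: ASA={asa[field]} router={rtr[field]}"
        for field in ("encr", "keysize", "hash", "dh")
        if asa[field] != rtr[field]
    ]
    warnings = [
        f"{name} SA status is {sa['status']}, not READY; compare against the live SA"
        for name, sa in (("ASA", asa), ("router", rtr))
        if sa["status"] != "READY"
    ]
    return {"differences": differences, "warnings": warnings}


def find_ike_errors(log: str) -> List[str]:
    """Return router syslog lines that carry one of the IKEv2 error fragments."""
    return [line for line in log.splitlines()
            if any(p in line for p in IKE_ERROR_PATTERNS)]


# Copied from the thread: ASA side of the second post.
ASA_OUT = """\
IKEv2 SAs:
Session-id:4, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
282283041 192.168.178.254/4500 123.123.123.123/4500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
"""

# Copied from the thread: router side of the second post (SA being deleted).
ROUTER_OUT = """\
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
3 123.123.123.123/4500 12.34.12.34/4500 none/none DELETE
Encr: AES-CBC, keysize: 256, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
"""

# Constructed: what a router SA that matches the ASA's parameters would look like.
ROUTER_OUT_MATCHING = """\
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
4 123.123.123.123/4500 12.34.12.34/4500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
"""

# Copied from the thread: router log lines from the first post.
ROUTER_LOG = """\
043327: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):Unsupported DH group
043329: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):Error encountered while navigating State Machine
043330: Feb 26 15:24:28.933 PCTime: IKEv2:(SA ID = 1):No Result Transition table avail for CHILD_I_PROC / EV_INV_KE with return code 0.0.0.11
043331: Feb 26 15:25:07.851 PCTime: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=123.123.123.123, prot=50, spi=0x780EACCC(2014227660), srcaddr=12.34.12.34 interface=Dialer1
"""

if __name__ == "__main__":
    for line in compare_peers(ASA_OUT, ROUTER_OUT)["differences"]:
        print("MISMATCH", line)
    for line in compare_peers(ASA_OUT, ROUTER_OUT)["warnings"]:
        print("WARNING", line)
    for line in find_ike_errors(ROUTER_LOG):
        print("LOG", line)
```

Paste each peer's `show crypto ikev2 sa detail` text into the two strings and run the script; an empty differences list with no warnings means both sides agree on the IKE SA parameters, which is what the post above set out to verify.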