ASA 9.8.2 IKEV2 Route-based VPN VTI - BGP -Failed to remove peer correlation

mohamedoali
Level 1

I'm currently trying to configure a route-based VPN between ASA 9.8.2 and an IOS router on IKEv2; I only experience issues on the ASA. I was able to successfully get two IOS routers using route-based VPNs with BGP with no issue. I'm not sure if my ASA configuration is enough? Please help.

---Error Messages---

IKEv2-PLAT-1: (238): Process request attribute: Unable to get webvpn session
IKEv2-PLAT-1: Error processing config mode request attibute: 3
IKEv2-PLAT-1: Failed to build config mode reply
IKEv2-PROTO-1: (238): Auth exchange failed
IKEv2-PROTO-1: (238): Auth exchange failed
IKEv2-PROTO-1: Detected an invalid IKE SPI
IKEv2-PROTO-1: Couldn't find matching SA
IKEv2-PROTO-1: A supplied parameter is incorrect

IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PROTO-1: decrypt queuedIKEv2-PROTO-1: Asynchronous request queued

---------------ASA Config---------------------

interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 5.5.5.6 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!

interface Tunnel1
nameif VTI
ip address 1.1.1.2 255.255.255.0
tunnel source interface OUTSIDE
tunnel destination 5.5.5.5
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROFILE

router bgp 65001
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 1.1.1.1 remote-as 65000
neighbor 1.1.1.1 activate
neighbor 1.1.1.1 next-hop-self
network 192.168.1.0
no auto-summary
no synchronization
exit-address-family
!
route OUTSIDE 0.0.0.0 0.0.0.0 5.5.5.5 1

crypto ipsec ikev2 ipsec-proposal TSET
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec profile IPSECPROFILE
set ikev2 ipsec-proposal TSET

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 24
prf sha256
lifetime seconds 86400
crypto ikev2 enable OUTSIDE

group-policy IKE internal
group-policy IKE attributes
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
tunnel-group 5.5.5.5 type ipsec-l2l
tunnel-group 5.5.5.5 general-attributes
default-group-policy IKE
tunnel-group 5.5.5.5 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

-----------IOS Router Config-----------------------

crypto ikev2 proposal IKE-PROP
encryption aes-cbc-256
integrity sha256
group 24
!
crypto ikev2 policy IKE-POLICY
proposal IKE-PROP
!
crypto ikev2 profile IKE-PROFILE
match address local interface GigabitEthernet0/0
match identity remote address 5.5.5.6 255.255.255.255
authentication remote pre-share key password
authentication local pre-share key password

crypto ipsec transform-set TRANSFORMSET esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile IKE-PROFILE
set transform-set TRANSFORMSET
!
crypto ipsec profile IKE-PROFILE2
set transform-set TRANSFORMSET
set ikev2-profile IKE-PROFILE

interface Tunnel1
ip address 1.1.1.1 255.255.255.0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 5.5.5.6
tunnel protection ipsec profile IKE-PROFILE2

router bgp 65001
bgp log-neighbor-changes
neighbor 1.1.1.2 remote-as 65000
!
address-family ipv4
network 192.168.2.0
neighbor 1.1.1.2 activate
neighbor 1.1.1.2 next-hop-self
exit-address-family
!

1 Accepted Solution

mohamedoali
Level 1

Solved. After going over the configuration, I updated the IKEv2 profile and IKE proposal on the router to match the ASA.

8 Replies

Hello!

I'm experiencing the same issue. Can you provide more details on what you changed regarding the IKEv2 proposal and profile?

Thanks!

Make sure all IKEv2 transform sets and proposals are exactly the same; this was my issue. If you have issues I can provide the working configs here.

Hi mohamedoali,

First of all, thanks for sharing your config. :)

I followed your config but I am still struggling to get the tunnel to come up; I keep getting:

Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: Internal Error
Local:2.2.2.2:500 Remote:1.1.1.1:500 Username:1.1.1.1 IKEv2 SA DOWN. Reason: local failure
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= __vti-crypto-map-5-0-1. Map Sequence Number = 65280.
IKEv2 was unsuccessful at setting up a tunnel. Map Tag = __vti-crypto-map-5-0-1. Map Sequence Number = 65280.
AAA retrieved default group policy (SGN_POLICY) for user = 1.1.1.1
Local:2.2.2.2:500 Remote:1.1.1.1:500 Username:1.1.1.1 IKEv2 SA UP. Reason: New Connection Established
Local:2.2.2.2:500 Remote:1.1.1.1:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 2.2.2.2-2.2.2.2 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 1.1.1.1-1.1.1.1 Protocol: 0 Port Range: 0-65535

I have attached my ASA config and router config.

Any idea why I am getting stuck?

Hi Alex,

On your ASA you have defined:

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group  14
 prf sha256
 lifetime seconds none

but on your router you don't have prf enabled:

crypto ikev2 proposal BT_VPN_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14

You might want to add or remove prf from one of the devices and try again. Also, you might want to increase the lifetime.

If that fails, run ikev2 debugs and post them here.

HTH

Hi RJI,

Thanks for having a look at it. :)

I did correct the prf but I am still getting the same issue.

Attached you'll find the log of the router, and everything looks fine, but on the ASA "debug crypto ikev2 prot" is telling me:

IKEv2-PROTO-1: (56):
IKEv2-PROTO-1: (56): Detected unsupported failover version
IKEv2-PROTO-1: (56):
IKEv2-PROTO-1: decrypt queuedIKEv2-PROTO-1: Asynchronous request queued
IKEv2-PROTO-1:
IKEv2-PROTO-1: Detected an invalid IKE SPI
IKEv2-PROTO-1: Couldn't find matching SA
IKEv2-PROTO-1: A supplied parameter is incorrect

Got it, so silly of me... it was in my notepad but the command did not go through.

I was missing tunnel mode ipsec ipv4 in the tunnel config.

RJI, thanks again for your help :)
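Both fixes in this thread came down to comparing two configs line by line: the router's IKEv2 proposal did not carry the same parameters as the ASA's IKEv2 policy, and the router's Tunnel interface was missing "tunnel mode ipsec ipv4". The following Python script is an added illustration (not code from the thread or from Cisco) of doing that comparison mechanically. It parses the "crypto ikev2 policy" / "crypto ikev2 proposal" block and the Tunnel interface out of an ASA and an IOS config excerpt, folds platform-specific algorithm spellings (aes-256 vs aes-cbc-256) onto one form, and reports parameters that differ between the two sides as well as required VTI lines that are absent. The two config excerpts are constructed samples modelled on the ones posted above; the alias table and the list of required tunnel lines are assumptions made for the example, not a Cisco definition.

```python
"""Added example for this thread: compare IKEv2 parameters and Tunnel
interface settings between an ASA and an IOS config excerpt."""

# IOS and ASA spell some algorithm names differently; fold both to one form.
# Assumed alias table for this example, not a Cisco mapping.
ALIASES = {
    "aes-cbc-256": "aes-256",
    "aes-cbc-128": "aes-128",
    "sha-256": "sha256",
    "sha": "sha1",
}
# Lines a VTI needs on either platform (assumed list for this example).
REQUIRED_TUNNEL_LINES = ("tunnel source", "tunnel destination",
                         "tunnel mode ipsec ipv4", "tunnel protection ipsec profile")
IKEV2_KEYS = ("encryption", "integrity", "group", "prf")

# Constructed sample configs modelled on the ones posted in the thread.
ASA_CFG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
interface Tunnel1
 ip address 1.1.1.2 255.255.255.0
 tunnel source interface OUTSIDE
 tunnel destination 5.5.5.5
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSECPROFILE
"""
IOS_CFG = """\
crypto ikev2 proposal IKE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
interface Tunnel1
 ip address 1.1.1.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 5.5.5.6
 tunnel protection ipsec profile IKE-PROFILE2
"""


def normalize(token):
    """Lower-case an algorithm name and fold platform-specific spellings."""
    token = token.lower()
    return ALIASES.get(token, token)


def parse_blocks(config):
    """Split a config into {top-level line: [indented sub-lines]}.
    A '!' or the next top-level line ends a block; blank lines are ignored."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.strip() == "!":
            current = None
        elif raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def ikev2_params(blocks, header_prefix):
    """Return {key: sorted normalized values} from the first block whose
    header starts with header_prefix, or None if there is no such block."""
    for header, lines in blocks.items():
        if header.startswith(header_prefix):
            params = {}
            for line in lines:
                parts = line.split()
                if parts[0] in IKEV2_KEYS:
                    params[parts[0]] = sorted(normalize(p) for p in parts[1:])
            return params
    return None


def compare_ikev2(asa_cfg, ios_cfg):
    """List IKEv2 parameters that differ between the ASA policy and the IOS
    proposal; an empty list means both sides carry the same values."""
    asa = ikev2_params(parse_blocks(asa_cfg), "crypto ikev2 policy") or {}
    ios = ikev2_params(parse_blocks(ios_cfg), "crypto ikev2 proposal") or {}
    return [f"{key}: ASA={asa.get(key)} IOS={ios.get(key)}"
            for key in IKEV2_KEYS if asa.get(key) != ios.get(key)]


def check_tunnel(blocks):
    """List required lines missing from each Tunnel interface block."""
    findings = []
    for header, lines in blocks.items():
        if header.startswith("interface Tunnel"):
            for req in REQUIRED_TUNNEL_LINES:
                if not any(line.startswith(req) for line in lines):
                    findings.append(f"{header}: missing '{req}'")
    return findings


if __name__ == "__main__":
    print("IKEv2 mismatches:", compare_ikev2(ASA_CFG, IOS_CFG) or "none")
    print("ASA tunnel:", check_tunnel(parse_blocks(ASA_CFG)) or "OK")
    print("IOS tunnel:", check_tunnel(parse_blocks(IOS_CFG)) or "OK")
```

Run against the samples, the script reports that the ASA carries prf sha256 while the IOS proposal has no prf line, and that the IOS Tunnel1 is missing "tunnel mode ipsec ipv4", which are the two discrepancies the replies above identified. To check a real pair of devices, paste the relevant blocks of each running-config into ASA_CFG and IOS_CFG; anything the script flags is worth confirming on the CLI before digging into IKEv2 debugs.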