5551 Views, 0 Helpful, 8 Replies

ASA5510 to SherWeb IKEv2 configuration

pl03119481 (Level 1)

Hello guys,

 

I'm trying to set up an IKEv2 tunnel between my ASA5510 and SherWeb; below is their instruction web page:

http://support.sherweb.com/Faqs/Show/how-to-connect-to-performance-cloud-via-virtual-private-network

At the bottom are the parameters they use. However, their DH group setting is messed up, so I had to choose group 14 for phase 1 and group 2 14 for phase 2 for it to work on my other Fortigate firewall. The tunnel between the Fortigate and SherWeb is up and successful, so the parameters should be correct.

 

The Cisco ASA previously had other tunnels; below are the possibly related configs:

 

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer ZZZ.ZZZ.ZZZ.ZZZ
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal 3DES
crypto map outside_map 1 set ikev2 pre-shared-key *****

 

 

So building two tunnels on the same interface seems impossible, but I read somewhere else that I can set another sequence number with another peer address; hence, below is the new config that I put in the CLI:

 

object network NETWORK_OBJ_xxx.xxx.xxx.xxx_24
subnet xxx.xxx.xxx.xxx 255.255.255.0
access-list VPN-Sherweb-Traffic extended permit ip object NETWORK_OBJ_yyy.yyy.yyy.yyy_24 object NETWORK_OBJ_xxx.xxx.xxx.xxx
nat (Inside_3,outside) source static NETWORK_OBJ_yyy.yyy.yyy.yyy_24 NETWORK_OBJ_yyy.yyy.yyy.yyy_24 destination static NETWORK_OBJ_xxx.xxx.xxx.xxx_24 NETWORK_OBJ_xxx.xxx.xxx.xxx_24 no-proxy-arp route-lookup
crypto ipsec ikev2 ipsec-proposal SherWeb-VPN-Transform
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto map outside_map 2 match address VPN-Sherweb-Traffic
crypto map outside_map 2 set pfs group14
crypto map outside_map 2 set peer XXX.XXX.XXX.XXX
crypto map outside_map 2 set ikev2 ipsec-proposal SherWeb-VPN-Transform
crypto map outside_map 2 set ikev2 pre-shared-key *****
crypto map outside_map 2 set security-association lifetime seconds 28800

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14 2
prf sha256
lifetime seconds 28800
group-policy GroupPolicy_XXX.XXX.XXX.XXX internal
group-policy GroupPolicy_XXX.XXX.XXX.XXX attributes
vpn-tunnel-protocol ikev2
tunnel-group XXX.XXX.XXX.XXX type ipsec-l2l
tunnel-group XXX.XXX.XXX.XXX general-attributes
default-group-policy GroupPolicy_XXX.XXX.XXX.XXX
tunnel-group XXX.XXX.XXX.XXX ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

 

For security reasons, x stands for the remote private subnet, X stands for the remote public IP address, y stands for the local private subnet, and Z stands for a remote public IP address that is not relevant.

 

However, the tunnel doesn't seem to come up.

Debug info is shown below:

 

REN-ASA5510# debug crypto ikev2 platform 255
REN-ASA5510# no IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 2
IKEv2-PLAT-2: no tunnel group specified: skipping peer auth settings
IKEv2-PLAT-2: supported_peers_auth_method = 11
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0xE1EC1AB3, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-2: tp_name set to:
IKEv2-PLAT-2: tg_name set to:
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PLAT-3: (145): SENT PKT [IKE_SA_INIT] [XXX.XXX.XXX.XXX]:500->[YYY.YYY.YYY.YYY]:500 InitSPI=0x5a1bca07486624a6 RespSPI=0x0000000000000000 MID=00000000


IKEv2 Recv RAW packet dump
5a 1b ca 07 48 66 24 a6 58 c9 09 1a 90 f5 42 dd | Z...Hf$.X.....B.
29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 | ) " .......$....
00 00 00 0e | ....
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [XXX.XXX.XXX.XXX]:500->[YYY.YYY.YYY.YYY]:500 InitSPI=0x5a1bca07486624a6 RespSPI=0x58c9091a90f542dd MID=00000000
IKEv2-PLAT-5: Negotiating SA request deleted
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PLAT-2: (145): PSH cleanup
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xE1EC1AB3 error FALSE
IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 2
IKEv2-PLAT-2: no tunnel group specified: skipping peer auth settings
IKEv2-PLAT-2: supported_peers_auth_method = 11
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0xBB594AF0, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-2: tp_name set to:
IKEv2-PLAT-2: tg_name set to:
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PLAT-3: (146): SENT PKT [IKE_SA_INIT] [XXX.XXX.XXX.XXX]:500->[YYY.YYY.YYY.YYY]:500 InitSPI=0xc503ff4491a1d88b RespSPI=0x0000000000000000 MID=00000000


IKEv2 Recv RAW packet dump
c5 03 ff 44 91 a1 d8 8b b6 08 5f 69 1b 06 c6 79 | ...D......_i...y
29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 | ) " .......$....
00 00 00 0e | ....
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [XXX.XXX.XXX.XXX]:500->[YYY.YYY.YYY.YYY]:500 InitSPI=0xc503ff4491a1d88b RespSPI=0xb6085f691b06c679 MID=00000000
IKEv2-PLAT-5: Negotiating SA request deleted
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PLAT-2: (146): PSH cleanup
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xBB594AF0 error FALSE
IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 2
IKEv2-PLAT-2: no tunnel group specified: skipping peer auth settings
IKEv2-PLAT-2: supported_peers_auth_method = 11
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0x7BB5D86A, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-2: tp_name set to:
IKEv2-PLAT-2: tg_name set to:
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PLAT-3: (147): SENT PKT [IKE_SA_INIT] [XXX.XXX.XXX.XXX]:500->[YYY.YYY.YYY.YYY]:500 InitSPI=0x73575d9c48193b3c RespSPI=0x0000000000000000 MID=00000000


IKEv2 Recv RAW packet dump
73 57 5d 9c 48 19 3b 3c 02 fb 12 34 03 2f 86 b0 | sW].H.;<...4./..
29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 | ) " .......$....
00 00 00 0e | ....
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [XXX.XXX.XXX.XXX]:500->[YYY.YYY.YYY.YYY]:500 InitSPI=0x73575d9c48193b3c RespSPI=0x02fb1234032f86b0 MID=00000000
IKEv2-PLAT-5: Negotiating SA request deleted
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PLAT-2: (147): PSH cleanup
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0x7BB5D86A error FALSE
IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: my_auth_method = 2
IKEv2-PLAT-2: no tunnel group specified: skipping peer auth settings
IKEv2-PLAT-2: supported_peers_auth_method = 11
IKEv2-PLAT-2: P1 ID = 0
IKEv2-PLAT-2: Translating IKE_ID_AUTO to = 255
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-5: INVALID PSH HANDLE
IKEv2-PLAT-2: Received PFKEY SPI callback for SPI 0xC62D618C, error FALSE
IKEv2-PLAT-2:
IKEv2 received all requested SPIs from CTM to initiate tunnel.
IKEv2-PLAT-2: tp_name set to:
IKEv2-PLAT-2: tg_name set to:
IKEv2-PLAT-2: tunn grp type set to: L2L
IKEv2-PLAT-5: New ikev2 sa request admitted
IKEv2-PLAT-5: Incrementing outgoing negotiating sa count by one
IKEv2-PLAT-3: (148): SENT PKT [IKE_SA_INIT] [XXX.XXX.XXX.XXX]:500->[YYY.YYY.YYY.YYY]:500 InitSPI=0x4a735ef11ea0278a RespSPI=0x0000000000000000 MID=00000000


IKEv2 Recv RAW packet dump
4a 73 5e f1 1e a0 27 8a 11 ff 6f d0 8f 65 f2 93 | Js^...'...o..e..
29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 | ) " .......$....
00 00 00 0e | ....
IKEv2-PLAT-3: RECV PKT [IKE_SA_INIT] [XXX.XXX.XXX.XXX]:500->[YYY.YYY.YYY.YYY]:500 InitSPI=0x4a735ef11ea0278a RespSPI=0x11ff6fd08f65f293 MID=00000000
IKEv2-PLAT-5: Negotiating SA request deleted
IKEv2-PLAT-5: Decrement count for outgoing negotiating
IKEv2-PLAT-2: (148): PSH cleanup
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable. Local Type = 0. Local Address = 0.0.0.0. Remote Type = 0. Remote Address = 0.0.0.0. Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xC62D618C error FALSE

 

Also, when I type "show crypto ikev2 sa details", no SAs are shown to me. And within the output of the other command, "debug crypto ikev2 protocol 255", I found "NO PROPOSAL CHOSEN".

 

I read some other instructions and got an idea of how the IKEv2 configuration pieces fit together to function properly. But I have one more question about the normal config process: I did not see any association between the ikev2 policy and the crypto map. Does the system go through and check whether every policy fits, or did I miss something?
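Added example, not part of the original post and not Cisco or SherWeb code: the "IKEv2 Recv RAW packet dump" that the ASA prints after each IKE_SA_INIT it sends can be decoded by hand with the IKE header and Notify payload layout from RFC 7296. All four dumps in the post are the same 36-byte message apart from the SPIs: a 28-byte header (exchange type 0x22 = 34 = IKE_SA_INIT, flags 0x20 = Response, message ID 0, length 0x24 = 36) followed by one 8-byte Notify payload whose type is 0x000e = 14 = NO_PROPOSAL_CHOSEN. That reply is sent by the responder in the IKE_SA_INIT exchange, before IKE_AUTH, so no pre-shared key has been used yet when it arrives; it means none of the initiator's IKE SA proposals contained an acceptable transform of every type (encryption, PRF, integrity, DH group). On the ASA the crypto ikev2 policy entries are global rather than attached to a crypto map; the crypto map only binds the ACL, the peer and the IPsec (child SA) proposal. The Python below parses the first dump from the post byte for byte and then models the responder's transform selection from RFC 7296 section 2.7 using the post's "crypto ikev2 policy 1" as the initiator proposal. The peer policies in the usage section are constructed for illustration (they are not SherWeb's real parameters), and the transform names are my own labels; note that the PRF is a transform of its own, so a policy whose prf differs from the peer's fails even when encryption, integrity and group all match.

```python
"""Decode the IKE_SA_INIT reply from the ASA debug dump and model the
responder's proposal selection (RFC 7296).  Added example; the peer
policies used below are constructed, not SherWeb's real parameters."""
import struct

EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                  36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN",
                17: "INVALID_KE_PAYLOAD", 24: "AUTHENTICATION_FAILED"}
PAYLOAD_NOTIFY = 41          # Next Payload value for a Notify (N) payload
FLAG_RESPONSE = 0x20         # 'R' bit in the IKE header flags

# First "IKEv2 Recv RAW packet dump" from the post, copied byte for byte.
RAW_DUMP = """
5a 1b ca 07 48 66 24 a6 58 c9 09 1a 90 f5 42 dd
29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
00 00 00 0e
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn the ASA's space-separated hex dump (ASCII column removed) into bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_ike_message(data: bytes) -> dict:
    """Parse the 28-byte IKE header and walk the payload chain that follows it."""
    if len(data) < 28:
        raise ValueError("IKE header needs 28 bytes")
    (ispi, rspi, next_payload, version, exch,
     flags, msg_id, length) = struct.unpack("!QQBBBBII", data[:28])
    if length != len(data):
        raise ValueError(f"header length {length} != {len(data)} bytes captured")
    msg = {
        "initiator_spi": f"{ispi:016x}",
        "responder_spi": f"{rspi:016x}",
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, exch),
        "is_response": bool(flags & FLAG_RESPONSE),
        "message_id": msg_id,
        "payloads": [],
    }
    off, ptype = 28, next_payload
    while ptype != 0:                       # 0 = no next payload
        nxt, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        body = data[off + 4:off + plen]
        if ptype == PAYLOAD_NOTIFY:
            proto, spi_size, ntype = struct.unpack("!BBH", body[:4])
            msg["payloads"].append({
                "type": "N",
                "protocol": proto,
                "spi": body[4:4 + spi_size].hex(),
                "notify": NOTIFY_TYPES.get(ntype, ntype),
            })
        else:                               # SA, KE, Ni/Nr ... not needed here
            msg["payloads"].append({"type": ptype, "length": plen})
        off, ptype = off + plen, nxt
    return msg


# --- responder-side proposal selection -------------------------------------
TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")

# The 'crypto ikev2 policy 1' from the post as a single proposal
# (transform names are illustrative labels, not IANA identifiers).
ASA_POLICY_1 = {
    "ENCR": ["AES-CBC-256"],    # encryption aes-256
    "PRF": ["HMAC-SHA2-256"],   # prf sha256
    "INTEG": ["HMAC-SHA1-96"],  # integrity sha
    "DH": ["14", "2"],          # group 14 2
}


def select_proposal(initiator_proposals, responder_accepts):
    """RFC 7296 s2.7: the responder picks the first proposal in which it can
    choose exactly one acceptable transform of *every* type.  If no proposal
    allows that, the only possible reply is a NO_PROPOSAL_CHOSEN notify."""
    for proposal in initiator_proposals:
        chosen = {}
        for ttype in TRANSFORM_TYPES:
            ok = [t for t in proposal.get(ttype, [])
                  if t in responder_accepts.get(ttype, [])]
            if not ok:
                break
            chosen[ttype] = ok[0]
        else:
            return chosen
    return None


def diagnose(dump: str) -> str:
    """One-line verdict for a captured IKE_SA_INIT reply."""
    msg = parse_ike_message(hexdump_to_bytes(dump))
    notifies = [p["notify"] for p in msg["payloads"] if p["type"] == "N"]
    if msg["exchange"] == "IKE_SA_INIT" and "NO_PROPOSAL_CHOSEN" in notifies:
        return ("IKE_SA_INIT rejected: no IKE SA proposal matched "
                "(encryption/PRF/integrity/DH); PSK not yet in play")
    return f"{msg['exchange']} response with payloads {msg['payloads']}"


if __name__ == "__main__":
    print(parse_ike_message(hexdump_to_bytes(RAW_DUMP)))
    print(diagnose(RAW_DUMP))
    # Constructed peer policies (NOT SherWeb's real settings): identical except for PRF.
    peer_prf_sha1 = {"ENCR": ["AES-CBC-256"], "PRF": ["HMAC-SHA1"],
                     "INTEG": ["HMAC-SHA1-96"], "DH": ["14"]}
    peer_prf_both = dict(peer_prf_sha1, PRF=["HMAC-SHA1", "HMAC-SHA2-256"])
    print(select_proposal([ASA_POLICY_1], peer_prf_sha1))   # None
    print(select_proposal([ASA_POLICY_1], peer_prf_both))   # all four chosen
```

The parser is generic for any ASA raw dump pasted into RAW_DUMP (strip the ASCII column first); a reply that parses as IKE_AUTH with AUTHENTICATION_FAILED, rather than IKE_SA_INIT with NO_PROPOSAL_CHOSEN, is the shape a pre-shared-key problem takes on the wire.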

 

8 Replies

Accepted Solution:

The messages are stating that there is a key mismatch. Check your keys again.

Hello,

 

I've changed the key to a very simple string which I can't mistype. But the same debugging lines still appear. I then searched IKEv2 config examples and deleted the crypto map pre-shared-key, but the debugging message still hasn't changed. I wonder what else could be wrong, leading to this result?

Also, I noticed during the configuration there are 3 possible places for me to type in the key in the CLI:

  1. crypto map outside_map 2 set pre-shared-key *****
  2. tunnel-group XXX.XXX.XXX.XXX ipsec-attributes local-authentication pre-shared-key *****
  3. tunnel-group XXX.XXX.XXX.XXX ipsec-attributes remote-authentication pre-shared-key *****

I wonder what the difference between these 3 is? On both the Fortigate and SherWeb interfaces, I only had to type in this key once.

 

 

 

In your debug output you see this message

REN-ASA5510# no IKEv2-PLAT-2: Received PFKEY Acquire SA for SPI 0x0, error FALSE

 

which could mean a typo in the pre-shared key between the two firewalls. Also see the link:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html

Please do not forget to rate.

Deepak Kumar (VIP Alumni)

Hi,

It seems there is a pre-shared key mismatch between the two ends. It is advised to change the pre-shared key to a new one so you can avoid any typo or hidden error.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Curious, have you given this command on the ASA?

crypto ikev2 enable outside

And make sure you have configured your VPN in this way. You don't have to give the pre-shared key 3 times. See the template for IKEv2:

!
asa1(config)# crypto ikev2 policy 1
asa1(config-ikev2-policy)# encryption aes
asa1(config-ikev2-policy)# integrity sha
asa1(config-ikev2-policy)# group 2
asa1(config-ikev2-policy)# prf sha
asa1(config-ikev2-policy)# lifetime seconds 86400
!
asa1(config)# crypto ikev2 enable outside
!
asa1(config)# crypto ipsec ikev2 ipsec-proposal ikev2-proposal
asa1(config-ipsec-proposal)# protocol esp encryption aes
asa1(config-ipsec-proposal)# protocol esp integrity sha-1
!
asa1(config)# access-list ikev2-list extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
!
asa1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
asa1(config)# tunnel-group 10.10.10.2 ipsec-attributes
asa1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key this_is_a_key
asa1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key this_is_a_key
!
asa1(config)# crypto map ikev2-map 1 match address ikev2-list
asa1(config)# crypto map ikev2-map 1 set peer 10.10.10.2
asa1(config)# crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
asa1(config)# crypto map ikev2-map interface outside
!

Please do not forget to rate.

Thanks for the reply.

Yes, I had the "crypto ikev2 enable outside" command in place, and I also deleted the "crypto map ikev2-map 2 set pre-shared-key" command. Yet I still don't see a good change.