Re: AWS IKEv2 Issues

spenana · ‎08-16-2019

Has anyone managed to get a IKEv2 VPN up and running between AWS and a Cisco ASA. We can get the VPN up and working no issues with IKEv1 as soon as we swap the settings on the ASA to use IKEv2 the VPN doesn't work at all. These are new tunnells tried in both the London and N.Virginia region with no luck. The firewall is a Cisco ASA5515 running Software Version 9.9(1)2, looking in to the Debug logs we were getting the following errors:

(519): NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)(519): Next payload: VID, reserved: 0x0, length: 8(519): Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTEDSecurity protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED(519): VID(519): Next payload: NONE, reserved: 0x0, length: 20(519):(519): 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3(519):IKEv2-PROTO-7: (519): SM Trace-> SA: I_SPI=9EEBA335F2832CD6 R_SPI=4344D0E53111C5F5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENTIKEv2-PROTO-2: A supplied parameter is incorrectIKEv2-PROTO-2: Couldn't find matching SA

Below is the config we have used for IKEv1 and it works with no issues.

IKEv1 Config

access-list MSTEST_access_in extended permit ip object-group MSTEST_local object-group PILOT_REMOTE_AWS log debugging 
access-list MSTEST_access_in extended permit ip object-group MSTEST_local 10.168.0.0 255.255.0.0 log debugging inactive 
access-list OUTSIDE_cryptomap_1 extended permit ip object-group MSTEST_local object-group PILOT_REMOTE_AWS 

crypto map OUTSIDE_map 98 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 98 set pfs group5
crypto map OUTSIDE_map 98 set peer 3.8.26.18 
crypto map OUTSIDE_map 98 set ikev1 transform-set ESP-AES-256-SHA
crypto map OUTSIDE_map 98 set security-association lifetime seconds 3600

crypto ikev1 policy 11
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

group-policy AWSPolicy internal
group-policy AWSPolicy attributes
 vpn-tunnel-protocol ikev1 

tunnel-group 3.8.26.18 type ipsec-l2l
tunnel-group 3.8.26.18 general-attributes
 default-group-policy AWSPolicy
tunnel-group 3.8.26.18 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold infinite

IKEv2 Config

access-list MSTEST_access_in extended permit ip object-group MSTEST_local object-group PILOT_REMOTE_AWS log debugging 
access-list MSTEST_access_in extended permit ip object-group MSTEST_local 10.168.0.0 255.255.0.0 log debugging inactive 
access-list OUTSIDE_cryptomap_1 extended permit ip object-group MSTEST_local object-group PILOT_REMOTE_AWS 

crypto map OUTSIDE_map 98 match address OUTSIDE_cryptomap_1
crypto map OUTSIDE_map 98 set pfs group5
crypto map OUTSIDE_map 98 set peer 3.8.26.18 
crypto map OUTSIDE_map 98 set ikev2 ipsec-proposal AWS_Test AES256 SHA256
crypto map OUTSIDE_map 98 set security-association lifetime seconds 3600

crypto ikev2 policy 98
 encryption aes-256 aes
 integrity sha256 sha
 group 2
 prf sha256 sha
 lifetime seconds 28800

group-policy AWSPolicy internal
group-policy AWSPolicy attributes
 vpn-tunnel-protocol ikev2 
 
tunnel-group 3.8.26.18 type ipsec-l2l
tunnel-group 3.8.26.18 general-attributes
 default-group-policy AWSPolicy
tunnel-group 3.8.26.18 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Rob Ingram · ‎08-16-2019

Hi,
Can you provide the IPSec Proposal for the ASA?
Are you able to confirm what IKEv2 and IPSec algorthims AWS is using?

Can you remove the IKEv1 pre-shared key from the tunnel-group on your IKEv2 configuration.
Can you also provide the detailed crypto debugs for further analysis.

spenana · ‎08-16-2019

Hi,

The IPSec proposals I've been using for the IKEv1 and IKEv2 are the following.

IKEv1
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 

IKEv2
crypto ipsec ikev2 ipsec-proposal AWS_Test
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

As for the AWS side they accept the following. (https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html#CGRequirements)

Use the AES 128-bit encryption or AES 256-bit encryption function	RFC 3602	The encryption function is used to ensure privacy among both IKE and IPsec Security Associations.
Use the SHA-1 or SHA-256 hashing function	RFC 2404	This hashing function is used to authenticate both IKE and IPsec Security Associations.
Use Diffie-Hellman Perfect Forward Secrecy. The following groups are supported: Phase 1 groups: 2, 14-18, 22, 23, and 24 Phase 2 groups: 2, 5, 14-18, 22, 23, and 24	RFC 2409	IKE uses Diffie-Hellman to establish ephemeral keys to secure all communication between customer gateways and virtual private gateways.

I have removed the IKEv1 pre shared key so I just have the following now.

tunnel-group 3.8.26.18 ipsec-attributes
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

I have attached the debug, not sure if that's the one you meant or not?

Many Thanks

Alex

Rob Ingram · ‎08-20-2019

From the debug "IKEv2-PROTO-2: A supplied parameter is incorrect" implies a mis-configured parameter in the IKEv2 Policy. Are you able to confirm exactly what is configured in AWS, rather than what is supported? I've never used AWS, so I assume you define which parameters you wish to use?

spenana · ‎08-20-2019

Thanks for your reply, unfortunately these are the only options you get when setting up a VPN in AWS. Not really any configuration options just having to go on what they say they support.

slebbon · ‎03-02-2020

I know this is a bit old, but I've had this problem several times, always find this post, but now I finally discovered an answer!

AWS basically has 'strict' policy selection enabled.

This means the ASA must have the IKEv2 proposal listed 'first' and 'only' being the one that matches the policy settings (cypher, hash, DH group, etc) that are configured in AWS portal.

In other words: make sure that the HIGHEST PRIORITY policy matches AWS.

eg: for ikev2, use policy 1 not 98, and only provide a single parameter per attribute:

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 28800

Is this an AWS problem for not allowing 'negotiate', or an ASA problem for allowing only global and not 'per tunnel' policy settings? I'm not sure, but this is the way to get it working. Shouldn't be too restrictive, if you're other VPN tunnels can use the same crypto parameters, or they will all negotiate. Would become a big issue if having to make multiple AWS connections to separate instances where the security settings couldn't match for some reason.

oeortiz01 · ‎08-17-2020

VPN with AWS and Cisco has some issues that we discover in case 689651385. I put here the resumen of the case:

AWS supports IKE v2
VPN con AWS Will use the first policy that you configure on cisco ASA always, thats means if AWS have some parameters configured for ike you Will have the same in crypto ikev2 policy 1.
Parameters that you set up in ike should be the same in phase 2, thats mean that your crypto ipsec ikev2 ipsec-proposal <YourProposalName> should have the same parameters as crypto ikev2 policy 1.
If you use PFS on phase 2, DH Group shoul be same group as in phase 1. Ex. if you use DH group 2 on ike, DH group 2 should be in phase 2.
AWS only support 1 SA for VPN, that's means you only can put one address or network/subnet in the VPN.

I hope this help for all that have problems, keep in mind that this solutions works for Assure too.

Saludos Mx!