10-05-2016 02:00 PM
Hi All,
I'm not able to get a phase 2 session up between an IOS-XE (hub) and a strongSwan client (spoke). Phase 1 is perfect. I'm using a dynamic map on the hub. All the transform sets match perfectly. I don't get it. Any help would be greatly appreciated. Thanks!
Hub:
crypto keyring TESTKEY
 pre-shared-key address 0.0.0.0 0.0.0.0 key testkey
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile TESTISA
 keyring TESTKEY
 match identity address 0.0.0.0
crypto ipsec transform-set AES-SHA256 esp-aes esp-sha-hmac
 mode transport
crypto dynamic-map DYNMAP 10
 set nat demux
 set transform-set AES-SHA256
 set isakmp-profile TESTISA
crypto map TESTMAP 10 ipsec-isakmp dynamic DYNMAP
crypto map TESTMAP
Spoke:
conn TEST
    esp=aes128-sha1!
    ike=aes128-sha1-modp1024
    forceencaps=yes
    left=%any
    right=52.202.115.201
    rightsubnet=52.202.115.201
    rightid=172.30.5.14
    authby=secret
    type=transport
    keyexchange=ikev1
    auto=start
I'm able to get ISAKMP phase 1 up, but phase 2 fails. Here are the debugs for IPsec:
*Oct 4 21:18:16.913: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 4 21:18:20.476: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 4 21:18:20.545: IPSEC(validate_proposal_request): proposal part #1
*Oct 4 21:18:20.545: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.30.5.14:0, remote= 172.56.20.207:0,
local_proxy= 52.202.115.201/255.255.255.255/256/0,
remote_proxy= 172.56.20.207/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Transport-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct 4 21:18:20.545: (ipsec_process_proposal)Map Accepted: DYNMAP, 10
*Oct 4 21:18:20.545: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 4 21:18:20.545: IPSEC(ipsec_get_crypto_session_id):
Invalid Payload Id
*Oct 4 21:18:20.545: IPSEC(crypto_ipsec_create_ipsec_sas): Map found DYNMAP, 10
*Oct 4 21:18:20.546: [] -> [SADB TESTMAP:172.30.5.14]: message SADB root KMI message processing
*Oct 4 21:18:20.546: [SADB TESTMAP:172.30.5.14]: message = SADB root KMI message processing
*Oct 4 21:18:20.546: IPSEC(STATES): SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 10 dynamic seqno 10
*Oct 4 21:18:20.546: [SADB TESTMAP:172.30.5.14] -> [ACL automatic]: message ACL KMI create SA
*Oct 4 21:18:20.546: [ACL automatic]: message = ACL KMI create SA
*Oct 4 21:18:20.546: [ACL automatic]: state = ACL KMI create SA for PtoP
*Oct 4 21:18:20.546: [KMI Forward]: state = KMI Initializing
*Oct 4 21:18:20.546: [ACL automatic] -> [KMI Forward]: message Forward KMI message
*Oct 4 21:18:20.546: [KMI Forward]: message = Forward KMI message
*Oct 4 21:18:20.546: [KMI Forward]: state = create ident
*Oct 4 21:18:20.546: [Ident 80000048]: state = Ident Initialization
*Oct 4 21:18:20.546: [KMI Forward]: state = change priority
*Oct 4 21:18:20.546: [KMI Forward]: state = forward
*Oct 4 21:18:20.546: [KMI Forward] -> [Ident 80000048]: message Message - Create SA
*Oct 4 21:18:20.546: [Ident 80000048]: message = Message - Create SA
*Oct 4 21:18:20.546: [Ident 80000048]: state = Check redundant request
*Oct 4 21:18:20.546: [Ident 80000048]: state = Allocate Session
*Oct 4 21:18:20.546: [Session]: state = Session Initialization
*Oct 4 21:18:20.546: [Ident 80000048]: state = Insert Peer
*Oct 4 21:18:20.546: [Ident 80000048] -> [Session]: message Session Inserting Peer
*Oct 4 21:18:20.546: [Session]: message = Session Inserting Peer
*Oct 4 21:18:20.546: [Ident 80000048]: state = Allocate Sibling
*Oct 4 21:18:20.546: [Sibling]: state = Sibling Initialization
*Oct 4 21:18:20.546: [Ident 80000048]: state = Create In/Outbound SAs
*Oct 4 21:18:20.546: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_CREATE_PTOP_SA message to ACL, static seqno 10, dynamic seqno 10
*Oct 4 21:18:20.546: [Ident 80000048]: state = Ident Set Replay
*Oct 4 21:18:20.546: [Ident 80000048]: state = Send SAs to sibling and install them
*Oct 4 21:18:20.546: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7FE9FFB89E08
*Oct 4 21:18:20.546: [Ident 80000048] -> [Sibling]: message Message - Create Inbound SA
*Oct 4 21:18:20.546: [Sibling]: message = Message - Create Inbound SA
*Oct 4 21:18:20.546: [Sibling]: state = Hook Session
*Oct 4 21:18:20.546: [Sibling] -> [Session]: message Message - In Use
*Oct 4 21:18:20.546: [Session]: message = Message - In Use
*Oct 4 21:18:20.546: [Session]: state = Add Sibling to Session List
*Oct 4 21:18:20.546: [Sibling]: state = Fill Sibling with CE data
*Oct 4 21:18:20.546: [Sibling 41D2110]: state = Hook SA Struct to Sibling
*Oct 4 21:18:20.546: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.30.5.14, sa_proto= 50,
sa_spi= 0x41D2110(69017872),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2141
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
local_proxy= 172.30.5.14/255.255.255.255/256/0,
remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct 4 21:18:20.546: IPSEC(create_sa): sa created,
(sa) sa_dest= 172.56.20.207, sa_proto= 50,
sa_spi= 0xC730EA35(3341871669),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2142
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
local_proxy= 172.30.5.14/255.255.255.255/256/0,
remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct 4 21:18:20.546: [Sibling 41D2110]: state = Install SPI
*Oct 4 21:18:20.549: [Sibling 41D2110]: request insert_spi got error
*Oct 4 21:18:20.549: [Sibling 41D2110]: state = Setting Error Flag
*Oct 4 21:18:20.549: [Sibling 41D2110]: state = Notify Ident
*Oct 4 21:18:20.549: IPSEC(send_delete_notify_kmi): Inbound/outbound installation failed, not sending DECR
*Oct 4 21:18:20.549: IPSEC(update_current_outbound_sa): updated peer 172.56.20.207 current outbound sa to SPI 0
*Oct 4 21:18:20.549: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.30.5.14, sa_proto= 50,
sa_spi= 0x41D2110(69017872),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2141
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
local_proxy= 172.30.5.14/255.255.255.255/256/0,
remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct 4 21:18:20.549: IPSEC(delete_sa): SA found saving DEL kmi
*Oct 4 21:18:20.549: IPSEC(delete_sa): deleting SA,
(sa) sa_dest= 172.56.20.207, sa_proto= 50,
sa_spi= 0xC730EA35(3341871669),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2142
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
local_proxy= 172.30.5.14/255.255.255.255/256/0,
remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct 4 21:18:20.549: IPSEC(send_delete_notify_kmi): not sending KEY_ENG_NOTIFY_DECR_COUNT
*Oct 4 21:18:20.549: [Sibling 41D2110] -> [Ident 80000048]: message Message - Delete SA [Ident 80000048] : busy in Send SAs to sibling and install them state
*Oct 4 21:18:20.549: [Sibling 41D2110]: state = Delete SPI
*Oct 4 21:18:20.549: [Sibling 41D2110]: state = Save Stats
*Oct 4 21:18:20.549: [Sibling 41D2110]: state = Delete SA
*Oct 4 21:18:20.549: [Sibling 41D2110]: state = Notify Session
*Oct 4 21:18:20.549: [Sibling 41D2110] -> [Session]: message Message - Not In Use
*Oct 4 21:18:20.549: [Session]: message = Message - Not In Use
*Oct 4 21:18:20.549: [Session]: state = Decr refcount, remove sibling from list
*Oct 4 21:18:20.549: [Session]: state = Check refcount
*Oct 4 21:18:20.549: [Session]: state = Session Delete
*Oct 4 21:18:20.549: [Session]: state = Session Teardown
*Oct 4 21:18:20.549: [Session]: state = Session End
*Oct 4 21:18:20.549: [Session]: deleting state machine
*Oct 4 21:18:20.549: [Sibling 41D2110]: state = Sibling End
*Oct 4 21:18:20.549: [Sibling 41D2110]: deleting state machine
*Oct 4 21:18:20.549: [Ident 80000048]: state = Delete Select Outbound SA
*Oct 4 21:18:20.549: [Ident 80000048]: state = Ident has no SAs
*Oct 4 21:18:20.549: [Ident 80000048] -> [Ident 80000048]: message Message - Destroy yourself [Ident 80000048] : busy in Ident has no SAs state
*Oct 4 21:18:20.549: [Ident 80000048]: state = Delete SA
*Oct 4 21:18:20.549: [Ident 80000048]: state = Unset flow_installed
*Oct 4 21:18:20.549: [Ident 80000048]: state = Delete Sibling
*Oct 4 21:18:20.549: [Ident 80000048] -> ??? : attempted to send message (destination deleted)
*Oct 4 21:18:20.549: [Ident 80000048]: state = Delete Outbound SA
*Oct 4 21:18:30.549: [Ident 80000048]: request ipsec_wait_for_delete_to_complete got error
*Oct 4 21:18:30.549: [Ident 80000048]: state = Delete notify KMI from ident
*Oct 4 21:18:30.549: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
*Oct 4 21:18:30.549: [KMI Forward]: state = success
*Oct 4 21:18:30.549: [KMI Forward]: deleting state machine
*Oct 4 21:18:30.549: [ACL automatic]: state = ACL KMI check result
*Oct 4 21:18:30.549: [Ident 80000048]: message = Message - Delete SA
*Oct 4 21:18:30.549: [Ident 80000048]: message = Message - Destroy yourself
*Oct 4 21:18:30.549: [Ident 80000048]: state = Destroy: Mark Flow
*Oct 4 21:18:30.549: [Ident 80000048]: state = Destroy: Save KMI
*Oct 4 21:18:30.549: [Ident 80000048]: state = Destroy: Delete SAs
*Oct 4 21:18:30.549: [Ident 80000048]: state = Destroy: Remove Flow
*Oct 4 21:18:30.549: [Ident 80000048]: state = Destroy: Free Outbound SAs
*Oct 4 21:18:30.549: [Ident 80000048]: state = Destroy: Notify KMI DECR/DELETE
*Oct 4 21:18:30.549: [Ident 80000048]: state = Ident Destroy Update Stats
*Oct 4 21:18:30.549: [Ident 80000048]: state = Destroy: Delete Session
*Oct 4 21:18:30.549: [Ident 80000048]: state = Destroy: Delete TBAR
*Oct 4 21:18:30.549: [Ident 80000048]: state = Destroy: End
*Oct 4 21:18:30.549: [Ident 80000048]: deleting state machine
*Oct 4 21:18:30.549: [] -> [ACL automatic]: message ACL ident delete notify
*Oct 4 21:18:30.549: [ACL automatic]: message = ACL ident delete notify
10-06-2016 07:07 AM
Hi cbabcock05068,
Is there any reason why you are using transport mode instead of tunnel mode? I can see you configured everything as if you were going to connect with L2TP/IPsec.
Can you test running tunnel mode and removing the ip nat demux from the crypto map?
Hope this info helps!!
Rate if helps you!!
-JP-
10-06-2016 10:46 AM
Hey JP,
Yes. This is the LAC/LNS for L2TP connections. L2TP works perfectly without IPsec, but of course can't do that in production. I can test in tunnel mode, but given that I'm using L2TP no point in using tunnel IMO. Thanks.
Chris
02-12-2017 10:38 PM
Hi, I was wondering if you got this sorted. I am working on something similar.
11-04-2020 11:19 PM
Hi, I faced the same problem. How did you fix it?