cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2052
Views
0
Helpful
4
Replies
cbabcock05068
Beginner

Can't get IKE1 phase 2 between IOS-XE and strongswan

Hi All,


I'm not able to get a phase session up between a IOS-XE(hub) and strongswan client(spoke).  Phase 1 is perfect.  I'm using a dynamic map on the HUB.  All the transform sets match perfectly. I don't get it.  Any help would be greatly appreciated. Thanks!


Hub:

crypto keyring TESTKEY
  pre-shared-key address 0.0.0.0 0.0.0.0 key testkey
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile TESTISA
   keyring TESTKEY
   match identity address 0.0.0.0
crypto ipsec transform-set AES-SHA256 esp-aes esp-sha-hmac
 mode transport
crypto dynamic-map DYNMAP 10
 set nat demux
 set transform-set AES-SHA256
 set isakmp-profile TESTISA
crypto map TESTMAP 10 ipsec-isakmp dynamic DYNMAP
 crypto map TESTMAP


Spoke:


 conn TEST
      esp=aes128-sha1!
      ike=aes128-sha1-modp1024
      forceencaps=yes
      left=%any
      right=52.202.115.201
      rightsubnet=52.202.115.201
      rightid=172.30.5.14
      authby=secret
      type=transport
      keyexchange=ikev1
      auto=start


I'm able to get ISAKMP phase 1 up but phase 2 fails.  Here's the debugs for ipsec:


*Oct  4 21:18:16.913: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  4 21:18:20.476: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  4 21:18:20.545: IPSEC(validate_proposal_request): proposal part #1
*Oct  4 21:18:20.545: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 52.202.115.201/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct  4 21:18:20.545: (ipsec_process_proposal)Map Accepted: DYNMAP, 10
*Oct  4 21:18:20.545: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  4 21:18:20.545: IPSEC(ipsec_get_crypto_session_id):
Invalid Payload Id
*Oct  4 21:18:20.545: IPSEC(crypto_ipsec_create_ipsec_sas): Map found DYNMAP, 10
*Oct  4 21:18:20.546: [] -> [SADB TESTMAP:172.30.5.14]: message SADB root KMI message processing
*Oct  4 21:18:20.546: [SADB TESTMAP:172.30.5.14]: message = SADB root KMI message processing
*Oct  4 21:18:20.546: IPSEC(STATES): SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 10 dynamic seqno 10
*Oct  4 21:18:20.546: [SADB TESTMAP:172.30.5.14] -> [ACL automatic]: message ACL KMI create SA
*Oct  4 21:18:20.546: [ACL automatic]: message = ACL KMI create SA
*Oct  4 21:18:20.546: [ACL automatic]: state = ACL KMI create SA for PtoP
*Oct  4 21:18:20.546: [KMI Forward]: state = KMI Initializing
*Oct  4 21:18:20.546: [ACL automatic] -> [KMI Forward]: message Forward KMI message
*Oct  4 21:18:20.546: [KMI Forward]: message = Forward KMI message
*Oct  4 21:18:20.546: [KMI Forward]: state = create ident
*Oct  4 21:18:20.546: [Ident 80000048]: state = Ident Initialization
*Oct  4 21:18:20.546: [KMI Forward]: state = change priority
*Oct  4 21:18:20.546: [KMI Forward]: state = forward
*Oct  4 21:18:20.546: [KMI Forward] -> [Ident 80000048]: message Message - Create SA
*Oct  4 21:18:20.546: [Ident 80000048]: message = Message - Create SA
*Oct  4 21:18:20.546: [Ident 80000048]: state = Check redundant request
*Oct  4 21:18:20.546: [Ident 80000048]: state = Allocate Session
*Oct  4 21:18:20.546: [Session]: state = Session Initialization
*Oct  4 21:18:20.546: [Ident 80000048]: state = Insert Peer
*Oct  4 21:18:20.546: [Ident 80000048] -> [Session]: message Session Inserting Peer
*Oct  4 21:18:20.546: [Session]: message = Session Inserting Peer
*Oct  4 21:18:20.546: [Ident 80000048]: state = Allocate Sibling
*Oct  4 21:18:20.546: [Sibling]: state = Sibling Initialization
*Oct  4 21:18:20.546: [Ident 80000048]: state = Create In/Outbound SAs
*Oct  4 21:18:20.546: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_CREATE_PTOP_SA message to ACL, static seqno 10, dynamic seqno 10
*Oct  4 21:18:20.546: [Ident 80000048]: state = Ident Set Replay
*Oct  4 21:18:20.546: [Ident 80000048]: state = Send SAs to sibling and install them
*Oct  4 21:18:20.546: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7FE9FFB89E08
*Oct  4 21:18:20.546: [Ident 80000048] -> [Sibling]: message Message - Create Inbound SA
*Oct  4 21:18:20.546: [Sibling]: message = Message - Create Inbound SA
*Oct  4 21:18:20.546: [Sibling]: state = Hook Session
*Oct  4 21:18:20.546: [Sibling] -> [Session]: message Message - In Use
*Oct  4 21:18:20.546: [Session]: message = Message - In Use
*Oct  4 21:18:20.546: [Session]: state = Add Sibling to Session List
*Oct  4 21:18:20.546: [Sibling]: state = Fill Sibling with CE data
*Oct  4 21:18:20.546: [Sibling 41D2110]: state = Hook SA Struct to Sibling
*Oct  4 21:18:20.546: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.30.5.14, sa_proto= 50,
    sa_spi= 0x41D2110(69017872),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2141
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 172.30.5.14/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct  4 21:18:20.546: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.56.20.207, sa_proto= 50,
    sa_spi= 0xC730EA35(3341871669),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2142
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 172.30.5.14/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct  4 21:18:20.546: [Sibling 41D2110]: state = Install SPI
*Oct  4 21:18:20.549: [Sibling 41D2110]: request insert_spi got error
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Setting Error Flag
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Notify Ident
*Oct  4 21:18:20.549: IPSEC(send_delete_notify_kmi): Inbound/outbound installation failed, not sending DECR
*Oct  4 21:18:20.549: IPSEC(update_current_outbound_sa): updated peer 172.56.20.207 current outbound sa to SPI 0
*Oct  4 21:18:20.549: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 172.30.5.14, sa_proto= 50,
    sa_spi= 0x41D2110(69017872),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2141
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 172.30.5.14/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct  4 21:18:20.549: IPSEC(delete_sa): SA found saving DEL kmi
*Oct  4 21:18:20.549: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 172.56.20.207, sa_proto= 50,
    sa_spi= 0xC730EA35(3341871669),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2142
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 172.30.5.14/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct  4 21:18:20.549: IPSEC(send_delete_notify_kmi): not sending KEY_ENG_NOTIFY_DECR_COUNT
*Oct  4 21:18:20.549: [Sibling 41D2110] -> [Ident 80000048]: message Message - Delete SA [Ident 80000048] : busy in Send SAs to sibling and install them state
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Delete SPI
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Save Stats
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Delete SA
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Notify Session
*Oct  4 21:18:20.549: [Sibling 41D2110] -> [Session]: message Message - Not In Use
*Oct  4 21:18:20.549: [Session]: message = Message - Not In Use
*Oct  4 21:18:20.549: [Session]: state = Decr refcount, remove sibling from list
*Oct  4 21:18:20.549: [Session]: state = Check refcount
*Oct  4 21:18:20.549: [Session]: state = Session Delete
*Oct  4 21:18:20.549: [Session]: state = Session Teardown
*Oct  4 21:18:20.549: [Session]: state = Session End
*Oct  4 21:18:20.549: [Session]: deleting state machine
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Sibling End
*Oct  4 21:18:20.549: [Sibling 41D2110]: deleting state machine
*Oct  4 21:18:20.549: [Ident 80000048]: state = Delete Select Outbound SA
*Oct  4 21:18:20.549: [Ident 80000048]: state = Ident has no SAs
*Oct  4 21:18:20.549: [Ident 80000048] -> [Ident 80000048]: message Message - Destroy yourself [Ident 80000048] : busy in Ident has no SAs state
*Oct  4 21:18:20.549: [Ident 80000048]: state = Delete SA
*Oct  4 21:18:20.549: [Ident 80000048]: state = Unset flow_installed
*Oct  4 21:18:20.549: [Ident 80000048]: state = Delete Sibling
*Oct  4 21:18:20.549: [Ident 80000048] -> ??? : attempted to send message (destination deleted)
*Oct  4 21:18:20.549: [Ident 80000048]: state = Delete Outbound SA
*Oct  4 21:18:30.549: [Ident 80000048]: request ipsec_wait_for_delete_to_complete got error
*Oct  4 21:18:30.549: [Ident 80000048]: state = Delete notify KMI from ident
*Oct  4 21:18:30.549: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
*Oct  4 21:18:30.549: [KMI Forward]: state = success
*Oct  4 21:18:30.549: [KMI Forward]: deleting state machine
*Oct  4 21:18:30.549: [ACL automatic]: state = ACL KMI check result
*Oct  4 21:18:30.549: [Ident 80000048]: message = Message - Delete SA
*Oct  4 21:18:30.549: [Ident 80000048]: message = Message - Destroy yourself
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Mark Flow
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Save KMI
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Delete SAs
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Remove Flow
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Free Outbound SAs
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Notify KMI DECR/DELETE
*Oct  4 21:18:30.549: [Ident 80000048]: state = Ident Destroy Update Stats
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Delete Session
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Delete TBAR
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: End
*Oct  4 21:18:30.549: [Ident 80000048]: deleting state machine
*Oct  4 21:18:30.549: [] -> [ACL automatic]: message ACL ident delete notify
*Oct  4 21:18:30.549: [ACL automatic]: message = ACL ident delete notify

4 REPLIES 4
JP Miranda Z
Cisco Employee

Hi cbabcock05068,

Is there any reason why you are using transport mode instead of tunnel mode?  I can see you did configure everything like if you are going to connect with L2TP/IPSEC. 

Can you test running tunnel mode and removing the ip nat demux from the crypto map?

Hope this info helps!!

Rate if helps you!! 

-JP-

Hey JP,

Yes.  This is the LAC/LNS for L2TP connections.  L2TP works perfectly without IPsec, but of course can't do that in production.  I can test in tunnel mode, but given that I'm using L2TP no point in using tunnel IMO.  Thanks.

Chris

Hi, I was wondering if you got this sorted. I am working on something similar.

hi, I faced with the same problem, how you fixed it?

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (38%)

Content for Community-Ad