
Can't get IKE1 phase 2 between IOS-XE and strongswan

cbabcock05068
Level 1

Hi All,


I'm not able to get a phase 2 session up between an IOS-XE (hub) and a strongswan client (spoke). Phase 1 is perfect. I'm using a dynamic map on the hub. All the transform sets match perfectly. I don't get it. Any help would be greatly appreciated. Thanks!


Hub:

crypto keyring TESTKEY
  pre-shared-key address 0.0.0.0 0.0.0.0 key testkey
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp profile TESTISA
   keyring TESTKEY
   match identity address 0.0.0.0
crypto ipsec transform-set AES-SHA256 esp-aes esp-sha-hmac
 mode transport
crypto dynamic-map DYNMAP 10
 set nat demux
 set transform-set AES-SHA256
 set isakmp-profile TESTISA
crypto map TESTMAP 10 ipsec-isakmp dynamic DYNMAP
 crypto map TESTMAP


Spoke:


 conn TEST
      esp=aes128-sha1!
      ike=aes128-sha1-modp1024
      forceencaps=yes
      left=%any
      right=52.202.115.201
      rightsubnet=52.202.115.201
      rightid=172.30.5.14
      authby=secret
      type=transport
      keyexchange=ikev1
      auto=start


I'm able to get ISAKMP phase 1 up but phase 2 fails. Here are the debugs for ipsec:


*Oct  4 21:18:16.913: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  4 21:18:20.476: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  4 21:18:20.545: IPSEC(validate_proposal_request): proposal part #1
*Oct  4 21:18:20.545: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 52.202.115.201/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport-UDP),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Oct  4 21:18:20.545: (ipsec_process_proposal)Map Accepted: DYNMAP, 10
*Oct  4 21:18:20.545: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct  4 21:18:20.545: IPSEC(ipsec_get_crypto_session_id):
Invalid Payload Id
*Oct  4 21:18:20.545: IPSEC(crypto_ipsec_create_ipsec_sas): Map found DYNMAP, 10
*Oct  4 21:18:20.546: [] -> [SADB TESTMAP:172.30.5.14]: message SADB root KMI message processing
*Oct  4 21:18:20.546: [SADB TESTMAP:172.30.5.14]: message = SADB root KMI message processing
*Oct  4 21:18:20.546: IPSEC(STATES): SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 10 dynamic seqno 10
*Oct  4 21:18:20.546: [SADB TESTMAP:172.30.5.14] -> [ACL automatic]: message ACL KMI create SA
*Oct  4 21:18:20.546: [ACL automatic]: message = ACL KMI create SA
*Oct  4 21:18:20.546: [ACL automatic]: state = ACL KMI create SA for PtoP
*Oct  4 21:18:20.546: [KMI Forward]: state = KMI Initializing
*Oct  4 21:18:20.546: [ACL automatic] -> [KMI Forward]: message Forward KMI message
*Oct  4 21:18:20.546: [KMI Forward]: message = Forward KMI message
*Oct  4 21:18:20.546: [KMI Forward]: state = create ident
*Oct  4 21:18:20.546: [Ident 80000048]: state = Ident Initialization
*Oct  4 21:18:20.546: [KMI Forward]: state = change priority
*Oct  4 21:18:20.546: [KMI Forward]: state = forward
*Oct  4 21:18:20.546: [KMI Forward] -> [Ident 80000048]: message Message - Create SA
*Oct  4 21:18:20.546: [Ident 80000048]: message = Message - Create SA
*Oct  4 21:18:20.546: [Ident 80000048]: state = Check redundant request
*Oct  4 21:18:20.546: [Ident 80000048]: state = Allocate Session
*Oct  4 21:18:20.546: [Session]: state = Session Initialization
*Oct  4 21:18:20.546: [Ident 80000048]: state = Insert Peer
*Oct  4 21:18:20.546: [Ident 80000048] -> [Session]: message Session Inserting Peer
*Oct  4 21:18:20.546: [Session]: message = Session Inserting Peer
*Oct  4 21:18:20.546: [Ident 80000048]: state = Allocate Sibling
*Oct  4 21:18:20.546: [Sibling]: state = Sibling Initialization
*Oct  4 21:18:20.546: [Ident 80000048]: state = Create In/Outbound SAs
*Oct  4 21:18:20.546: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_CREATE_PTOP_SA message to ACL, static seqno 10, dynamic seqno 10
*Oct  4 21:18:20.546: [Ident 80000048]: state = Ident Set Replay
*Oct  4 21:18:20.546: [Ident 80000048]: state = Send SAs to sibling and install them
*Oct  4 21:18:20.546: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 7FE9FFB89E08
*Oct  4 21:18:20.546: [Ident 80000048] -> [Sibling]: message Message - Create Inbound SA
*Oct  4 21:18:20.546: [Sibling]: message = Message - Create Inbound SA
*Oct  4 21:18:20.546: [Sibling]: state = Hook Session
*Oct  4 21:18:20.546: [Sibling] -> [Session]: message Message - In Use
*Oct  4 21:18:20.546: [Session]: message = Message - In Use
*Oct  4 21:18:20.546: [Session]: state = Add Sibling to Session List
*Oct  4 21:18:20.546: [Sibling]: state = Fill Sibling with CE data
*Oct  4 21:18:20.546: [Sibling 41D2110]: state = Hook SA Struct to Sibling
*Oct  4 21:18:20.546: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.30.5.14, sa_proto= 50,
    sa_spi= 0x41D2110(69017872),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2141
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 172.30.5.14/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct  4 21:18:20.546: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.56.20.207, sa_proto= 50,
    sa_spi= 0xC730EA35(3341871669),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2142
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 172.30.5.14/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct  4 21:18:20.546: [Sibling 41D2110]: state = Install SPI
*Oct  4 21:18:20.549: [Sibling 41D2110]: request insert_spi got error
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Setting Error Flag
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Notify Ident
*Oct  4 21:18:20.549: IPSEC(send_delete_notify_kmi): Inbound/outbound installation failed, not sending DECR
*Oct  4 21:18:20.549: IPSEC(update_current_outbound_sa): updated peer 172.56.20.207 current outbound sa to SPI 0
*Oct  4 21:18:20.549: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 172.30.5.14, sa_proto= 50,
    sa_spi= 0x41D2110(69017872),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2141
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 172.30.5.14/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct  4 21:18:20.549: IPSEC(delete_sa): SA found saving DEL kmi
*Oct  4 21:18:20.549: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 172.56.20.207, sa_proto= 50,
    sa_spi= 0xC730EA35(3341871669),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2142
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 172.30.5.14/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct  4 21:18:20.549: IPSEC(send_delete_notify_kmi): not sending KEY_ENG_NOTIFY_DECR_COUNT
*Oct  4 21:18:20.549: [Sibling 41D2110] -> [Ident 80000048]: message Message - Delete SA [Ident 80000048] : busy in Send SAs to sibling and install them state
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Delete SPI
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Save Stats
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Delete SA
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Notify Session
*Oct  4 21:18:20.549: [Sibling 41D2110] -> [Session]: message Message - Not In Use
*Oct  4 21:18:20.549: [Session]: message = Message - Not In Use
*Oct  4 21:18:20.549: [Session]: state = Decr refcount, remove sibling from list
*Oct  4 21:18:20.549: [Session]: state = Check refcount
*Oct  4 21:18:20.549: [Session]: state = Session Delete
*Oct  4 21:18:20.549: [Session]: state = Session Teardown
*Oct  4 21:18:20.549: [Session]: state = Session End
*Oct  4 21:18:20.549: [Session]: deleting state machine
*Oct  4 21:18:20.549: [Sibling 41D2110]: state = Sibling End
*Oct  4 21:18:20.549: [Sibling 41D2110]: deleting state machine
*Oct  4 21:18:20.549: [Ident 80000048]: state = Delete Select Outbound SA
*Oct  4 21:18:20.549: [Ident 80000048]: state = Ident has no SAs
*Oct  4 21:18:20.549: [Ident 80000048] -> [Ident 80000048]: message Message - Destroy yourself [Ident 80000048] : busy in Ident has no SAs state
*Oct  4 21:18:20.549: [Ident 80000048]: state = Delete SA
*Oct  4 21:18:20.549: [Ident 80000048]: state = Unset flow_installed
*Oct  4 21:18:20.549: [Ident 80000048]: state = Delete Sibling
*Oct  4 21:18:20.549: [Ident 80000048] -> ??? : attempted to send message (destination deleted)
*Oct  4 21:18:20.549: [Ident 80000048]: state = Delete Outbound SA
*Oct  4 21:18:30.549: [Ident 80000048]: request ipsec_wait_for_delete_to_complete got error
*Oct  4 21:18:30.549: [Ident 80000048]: state = Delete notify KMI from ident
*Oct  4 21:18:30.549: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
*Oct  4 21:18:30.549: [KMI Forward]: state = success
*Oct  4 21:18:30.549: [KMI Forward]: deleting state machine
*Oct  4 21:18:30.549: [ACL automatic]: state = ACL KMI check result
*Oct  4 21:18:30.549: [Ident 80000048]: message = Message - Delete SA
*Oct  4 21:18:30.549: [Ident 80000048]: message = Message - Destroy yourself
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Mark Flow
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Save KMI
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Delete SAs
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Remove Flow
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Free Outbound SAs
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Notify KMI DECR/DELETE
*Oct  4 21:18:30.549: [Ident 80000048]: state = Ident Destroy Update Stats
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Delete Session
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: Delete TBAR
*Oct  4 21:18:30.549: [Ident 80000048]: state = Destroy: End
*Oct  4 21:18:30.549: [Ident 80000048]: deleting state machine
*Oct  4 21:18:30.549: [] -> [ACL automatic]: message ACL ident delete notify
*Oct  4 21:18:30.549: [ACL automatic]: message = ACL ident delete notify
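Added example (not from the post or from Cisco/strongSwan): a small Python checker that parses the identity lines in the `debug crypto ipsec` output above, using a constructed excerpt of that output as sample input. It flags where the spoke's proposed proxy identities differ from the hub's own address and from the SAs the hub then tried to install, and picks up the `insert_spi got error` line, which is where the log shows the install failing.

```python
import re  # the sample below is a constructed excerpt of the post's debug output
SAMPLE_LOG = """\
*Oct  4 21:18:20.545: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 52.202.115.201/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/0,
*Oct  4 21:18:20.546: IPSEC(create_sa): sa created,
  (identity) local= 172.30.5.14:0, remote= 172.56.20.207:0,
    local_proxy= 172.30.5.14/255.255.255.255/256/0,
    remote_proxy= 172.56.20.207/255.255.255.255/256/18083
*Oct  4 21:18:20.549: [Sibling 41D2110]: request insert_spi got error
"""

EVENT_RE = re.compile(r"IPSEC\((validate_proposal_request|create_sa)\)")
LOCAL_RE = re.compile(r"\blocal= ([\d.]+):\d+")
PROXY_RE = re.compile(r"(local|remote)_proxy= ([\d.]+)/([\d.]+)/(\d+)/(\d+)")  # addr/mask/proto/port

def parse_events(log: str) -> list[dict]:
    # Group identity lines under the IPSEC event that introduced them.
    events: list[dict] = []
    for line in log.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append({"event": m.group(1), "proxies": {}})
        elif events:  # identity lines belong to the most recent event
            lm = LOCAL_RE.search(line)
            if lm:
                events[-1]["local"] = lm.group(1)
            for side, addr, mask, proto, port in PROXY_RE.findall(line):
                events[-1]["proxies"][side] = (addr, mask, int(proto), int(port))
    return events

def check_log(log: str) -> list[str]:
    # Return findings worth a look; an empty list means nothing stood out.
    findings: list[str] = []
    events = parse_events(log)
    proposal = next((e for e in events if e["event"] == "validate_proposal_request"), None)
    if proposal and "local" in proposal["proxies"]:
        addr = proposal["proxies"]["local"][0]
        if addr != proposal.get("local"):
            findings.append(f"peer proposed local_proxy {addr}, hub address is {proposal['local']}")
    for sa in (e for e in events if e["event"] == "create_sa"):
        for side in ("local", "remote"):
            p = proposal["proxies"].get(side) if proposal else None
            s = sa["proxies"].get(side)
            if p and s and (p[0], p[3]) != (s[0], s[3]):
                findings.append(f"{side}_proxy changed from {p[0]}:{p[3]} to {s[0]}:{s[3]}")
    if "insert_spi got error" in log:
        findings.append("SA install failed: insert_spi got error")
    return list(dict.fromkeys(findings))  # de-duplicate, keep order
```

Run `check_log(open("debug.txt").read())` on a full capture; on the excerpt above it reports the proposal naming 52.202.115.201 while the hub's address is 172.30.5.14, the proxy identities shifting between proposal and installed SA, and the failed SPI install.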

4 Replies

JP Miranda Z
Cisco Employee

Hi cbabcock05068,

Is there any reason why you are using transport mode instead of tunnel mode? I can see you configured everything as if you are going to connect with L2TP/IPsec.

Can you test running tunnel mode and removing the ip nat demux from the crypto map?

Hope this info helps!!

Rate if helps you!! 

-JP-

Hey JP,

Yes. This is the LAC/LNS for L2TP connections. L2TP works perfectly without IPsec, but of course I can't do that in production. I can test in tunnel mode, but given that I'm using L2TP there is no point in using tunnel mode IMO. Thanks.

Chris

Hi, I was wondering if you got this sorted. I am working on something similar.

Hi, I faced the same problem. How did you fix it?
