
Can't bring up IPsec between Cisco ASR1001 and C9300X

dijix1990
VIP

I'm stuck with the IPsec configuration between a Cisco ASR1001 and a C9300X (ASR1001-ASR1001 works and C9300X-C9300X works).

My config for the ASR1001:

crypto ikev2 proposal ikev2_proposal 
 encryption aes-cbc-256
 integrity sha512
 group 5
 
crypto ikev2 policy ikev2_policy
 match fvrf any
 match address local 172.17.9.10
 proposal ikev2_proposal
 
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
  
crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2_keyring
 
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
 mode tunnel

crypto ipsec profile ipsec_profile
 set transform-set ipsec_transform_set
 set ikev2-profile ikev2_profile
 
interface Tunnel999
 ip address 10.100.101.2 255.255.255.252
 tunnel source 172.17.9.10
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.9
 tunnel protection ipsec profile ipsec_profile

Config for the C9300X:

crypto ikev2 proposal ikev2_proposal 
 encryption aes-cbc-256
 integrity sha512
 group 5
 
crypto ikev2 policy ikev2_policy
 match fvrf any
 match address local 172.17.9.9
 proposal ikev2_proposal
 
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
  
crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2_keyring
 
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
 mode tunnel

crypto ipsec profile ipsec_profile
 set transform-set ipsec_transform_set
 set ikev2-profile ikev2_profile
 
interface Tunnel999
 ip address 10.100.101.1 255.255.255.252
 tunnel source 172.17.9.9
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.10
 tunnel protection ipsec profile ipsec_profile

The debug file is included.

Accepted Solution

So, it's not because of the platform (the device I use supports AES-GCM 256 according to the datasheets and in practice). I think it's a bug; the ASR1001 is too old a platform for the C9300X. I tested my config between an ASR1001-X and a C9300X, and between an ISR4331 and a C9300X, and it worked with AES-GCM 256.

For the ASR1001 I used this config and it works (changed the transform set to esp-aes esp-sha-hmac):

crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 24

crypto ikev2 policy ikev2_policy
 match fvrf any
 match address local 172.17.9.9
 proposal ikev2_proposal

crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123

crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2_keyring

crypto ipsec transform-set ipsec_transform_set esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile ipsec_profile
 set transform-set ipsec_transform_set
 set ikev2-profile ikev2_profile

interface Tunnel999
 ip address 10.100.101.1 255.255.255.252
 tunnel source TwentyFiveGigE1/0/3
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.10
 tunnel protection ipsec profile ipsec_profile
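
An added example (my code, not from the thread or from Cisco) that reads the two configs as posted above and reports what has to agree between peers (IKEv2 proposal, transform set, crossed tunnel endpoints) plus the hygiene points a reviewer would raise: DH group 5, and also the group 24 used in the accepted solution, are rated SHOULD NOT by RFC 8247, and the `address 0.0.0.0 0.0.0.0` keyring with `match identity remote address 0.0.0.0` means any host that learns the PSK can bring up a tunnel. The config strings are trimmed copies of the posted configs; `parse_ios`, `extract`, `check_pair` and `WEAK_DH` are my names.

```python
import re

# Constructed from the ASR1001 config posted in the thread, trimmed to the
# commands the checker reads; the C9300X side is the same text with the two
# endpoint addresses swapped, exactly as in the post.
ASR1001_CFG = """\
crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 5
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0
 keyring local ikev2_keyring
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
 mode tunnel
interface Tunnel999
 tunnel source 172.17.9.10
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.9
 tunnel protection ipsec profile ipsec_profile
"""
C9300X_CFG = (ASR1001_CFG.replace("172.17.9.10", "@")
              .replace("172.17.9.9", "172.17.9.10").replace("@", "172.17.9.9"))
# The accepted solution: transform set and DH group changed on the switch side.
C9300X_FIXED_CFG = (C9300X_CFG.replace("esp-gcm 256", "esp-aes esp-sha-hmac")
                    .replace("group 5", "group 24"))

# DH groups RFC 8247 rates SHOULD NOT or MUST NOT (modulus under 2048 bits, or
# the 22-24 prime-order-subgroup variants); 14, 19, 20 and 21 are the ones to use.
WEAK_DH = {"1", "2", "5", "22", "23", "24"}


def parse_ios(text):
    """Group an IOS-style config into {top-level command: [indented lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def extract(cfg):
    """Pull out the IKEv2/IPsec parameters that must agree between two peers."""
    info = {"proposal": {}, "transform": (), "mode": "tunnel", "src": None,
            "dst": None, "wildcard_psk": False, "any_identity": False}
    for head, body in parse_ios(cfg).items():
        if head.startswith("crypto ikev2 proposal"):
            info["proposal"] = dict(line.split(None, 1) for line in body)
        elif head.startswith("crypto ipsec transform-set"):
            info["transform"] = tuple(head.split()[4:])
            for line in body:
                if line.startswith("mode "):
                    info["mode"] = line.split()[1]
        elif head.startswith("crypto ikev2 keyring"):
            info["wildcard_psk"] = "address 0.0.0.0 0.0.0.0" in body
        elif head.startswith("crypto ikev2 profile"):
            info["any_identity"] = "match identity remote address 0.0.0.0" in body
        elif head.startswith("interface Tunnel"):
            for line in body:
                m = re.match(r"tunnel (source|destination) (\S+)", line)
                if m:
                    info["src" if m.group(1) == "source" else "dst"] = m.group(2)
    return info


def check_pair(a_cfg, b_cfg):
    """Return findings: MISMATCH lines block the tunnel, WARN/NOTE lines are hygiene."""
    a, b = extract(a_cfg), extract(b_cfg)
    findings = []
    if a["proposal"] != b["proposal"]:
        findings.append(f"MISMATCH ikev2 proposal: {a['proposal']} vs {b['proposal']}")
    if (a["transform"], a["mode"]) != (b["transform"], b["mode"]):
        findings.append(f"MISMATCH transform-set: {a['transform']} vs {b['transform']}")
    if not (a["src"] == b["dst"] and a["dst"] == b["src"]):
        findings.append(f"MISMATCH tunnel endpoints: {a['src']}->{a['dst']} vs {b['src']}->{b['dst']}")
    for name, side in (("A", a), ("B", b)):
        group = side["proposal"].get("group")
        if group in WEAK_DH:
            findings.append(f"WARN {name}: DH group {group} is SHOULD NOT/MUST NOT in RFC 8247; use 14, 19, 20 or 21")
        if side["wildcard_psk"]:
            findings.append(f"WARN {name}: keyring 'address 0.0.0.0 0.0.0.0' gives one PSK to any source address")
        if side["any_identity"]:
            findings.append(f"WARN {name}: profile matches any remote identity; pin the peer address instead")
        if side["transform"][:1] == ("esp-aes",) and "esp-sha-hmac" in side["transform"]:
            findings.append(f"NOTE {name}: esp-aes esp-sha-hmac is AES-128-CBC + HMAC-SHA1, weaker than esp-gcm 256")
    return findings


if __name__ == "__main__":
    for label, pair in (("posted configs", (ASR1001_CFG, C9300X_CFG)),
                        ("accepted solution vs unchanged ASR", (ASR1001_CFG, C9300X_FIXED_CFG))):
        print(f"== {label}")
        for finding in check_pair(*pair):
            print("  ", finding)
```

On the posted pair it reports no MISMATCH lines (so the failure is not a config disagreement, which is consistent with the thread's conclusion) and only the WARN lines; on the accepted-solution switch config against the unchanged ASR config it reports the proposal and transform-set mismatches, which is why both ends have to be changed together. For real devices, feed it the output of `show running-config | section crypto|interface Tunnel` from each peer.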

23 Replies

M02@rt37
VIP

Hello @dijix1990 

Please provide these outputs from both sides:

show crypto ikev2 sa

show crypto ipsec sa
show interface tunnel999
Best regards

ASR1001

asr1001#show crypto ikev2 sa
asr1001#show crypto ipsec sa

interface: Tunnel999
    Crypto map tag: Tunnel999-head-0, local addr 172.17.9.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.17.9.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.17.9.10, remote crypto endpt.: 172.17.9.9
     plaintext mtu 9198, path mtu 9198, ip mtu 9198, ip mtu idb GigabitEthernet0/0/3
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
asr1001# show interface tunnel999
Tunnel999 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.100.101.2/30
  MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - linestate protection reg down
  Tunnel source 172.17.9.10, destination 172.17.9.9
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1500 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec_profile")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:04:19
  Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

9300X

c9300x-02# show crypto ikev2 sa
c9300x-02#show crypto ipsec sa

interface: Tunnel999
    Crypto map tag: Tunnel999-head-0, local addr 172.17.9.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.17.9.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.17.9.9, remote crypto endpt.: 172.17.9.10
     plaintext mtu 9142, path mtu 9198, ip mtu 9198, ip mtu idb TwentyFiveGigE1/0/3
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
c9300x-02# show interface tunnel999
Tunnel999 is up, line protocol is down
  Hardware is Tunnel
  Internet address is 10.100.101.1/30
  MTU 17892 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel linestate evaluation down - linestate protection reg down
  Tunnel source 172.17.9.9, destination 172.17.9.10
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 9198 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec_profile")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 00:05:33
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 20
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     20 packets output, 1440 bytes, 0 underruns
     Output 0 broadcasts (0 IP multicasts)
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

 

On the 9300X side I can see the tunnel flapping:

Jan 13 14:43:16.405: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:43:16.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:43:21.446: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:43:23.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:43:46.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:43:46.416: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:44:16.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:44:16.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:44:21.877: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:44:23.684: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:44:46.404: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:44:46.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down

but on the ASR1001 there is nothing in the log.

From the debug (ASR1001) I see these errors:

Jan 13 13:59:08.472: IKEv2-ERROR:(SESSION ID = 23309,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Jan 13 13:59:08.472: IKEv2-INTERNAL:(SESSION ID = 23309,SA ID = 1):SM Trace-> SA: I_SPI=BB37BE0121288ECF R_SPI=8668BD946D191F32 (I) MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL_RECD_LOAD_IPSEC
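
An added example, not part of any reply in this thread, that parses the `show crypto ipsec sa` output, the IKEv2 debug lines and the syslog flap posted above into the diagnosis the thread arrives at: outbound SPI 0x0 and no ESP SAs while the IKEv2 state machine is already at AUTH_DONE means the child SA failed to install on the box, not that the IKE negotiation failed. The sample strings are trimmed from the outputs above; the function names are mine.

```python
import re
from datetime import datetime

# Sample inputs constructed by trimming the ASR1001 and C9300X outputs posted above.
IPSEC_SA_OUTPUT = """\
interface: Tunnel999
    Crypto map tag: Tunnel999-head-0, local addr 172.17.9.10
     current_peer 172.17.9.9 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     inbound esp sas:

     outbound esp sas:
"""
IKEV2_DEBUG = """\
Jan 13 13:59:08.472: IKEv2-ERROR:(SESSION ID = 23309,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Jan 13 13:59:08.472: IKEv2-INTERNAL:(SESSION ID = 23309,SA ID = 1):SM Trace-> SA: I_SPI=BB37BE0121288ECF R_SPI=8668BD946D191F32 (I) MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL_RECD_LOAD_IPSEC
"""
SYSLOG = """\
Jan 13 14:43:16.405: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:43:16.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:43:21.446: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:43:23.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:43:46.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:43:46.416: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
"""


def parse_ipsec_sa(text):
    """Peer, outbound SPI, packet counters and installed ESP SA count per direction."""
    peer = re.search(r"current_peer (\S+) port (\d+)", text)
    spi = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", text)
    counters = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}
    sa_count = {}
    for direction in ("inbound", "outbound"):
        # Installed SAs are listed as "spi: 0x..." lines under the esp sas header,
        # up to the next "... sas:" header (or the end of the output).
        block = re.search(rf"{direction} esp sas:(.*?)(?:\n\s*(?:inbound|outbound) \w+ sas:|\Z)", text, re.S)
        sa_count[direction] = len(re.findall(r"spi: 0x", block.group(1))) if block else 0
    return {"peer": peer.group(1) if peer else None,
            "port": int(peer.group(2)) if peer else None,
            "outbound_spi": int(spi.group(1), 16) if spi else 0,
            "encaps": counters.get("encaps", 0), "decaps": counters.get("decaps", 0),
            "inbound_esp": sa_count["inbound"], "outbound_esp": sa_count["outbound"]}


def diagnose(sa, debug_text=""):
    """Map the parsed state to the diagnosis the thread arrives at."""
    if sa["inbound_esp"] and sa["outbound_esp"]:
        return "SA pair installed; if counters stay at 0 look at routing and ACLs, not IKE"
    if "Creation/Installation of IPsec SA into IPsec DB failed" in debug_text:
        state = re.search(r"CurState: (\w+)", debug_text)
        return (f"IKEv2 reached {state.group(1) if state else '?'} but the child SA could not be "
                "programmed into the crypto engine: check that the negotiated transform "
                "(here esp-gcm 256) is supported on this platform and release")
    return "no ESP SAs and outbound SPI 0x0: IKEv2 never completed; check proposal, PSK and UDP/500 reachability"


def flap_up_durations(syslog):
    """Seconds each 'up' lasted before the next 'down' on the same interface."""
    line_re = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): .*Interface ([^,]+), changed state to (up|down)")
    last_up, durations = {}, []
    for line in syslog.splitlines():
        m = line_re.match(line)
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%b %d %H:%M:%S.%f")  # IOS syslog carries no year
        iface, state = m.group(2), m.group(3)
        if state == "up":
            last_up[iface] = t
        elif iface in last_up:
            durations.append((t - last_up.pop(iface)).total_seconds())
    return durations


if __name__ == "__main__":
    sa = parse_ipsec_sa(IPSEC_SA_OUTPUT)
    print(sa)
    print(diagnose(sa, IKEV2_DEBUG))
    # Every 'up' lasts under two seconds; the tunnel is marked up when IKE_AUTH
    # completes and goes down again as soon as the SA install fails.
    print("up durations (s):", flap_up_durations(SYSLOG))
```

The flap durations (milliseconds, repeating about every 30 seconds) match the debug: the line protocol comes up when IKE_AUTH completes and drops as soon as `EV_FAIL_RECD_LOAD_IPSEC` fires, so `show crypto ikev2 sa` never shows a stable SA and `show crypto ipsec sa` stays at SPI 0x0 with empty SA lists. The same parser says "SA pair installed" once real `spi: 0x...` lines appear under the esp sas headers.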

 

Check the MTU on both platforms.

I see a mismatch.

MHM

MTU is 9198.

It's a direct link on the table.

 

plaintext mtu 9142

This is from what you shared.

*****I recommend studying the case carefully before changing any MTU.*****

MHM 

And? How can I change it?

BTW, the physical MTU:

 

Current configuration : 168 bytes
!
interface TwentyFiveGigE1/0/3
 no switchport
 mtu 9198
 ip address 172.17.9.9 255.255.255.252
end

c9300x-02#ping 172.17.9.9 si 9198 df
Type escape sequence to abort.
Sending 5, 9198-byte ICMP Echos to 172.17.9.9, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

Ping at 9198 is OK.

Remove the IPsec profile from the tunnel and see whether it is stable or not.

MHM

Yes, without IPsec the tunnel works:

tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_profile

 

I checked your debug.
IKEv2 phase II uses AES-GCM.

MHM

Where can we see it? And why? It's a new platform, more secure.

 

Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 2    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM

Yes, try 128 instead of 256 and check.
And that's why it's a platform limit: this encryption needs hardware that supports it.

MHM 

Yes, the C9300X has IPsec hardware encryption; according to the datasheet the C9300X can do 100G IPsec.

I'll try to check encryption between C9300Xs tomorrow; Cisco recommends this switch as a DC interconnect with very strong encryption.