01-13-2024 03:06 AM
I am stuck with the IPsec configuration between a Cisco ASR1001 and a C9300X (ASR1001-ASR1001 works and C9300X-C9300X works).
My config for the ASR1001:
crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 5
crypto ikev2 policy ikev2_policy
 match fvrf any
 match address local 172.17.9.10
 proposal ikev2_proposal
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2_keyring
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
 mode tunnel
crypto ipsec profile ipsec_profile
 set transform-set ipsec_transform_set
 set ikev2-profile ikev2_profile
interface Tunnel999
 ip address 10.100.101.2 255.255.255.252
 tunnel source 172.17.9.10
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.9
 tunnel protection ipsec profile ipsec_profile
Config for the C9300X:
crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 5
crypto ikev2 policy ikev2_policy
 match fvrf any
 match address local 172.17.9.9
 proposal ikev2_proposal
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2_keyring
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
 mode tunnel
crypto ipsec profile ipsec_profile
 set transform-set ipsec_transform_set
 set ikev2-profile ikev2_profile
interface Tunnel999
 ip address 10.100.101.1 255.255.255.252
 tunnel source 172.17.9.9
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.10
 tunnel protection ipsec profile ipsec_profile
The debug file is included.
01-14-2024 12:17 AM - edited 01-14-2024 01:27 AM
So, it's not because of the platform (the devices I use support AES-GCM-256 according to the datasheets and in operation). I think it's a bug; the ASR1001 is too old a platform for the C9300X. I tested my config between an ASR1001-X and a C9300X, and between an ISR4331 and a C9300X, and it worked with AES-GCM-256.
For the ASR1001 I used this config and it works (changed the transform set to esp-aes esp-sha-hmac):
crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 24
crypto ikev2 policy ikev2_policy
 match fvrf any
 match address local 172.17.9.9
 proposal ikev2_proposal
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2_keyring
crypto ipsec transform-set ipsec_transform_set esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec_profile
 set transform-set ipsec_transform_set
 set ikev2-profile ikev2_profile
interface Tunnel999
 ip address 10.100.101.1 255.255.255.252
 tunnel source TwentyFiveGigE1/0/3
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.10
 tunnel protection ipsec profile ipsec_profile
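Before touching the tunnel side it is worth confirming that the two peers' IKEv2 proposals and ESP transform sets can actually be negotiated, and that none of the settings is a known weak choice. The script below is an added example and is not part of the thread or of any Cisco tooling. It embeds two configs constructed from the thread (the original ASR1001 side with esp-gcm 256 and DH group 5, and the C9300X side from the accepted solution with esp-aes esp-sha-hmac and DH group 24), parses only the commands used in this thread, and reports algorithms with no common value between the peers, a differing transform set, DH groups of 1536 bits or less, and a keyring that accepts any peer address with a single pre-shared key. It cannot see the actual failure in this thread (the ASR1001 negotiating AES-GCM in IKEv2 but then failing to install the ESP SA), which only the debug shows.

```python
"""Pre-check the IKEv2/IPsec crypto settings of two IOS-XE peers.

Added example; not from the thread or from Cisco. The parser only
understands the commands used in this thread (crypto ikev2 proposal,
crypto ikev2 keyring, crypto ipsec transform-set) and is not a general
IOS-XE configuration parser.
"""
import re

# Constructed from the thread: original ASR1001 side (AES-GCM-256 ESP,
# DH group 5) and the C9300X side of the accepted solution (esp-aes
# esp-sha-hmac, DH group 24). Policy/profile/tunnel lines are omitted.
ASR1001_ORIGINAL = """\
crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 5
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
 mode tunnel
"""

C9300X_SOLUTION = """\
crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 24
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
crypto ipsec transform-set ipsec_transform_set esp-aes esp-sha-hmac
 mode tunnel
"""

# MODP groups of 1536 bits or less. RFC 8247 rates group 1 as MUST NOT
# and groups 2 and 5 as SHOULD NOT for IKEv2.
LEGACY_DH_GROUPS = {"1", "2", "5"}


def parse_crypto(cfg: str) -> dict:
    """Extract IKEv2 proposal algorithms, the ESP transform set, and
    whether the keyring matches any peer address with a pre-shared key."""
    out = {"encryption": set(), "integrity": set(), "group": set(),
           "transform": None, "wildcard_psk": False}
    section = None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):   # unindented line = new top-level command
            section = None
            if line.startswith("crypto ikev2 proposal "):
                section = "proposal"
            elif line.startswith("crypto ikev2 keyring "):
                section = "keyring"
            else:
                m = re.match(r"crypto ipsec transform-set \S+ (.+)", line)
                if m:
                    out["transform"] = tuple(m.group(1).split())
            continue
        if section == "proposal":
            kw, *vals = line.split()
            if kw in ("encryption", "integrity", "group"):
                out[kw].update(vals)
        elif section == "keyring" and line == "address 0.0.0.0 0.0.0.0":
            out["wildcard_psk"] = True
    return out


def compare(a: dict, b: dict, names=("A", "B")) -> list:
    """Return findings: IKEv2 algorithms with no common value, a differing
    ESP transform set, and per-side weak settings."""
    fmt = lambda t: " ".join(t) if t else "(none)"
    findings = []
    for key in ("encryption", "integrity", "group"):
        if not (a[key] & b[key]):
            findings.append(f"no common IKEv2 {key}: "
                            f"{sorted(a[key])} vs {sorted(b[key])}")
    if a["transform"] != b["transform"]:
        findings.append("IPsec transform-set differs: "
                        f"{fmt(a['transform'])} vs {fmt(b['transform'])}")
    for name, side in zip(names, (a, b)):
        legacy = side["group"] & LEGACY_DH_GROUPS
        if legacy:
            findings.append(f"{name}: IKEv2 DH group(s) {sorted(legacy)} "
                            "are MODP groups of 1536 bits or less")
        if side["wildcard_psk"]:
            findings.append(f"{name}: keyring accepts any peer address "
                            "with a single pre-shared key")
    return findings


if __name__ == "__main__":
    asr = parse_crypto(ASR1001_ORIGINAL)
    c93 = parse_crypto(C9300X_SOLUTION)
    for finding in compare(asr, c93, names=("ASR1001", "C9300X")):
        print("-", finding)
```

Run it with python3; each finding is one line. The wildcard-PSK finding reflects what the posted configs do: with `address 0.0.0.0 0.0.0.0` in the keyring and `match identity remote address 0.0.0.0` in the profile, any host that knows the pre-shared key can bring up an IKEv2 SA, so for anything beyond a lab the peer address should be pinned.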
01-13-2024 03:19 AM
Hello @dijix1990
Please provide these outputs from both sides:
show crypto ikev2 sa
01-13-2024 03:40 AM
ASR1001
asr1001#show crypto ikev2 sa
asr1001#show crypto ipsec sa

interface: Tunnel999
    Crypto map tag: Tunnel999-head-0, local addr 172.17.9.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.17.9.9 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.17.9.10, remote crypto endpt.: 172.17.9.9
     plaintext mtu 9198, path mtu 9198, ip mtu 9198, ip mtu idb GigabitEthernet0/0/3
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
asr1001# show interface tunnel999
Tunnel999 is up, line protocol is down
Hardware is Tunnel
Internet address is 10.100.101.2/30
MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate protection reg down
Tunnel source 172.17.9.10, destination 172.17.9.9
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec_profile")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:04:19
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
9300X
c9300x-02# show crypto ikev2 sa
c9300x-02#show crypto ipsec sa

interface: Tunnel999
    Crypto map tag: Tunnel999-head-0, local addr 172.17.9.9

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 172.17.9.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.17.9.9, remote crypto endpt.: 172.17.9.10
     plaintext mtu 9142, path mtu 9198, ip mtu 9198, ip mtu idb TwentyFiveGigE1/0/3
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
c9300x-02# show interface tunnel999
Tunnel999 is up, line protocol is down
Hardware is Tunnel
Internet address is 10.100.101.1/30
MTU 17892 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate protection reg down
Tunnel source 172.17.9.9, destination 172.17.9.10
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 9198 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec_profile")
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:05:33
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 20
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
20 packets output, 1440 bytes, 0 underruns
Output 0 broadcasts (0 IP multicasts)
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
01-13-2024 03:48 AM
On the 9300X side I can see the tunnel flapping:
Jan 13 14:43:16.405: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:43:16.411: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:43:21.446: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:43:23.269: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:43:46.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:43:46.416: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:44:16.407: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:44:16.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:44:21.877: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:44:23.684: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
Jan 13 14:44:46.404: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to up
Jan 13 14:44:46.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel999, changed state to down
but on the ASR1001 there is nothing in the log.
From the debug (ASR1001) I see these errors:
Jan 13 13:59:08.472: IKEv2-ERROR:(SESSION ID = 23309,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Jan 13 13:59:08.472: IKEv2-INTERNAL:(SESSION ID = 23309,SA ID = 1):SM Trace-> SA: I_SPI=BB37BE0121288ECF R_SPI=8668BD946D191F32 (I) MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL_RECD_LOAD_IPSEC
01-13-2024 04:04 AM
Check the MTU on both platforms.
I see a mismatch.
MHM
01-13-2024 04:41 AM
The MTU is 9198.
It's a direct link on the table.
01-13-2024 04:43 AM
plaintext mtu 9142
This is from what you shared.
*****I recommend studying the case in depth before changing any MTU.*****
MHM
01-13-2024 05:21 AM - edited 01-13-2024 05:22 AM
And? How can I change it?
BTW, the physical MTU:
Current configuration : 168 bytes
!
interface TwentyFiveGigE1/0/3
 no switchport
 mtu 9198
 ip address 172.17.9.9 255.255.255.252
end
c9300x-02#ping 172.17.9.9 si 9198 df
Type escape sequence to abort.
Sending 5, 9198-byte ICMP Echos to 172.17.9.9, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
01-13-2024 06:04 AM
The 9198-byte ping is OK.
Remove the IPsec profile from the tunnel and see whether it is stable or not.
MHM
01-13-2024 06:13 AM
Yes, without IPsec the tunnel works:
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec_profile
01-13-2024 08:02 AM - edited 01-13-2024 02:08 PM
I checked your debug.
IKEv2 phase II uses AES-GCM.
MHM
01-13-2024 08:05 AM
Where can we see it? And why? It's a new platform and more secure.
01-13-2024 08:11 AM - edited 01-13-2024 02:08 PM
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 2 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-GCM
Use 128 instead of 256 and check.
And why it is a platform limit: this encryption needs hardware that supports it.
MHM
01-13-2024 08:23 AM
Yes, the C9300X has IPsec hardware encryption; by the datasheet the C9300X can do 100G IPsec.
01-13-2024 08:30 AM
I'll try to check encryption between C9300Xs tomorrow; Cisco recommends this switch as a DC interconnect with very strong encryption.