Cisco 1921 to WatchGuard T20 No Phase 2 Security Associations

WizJ

Just FYI, networking is not my strong suit. I do software development, so I apologize if I do not know terminology or ask a stupid question. So I am trying to use this Cisco as a test for a site-to-site VPN tunnel for a real-time HL7 project I am coding. From all the posts here I was able to get it functioning with a static IP address and working as a DHCP server. When I run a diagnostic on the VPN from the WatchGuard T20 I get the error:

Unable to find any active Phase 2 Security Associations (SAs) for tunnel route (10.0.1.0/24<->192.168.1.0/24).
Recommendation: Confirm whether either side is currently sending traffic through the tunnel.

Cisco Configuration:

Current configuration : 3120 bytes
!
! Last configuration change at 19:19:52 UTC Tue Oct 25 2022
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoConVpn
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 **********
!
no aaa new-model

!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CondorDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 71.10.216.1 71.10.216.2 4.4.4.4 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username ******** privilege 15 secret 5
!
redundancy
!
crypto ikev2 proposal Wg
encryption aes-cbc-128
integrity sha256
group 14
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1 md5
group 14
!
!
crypto ikev2 keyring Wg
peer Wg
address XX.XXX.XXX.XXX <--- WatchGuard Static IP
pre-shared-key local test
pre-shared-key remote test
!
!
!
crypto ikev2 profile Wg
match address local interface GigabitEthernet0/0
match identity remote address XX.XXX.XXX.XXX <--- WatchGuard Static IP 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local Wg
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key test address XX.XXX.XXX.XXX <--- Cisco Static IP
crypto isakmp key test address XX.XXX.XXX.XXX <--- WatchGuard Static IP
crypto isakmp profile 1
! This profile is incomplete (no match identity statement)
crypto isakmp profile toWg
! This profile is incomplete (no match identity statement)
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile 1
set transform-set MYSET
set pfs group14
set isakmp-profile 1
!
crypto ipsec profile Wg
set transform-set MYSET
set pfs group14
set ikev2-profile Wg
!
!
!
crypto map MYMAP 1 ipsec-isakmp
set peer XX.XXX.XXX.XXX <--- WatchGuard Static IP
set transform-set MYSET
set pfs group14
match address 100
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address XX.XXX.XXX.XXX <--- Cisco Static IP 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map MYMAP
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 XX.XXX.XXX.XXX <--- Modem Gateway
!
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.0.0.0 0.255.255.255 10.0.1.0 0.0.0.255
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input none
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
!
end

I was having an issue finishing Phase 1; now I am stuck on Phase 2.

WatchGuard Diagnostics showing:


*** WG Diagnostic Report for Gateway "toCisco" ***
Created On: Tue Oct 25 14:29:35 2022

[Conclusion]
Tunnel Name: CiscoTunnel
tunnel route#1(10.0.1.0/24<->192.168.1.0/24) - Not established
Unable to find any active Phase 2 Security Associations (SAs) for tunnel route (10.0.1.0/24<->192.168.1.0/24).
Recommendation: Confirm whether either side is currently sending traffic through the tunnel.

[Gateway Summary]
Gateway "toCisco" contains "1" gateway endpoint(s). IKE Version is IKEv2.
Gateway Endpoint #1 (name "toCisco") Enabled
PFS: Disabled AlwaysUp: Disabled
DPD: Disabled Keepalive: Enabled
Local ID<->Remote ID: {IP_ADDR(XX.XXX.XXX.XXX <--- WatchGuard Static IP) <-> IP_ADDR(XX.XXX.XXX.XXX <--- Cisco Static IP)}
Local GW_IP<->Remote GW_IP: {XX.XXX.XXX.XXX <--- WatchGuard Static IP <-> XX.XXX.XXX.XXX <--- Cisco Static IP}
Outgoing Interface: eth0 (ifIndex=4)
ifMark=0x10000
linkStatus=2 (0:unknown, 1:down, 2:up)


[Tunnel Summary]
"1" tunnel(s) are found using the previous gateway

Name: "CiscoTunnel" Enabled
PFS: "Enabled" DH-Group: "14"
Number of Proposals: "1"
Proposal "ESP-AES-SHA1"
ESP:
EncryptAlgo: "AES" KeyLen: "32(bytes)"
AuthAlgo: "SHA"
LifeTime: "28800(seconds)" LifeByte: "0(kbytes)"
Number of Tunnel Routes: "1"
#1
Direction: "BOTH"
"10.0.1.0/24<->192.168.1.0/24"


[Run-time Info (gateway IKE_SA)]
Name: "toCisco" (IfStatus: 0x80000002)
IKE SAID: "0x7d6481eb" State: "MATURE"
Created: Tue Oct 25 12:27:16 2022
My Address: XX.XXX.XXX.XXX <--- WatchGuard Static IP:500 Peer Address: XX.XXX.XXX.XXX <--- Cisco Static IP:500
InitCookie: "f40c1dd9f710d1b8" RespCookie: "f049a6c5eb494869"
LifeTime: "86400(seconds)" LifeByte: "0(kbtyes)" DPD: "Enabled"
Serial Number: 63
msgIdSend: 248 msgIdRecv: 0


[Run-time Info (tunnel IPSEC_SA)]
"0" IPSEC SA(s) are found under tunnel "CiscoTunnel"

[Run-time Info (tunnel IPSEC_SP)]
"1" IPSEC SP(s) are found under tunnel "CiscoTunnel"
#1
Tunnel Endpoint: "XX.XXX.XXX.XXX <--- WatchGuard Static IP->XX.XXX.XXX.XXX <--- Cisco Static IP"
Tunnel Selector: 10.0.1.0/24 -> 192.168.1.0/24 Proto: ANY
Created On: Tue Oct 25 13:27:05 2022
Gateway Name: "toCisco"
Tunnel Name: "CiscoTunnel"

[Address Pairs in Firewalld]
Address Pairs for tunnel "CiscoTunnel"
Direction: BOTH
10.0.1.0/24 <-> 192.168.1.0/24

[Policy checker result]
Tunnel name: CiscoTunnel
#1 tunnel route 10.0.1.0/24<->192.168.1.0/24
No policy checker results for this tunnel(no P2SA found or some other error)

[Related Logs]
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)'DPD request' message created successfully. length:76
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Sent out DPD request message (msgId=247) from XX.XXX.XXX.XXX <--- WatchGuard Static IP:500 to XX.XXX.XXX.XXX <--- Cisco Static IP:500 for 'toCisco' gateway endpoint successfully.
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)ikeSA(0x146412f8)'s msgIdSend is updated: 247 -> 248
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)******** RECV an IKE packet at XX.XXX.XXX.XXX <--- WatchGuard Static IP:500(socket=14 ifIndex=4) from Peer XX.XXX.XXX.XXX <--- Cisco Static IP:500 ********
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Received IKEv2 "INFO response" message with message-ID:247 length:76 SPI[i=f40c1dd9f710d1b8 r=f049a6c5eb494869]
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)"INFO response" message has 1 payloads [ ENCR(sz=48)]
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Got IKE policy 'toCisco' from ikeSA(0x146412f8)
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)"INFO response" message has 0 payloads []
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)IKEv2 "INFO response"'s decrypted message contains 0 payloads []
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)dispatch the received INFO response message - IkeSA(0x146412f8)'s state=MATURE
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)Received the DPD response from XX.XXX.XXX.XXX <--- Cisco Static IP:500 for gateway(toCisco), msgId=247
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)ike2_P1StatusChange: notify ikePcy(toCisco ver#2)'s status becomes "UP" (ikeSA=0x146412f8)
<158>Oct 25 14:29:26 iked[2882]: (XX.XXX.XXX.XXX <--- WatchGuard Static IP<->XX.XXX.XXX.XXX <--- Cisco Static IP)stop the retry object(0x146434e8) for the previous request message(name=DPD request, msgId=247)

Been stuck on this for a couple hours now. Any help would be greatly appreciated.

Accepted Solution

@WizJ well, the screenshot from the WatchGuard says the IPsec phase 2 settings ESP AES/SHA with PFS 14 are selected, right?

So change the Cisco router transform set to use AES/SHA:

crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel

However, the Cisco logs previously stated "Oct 26 17:59:45.812: IKEv2-ERROR:(SESSION ID = 10,SA ID = 3):Received Policies:
: Failed to find a matching policyESP: Proposal 1: AES-CBC-256 SHA96 Don't use ESN"

So have the WatchGuard settings changed?

Either way, the ciphers used need to match on both devices. The other phase 2 option on the WatchGuard is AES256/SHA256, so if you attempt to use those settings, you'd have to change the Cisco transform set to use AES256/SHA256.


23 Replies

@WizJ looks like your NAT ACL "1" would translate all traffic from 192.168.1.0/24 behind the Gi0/0 interface. You should change the NAT ACL to deny traffic from 192.168.1.0/24 to 10.0.1.0/24, so that this traffic is not translated over the VPN; you'd then permit the rest of the traffic from 192.168.1.0/24.

Example:

no access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any


Thank you for your response Rob. I will make the changes you suggested and report back.


OK, so I made those changes and now have a different error. Running the diagnostic from the WatchGuard gives me an error:

Tunnels were deleted due to a keep-alive negotiation failure. Check the connetion between local and remote gateway endpoints.

I also turned on isakmp and ipsec debug on the Cisco and the only message I had was

ISAKMP: (0) Peer matches *none* of the profiles

Again thank you for your help with this.

@WizJ You've configured an IKEv2 profile, but aren't referencing it under the crypto map:

crypto map MYMAP 1 ipsec-isakmp
set ikev2-profile Wg

What debugs did you enable on the cisco router? IKEv2 or ISAKMP? Provide the full debug of IKEv2 so we can see everything.

You can also get rid of the ISAKMP profiles as they are incomplete and would never work.

I will add the reference for the map. I only enabled isakmp and ipsec. I will enable IKEv2 and give you the full debug.

I had this error before, not matching an IKEv2 profile, which is why I created the profile. It fixed that error. Recently I made changes to the profile (in desperation) and removed the static IP of the WG router and put in its private IP. I'm pretty sure I have butchered the profile. Here is the debug of IKEv2.

Oct 26 16:14:44.894: IKEv2:Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 7CBC814A781CAE5F - Responder SPI : 0000000000000000 Message id:0
IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16418) VID

Oct 26 16:14:44.894: IKEv2:(SESSION ID = 5,SA ID = 1):Verify SA init message
Oct 26 16:14:44.894: IKEv2:(SESSION ID = 5,SA ID = 1):Insert SA
Oct 26 16:14:44.894: IKEv2:Searching Policy with fvrf 0, local address XX.XXX.253.101
Oct 26 16:14:44.894: IKEv2:Using the Default Policy for Proposal
Oct 26 16:14:44.894: IKEv2:Found Policy 'default'
Oct 26 16:14:44.894: IKEv2:(SESSION ID = 5,SA ID = 1):Processing IKE_SA_INIT message
Oct 26 16:14:44.894: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Oct 26 16:14:44.894: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Oct 26 16:14:44.894: IKEv2:Failed to retrieve Certificate Issuer list
Oct 26 16:14:44.898: IKEv2:(SESSION ID = 5,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Oct 26 16:14:45.050: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Oct 26 16:14:45.050: IKEv2:(SESSION ID = 5,SA ID = 1):Request queued for computation of DH key
Oct 26 16:14:45.050: IKEv2:(SESSION ID = 5,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Oct 26 16:14:45.242: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Oct 26 16:14:45.242: IKEv2:(SESSION ID = 5,SA ID = 1):Request queued for computation of DH secret
Oct 26 16:14:45.242: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Oct 26 16:14:45.242: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Oct 26 16:14:45.242: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Oct 26 16:14:45.242: IKEv2:(SESSION ID = 5,SA ID = 1):Generating IKE_SA_INIT message
Oct 26 16:14:45.242: IKEv2:(SESSION ID = 5,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_2048_MODP/Group 14
Oct 26 16:14:45.242: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Oct 26 16:14:45.242: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Oct 26 16:14:45.242: IKEv2:Failed to retrieve Certificate Issuer list

Oct 26 16:14:45.242: IKEv2:(SESSION ID = 5,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 7CBC814A781CAE5F - Responder SPI : 9F52C48A6A86CB91 Message id:0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Oct 26 16:14:45.246: IKEv2:(SESSION ID = 5,SA ID = 1):Completed SA init exchange

Oct 26 16:14:45.246: IKEv2:(SESSION ID = 5,SA ID = 1):Starting timer (30 sec) to wait for auth message

Oct 26 16:14:45.282: IKEv2:(SESSION ID = 5,SA ID = 1):Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 7CBC814A781CAE5F - Responder SPI : 9F52C48A6A86CB91 Message id:1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi IDr AUTH SA TSi TSr

Oct 26 16:14:45.282: IKEv2:(SESSION ID = 5,SA ID = 1):Stopping timer to wait for auth message
Oct 26 16:14:45.282: IKEv2:(SESSION ID = 5,SA ID = 1):Checking NAT discovery
Oct 26 16:14:45.282: IKEv2:(SESSION ID = 5,SA ID = 1):NAT not found
Oct 26 16:14:45.286: IKEv2:(SESSION ID = 5,SA ID = 1):Searching policy based onpeer's identity 'XX.XXX.253.100' of type 'IPv4 address'
Oct 26 16:14:45.286: IKEv2-ERROR:% IKEv2 profile not found
Oct 26 16:14:45.286: ISAKMP: (0):peer matches *none* of the profiles
Oct 26 16:14:45.286: IKEv2-ERROR:(SESSION ID = 5,SA ID = 1):: Failed to locate an item in the database
Oct 26 16:14:45.286: IKEv2:(SESSION ID = 5,SA ID = 1):Verification of peer's authentication data FAILED
Oct 26 16:14:45.286: IKEv2:(SESSION ID = 5,SA ID = 1):Sending authentication failure notify
Oct 26 16:14:45.286: IKEv2:(SESSION ID = 5,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

Oct 26 16:14:45.286: IKEv2:(SESSION ID = 5,SA ID = 1):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 7CBC814A781CAE5F - Responder SPI : 9F52C48A6A86CB91 Message id:1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

Oct 26 16:14:45.290: IKEv2:(SESSION ID = 5,SA ID = 1):Auth exchange failed
Oct 26 16:14:45.290: IKEv2-ERROR:(SESSION ID = 5,SA ID = 1):: Auth exchange failed
Oct 26 16:14:45.290: IKEv2:(SESSION ID = 5,SA ID = 1):Abort exchange
Oct 26 16:14:45.290: IKEv2:(SESSION ID = 5,SA ID = 1):Deleting SA


@WizJ so it's not finding the IKEv2 profile, amend:

crypto ikev2 profile Wg
 no match address local interface GigabitEthernet0/0
 identity local address <ip address of outside/external interface>

Also, you've got a custom IKEv2 Proposal but no IKEv2 policy to reference this, so it's likely you are using the IKEv2 defaults instead.

Example:

crypto ikev2 policy IKEV2_POLICY
 proposal Wg

Gotcha. When you say

<ip address of outside/external interface>

is that the public ip address of the Cisco router?

@WizJ yes, the IP address of the local device.

Oct 26 17:15:59.250: IKEv2:Received Packet [From XX.XXX.253.100:500/To XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 763247961875385E - Responder SPI : 0000000000000000 Message id:0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16418) VID

Oct 26 17:15:59.250: IKEv2:(SESSION ID = 8,SA ID = 3):Verify SA init message
Oct 26 17:15:59.250: IKEv2:(SESSION ID = 8,SA ID = 3):Insert SA
Oct 26 17:15:59.250: IKEv2:Searching Policy with fvrf 0, local address XX.XXX.253.101
Oct 26 17:15:59.250: IKEv2:Found Policy 'IKEV2_POLICY'
Oct 26 17:15:59.250: IKEv2:(SESSION ID = 8,SA ID = 3):Processing IKE_SA_INIT message
Oct 26 17:15:59.254: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):Received Policies: :
Failed to find a matching policyProposal 1: AES-CBC-128 SHA1 SHA96 DH_GROUP_20
48_MODP/Group 14
Oct 26 17:15:59.258:
Oct 26 17:15:59.258:
Oct 26 17:15:59.258: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):Expected Policies: :
Failed to find a matching policyProposal 1: AES-CBC-128 SHA256 SHA256 DH_GROUP
_2048_MODP/Group 14
Oct 26 17:15:59.262:
Oct 26 17:15:59.266:
Oct 26 17:15:59.266: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):: Failed to find a matching policy
Oct 26 17:15:59.266: IKEv2:(SESSION ID = 8,SA ID = 3):Sending no proposal chosen notify

Oct 26 17:15:59.266: IKEv2:(SESSION ID = 8,SA ID = 3):Sending Packet [To XX.XXX.253.100:500/From XX.XXX.253.101:500/VRF i0:f0]
Initiator SPI : 763247961875385E - Responder SPI : A963D2F6158899CD Message id:0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)

Oct 26 17:15:59.266: IKEv2:(SESSION ID = 8,SA ID = 3):Failed SA init exchange
Oct 26 17:15:59.266: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):Initial exchange failed: Initial exchange failed
Oct 26 17:15:59.266: IKEv2:(SESSION ID = 8,SA ID = 3):Abort exchange
Oct 26 17:15:59.266: IKEv2:(SESSION ID = 8,SA ID = 3):Deleting SA

@WizJ Failed to find a matching policy

Oct 26 17:15:59.254: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):Received Policies: :
Failed to find a matching policyProposal 1: AES-CBC-128 SHA1 SHA96 DH_GROUP_20
48_MODP/Group 14
Oct 26 17:15:59.258:
Oct 26 17:15:59.258:
Oct 26 17:15:59.258: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):Expected Policies: :
Failed to find a matching policyProposal 1: AES-CBC-128 SHA256 SHA256 DH_GROUP
_2048_MODP/Group 14
!
Oct 26 17:15:59.266: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):: Failed to find a matching policy

Did you create an IKEv2 policy and reference your IKEv2 proposal like I suggested?

If you did, provide the full updated running config.
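As an added example (not from the thread, Cisco or WatchGuard), the following Python helper re-joins the terminal-wrapped `debug crypto ikev2` records quoted above and compares the Received and Expected proposals transform type by transform type, so each field is checked on the unwrapped record. The sample debug text is constructed from the lines quoted in this thread; the field order (encryption, PRF, integrity, DH group) follows how IOS prints a proposal, and one transform per type is assumed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the Received/Expected Policies pair from the
# `debug crypto ikev2` output quoted in the thread, including the record
# that the terminal wrapped in the middle of "DH_GROUP_2048_MODP".
SAMPLE_DEBUG = """\
Oct 26 17:15:59.254: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):Received Policies: :
Failed to find a matching policyProposal 1: AES-CBC-128 SHA1 SHA96 DH_GROUP_20
48_MODP/Group 14
Oct 26 17:15:59.258:
Oct 26 17:15:59.258: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):Expected Policies: :
Failed to find a matching policyProposal 1: AES-CBC-128 SHA256 SHA256 DH_GROUP
_2048_MODP/Group 14
Oct 26 17:15:59.266: IKEv2-ERROR:(SESSION ID = 8,SA ID = 3):: Failed to find a matching policy
"""

# An IOS debug record starts with "Mon DD HH:MM:SS.mmm:"; any other line is a
# continuation of the previous record (terminal wrap or embedded newline).
TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+:")
PROPOSAL = re.compile(r"Proposal (\d+): (.*)$")
DH_GROUP = re.compile(r"\s*(DH_GROUP_\S+)/Group (\d+)\s*$")


def unwrap(text: str) -> List[str]:
    """Re-join wrapped lines so every debug record is one string."""
    records: List[str] = []
    for line in text.splitlines():
        if TIMESTAMP.match(line) or not records:
            records.append(line)
        else:
            # The wrap dropped nothing, so concatenate without a separator:
            # "DH_GROUP_20" + "48_MODP/Group 14" -> "DH_GROUP_2048_MODP/Group 14"
            records[-1] += line
    return records


def parse_proposal(record: str) -> Dict[str, str]:
    """Split one IKEv2 proposal into encryption, PRF, integrity and DH group.

    Assumes a single transform per type, which is what these records show.
    """
    m = PROPOSAL.search(record)
    if not m:
        raise ValueError("no 'Proposal N:' in record: %r" % record)
    rest = m.group(2)
    dh = DH_GROUP.search(rest)
    if not dh:
        raise ValueError("no DH group in proposal: %r" % rest)
    head = rest[: dh.start()].split()
    if len(head) != 3:
        raise ValueError("expected ENCR PRF INTEG before DH group, got %r" % head)
    return {"encryption": head[0], "prf": head[1], "integrity": head[2],
            "dh_group": dh.group(2)}


def extract_policies(text: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (received, expected) proposals found in a debug excerpt."""
    received = expected = None
    for rec in unwrap(text):
        if "Received Policies" in rec:
            received = parse_proposal(rec)
        elif "Expected Policies" in rec:
            expected = parse_proposal(rec)
    if received is None or expected is None:
        raise ValueError("excerpt lacks a Received/Expected Policies pair")
    return received, expected


def mismatches(received: Dict[str, str], expected: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Transform types where the peer's offer and the local policy differ."""
    return {k: (received[k], expected[k]) for k in received if received[k] != expected[k]}


if __name__ == "__main__":
    rx, ex = extract_policies(SAMPLE_DEBUG)
    for field, (got, want) in mismatches(rx, ex).items():
        print(f"{field}: peer offered {got}, local policy expects {want}")
```

Run against a fresh debug capture, the output lists only the transform types that differ, which is the list of settings to align on one side or the other.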

Yes I did. Here is the config:

Current configuration : 3341 bytes
!
! Last configuration change at 17:29:58 UTC Wed Oct 26 2022
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CiscoConVpn
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
no aaa new-model
!
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool CondorDHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 71.10.216.1 71.10.216.2 4.4.4.4 8.8.8.8
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid
!
username $$%% privilege 15 secret 5
!
redundancy
!
crypto ikev2 proposal Wg
encryption aes-cbc-128
integrity sha256
group 14
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1 md5
group 14
!
crypto ikev2 policy IKEV2_POLICY
proposal Wg
!
crypto ikev2 keyring Wg
peer Wg
address XX.XXX.253.100
pre-shared-key local test
pre-shared-key remote test
!
!
!
crypto ikev2 profile Wg
match identity remote address 192.168.1.1 255.255.255.255
match identity remote address 10.0.1.0 255.255.255.0
match identity remote address XX.XXX.253.100 255.255.255.255
identity local address XX.XXX.253.101
authentication remote pre-share
authentication local pre-share
keyring local Wg
!
!
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 14
crypto isakmp key test address XX.XXX.253.101
crypto isakmp key test address XX.XXX.253.100
crypto isakmp keepalive 30
crypto isakmp nat keepalive 20
crypto isakmp profile 1
! This profile is incomplete (no match identity statement)
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
mode tunnel
!
crypto ipsec profile 1
set transform-set MYSET
set pfs group14
set isakmp-profile 1
!
crypto ipsec profile Wg
set transform-set MYSET
set pfs group14
set ikev2-profile Wg
!
!
!
crypto map MYMAP 1 ipsec-isakmp
set peer XX.XXX.253.100
set transform-set MYSET
set pfs group14
set ikev2-profile Wg
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address XX.XXX.253.101 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map MYMAP
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 24.216.253.97
!
ipv6 ioam timestamp
!
!
access-list 100 permit ip 192.0.0.0 0.255.255.255 10.0.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
control-plane
!
!
vstack
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input none
!
scheduler allocate 20000 1000
ntp server 34.202.215.187
!
end


I'm sorry Rob, this is just a mess. It would not let me remove the ISAKMP profile 1 because it said it was still in use. I see that I am referencing that profile in an IPsec profile 1 that I do not need.

The WatchGuard Phase 2 settings are AES and SHA1. I'm assuming they were using the IKEv2 default proposal before you had me create the IKEv2 policy that is now referencing the correct profile. That profile is using incorrect integrity methods.

@WizJ you can get rid of these settings that aren't in use:

no crypto ipsec profile 1
no crypto ipsec profile Wg
no crypto isakmp profile 1

Re-checking the logs, I noticed the received settings are not identical to any of your proposals.

Received Policies:
Failed to find a matching policyProposal 1: AES-CBC-128 SHA1 SHA96 DH_GROUP_20
48_MODP/Group 14

Amend your IKEv2 proposal to include SHA1 and group 20.

crypto ikev2 proposal Wg
 encryption aes-cbc-128
 integrity sha256 sha1
 group 14 20


Your NAT rule is still incorrect: you are referencing ACL 1 ("ip nat inside source list 1 interface GigabitEthernet0/0 overload"); it should reference ACL 101.
