04-25-2023 05:24 AM
The tunnel does not come up.
crypto ikev2 proposal PROP-CBT
encryption aes-cbc-256
prf sha256
integrity sha512
group 14
crypto ikev2 policy POL-CBT
proposal PROP-CBT
crypto ikev2 keyring KEY-CBT
peer KEY-CBT
address 10.10.10.10
pre-shared-key *************
crypto ikev2 profile PROFILE-CBT
match identity remote address 10.10.10.10 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEY-CBT
crypto ipsec transform-set TS-CBT esp-aes 256 esp-sha256-hmac
mode tunnel
crypto map IPSECMAP 104 ipsec-isakmp
set peer 10.10.10.10
set security-association lifetime seconds 28800
set transform-set TS-CBT
set pfs group14
set ikev2-profile PROFILE-CBT
match address VPN-CBT
ip access-list extended VPN-CBT
permit ip host 192.168.168.125 host 17.10.10.20
permit ip host 192.168.168.111 host 17.10.10.20
router#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
04-25-2023 05:28 AM
@fgafurov29 you've configured a policy-based VPN; you need to generate interesting traffic in order for the tunnel to be established.
From 192.168.168.125 or 192.168.168.111 ping 17.10.10.20 and see if the tunnel is established. If not, enable IKEv2 debugs and provide the output for review.
04-25-2023 07:46 AM
This device has one tunnel configured.
I wanted to set up the second one based on the previous one, but it doesn't work.
Here are the logs:
Apr 25 14:35:13.064: IKEv2:Received Packet [From 10.10.10.10:500/To 20.20.20.20.:500/VRF i0:f0]
Initiator SPI : 46ADDBECE5B451AD - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Apr 25 14:35:13.064: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 858
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 396
last proposal: 0x2, reserved: 0x0, length: 52
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
Apr 25 14:35:13.132: IKEv2-INTERNAL:(SESSION ID = 45346,SA ID = 2):SM Trace-> SA: I_SPI=46ADDBECE5B451AD R_SPI=6FE1F18FC14F569F (R) MsgID = 0 CurState: EXIT Event: EV_CHK_GKM
Apr 25 14:35:13.132: IKEv2-INTERNAL:(SESSION ID = 45346,SA ID = 2):SM Trace-> SA: I_SPI=46ADDBECE5B451AD R_SPI=6FE1F18FC14F569F (R) MsgID = 0 CurState: EXIT Event: EV_UPDATE_CAC_STATS
Apr 25 14:35:13.136: IKEv2:(SESSION ID = 45346,SA ID = 2):Abort exchange
Apr 25 14:35:13.136: IKEv2:(SESSION ID = 45346,SA ID = 2):Deleting SA
Apr 25 14:35:15.088: IPSEC:(SESSION ID = 40733) (STATES) ident_rekey_timeout Sending crypto_ss_connection_failed
04-25-2023 05:32 AM
If you initiate traffic and it does not work, update me; I think I know where the issue is.
04-25-2023 07:51 AM
What could be the problem?
04-25-2023 08:20 AM
There is a mismatch in the proposals; you can see the router sends three proposals.
What is the config of the other peer?
04-25-2023 08:44 AM
What are the three suggestions?
The partner configuration is not available to me.
And besides, before setting up the second tunnel, it worked.
04-25-2023 10:37 AM
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
last proposal: 0x2, reserved: 0x0, length: 44
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA384
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA384
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
These are the three proposals sent to the peer. NOW you mention that the ONE VPN stopped working when the other ONE was added??
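As an added illustration (not code from the thread's devices), the following Python parses the proposal lines from the IKE_SA_INIT dump above and reports which of the three proposals offers every transform of the locally configured PROP-CBT (aes-cbc-256 / sha256 / sha512 / group 14). The dump does not print the AES key-length attribute, so key length is assumed equal and not compared.

```python
import re
from collections import defaultdict
# IKEv2 transform types as numbered in Cisco "debug crypto ikev2" SA payload dumps.
TRANSFORM_TYPES = {1: "encr", 2: "prf", 3: "integ", 4: "dh"}
PROPOSAL_RE = re.compile(r"^Proposal: (\d+), Protocol id: (\w+)")
TRANSFORM_RE = re.compile(r"^type: (\d+), reserved: 0x0, id: (.+)$")

def parse_proposals(debug_text):
    """Map proposal number -> {transform type -> set of offered ids}."""
    proposals, current = {}, None
    for line in map(str.strip, debug_text.splitlines()):
        m = PROPOSAL_RE.match(line)
        if m:
            current = int(m.group(1))
            proposals[current] = defaultdict(set)
            continue
        m = TRANSFORM_RE.match(line)
        if m and current is not None:
            ttype, tid = TRANSFORM_TYPES[int(m.group(1))], m.group(2).strip()
            if ttype == "dh":  # "DH_GROUP_2048_MODP/Group 14" -> 14
                tid = int(re.search(r"Group (\d+)", tid).group(1))
            proposals[current][ttype].add(tid)
    return proposals

def matching_proposals(proposals, local):
    """Numbers of proposals offering every transform in `local` (key length is not in the dump, so not compared)."""
    return sorted(n for n, tr in proposals.items() if all(local[t] in tr[t] for t in local))

# Constructed sample: the three IKE proposals from the debug output in this thread, "last transform" lines left out.
SAMPLE = """
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA512
type: 2, reserved: 0x0, id: SHA256
type: 3, reserved: 0x0, id: SHA512
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA256
type: 3, reserved: 0x0, id: SHA512
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
type: 2, reserved: 0x0, id: SHA384
type: 3, reserved: 0x0, id: SHA384
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
"""
# The local "crypto ikev2 proposal PROP-CBT" from the thread, written in the dump's ids.
PROP_CBT = {"encr": "AES-CBC", "prf": "SHA256", "integ": "SHA512", "dh": 14}
```

Running `matching_proposals(parse_proposals(SAMPLE), PROP_CBT)` lists the proposal numbers that agree with PROP-CBT on all four transform types; a proposal with more than one transform of the same type (proposal 1 offers two PRFs) is treated as offering either.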
04-25-2023 08:33 PM
Yes, it is; after bringing up one tunnel, the tunnel that worked went down. But on this device it is planned to set up 3 tunnels: the 1st one is configured, the 2nd one is being set up at the moment, and the 3rd one is in the process. And in the future we will bring up the tunnel.
04-26-2023 01:46 AM
show call admission statistics
show crypto call admission statistics
Also, are you configuring one crypto map with multiple sequence numbers, or multiple crypto maps?
04-26-2023 02:13 AM
router#show call admission statistics
Total call admission charges: 70, limit 0
Total calls rejected 0, accepted 0
Load metric: charge 70, unscaled 70%
router#show crypto call admission statistics
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 1000
Total IKE SA Count: 22 active: 13 negotiating: 9
Incoming IKE Requests: 943212 accepted: 943212 rejected: 0
Outgoing IKE Requests: 1059747 accepted: 1059747 rejected: 0
Rejected IKE Requests: 0 rsrc low: 0 Active SA limit: 0
In-neg SA limit: 0
IKE packets dropped at dispatch: 0
Max IPSEC SAs: 0
Total IPSEC SA Count: 28 active: 28 negotiating: 0
Incoming IPSEC Requests: 4655 accepted: 4655 rejected: 0
Outgoing IPSEC Requests: 108902 accepted: 108902 rejected: 0
Phase1.5 SAs under negotiation: 1
Yes, I'm setting up with several sequence numbers. For example, IPSECMAP 10, IPSECMAP 20, IPSECMAP 30, and so on.
crypto map IPSECMAP 70 ipsec-isakmp
set peer ***************
set transform-set set1
match address VPN
crypto map IPSECMAP 80 ipsec-isakmp
set peer ***********
set transform-set set2
match address *********
crypto map IPSECMAP 90 ipsec-isakmp
set peer *************
set transform-set *************
match address **********
crypto map IPSECMAP 101 ipsec-isakmp
set peer ****************
set security-association lifetime seconds 86400
set transform-set ***
set pfs group14
set ikev2-profile **************
match address **************
crypto map IPSECMAP 103 ipsec-isakmp
set peer *****************
set security-association lifetime seconds 86400
set transform-set ***************
set pfs group14
match address ******************
crypto map IPSECMAP 110 ipsec-isakmp
set peer ****************
set security-association lifetime seconds 28800
set transform-set ******
set pfs group14
set ikev2-profile *************
match address ******************
04-26-2023 02:20 AM
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvx74212
This is a bug; check what Cisco recommends to solve the issue.
Thanks
MHM