Solved: Re: Cisco CSR1000V IPSec Profile PFS not set

David Rollins · ‎11-12-2021

I have configured a flexvpn in my lab for use in production, on virtual CSR1000v's. I have PFS set in the IPsec Profile, but I am not seeing it in use. Any thoughts why that may be? I even changed the default IPsec profile, to see if it would have any affect.

Here is my config:

aaa authorization network FLEXVPN_LOCAL local
!
aaa session-id common
!
crypto ikev2 authorization policy IKEV2_AUTH
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha512
group 21
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
!
crypto pki certificate map CERT_MAP 5
issuer-name co pki-server
!
crypto ikev2 profile IKEV2-PROFILE
match certificate CERT_MAP
identity local fqdn remote1.homelab.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint pki-trust
dpd 10 3 periodic
aaa authorization group cert list FLEXVPN_LOCAL IKEV2_AUTH
!
crypto ipsec transform-set IPSEC-TRANS esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set IPSEC-TRANS
set pfs group21
set ikev2-profile IKEV2-PROFILE
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source GigabitEthernet2
tunnel destination 172.17.1.2
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC-PROFILE
service-policy output tunnel

Here is an output of show commands:

#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.17.1.2

protected vrf: (none)
local ident (addr/mask/prot/port): (172.17.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.17.1.1/255.255.255.255/47/0)
current_peer 172.17.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 373, #pkts encrypt: 373, #pkts digest: 373
#pkts decaps: 374, #pkts decrypt: 374, #pkts verify: 374
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.17.1.2, remote crypto endpt.: 172.17.1.1
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0x873CA09B(2268897435)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE4CBD56(239910230)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: CSR:16, sibling_flags FFFFFFFF80000048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607935/2371)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

#sh crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEv2 Profile: IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group21
Mixed-mode : Disabled
Transform sets={
IPSEC-TRANS: { esp-256-aes esp-sha512-hmac } ,
}

IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group21
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}

Rob Ingram · ‎11-13-2021

@David Rollins PFS will only show after a rekey, as per the Cisco IKEV2 book - "PFS will only show once the first CHILD_SA has been created, so you will need to allow the IPsec Security Association to rekey, which is by default 3600 seconds."

View solution in original post

Rob Ingram · ‎11-13-2021

@David Rollins PFS will only show after a rekey, as per the Cisco IKEV2 book - "PFS will only show once the first CHILD_SA has been created, so you will need to allow the IPsec Security Association to rekey, which is by default 3600 seconds."

UnspokenDrop7 · ‎11-25-2021

I have this issue too. I have setup a DMVPN in my lab and configured the IPSec profile, on both sides, to use PFS. But it never gets used. I have manually cleared the crypto session and even shutdown the tunnel interface, removed the IPSec profile, waited 5-10 minutes before re-applying the IPSec profile and then bring the tunnel interface online again. But still no PFS is in use. Everything else is negotiated correctly, both in both phase 1 and 2, but it's like setting PFS has no effect. Am I missing something here?

Crypto config LAB-HUB-1:

crypto ikev2 proposal IKEv2-PROPOSAL
encryption aes-gcm-256 aes-gcm-128
prf sha512 sha384 sha256
group 21 20 19
no crypto ikev2 proposal default
!
crypto ikev2 policy IKEv2-POLICY
match fvrf any
proposal IKEv2-PROPOSAL
no crypto ikev2 policy default
!
crypto ikev2 profile IKEv2-PROFILE
match identity remote fqdn domain lab.local
identity local fqdn LAB-HUB-1.lab.local
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint LAB-CA
dpd 30 3 on-demand
!
no crypto isakmp default policy
!
crypto ipsec transform-set TRANSFORM-SET esp-gcm 256
mode transport
no crypto ipsec transform-set default
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TRANSFORM-SET
set pfs group21
set ikev2-profile IKEv2-PROFILE
!
no crypto ipsec profile default

Crypto config LAB-HUB-2:

crypto ikev2 proposal IKEv2-PROPOSAL
encryption aes-gcm-256 aes-gcm-128
prf sha512 sha384 sha256
group 21 20 19
crypto ikev2 proposal SEC-IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha512 sha384 sha256
group 21 20 5 2
no crypto ikev2 proposal default
!
crypto ikev2 policy IKEv2-POLICY
match fvrf any
proposal IKEv2-PROPOSAL
proposal SEC-IKEV2-PROPOSAL
no crypto ikev2 policy default
!
crypto ikev2 profile IKEv2-PROFILE
match fvrf VRF-OLD
match identity remote fqdn domain lab.local
identity local fqdn LAB-HUB-2.lab.local
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint LAB-CA
dpd 30 3 on-demand
!
no crypto isakmp default policy
!
crypto ipsec transform-set SEC-TRANSFORMSET esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec transform-set TRANSFORM-SET esp-gcm 256
mode transport
no crypto ipsec transform-set default
!
crypto ipsec profile IPSEC-PROFILE
set transform-set TRANSFORM-SET SEC-TRANSFORMSET
set pfs group21
set ikev2-profile IKEv2-PROFILE
!
no crypto ipsec profile default

Show the IPSec SA on LAB-HUB-1:

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr x.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1080, #pkts encrypt: 1080, #pkts digest: 1080
#pkts decaps: 1241970, #pkts decrypt: 1241970, #pkts verify: 1241970
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xD0D4E4D1(3503613137)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x934D07B8(2471299000)
transform: esp-gcm 256 ,
in use settings ={Transport, }
conn id: 2653, flow_id: Onboard VPN:653, sibling_flags C0000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (2702901/216)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD0D4E4D1(3503613137)
transform: esp-gcm 256 ,
in use settings ={Transport, }
conn id: 2654, flow_id: Onboard VPN:654, sibling_flags C0000000, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4245645/216)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Show the IPSec SA on LAB-HUB-2:

interface: Tunnel0
Crypto map tag: IPSEC-PROFILE-head-1-IPv4, local addr x.x.x.x

protected vrf: VRF-OLD
local ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (x.x.x.x/255.255.255.255/47/0)
current_peer x.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 22140503, #pkts encrypt: 22140503, #pkts digest: 22140503
#pkts decaps: 16410, #pkts decrypt: 16410, #pkts verify: 16410
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
plaintext mtu 1466, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0
current outbound spi: 0x934D07B8(2471299000)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD0D4E4D1(3503613137)
transform: esp-gcm 256 ,
in use settings ={Transport, }
conn id: 4754, flow_id: ESG:2754, sibling_flags FFFFFFFF80000008, crypto map: IPSEC-PROFILE-head-1-IPv4
sa timing: remaining key lifetime (k/sec): (4607897/663)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x934D07B8(2471299000)
transform: esp-gcm 256 ,
in use settings ={Transport, }
conn id: 4753, flow_id: ESG:2753, sibling_flags FFFFFFFF80000008, crypto map: IPSEC-PROFILE-head-1-IPv4
sa timing: remaining key lifetime (k/sec): (3322317/663)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

UnspokenDrop7 · ‎11-26-2021

Did another check today and now the PFS is set to DH group 21. I have not made any change.

My guess is that something was still not really cleared despite me shutting down the interface for 5-10 minutes and made sure there was no IKEv2 or IPSec SAs before bringing the interface up again.

Rob Ingram · ‎11-26-2021

@UnspokenDrop7 the SA rekeyed, see answer above.

UnspokenDrop7 · ‎11-27-2021

@Rob Ingram
OK, so shutting down the interface (where the IPSec profile is used - tunnel protection ipsec profile IPSEC-PROFILE), waiting for any remaining IKEv2 and IPSec SAs to disappear or manually clearing them, and then bring the interface up again doesn't force the IPSec SA to rekey? I would have to clear the IPSec SA on the remote peer as well? I mean it must be possible to somehow manually trigger a rekey, right?

UnspokenDrop7 · ‎02-11-2022

@Rob Ingram
I had a moment today, I now understand rekey. Your first answer is now clear to me. Thanks!