Cisco ISR4431 IPSEC Ikev1 and Ikev2

giorgio ghezzi (Level 1)

Hi guys,

I have a problem configuring an IPsec VPN tunnel with IKEv2.
I already have an IPsec VPN with IKEv1 configured, up and running, and I need to configure a new one with IKEv2.

I have tried to configure it but, during the crypto isakmp debug, I received this error:

May 21 11:51:35.625: ISAKMP: (0):processing SA payload. message ID = 0
May 21 11:51:35.625: ISAKMP: (0):processing vendor id payload
May 21 11:51:35.625: ISAKMP: (0):vendor ID is DPD
May 21 11:51:35.625: ISAKMP: (0):processing vendor id payload
May 21 11:51:35.625: ISAKMP: (0):vendor ID seems Unity/DPD but major 152 mismatch
May 21 11:51:35.625: ISAKMP: (0):Using Default ISAKMP policies (check proposal).----> I have created an IKEv2 proposal but it's NOT used
May 21 13:51:35 CEST: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies ----> I have created an IKEv2 policy but it's NOT used
May 21 11:51:35.625: ISAKMP: (0):found peer pre-shared key matching 10.21.209.189
May 21 11:51:35.625: ISAKMP: (0):local preshared key found

Scanning profiles for xauth ... CUST-IKE-PROFILE_2  CUST123-IKE-PROFILE TEST_2-PROFILE
May 21 11:14:11.515: ISAKMP: (0):IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 10.X.X.X)
May 21 11:14:11.515: ISAKMP: (0):PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 10.X.X.X)
May 21 11:14:11.515: ISAKMP: (0):Checking ISAKMP transform 0 against priority 65503 policy
May 21 11:14:11.515: ISAKMP: (0): life type in seconds
May 21 11:14:11.515: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 21 11:14:11.515: ISAKMP: (0): encryption AES-CBC
May 21 11:14:11.515: ISAKMP: (0): keylength of 128
May 21 11:14:11.515: ISAKMP: (0): auth pre-share
May 21 11:14:11.515: ISAKMP: (0): hash SHA256
May 21 11:14:11.515: ISAKMP: (0): default group 14

May 21 11:14:11.515: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!

The problem is that I don't see the correct profile I created, CUST_IKEv2_PROFILE. The hash algorithm is correct:

crypto ikev2 proposal CUST_IKEv2-PROPOSAL
encryption aes-cbc-128
integrity sha256
group 14

I changed the crypto map name and added it to the interface:

interface GigabitEthernet0/0/3.900
description DR_CITY
encapsulation dot1Q 900
ip vrf forwarding DR-TO-CITY
ip address 172.30.254.X 255.255.255.240
standby 1 ip 172.30.254.X
standby 1 priority 120
standby 1 preempt
standby 1 name VPNHA-CMG
crypto map VPN_TRAFFIC-CMG_IKEv2
end

Any help is appreciated.

Giorgio
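Before reading the policy mismatch in the trace above, look at the prefix of each line: "ISAKMP:" and the "%CRYPTO-6-IKMP_POLICY_DEFAULT" syslog mnemonic belong to the IKEv1 (ISAKMP) code path, while IKEv2 traces are tagged "IKEv2:". An IKEv1 exchange never consults an IKEv2 proposal, policy or profile, so this trace on its own cannot say whether those objects are correct. The script below is an added example, not part of the original post: it sorts a pasted "debug crypto isakmp" / "debug crypto ikev2" capture by IKE version and pulls out the policy that was checked, the attributes the peer offered and the error lines. The sample text is the post's own output, trimmed; the IKEv2 lines are taken from further down the thread.

```python
import re
from typing import Dict, List, Optional

# Debug lines pasted in the post above, trimmed to the ones that matter.
SAMPLE_DEBUG = """\
May 21 11:51:35.625: ISAKMP: (0):processing SA payload. message ID = 0
May 21 11:51:35.625: ISAKMP: (0):Using Default ISAKMP policies (check proposal).
May 21 13:51:35 CEST: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies
May 21 11:14:11.515: ISAKMP: (0):Checking ISAKMP transform 0 against priority 65503 policy
May 21 11:14:11.515: ISAKMP: (0): encryption AES-CBC
May 21 11:14:11.515: ISAKMP: (0): keylength of 128
May 21 11:14:11.515: ISAKMP: (0): auth pre-share
May 21 11:14:11.515: ISAKMP: (0): hash SHA256
May 21 11:14:11.515: ISAKMP: (0): default group 14
May 21 11:14:11.515: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
"""

# IKEv2 lines from later in the thread, for contrast.
SAMPLE_DEBUG_V2 = """\
May 21 15:29:19.055: IKEv2-ERROR:(SESSION ID = 81550,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
May 21 15:29:19.055: IKEv2-ERROR:(SESSION ID = 81550,SA ID = 1):: Auth exchange failed
"""

# IOS tags IKEv1 debug with "ISAKMP:"/"ISAKMP-ERROR:" (and the IKMP_ syslog
# mnemonic); IKEv2 debug is tagged "IKEv2:"/"IKEv2-ERROR:".
ATTR_RE = {
    "encryption": re.compile(r"\bencryption (\S+)"),
    "keylength": re.compile(r"\bkeylength of (\d+)"),
    "auth": re.compile(r"\bauth (\S+)"),
    "hash": re.compile(r"\bhash (\S+)"),
    "group": re.compile(r"\bgroup (\d+)"),
}
POLICY_RE = re.compile(r"against priority (\d+) policy")
# Strip the "-ERROR:" tag and the "(0):" / "(SESSION ID = ...)::" prefix.
ERROR_RE = re.compile(r"-ERROR:\s*(?:\([^)]*\):*\s*)?(.*)$")


def ike_version(line: str) -> Optional[str]:
    """Classify one debug/syslog line as IKEv1, IKEv2 or neither."""
    if "IKEv2" in line:
        return "IKEv2"
    if "ISAKMP" in line or "%CRYPTO-6-IKMP" in line:
        return "IKEv1"
    return None


def triage(debug_text: str) -> Dict[str, object]:
    """Summarise a pasted crypto debug: which IKE version the peer is really
    negotiating, whether IOS fell back to a built-in default policy, what the
    peer offered, and the error lines."""
    counts = {"IKEv1": 0, "IKEv2": 0}
    offered: Dict[str, object] = {}
    errors: List[str] = []
    priority: Optional[int] = None
    default_used = False
    for line in debug_text.splitlines():
        ver = ike_version(line)
        if ver is None:
            continue
        counts[ver] += 1
        if "Default ISAKMP policies" in line or "IKMP_POLICY_DEFAULT" in line:
            default_used = True
        if m := POLICY_RE.search(line):
            priority = int(m.group(1))
        for key, rx in ATTR_RE.items():
            if m := rx.search(line):
                offered[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
        if m := ERROR_RE.search(line):
            errors.append(m.group(1).strip())
    version = max(counts, key=counts.get) if any(counts.values()) else None
    return {
        "version": version,
        "default_policy_used": default_used,
        "policy_priority": priority,
        "offered": offered,
        "errors": errors,
        # The one-line conclusion a reviewer wants first.
        "note": ("peer negotiated IKEv1 (ISAKMP); IKEv2 proposal/policy/profile "
                 "are not consulted in this exchange" if version == "IKEv1"
                 else "IKEv2 exchange" if version == "IKEv2" else "no IKE lines found"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DEBUG).items():
        print(f"{key}: {value}")
```

Run against the sample it reports version IKEv1, a fallback to the default policy (priority 65503) and the offered AES-CBC-128 / SHA256 / group 14 / pre-share set, which is exactly the IKEv1 proposal the peer sent; whatever IKEv2 objects exist on the box play no part until the peer actually starts an IKEv2 exchange.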

 

Accepted Solution

R2#show running-config
Building configuration...

Current configuration : 2321 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf ikev2
rd 1:1
!
! Lab-only algorithms: 3DES, MD5 and DH group 5 are deprecated; use
! aes-cbc-256 / sha256 / group 14 or higher in production.
crypto ikev2 proposal prop
encryption 3des
integrity md5
group 5
!
crypto ikev2 policy polc
match fvrf ikev2
proposal prop
!
crypto ikev2 keyring key
peer ANY
address 100.0.0.1
pre-shared-key cisco
!
!
!
crypto ikev2 profile prof
match fvrf ikev2
match identity remote address 100.0.0.1 255.255.255.255
identity local address 100.0.0.2
authentication remote pre-share
authentication local pre-share
keyring local key
!
!
!
! Lab-only as well: esp-des/esp-md5-hmac are weak; use esp-aes 256 esp-sha256-hmac.
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!
crypto ipsec profile prof
set transform-set trans
set ikev2-profile prof
!
!
crypto map mhm 10 ipsec-isakmp
set peer 100.0.0.1
set transform-set trans
set ikev2-profile prof
match address 100
!
!
!
!
!
interface Tunnel0
ip vrf forwarding ikev2
ip address 5.0.0.2 255.255.255.0
shutdown
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 100.0.0.1
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
ip vrf forwarding ikev2
ip address 100.0.0.2 255.255.255.0
duplex full
crypto map mhm
!
interface FastEthernet3/1
ip vrf forwarding ikev2
ip address 20.0.0.2 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf ikev2 10.0.0.0 255.255.255.0 100.0.0.1
!
access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end


10 Replies

Can you share the config?

I think you configured IKEv2 without it being VRF-aware.

Let me check that.

MHM

Hello MHM,

Below is the configuration:

crypto ikev2 keyring CUST_KEYRING_IKEv2
peer CUSTOMER
address 10.21.X.X
pre-shared-key SECRETKEY

crypto ikev2 proposal CUST_IKEv2-PROPOSAL
encryption aes-cbc-128
integrity sha256
group 14

crypto ikev2 policy CUST_IKEv2-POLICY
proposal CUST_IKEv2-PROPOSAL

ip access-list extended CUST_CRYPTOACL
10 permit ip 10.21.138.152 0.0.0.7 100.73.0.0 0.0.0.255

crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac

crypto ikev2 profile CUST_IKEv2-PROFILE
authentication local pre-share
authentication remote pre-share
match identity remote address 10.21.X.X 255.255.255.255
keyring CUST_KEYRING_IKEv2

crypto map VPN_TRAFFIC-CMG 30 ipsec-isakmp
set peer 10.21.X.X
set transform-set ESP-AES256-SHA256
set ikev2-profile CUST_IKEv2-PROFILE
match address CUST_CRYPTOACL

Bye
Giorgio

giorgio ghezzi (Level 1)

Hi MHM,

Yes, on the IKEv1 configuration I haven't added the VRF and it's OK.


Bye

OK,
show crypto ikev2 proposal <<- do you see the same as what you configured?
If yes, then try adding

no crypto ikev2 proposal default

and check again.

NOTE: you need to use identity local address x.x.x.x under the crypto ikev2 profile.

MHM

From your last post I have added the VRF in the IKEv2 policy:
crypto ikev2 policy CUST_IKEv2-POLICY
proposal CUST_IKEv2-PROPOSAL
match fvrf CUST_VRF

and now I receive this error:

May 21 15:29:19.055: IKEv2-ERROR:(SESSION ID = 81550,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
May 21 15:29:19.055: IKEv2-ERROR:(SESSION ID = 81550,SA ID = 1):: Auth exchange failed
May 21 15:29:30.093: IKEv2-ERROR:**bleep** type 3041043353 not supported

I've checked the pre-shared key on the customer FW and it seems the same:

IKEv1
ipsec-tunnel "tunnel1" create
    dynamic-keying
        ike-policy 1
        pre-shared-key "DCt3eiqN/v8MIWxS6B66ptuPQA9+G1Ah6f96Xw==" hash2

IKEv2
ipsec-tunnel "tunnel1" create
    security-policy 1
    dynamic-keying
        ike-policy 1
        pre-shared-key "DCt3eiqN/v8MIWxS6B66ptuPQA9+G1Ah6f96Xw==" hash2
        auto-establish
        transform 1

 

Based on this, what could it be?

Bye

Giorgio

@giorgio ghezzi match the FVRF under the IKEv2 profile.

crypto ikev2 profile CUST_IKEv2-PROFILE
 match fvrf CUST_VRF

Below I share the commands I use for a VRF-aware IKEv2 crypto map.

MHM
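Putting the two fixes from this thread together: on IOS, a user-defined IKEv2 policy or profile with no "match fvrf" matches only the global VRF, so a crypto map on an interface that sits in CUST_VRF silently falls through to the built-in default policy and proposal. The checker below is an added example, not Cisco code and not from this thread. It parses a running-config in "show run" form (children indented by a space, which the forum paste stripped) and reports that mismatch, a crypto map entry with no "set ikev2-profile" (which IOS negotiates with IKEv1), a profile whose remote identity is not the crypto map peer, and a missing "identity local address" (MHM's note above). The sample config is constructed from the snippets posted in the thread: the peer address is the one in the debug output, the local address and VRF name are placeholders, the keyring and transform set are omitted because the checker does not look at them, and the identity check assumes host (/32) identities.

```python
import re

# Constructed from the snippets posted in this thread, in "show run" form
# (children indented). Peer 10.21.209.189 is the address in the debug output;
# the local address and the VRF name are placeholders.
BEFORE = """\
crypto ikev2 policy CUST_IKEv2-POLICY
 proposal CUST_IKEv2-PROPOSAL
!
crypto ikev2 profile CUST_IKEv2-PROFILE
 match identity remote address 10.21.209.189 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local CUST_KEYRING_IKEv2
!
crypto map VPN_TRAFFIC-CUST 30 ipsec-isakmp
 set peer 10.21.209.189
 set transform-set ESP-AES256-SHA256
 set ikev2-profile CUST_IKEv2-PROFILE
 match address CUST_CRYPTOACL
!
interface GigabitEthernet0/0/2.450
 ip vrf forwarding CUST_VRF
 ip address 172.30.254.2 255.255.255.240
 crypto map VPN_TRAFFIC-CUST
"""
# The same config with the thread's two fixes (match fvrf on the policy and on
# the profile) plus the explicit local identity MHM recommends.
AFTER = (BEFORE
         .replace("\n proposal CUST_IKEv2-PROPOSAL\n",
                  "\n match fvrf CUST_VRF\n proposal CUST_IKEv2-PROPOSAL\n")
         .replace("\n match identity remote address",
                  "\n match fvrf CUST_VRF\n identity local address 172.30.254.2"
                  "\n match identity remote address"))


def parse_blocks(config):
    """Split running-config text into (top-level command, [indented children])."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        elif not line[0].isspace():
            blocks.append((line.strip(), []))
    return blocks


def named(blocks, prefix):
    # Index blocks whose header starts with `prefix` by the token after it.
    return {h[len(prefix):].split()[0]: ch for h, ch in blocks if h.startswith(prefix + " ")}


def arg(children, cmd):
    # Arguments of the first child command `cmd`, or None if it is absent.
    for c in children:
        if c == cmd or c.startswith(cmd + " "):
            return c[len(cmd):].strip()
    return None


def check_profile(name, ch, fvrf, peer):
    out = []
    pf = arg(ch, "match fvrf") or "global"  # no 'match fvrf' means global VRF only
    if pf not in (fvrf, "any"):
        out.append(f"ERROR: ikev2 profile {name} matches FVRF '{pf}' but the crypto map "
                   f"interface is in '{fvrf}'; add 'match fvrf {fvrf}'")
    # Host identities only; a subnet identity would need a real prefix check.
    ident = (arg(ch, "match identity remote address") or "").split()[:1]
    if ident != [peer]:
        out.append(f"ERROR: ikev2 profile {name} remote identity {ident} is not peer {peer}")
    if arg(ch, "identity local address") is None:
        out.append(f"WARN: ikev2 profile {name} has no 'identity local address'; set it so "
                   "both ends agree on the local IKE ID")
    return out


def lint(config):
    """List the reasons an IKEv2 crypto map on a VRF interface would not use
    its own policy/profile; [] means the config is consistent."""
    blocks = parse_blocks(config)
    policies = named(blocks, "crypto ikev2 policy")
    profiles = named(blocks, "crypto ikev2 profile")
    cmaps = [(m[1], m[2], ch) for h, ch in blocks
             if (m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", h))]
    findings = []
    for ifname, ich in named(blocks, "interface").items():
        cmap = arg(ich, "crypto map")
        if cmap is None:
            continue
        fvrf = arg(ich, "ip vrf forwarding") or arg(ich, "vrf forwarding") or "global"
        # A user-defined policy without 'match fvrf' matches only the global VRF.
        if not any((arg(ch, "match fvrf") or "global") in (fvrf, "any") for ch in policies.values()):
            findings.append(f"ERROR: no ikev2 policy matches FVRF '{fvrf}' of {ifname}; "
                            "IOS falls back to the built-in default policy and proposal")
        for name, seq, mch in cmaps:
            if name != cmap:
                continue
            peer = arg(mch, "set peer") or ""
            prof = arg(mch, "set ikev2-profile")
            if prof is None:
                findings.append(f"ERROR: crypto map {name} {seq}: no 'set ikev2-profile', "
                                f"so peer {peer} is negotiated with IKEv1 (ISAKMP)")
            elif prof not in profiles:
                findings.append(f"ERROR: crypto map {name} {seq}: ikev2 profile {prof} is not defined")
            else:
                findings += check_profile(prof, profiles[prof], fvrf, peer)
    return findings
```

lint(BEFORE) returns two errors (policy and profile both bound to the global VRF) and the identity warning; lint(AFTER) returns an empty list. Feed it the output of "show running-config" from a real box to check every crypto-map interface at once.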

giorgio ghezzi (Level 1)

Thanks for the example.
The only difference between our configurations is that I have no IPsec profile, but I have applied it to the crypto map.


crypto map VPN_TRAFFIC-CUST 30 ipsec-isakmp
set peer 10.21.X.1X
set transform-set ESP-AES256-SHA256
set ikev2-profile CUST_IKEv2-PROFILE
match address CUST_CRYPTOACL

Applied to the outside interface G0/0/2.450:
interface GigabitEthernet0/0/2.450
description DR_M2M
encapsulation dot1Q 900
ip vrf forwarding CUST_VRF
ip address 172.30.X.X 255.255.255.240
standby 1 ip 172.30.X.X
standby 1 priority 120
standby 1 preempt
standby 1 name VPNHA-CUST
standby 1 track 12 decrement 30
crypto map VPN_TRAFFIC-CUST

All the rest is the same.

I guess it's an authentication problem. I will keep you updated.

Bye

Giorgio

R1#show running-config
Building configuration...

Current configuration : 2321 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf ikev2
rd 1:1
!
! Lab-only algorithms: 3DES, MD5 and DH group 5 are deprecated; use
! aes-cbc-256 / sha256 / group 14 or higher in production.
crypto ikev2 proposal prop
encryption 3des
integrity md5
group 5
!
crypto ikev2 policy polc
match fvrf ikev2
proposal prop
!
crypto ikev2 keyring key
peer ANY
address 100.0.0.2
pre-shared-key cisco
!
!
!
crypto ikev2 profile prof
match fvrf ikev2
match identity remote address 100.0.0.2 255.255.255.255
identity local address 100.0.0.1
authentication remote pre-share
authentication local pre-share
keyring local key
!
!
!
! Lab-only as well: esp-des/esp-md5-hmac are weak; use esp-aes 256 esp-sha256-hmac.
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!

! this is for my lab
crypto ipsec profile prof
set transform-set trans
set ikev2-profile prof
!
!
crypto map mhm 10 ipsec-isakmp
set peer 100.0.0.2
set transform-set trans
set ikev2-profile prof
match address 100
!
!
!
!
!
interface Tunnel0
ip vrf forwarding ikev2
ip address 5.0.0.1 255.255.255.0
shutdown
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 100.0.0.2
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
ip vrf forwarding ikev2
ip address 100.0.0.1 255.255.255.0
duplex full
crypto map mhm
!
interface FastEthernet3/1
ip vrf forwarding ikev2
ip address 10.0.0.1 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf ikev2 20.0.0.0 255.255.255.0 100.0.0.2
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!

