05-21-2024 04:40 AM - edited 05-21-2024 04:56 AM
Hi guys,
I have a problem configuring a VPN IPSec tunnel with IKEv2.
I already have an IPSEC VPN IKEv1 tunnel configured, up and running, and I need to configure a new one with IKEv2.
I have tried to configure it, but during the crypto isakmp debug I received this error:
May 21 11:51:35.625: ISAKMP: (0):processing SA payload. message ID = 0
May 21 11:51:35.625: ISAKMP: (0):processing vendor id payload
May 21 11:51:35.625: ISAKMP: (0):vendor ID is DPD
May 21 11:51:35.625: ISAKMP: (0):processing vendor id payload
May 21 11:51:35.625: ISAKMP: (0):vendor ID seems Unity/DPD but major 152 mismatch
May 21 11:51:35.625: ISAKMP: (0):Using Default ISAKMP policies (check proposal).----> I have created an IKEv2 proposal but it's NOT used
May 21 13:51:35 CEST: %CRYPTO-6-IKMP_POLICY_DEFAULT: Using ISAKMP Default policies ----> I have created an IKEv2 policy but it's NOT used
May 21 11:51:35.625: ISAKMP: (0):found peer pre-shared key matching 10.21.209.189
May 21 11:51:35.625: ISAKMP: (0):local preshared key found
Scanning profiles for xauth ... CUST-IKE-PROFILE_2 CUST123-IKE-PROFILE TEST_2-PROFILE
May 21 11:14:11.515: ISAKMP: (0):IKE->PKI Get configured TrustPoints state (R) MM_NO_STATE (peer 10.X.X.X)
May 21 11:14:11.515: ISAKMP: (0):PKI->IKE Got configured TrustPoints state (R) MM_NO_STATE (peer 10.X.X.X)
May 21 11:14:11.515: ISAKMP: (0):Checking ISAKMP transform 0 against priority 65503 policy
May 21 11:14:11.515: ISAKMP: (0): life type in seconds
May 21 11:14:11.515: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
May 21 11:14:11.515: ISAKMP: (0): encryption AES-CBC
May 21 11:14:11.515: ISAKMP: (0): keylength of 128
May 21 11:14:11.515: ISAKMP: (0): auth pre-share
May 21 11:14:11.515: ISAKMP: (0): hash SHA256
May 21 11:14:11.515: ISAKMP: (0): default group 14
May 21 11:14:11.515: ISAKMP-ERROR: (0):Hash algorithm offered does not match policy!
The problem is that I don't see the correct profile I created, CUST_IKEv2_PROFILE. The hash algorithm is correct:
crypto ikev2 proposal CUST_IKEv2-PROPOSAL
encryption aes-cbc-128
integrity sha256
group 14
I changed the crypto map name and added it to the interface:
interface GigabitEthernet0/0/3.900
description DR_CITY
encapsulation dot1Q 900
ip vrf forwarding DR-TO-CITY
ip address 172.30.254.X 255.255.255.240
standby 1 ip 172.30.254.X
standby 1 priority 120
standby 1 preempt
standby 1 name VPNHA-CMG
crypto map VPN_TRAFFIC-CMG_IKEv2
end
Any help is appreciated
Giorgio
05-21-2024 11:46 PM - edited 05-21-2024 11:47 PM
R2#show run
R2#show running-config
Building configuration...
Current configuration : 2321 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf ikev2
rd 1:1
!
crypto ikev2 proposal prop
encryption 3des
integrity md5
group 5
!
crypto ikev2 policy polc
match fvrf ikev2
proposal prop
!
crypto ikev2 keyring key
peer ANY
address 100.0.0.1
pre-shared-key cisco
!
!
!
crypto ikev2 profile prof
match fvrf ikev2
match identity remote address 100.0.0.1 255.255.255.255
identity local address 100.0.0.2
authentication remote pre-share
authentication local pre-share
keyring local key
!
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!crypto ipsec profile prof
! set transform-set trans
! set ikev2-profile prof
!
!
crypto map mhm 10 ipsec-isakmp
set peer 100.0.0.1
set transform-set trans
set ikev2-profile prof
match address 100
!
!
!
!
!interface Tunnel0
! ip vrf forwarding ikev2
! ip address 5.0.0.2 255.255.255.0
! shutdown
! tunnel source FastEthernet0/0
! tunnel mode ipsec ipv4
! tunnel destination 100.0.0.1
! tunnel protection ipsec profile prof
!
interface FastEthernet0/0
ip vrf forwarding ikev2
ip address 100.0.0.2 255.255.255.0
duplex full
crypto map mhm
!
interface FastEthernet3/1
ip vrf forwarding ikev2
ip address 20.0.0.2 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf ikev2 10.0.0.0 255.255.255.0 100.0.0.1
!
access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end
05-21-2024 06:55 AM
Can you share the config?
I think you configured the ikev2 without being vrf aware
Let me check that
MHM
05-21-2024 07:21 AM
Hello MHM
below the configuration:
crypto ikev2 keyring CUST_KEYRING_IKEv2
peer CUSTOMER
address 10.21.X.X
pre-shared-key SECRETKEY
crypto ikev2 proposal CUST_IKEv2-PROPOSAL
encryption aes-cbc-128
integrity sha256
group 14
crypto ikev2 policy CUST_IKEv2-POLICY
proposal CUST_IKEv2-PROPOSAL
ip access-list extended CUST_CRYPTOACL
10 permit ip 10.21.138.152 0.0.0.7 100.73.0.0 0.0.0.255
Transform sets=ESP-AES256-SHA256: esp-256-aes esp-sha256-hmac
crypto ikev2 profile CUST_IKEv2-PROFILE
authentication local pre-share
authentication remote pre-share
match identity remote address 10.21.X.X 255.255.255.255
keyring CUST_KEYRING_IKEv2
crypto map VPN_TRAFFIC-CMG 30 ipsec-isakmp
set peer 10.21.X.X
set transform-set ESP-AES256-SHA256
set ikev2-profile CUST_IKEv2-PROFILE
match address CUST_CRYPTOACL
Bye
Giorgio
05-21-2024 07:10 AM
Hi MHM,
below the configuration. Yes, on the ikev1 configuration I haven't added the vrf and it's ok
crypto ikev2 keyring CUST_KEYRING_IKEv2
peer CUSTOMER
address 10.21.X.X
pre-shared-key SECRETKEY
crypto ikev2 proposal CUST_IKEv2-PROPOSAL
encryption aes-cbc-128
integrity sha256
group 14
crypto ikev2 policy CUST_IKEv2-POLICY
proposal CUST_IKEv2-PROPOSAL
ip access-list extended CUST_CRYPTOACL
10 permit ip 10.21.138.152 0.0.0.7 100.73.0.0 0.0.0.255
Transform sets={ESP-AES256-SHA256: { esp-256-aes esp-sha256-hmac }
crypto ikev2 profile CUST_IKEv2-PROFILE
authentication local pre-share
authentication remote pre-share
match identity remote address 10.21.X.X 255.255.255.255
keyring CUST_KEYRING_IKEv2
crypto map VPN_TRAFFIC-CMG 30 ipsec-isakmp
set peer 10.21.X.X
set transform-set ESP-AES256-SHA256
set ikev2-profile CUST_IKEv2-PROFILE
match address CUST_CRYPTOACL
Bye
05-21-2024 08:26 AM - edited 05-21-2024 08:27 AM
OK,
show crypto ikev2 proposal <<- do you see the same as what you configured?
if yes, then try adding
no crypto ikev2 proposal default
and check again
NOTE: you need to use, under crypto ikev2 profile, the identity local address x.x.x.x
MHM
05-21-2024 08:34 AM - edited 05-21-2024 08:41 AM
From your last post, I have added the vrf in the IKEv2 policy:
crypto ikev2 policy CUST_IKEv2-POLICY
proposal CUST_IKEv2-PROPOSAL
match fvrf CUST_VRF
and now I receive this error:
May 21 15:29:19.055: IKEv2-ERROR:(SESSION ID = 81550,SA ID = 1):: Failed to receive the AUTH msg before the timer expired
May 21 15:29:19.055: IKEv2-ERROR:(SESSION ID = 81550,SA ID = 1):: Auth exchange failed
May 21 15:29:30.093: IKEv2-ERROR:**bleep** type 3041043353 not supported
I've checked the pre-shared key on the Customer FW and it seems the same:
Ikev1
ipsec-tunnel "tunnel1" create
dynamic-keying
ike-policy 1
pre-shared-key "DCt3eiqN/v8MIWxS6B66ptuPQA9+G1Ah6f96Xw==" hash2
Ikev2
ipsec-tunnel "tunnel1" create
security-policy 1
dynamic-keying
ike-policy 1
pre-shared-key "DCt3eiqN/v8MIWxS6B66ptuPQA9+G1Ah6f96Xw==" hash2
auto-establish
transform 1
Based on this, what could it be?
Bye
Giorgio
05-21-2024 08:57 AM
@giorgio ghezzi match the FVRF under the IKEV2 profile.
crypto ikev2 profile CUST_IKEv2-PROFILE
match fvrf CUST_VRF
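As an added example (not from any poster in this thread), a small Python check for the point MHM makes here: when the interface carrying the crypto map sits in a VRF, the IKEv2 profile and an IKEv2 policy need "match fvrf <vrf>" (or "match fvrf any"), otherwise the default policy/profile selection seen in the original debug is what you get. The config text, names and addresses in SAMPLE_CFG are constructed for the example, and parse_blocks/fvrf_findings are the example's own helpers, not IOS commands.

```python
# Constructed IOS-style fragment: crypto map applied on a VRF interface, but
# neither the IKEv2 policy nor the IKEv2 profile carries "match fvrf".
SAMPLE_CFG = """\
crypto ikev2 policy CUST_IKEv2-POLICY
 proposal CUST_IKEv2-PROPOSAL
!
crypto ikev2 profile CUST_IKEv2-PROFILE
 match identity remote address 10.21.0.1 255.255.255.255
 authentication remote pre-share
 keyring local CUST_KEYRING_IKEv2
!
crypto map VPN_TRAFFIC-CUST 30 ipsec-isakmp
 set peer 10.21.0.1
 set ikev2-profile CUST_IKEv2-PROFILE
!
interface GigabitEthernet0/0/2.450
 ip vrf forwarding CUST_VRF
 crypto map VPN_TRAFFIC-CUST
"""

def parse_blocks(cfg):
    """Map each unindented config line to the indented lines beneath it."""
    blocks, head = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            head = line.strip()
            blocks[head] = []
        elif head is not None:
            blocks[head].append(line.strip())
    return blocks

def fvrf_findings(cfg):
    """(object, vrf) pairs for IKEv2 policy/profile lacking 'match fvrf <vrf>'."""
    blocks, findings = parse_blocks(cfg), []
    for iface, body in blocks.items():
        vrf = next((l.split()[-1] for l in body if l.startswith("ip vrf forwarding ")), None)
        cmap = next((l.split()[2] for l in body if l.startswith("crypto map ")), None)
        if not iface.startswith("interface ") or vrf is None or cmap is None:
            continue  # global-table interface or no crypto map: nothing to check
        ok = lambda b: f"match fvrf {vrf}" in b or "match fvrf any" in b
        for head, entry in blocks.items():  # each sequence entry of that crypto map
            if head.startswith(f"crypto map {cmap} "):
                for prof in (l.split()[-1] for l in entry if l.startswith("set ikev2-profile ")):
                    if not ok(blocks.get(f"crypto ikev2 profile {prof}", [])):
                        findings.append((f"crypto ikev2 profile {prof}", vrf))
        if not any(ok(b) for h, b in blocks.items() if h.startswith("crypto ikev2 policy ")):
            findings.append(("crypto ikev2 policy (none matches fvrf)", vrf))
    return findings
```

Running fvrf_findings on SAMPLE_CFG reports both the profile and the policy; adding "match fvrf CUST_VRF" to each clears the findings.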
05-21-2024 09:26 AM - edited 05-21-2024 11:48 PM
Below I share the commands I use for a vrf-aware IKEv2 crypto map
MHM
05-21-2024 11:37 PM
Thanks for the example.
The only difference between our configurations is that I have no IPSEC profile, but I have applied it to the crypto map.
crypto map VPN_TRAFFIC-CUST 30 ipsec-isakmp
set peer 10.21.X.1X
set transform-set ESP-AES256-SHA256
set ikev2-profile CUST_IKEv2-PROFILE
match address CUST_CRYPTOACL
applied to outside interface G0/0/2.450
interface GigabitEthernet0/0/2.450
description DR_M2M
encapsulation dot1Q 900
ip vrf forwarding CUST_VRF
ip address 172.30.X.X 255.255.255.240
standby 1 ip 172.30.X.X
standby 1 priority 120
standby 1 preempt
standby 1 name VPNHA-CUST
standby 1 track 12 decrement 30
crypto map VPN_TRAFFIC-CUST
All the rest is the same.
I guess it's an authentication problem. I will keep you updated
BYE
Giorgio
05-21-2024 11:44 PM - edited 05-21-2024 11:46 PM
R1#show run
R1#show running-config
Building configuration...
Current configuration : 2321 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
ip vrf ikev2
rd 1:1
!
crypto ikev2 proposal prop
encryption 3des
integrity md5
group 5
!
crypto ikev2 policy polc
match fvrf ikev2
proposal prop
!
crypto ikev2 keyring key
peer ANY
address 100.0.0.2
pre-shared-key cisco
!
!
!
crypto ikev2 profile prof
match fvrf ikev2
match identity remote address 100.0.0.2 255.255.255.255
identity local address 100.0.0.1
authentication remote pre-share
authentication local pre-share
keyring local key
!
!
!
crypto ipsec transform-set trans esp-des esp-md5-hmac
mode tunnel
!
!
! this for my lab
!crypto ipsec profile prof
! set transform-set trans
! set ikev2-profile prof
!
!
crypto map mhm 10 ipsec-isakmp
set peer 100.0.0.2
set transform-set trans
set ikev2-profile prof
match address 100
!
!
!
!
!interface Tunnel0
! ip vrf forwarding ikev2
! ip address 5.0.0.1 255.255.255.0
! shutdown
! tunnel source FastEthernet0/0
! tunnel mode ipsec ipv4
! tunnel destination 100.0.0.2
! tunnel protection ipsec profile prof
!
interface FastEthernet0/0
ip vrf forwarding ikev2
ip address 100.0.0.1 255.255.255.0
duplex full
crypto map mhm
!
interface FastEthernet3/1
ip vrf forwarding ikev2
ip address 10.0.0.1 255.255.255.0
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route vrf ikev2 20.0.0.0 255.255.255.0 100.0.0.2
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!