08-24-2023 11:45 AM
Hello,
We spun up a new 8000 virtual router with similar configs to our existing environment(moving data centers) and the tunnel is not coming up. We are not running MD5 which most of these errors in the community have been for in regards to this error. Any ideas here?
*Aug 24 17:58:16.518: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of DH group 5 by Crypto IKEv2 is denied
*Aug 24 17:58:23.498: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of DH group 5 by Crypto IKEv2 is denied
*Aug 24 17:58:23.537: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of DH group 5 by Crypto IKEv2 is denied
interface Tunnel995
bandwidth 90000
ip address x.x.x.x x.x.x.x
no ip redirects
ip mtu 1400
ip pim dr-priority 100
ip pim nbma-mode
ip pim sparse-mode
ip nhrp authentication xxxxx
ip nhrp network-id 995
ip nhrp nhs x.x.x.x nbma x.x.x.x multicast
ip nhrp nhs x.x.x.x nbma 160.19.160.3 multicast
ip nhrp nhs x.x.x.x nbma x.x.x.x multicast
ip nhrp registration timeout 60
ip nhrp redirect
ip tcp adjust-mss 1360
load-interval 30
delay 10000000
if-state nhrp
qos pre-classify
tunnel source GigabitEthernet5
tunnel mode gre multipoint
tunnel key 995
tunnel protection ipsec profile DMVPN-PROFILE-1
crypto ikev2 keyring DMVPN-KEYRING-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key xxxx
!
!
!
crypto ikev2 profile FVRF-IKEv2-IWAN-TRANSPORT-1
match identity remote address 0.0.0.0
identity local address x.x.x.x
authentication remote pre-share
authentication local pre-share
keyring local DMVPN-KEYRING-1
!
crypto ikev2 dpd 40 5 on-demand
end
Solved! Go to Solution.
08-29-2023 11:37 PM
@erics08 please can you provide the full IKEv2 debug
08-24-2023 11:50 AM
@erics08 the message is complaining about DH group 5 which is defined under the IKEv2 Proposal, reconfigure this with DH group 19, 20 or 21. https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-cfg-ikev2-flex.html#GUID-496DF6C1-A9B8-4396-B6AF-7885243442A0
08-24-2023 12:56 PM
I followed the documentation and the tunnel still gets the error message with "Group 19, 20, 21". Here are the logs when I bounce the tunnel with the new group:
crypto ikev2 proposal proposal-1
encryption aes-cbc-128
integrity sha1
group 21
*Aug 24 19:50:36.988: %SYS-5-CONFIG_I: Configured from console by access on vty0 (10.1.7.20)
*Aug 24 19:50:42.282: %DMVPN-5-NHRP_NHS_DOWN: Tunnel995: Next Hop Server : (Tunnel: 10.99.5.252 NBMA: 160.19.160.3 ) for (Tunnel: 10.99.4.2 NBMA: 50.171.129.98) is DOWN, Reason: NHRP Registration Failure(NHRP: no error)
*Aug 24 19:50:42.358: %DMVPN-5-NHRP_NHS_DOWN: Tunnel995: Next Hop Server : (Tunnel: 10.99.5.254 NBMA: 65.152.38.4 ) for (Tunnel: 10.99.4.2 NBMA: 50.171.129.98) is DOWN, Reason: NHRP Registration Failure(NHRP: no error)
*Aug 24 19:50:42.900: %DMVPN-5-NHRP_NHS_DOWN: Tunnel995: Next Hop Server : (Tunnel: 10.99.5.253 NBMA: 50.201.14.190 ) for (Tunnel: 10.99.4.2 NBMA: 50.171.129.98) is DOWN, Reason: NHRP Registration Failure(NHRP: no error)
*Aug 24 19:51:06.266: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of DH group 5 by Crypto IKEv2 is denied
*Aug 24 19:51:06.268: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of DH group 5 by Crypto IKEv2 is denied
*Aug 24 19:51:06.303: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. U
08-24-2023 01:01 PM - edited 08-24-2023 01:05 PM
@erics08 I don't know if that error means you have DH group 5 configured or the peer. What is the peer configured with? Run IKEv2 debugs and determine what the you and the peer are using.
You've configured the IKEv2 proposal, but did you create the IKEv2 Policy and reference the proposal? Otherwise that proposal you created is not used and the smart defaults crypto settings will be used.
08-25-2023 09:58 AM - edited 08-25-2023 09:59 AM
Hi Rob,
After running some debugs, it looks like the peer is not configured with a proposal, but is using group 5(default for the ISR4451config). It looks like this new 8000v router only allows for group 14 and above. I'm trying to figure out a way that I can resolve this without having to change the group number on the other headend(ISR4451) because I would imagine I would need to change all of the spoke sites to the new group number as well. In the process of a data center move and this 8000v is where the new data center headend resides. Will need to run the environments in tandem for a bit.
APICHIIL-VPN01v(config-ikev2-proposal)#group ?
14 DH 2048 MODP
15 DH 3072 MODP
16 DH 4096 MODP
19 DH 256 ECP
20 DH 384 ECP
21 DH 521 ECP
24 DH 2048 (256 subgroup) MODP
*Aug 25 14:04:00.816: IKEv2:(SESSION ID = 29,SA ID = 2):Sending Packet [To x.x.x.x:500/From x.x.x.x:500/VRF i0:f0]
Initiator SPI : 0369FA9521AA0EE6 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Aug 25 14:04:00.817: IKEv2:(SESSION ID = 29,SA ID = 2):Insert SA
*Aug 25 14:04:00.834: IKEv2:(SESSION ID = 29,SA ID = 2):Received Packet [From x.x.x.x:500/To x.x.x.x:500/VRF i0:f2]
Initiator SPI : 0369FA9521AA0EE6 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
*Aug 25 14:04:00.834: IKEv2:(SESSION ID = 29,SA ID = 2):parsing NOTIFY payload NOTIFY(INVALID_KE_PAYLOAD)
*Aug 25 14:04:00.834: IKEv2:(SESSION ID = 29,SA ID = 2):Processing IKE_SA_INIT message
*Aug 25 14:04:00.834: IKEv2:(SESSION ID = 29,SA ID = 2):Processing invalid ke notification, we sent group 19, peer prefers group 5
*Aug 25 14:04:00.834: IKEv2-ERROR:(SESSION ID = 29,SA ID = 2):
*Aug 25 14:04:00.834: IKEv2:(SESSION ID = 29,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Aug 25 14:04:00.834: %CRYPTO_ENGINE-3-CSDL_COMPLIANCE_FAIL: Cisco PSB security compliance violation is detected. Use of DH group 5 by Crypto IKEv2 is denied
*Aug 25 14:04:00.834: IKEv2:(SESSION ID = 29,SA ID = 2):(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation FAILED
*Aug 25 14:04:00.834: IKEv2:(SESSION ID = 29,SA ID = 2):Request queued for computation of DH key
*Aug 25 14:04:00.834: IKEv2-ERROR:(SESSION ID = 29,SA ID = 2):: DH public key computation failed
*Aug 25 14:04:00.835: IKEv2:(SESSION ID = 29,SA ID = 2):Failed SA init exchange
*Aug 25 14:04:00.835: IKEv2-ERROR:(SESSION ID = 29,SA ID = 2):Initial exchange failed: Initial exchange failed
*Aug 25 14:04:00.835: IKEv2:(SESSION ID = 29,SA ID = 2):Abort exchange
*Aug 25 14:04:00.835: IKEv2:(SESSION ID = 29,SA ID = 2):Deleting SA
*Aug 25 14:04:00.868: IKEv2:(SESSION ID = 30,SA ID = 1):Received Packet [From x.x.x.x:500/To x.x.x.x.98:500/VRF i0:f2]
Initiator SPI : 514FA4AE420317B8 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
*Aug 25 14:04:00.868: IKEv2:(SESSION ID = 30,SA ID = 1):parsing NOTIFY payload NOTIFY(INVALID_KE_PAYLOAD)
*Aug 25 14:04:00.868: IKEv2:(SESSION ID = 30,SA ID = 1):Processing IKE_SA_INIT message
*Aug 25 14:04:00.868: IKEv2:(SESSION ID = 30,SA ID = 1):Processing invalid ke notification, we sent group 19, peer prefers group 5
08-25-2023 10:26 AM
@erics08 you can define multiple DH groups in the proposal, so amend the other router and add a DH group that the 8000v supports. It will establish a tunnel with the 8000v using whatever you configured and continue to use DH group 5 with the existing spoke routers.
08-29-2023 12:06 PM
Thanks for the help Rob, I think I am past the issue with the mismatched DH group is now resolved, here is the config I added, still the tunnel isn't coming up. Still looking into this.
crypto ikev2 proposal proposal-1
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256 sha1
group 5 14 2
crypto ikev2 policy FVRF-IKEv2-IWAN-POLICY
proposal proposal-1
*Aug 29 18:46:07.506: IKEv2:(SESSION ID = 46,SA ID = 1):Sending Packet [To x.x.x.x:500/From x.x.x.x:500/VRF i2:f2]
Initiator SPI : FB4B797D7B78632C - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Aug 29 18:46:07.506: IKEv2:(SESSION ID = 46,SA ID = 1):Insert SA
*Aug 29 18:46:07.508: IKEv2:% Getting preshared key from profile keyring DMVPN-KEYRING-1
*Aug 29 18:46:07.508: IKEv2:% Matched peer block 'ANY'
*Aug 29 18:46:07.508: IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 2, local address x.x.x.x
*Aug 29 18:46:07.508: IKEv2:(SESSION ID = 0,SA ID = 0):Using the Default Policy for Proposal
*Aug 29 18:46:07.508: IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'default'
*Aug 29 18:46:07.508: IKEv2:(SESSION ID = 47,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Aug 29 18:46:07.508: IKEv2:(SESSION ID = 47,SA ID = 2):(SA ID = 2):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Aug 29 18:46:07.508: IKEv2:(SESSION ID = 47,SA ID = 2):Request queued for computation of DH key
*Aug 29 18:46:07.508: IKEv2:(SESSION ID = 47,SA ID = 2):IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Aug 29 18:46:07.508: IKEv2:(SESSION ID = 47,SA ID = 2):Generating IKE_SA_INIT message
*Aug 29 18:46:07.508: IKEv2:(SESSION ID = 47,SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 9
AES-CBC SHA512 SHA384 SHA512 SHA384 DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14 DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5
08-29-2023 11:37 PM
@erics08 please can you provide the full IKEv2 debug
08-30-2023 06:47 AM
I am fairly new to this environment and after looking further into this, I am not sure this is the path I can continue on. I spun up a virtual router for our DMVPN headend at our new data center and is too new to do DH group 5. The problem is, we have some old 800 and 1900 series routers in our environment and they are not capable of doing DH group 14 and above, so I think the best solution is to move the current 4451 headends to the new data center one at a time since they support the older DH group 5 technology. This is all just to support a legacy DMVPN environment while we convert to SD-WAN shortly. I will post the ikev2 logs shortly as well because it would be nice to verify this tunnel for the SD-WAN traffic when I am ready for that
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide