cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11290
Views
5
Helpful
6
Replies

DMVPN problem

Hello Community,

I'm having a weird problem with DMVPN, I created a lab to test this scenario and it worked fine, the only thing missing in my lab was the VRF but now in production I cannot make it work, the HUB router has VRF enable while the SPOKE does not and I'm using pre-shared key for authentication.

On the HUB im getting:

Sep  6 19:31:56.587 CDT: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
Sep  6 19:31:56.602 CDT: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
Sep  6 19:31:56.777 CDT: IKEv2-ERROR:Error constructing config reply
Sep  6 19:31:56.793 CDT: IKEv2-ERROR:(SESSION ID = 848,SA ID = 4):: Creation/Installation of IPsec SA into IPsec DB failed

While on the SPOKE im getting:

Sep  7 09:46:40.144 AEST: IKEv2:(SESSION ID = 1,SA ID = 4):: Failed to locate an item in the database
Sep  7 09:46:40.144 AEST: IKEv2:(SESSION ID = 1,SA ID = 4):: Auth exchange failed
Sep  7 09:46:40.152 AEST: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI
Sep  7 09:46:40.152 AEST: IKEv2:: A supplied parameter is incorrect
Sep  7 09:46:40.156 AEST: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI
Sep  7 09:46:40.156 AEST: IKEv2:: A supplied parameter is incorrect

Any Ideas?
Thank you so much!!

[1] https://autrunk.com/2016/03/12/site-to-site-dmvpn-ikev2-vrf-ospf-dual-hub-single-domain/

[2] http://packetpushers.net/designing-a-multi-region-multi-hub-phase-3-dmvpn-with-bgp/

6 Replies 6

pjain2
Cisco Employee
Cisco Employee

can you share the below debugs from both the ends:

deb  cry ikev2 platform 

deb cry ikev2 protocol

Hi! Thanks for the suggestion but I dont have those debugs available, so I enabled errors, packets, and default... see attached, hope this helps.

Rolando,

I found a similar problem with the same error messages/results.  My solution was to remove 'ah-sha256-hmac' from the transform and substitute it with 'esp-sha256-hmac'.  (There's a known bug for this problem: CSCsv96390.). My working configuration is:

crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
mode transport
crypto ipsec profile DMVPN-IPSEC-PROFILE
set transform-set AES256-SHA256
set ikev2-profile DMVPN-PROFILE

This isn't identical to your configuration.  (You look to be using 'esp-gcm 256'.). Perhaps your platform doesn't support that cipher?  Try removing your transform-set from the ipsec profile... there should be a default profile on the box that does work.  For instance:

r1#show run all | section transform-set default
crypto ipsec transform-set default esp-aes esp-sha-hmac
mode transport

Hope this helps,

Patrick

UPDATE:

I decided to start from scratch, and build everything from zero and see command by command what was wrong... I made the DMVPN worked without ipsec enabled and after adding the IPsec I broke it again... and after a lot of tweaking here and there I got to this:

HUB:

 

Sep  9 16:07:39.082: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

 

Sep  9 16:07:39.086: IKEv2:(SESSION ID = 2015,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started

Sep  9 16:07:39.086: IKEv2:(SESSION ID = 2015,SA ID = 1):Session with IKE ID PAIR (199.22.22.80, 199.22.22.80) is UP

Sep  9 16:07:39.086: IKEv2:IKEv2 MIB tunnel started, tunnel index 1

Sep  9 16:07:39.086: IKEv2:(SESSION ID = 2015,SA ID = 1):Load IPSEC key material

Sep  9 16:07:39.086: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database

Sep  9 16:07:39.087: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database FAILED

Sep  9 16:07:39.101: IKEv2-ERROR:(SESSION ID = 2015,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed

Sep  9 16:07:39.101: IKEv2:(SESSION ID = 2015,SA ID = 1):Queuing IKE SA delete request reason: unknown

Sep  9 16:07:39.102: IKEv2:(SESSION ID = 2015,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x4CE36410]

Sep  9 16:07:39.102: IKEv2:(SESSION ID = 2015,SA ID = 1):Building packet for encryption. 

Payload contents:

 DELETE

Sep  9 16:07:39.102: IKEv2:(SESSION ID = 2015,SA ID = 1):Checking if request will fit in peer window

 

 

SPOKE

 

Sep 10 07:02:23.307 AEST: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

 

Sep 10 07:02:23.307 AEST: IKEv2:(SESSION ID = 4,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started

Sep 10 07:02:23.307 AEST: IKEv2:(SESSION ID = 4,SA ID = 1):Session with IKE ID PAIR (199.22.22.80, 199.22.22.80) is UP

Sep 10 07:02:23.307 AEST: IKEv2:IKEv2 MIB tunnel started, tunnel index 1

Sep 10 07:02:23.307 AEST: IKEv2:(SESSION ID = 4,SA ID = 1):Load IPSEC key material

Sep 10 07:02:23.307 AEST: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database

Sep 10 07:02:23.311 AEST: IKEv2:: Negotiation context locked currently in use

Sep 10 07:02:23.311 AEST: IKEv2:: Negotiation context locked currently in use

Sep 10 07:02:23.315 AEST: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED

Sep 10 07:02:23.315 AEST: IKEv2:(SESSION ID = 4,SA ID = 1):Checking for duplicate IKEv2 SA

Sep 10 07:02:23.315 AEST: IKEv2:(SESSION ID = 4,SA ID = 1):No duplicate IKEv2 SA found

If I'm not wrong something is failing for phase two, but I dont know what... ideas?

Thanks!

What did you do to fish it? I'm having the same problem with Cisco CSR1000v using esp-3des esp-md5-hmac transform set.

Turns ou that CSR1000v Doesn’t support that transform set.

 

 

  • CSCuh49807

Symptom: IPsec transform set with esp-md5-hmac is not supported in this release. When esp-md5-hmac is used, though the IPsec tunnel is established, traffic can not pass through the tunnel. Inbound traffic will be dropped with HMAC error. Outbound traffic will reach to the peer, but will be dropped by the peer with HMAC error.

The following error message is displayed:

%IOSXE-3-PLATFORM: F0: cpp_cp: QFP:0.0 Thread:000 TS:00000002356612773534 %IPSEC-3-HMAC_ERROR: IPSec SA receives HMAC error, DP Handle 5, src_addr 60.0.0.2, dest_addr 60.0.0.1, SPI 0xb98e9ee1
 

Conditions: Whenever esp-md5-hmac is used in an IPsec transform set.

Workaround: Use esp-sha-hmac, not esp-md5-hmac

 

 

https://www.cisco.com/c/en/us/td/docs/routers/csr1000/release/notes/csr1000v_3Srn.html