Duplicating an existing VPN btw Azure VN and On-Premise fails

varunoberoi
Level 1

I have an existing tunnel-based VPN connection between my on-premise router's WAN1 and an Azure VN, and I wanted to load-balance it with another tunnel-based VPN between WAN2 and Azure.

Tunnel 10 is UP-ACTIVE and Tunnel 11 is DOWN-NEGOTIATING. It never changes to UP-ACTIVE.

To debug, I ran sh crypto ipsec sa. The output is below.

What I have noticed in that output is the line "ip mtu idb Dialer1" in both tunnel outputs. Since the WAN2 IP is on Dialer 2, it should ideally be "ip mtu idb Dialer2" in the output for interface Tunnel11. Routing between the Azure IP space 10.0.0.0/24 and on-premise 10.1.0.0/20 has also not worked since I added the second VPN connection.

All help is appreciated, thanks.

-----------------------------------------------------------------------------

OrionRouter#sh crypto ipsec sa

 

interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 117.242.xxx.xxx

 

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 52.140.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

 

     local crypto endpt.: 117.242.xxx.xxx, remote crypto endpt.: 52.140.xxx.xxx
     plaintext mtu 1438, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x40A0AEDE(1084272350)
     PFS (Y/N): N, DH group: none

 

     inbound esp sas:
      spi: 0x6890F2BD(1754329789)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 2004, flow_id: ESG:4, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4607997/2911)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:
      spi: 0x40A0AEDE(1084272350)
        transform: esp-gcm 256 ,
        in use settings ={Tunnel, }
        conn id: 2003, flow_id: ESG:3, sibling_flags FFFFFFFF80000048, crypto map: Tunnel10-head-0
        sa timing: remaining key lifetime (k/sec): (4608000/2911)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

 

     outbound ah sas:

 

     outbound pcp sas:

 

interface: Tunnel11
    Crypto map tag: Tunnel11-head-0, local addr 103.69.xxx.xxx

 

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 52.140.xxx.xxx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

 

     local crypto endpt.: 103.69.xxx.xxx, remote crypto endpt.: 52.140.xxx.xxx
     plaintext mtu 1492, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

 

     inbound esp sas:

 

     inbound ah sas:

 

     inbound pcp sas:

 

     outbound esp sas:

 

     outbound ah sas:

 

     outbound pcp sas:
OrionRouter#
----------------------------------------------------------------------------------------------

 

The commands to configure both VPN connections are:

 

 

config t

!----------- Azure VPN Config ------------
crypto ikev2 proposal std-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 2
exit

!-----------Create a transform-set------------
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
mode tunnel
exit

config t

!-----------Create a policy------------
crypto ikev2 policy azure-wan1-vpn-policy
proposal std-vpn-proposal
match address local 117.242.xxx.xxx
exit

!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan1-vpn-keyring
peer 52.140.xxx.xxx
address 52.140.xxx.xxx
pre-shared-key secretpass
exit
exit

!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan1-vpn-profile
match address local 117.242.xxx.xxx
match identity remote address 52.140.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
lifetime 3600
dpd 10 5 on-demand
keyring local azure-wan1-vpn-keyring
exit

!-----------Create an access list------------
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
! REPLACE 52.140.xxx.xxx with Azure VPN IP address
! REPLACE 117.242.xxx.xxx with WAN Static IP address
access-list 101 permit esp host 52.140.xxx.xxx host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 117.242.xxx.xxx

crypto ipsec profile azure-wan1-vpn-IPsecProfile
set transform-set  std-vpn-TransformSet
set ikev2-profile  azure-wan1-vpn-profile
set security-association lifetime seconds 3600
exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)

int tunnel 10
ip address 169.254.0.1 255.255.255.255
tunnel mode ipsec ipv4
ip tcp adjust-mss 1350
tunnel source 117.242.xxx.xxx
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
exit

! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s), default tunnel 11 and tunnel 12

ip route 10.0.0.0 255.255.254.0 Tunnel 10
exit

Second VPN commands below:

config t

!----------- Azure VPN Config ------------
crypto ikev2 proposal std-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 2
exit

!-----------Create a transform-set------------
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
mode tunnel
exit

!REPLACE: below local IP with WAN static ip
!-----------Create a policy------------
crypto ikev2 policy azure-wan2-vpn-policy
proposal std-vpn-proposal
match address local 103.69.xxx.xxx
exit

!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan2-vpn-keyring
peer 52.140.xxx.xxx
address 52.140.xxx.xxx
pre-shared-key secretpass
exit
exit

!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan2-vpn-profile
match address local 103.69.xxx.xxx
match identity remote address 52.140.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
lifetime 3600
dpd 10 5 on-demand
keyring local azure-wan2-vpn-keyring
exit

!-----------Create an access list------------
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
! REPLACE 52.140.xxx.xxx with Azure VPN IP address
! REPLACE 103.69.xxx.xxx with WAN Static IP address
access-list 101 permit esp host 52.140.xxx.xxx host 103.69.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 103.69.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 103.69.xxx.xxx

crypto ipsec profile azure-wan2-vpn-IPsecProfile
set transform-set  std-vpn-TransformSet
set ikev2-profile  azure-wan2-vpn-profile
set security-association lifetime seconds 3600
exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! *  - Increment the tunnel # and the last digit of the IP address
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)

int tunnel 11
ip address 169.254.0.2 255.255.255.255
tunnel mode ipsec ipv4
ip tcp adjust-mss 1350
tunnel source 103.69.xxx.xxx
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan2-vpn-IPsecProfile
exit

! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s), default tunnel 11 and tunnel 12

ip route 10.0.0.0 255.255.254.0 Tunnel 11
exit
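The two symptoms in the sh crypto ipsec sa output above (Tunnel10 decapsulating 256 packets but encapsulating none, and both tunnels showing "ip mtu idb Dialer1") are exactly what a triage script should surface. The following is an added example, not code from this thread or from Cisco: it parses the per-tunnel blocks of that command and flags one-way counters, a missing ESP SA pair, and a tunnel whose idb (the interface the router associated with the SA) differs from the WAN interface it was meant to use. The expected-interface map passed to diagnose() is the operator's assumption, and the sample text is constructed from the masked output above.

```python
"""Triage helper for Cisco IOS `show crypto ipsec sa` output (added example)."""
import re

# Constructed sample modelled on the thread's output; addresses are masked.
SAMPLE = """\
interface: Tunnel10
    Crypto map tag: Tunnel10-head-0, local addr 117.242.xxx.xxx
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 256, #pkts decrypt: 256, #pkts verify: 256
     plaintext mtu 1438, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x40A0AEDE(1084272350)
     inbound esp sas:
      spi: 0x6890F2BD(1754329789)
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0x40A0AEDE(1084272350)
        Status: ACTIVE(ACTIVE)
interface: Tunnel11
    Crypto map tag: Tunnel11-head-0, local addr 103.69.xxx.xxx
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     plaintext mtu 1492, path mtu 1492, ip mtu 1492, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

INTERFACE_RE = re.compile(r"^interface:\s+(\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
IDB_RE = re.compile(r"ip mtu idb (\S+)")
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (esp|ah|pcp) sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Return {tunnel: {encaps, decaps, idb, inbound_esp, outbound_esp}}."""
    tunnels, current, section = {}, None, None
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = tunnels.setdefault(m.group(1), {
                "encaps": 0, "decaps": 0, "idb": None,
                "inbound_esp": [], "outbound_esp": []})
            section = None
            continue
        if current is None:
            continue
        m = SECTION_RE.match(line)
        if m:  # e.g. "inbound esp sas:" opens a new SA list
            section = f"{m.group(1)}_{m.group(2)}"
            continue
        for m in COUNTER_RE.finditer(line):
            current[m.group(1)] = int(m.group(2))
        m = IDB_RE.search(line)
        if m:
            current["idb"] = m.group(1)
        m = SPI_RE.match(line)  # "current outbound spi:" deliberately does not match
        if m and section in ("inbound_esp", "outbound_esp"):
            current[section].append(m.group(1))
    return tunnels


def diagnose(tunnels, expected_idb):
    """expected_idb maps tunnel name -> WAN interface it should egress through (operator input)."""
    findings = []
    for name, t in tunnels.items():
        if not t["inbound_esp"] or not t["outbound_esp"]:
            findings.append(f"{name}: no ESP SA pair, IPsec negotiation never completed")
        elif t["decaps"] > 0 and t["encaps"] == 0:
            findings.append(f"{name}: decrypting but never encrypting, asymmetric return path")
        want = expected_idb.get(name)
        if want and t["idb"] != want:
            findings.append(f"{name}: egress idb is {t['idb']}, expected {want}")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE)
    for finding in diagnose(parsed, {"Tunnel10": "Dialer1", "Tunnel11": "Dialer2"}):
        print(finding)
```

Run against the sample it reports three findings: Tunnel10 is receiving but not sending (the return-path problem a later reply points at), Tunnel11 has no ESP SAs at all, and Tunnel11's idb is Dialer1 where Dialer2 was expected.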
15 Replies

Even if you have two different VTI tunnels, the destination of each tunnel uses the same outlet interface, "dialer".

You need PBR to make each tunnel destination use a specific outlet interface.

Could you be a little more detailed? Which attributes and properties must I change or add?

@varunoberoi your first tunnel is established correctly: traffic is being decrypted but not encrypted. This is likely because you've got 2 static routes over both tunnels and the return traffic is being sent back over the 2nd tunnel, which is not working, thus blackholing the traffic. You should either run a dynamic routing protocol over the tunnel interfaces or use IP SLA to track the tunnels and remove a route in the event a tunnel drops; without this you will blackhole traffic again.

As for the other tunnel (Tunnel11), the IPsec SAs have not established correctly (no inbound or outbound ESP SAs).

Does Tunnel11 work if tunnel 10 is shut down?

Please can you run IKEv2 debugs and provide the output for review.

OK, I tried a bunch of things. First, I removed all tunnel routes to focus on establishing stable connections first.

Tunnel 11 does not work when tunnel 10 is shut down. The output of show crypto session yields the following:

It is using Dialer1 to establish the connection! The config of Tunnel 11 clearly states that the source interface should be Dialer 2.

Crypto session current status

Interface: Tunnel11
Session status: DOWN
Peer: 52.140.xxx.xxx port 500
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map

Interface: Dialer1
Profile: azure-wan1-vpn-profile
Session status: UP-IDLE
Peer: 52.140.xxx.xxx port 500
Session ID: 1053
IKEv2 SA: local 117.242.xxx.xxx/500 remote 52.140.xxx.xxx/500 Active
Session ID: 1050
IKEv2 SA: local 117.242.xxx.xxx/500 remote 52.140.xxx.xxx/500 Active
Session ID: 1054
IKEv2 SA: local 117.242.xxx.xxx/500 remote 52.140.xxx.xxx/500 Active

OrionRouter#

 

interface Tunnel11
ip address 169.254.0.2 255.255.255.255
ip tcp adjust-mss 1350
tunnel source Dialer2
tunnel mode ipsec ipv4
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan2-vpn-IPsecProfile
!

Debug crypto ikev2

OrionRouter#debug crypto ikev2
IKEv2 default debugging is on
OrionRouter#
*Feb 12 12:47:19.687: IKEv2:(SESSION ID = 28,SA ID = 6):Retransmitting packet

*Feb 12 12:47:19.687: IKEv2:(SESSION ID = 28,SA ID = 6):Sending Packet [To 52.140.xxx.xxx:500/From 103.69.xxx.xxx:500/VRF i0:f0]
Initiator SPI : EBD2171A6C23DA39 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 12 12:47:21.158: IKEv2:% Getting preshared key from profile keyring azure-wan2-vpn-keyring
*Feb 12 12:47:21.158: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 12 12:47:21.158: IKEv2:Searching Policy with fvrf 0, local address 103.69.xxx.xxx
*Feb 12 12:47:21.158: IKEv2:Found Policy 'azure-wan2-vpn-policy'
*Feb 12 12:47:21.158: IKEv2:SA is already in negotiation, hence not negotiating again
*Feb 12 12:47:51.157: IKEv2:% Getting preshared key from profile keyring azure-wan2-vpn-keyring
*Feb 12 12:47:51.157: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 12 12:47:51.157: IKEv2:Searching Policy with fvrf 0, local address 103.69.xxx.xxx
*Feb 12 12:47:51.157: IKEv2:Found Policy 'azure-wan2-vpn-policy'
*Feb 12 12:47:51.157: IKEv2:SA is already in negotiation, hence not negotiating again
OrionRouter#
*Feb 12 12:48:02.460: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 122.194.229.36

*Feb 12 12:48:13.977: IKEv2:Received Packet [From 112.133.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)

*Feb 12 12:48:13.978: IKEv2:(SESSION ID = 1068,SA ID = 10):Verify SA init message
*Feb 12 12:48:13.978: IKEv2:(SESSION ID = 1068,SA ID = 10):Insert SA
*Feb 12 12:48:13.978: IKEv2:Searching Policy with fvrf 0, local address 117.242.xxx.xxx
*Feb 12 12:48:13.978: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 12 12:48:13.978: IKEv2:(SESSION ID = 1068,SA ID = 10):Processing IKE_SA_INIT message
*Feb 12 12:48:13.989: IKEv2-ERROR:(SESSION ID = 1068,SA ID = 10):: The peer's KE payload contained the wrong DH group
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Sending invalid ke notification, peer sent group 14, local policy prefers group 2

*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Sending Packet [To 112.133.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(INVALID_KE_PAYLOAD)

*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Failed SA init exchange
*Feb 12 12:48:13.989: IKEv2-ERROR:(SESSION ID = 1068,SA ID = 10):Initial exchange failed: Initial exchange failed
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Abort exchange
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Deleting SA

*Feb 12 12:48:14.090: IKEv2:Received Packet [From 112.133.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) NOTIFY(Unknown - 16431) NOTIFY(REDIRECT_SUPPORTED)

*Feb 12 12:48:14.090: IKEv2:(SESSION ID = 1069,SA ID = 10):Verify SA init message
*Feb 12 12:48:14.090: IKEv2:(SESSION ID = 1069,SA ID = 10):Insert SA
*Feb 12 12:48:14.090: IKEv2:Searching Policy with fvrf 0, local address 117.242.xxx.xxx
*Feb 12 12:48:14.090: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 12 12:48:14.090: IKEv2:(SESSION ID = 1069,SA ID = 10):Processing IKE_SA_INIT message
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[PKI -> IKEv2] Retrieved trustpoint(s): 'CISCO_IDEVID_SUDI0' 'CISCO_IDEVID_SUDI'
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Start PKI Session
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 12 12:48:14.094: IKEv2:(SESSION ID = 1069,SA ID = 10):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*Feb 12 12:48:14.094: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 12 12:48:14.094: IKEv2:(SESSION ID = 1069,SA ID = 10):Request queued for computation of DH key
*Feb 12 12:48:14.094: IKEv2:(SESSION ID = 1069,SA ID = 10):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
*Feb 12 12:48:14.094: IKEv2:(SESSION ID = 1069,SA ID = 10):Request queued for computation of DH secret
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 12 12:48:14.096: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 12 12:48:14.096: IKEv2:(SESSION ID = 1069,SA ID = 10):Generating IKE_SA_INIT message
*Feb 12 12:48:14.096: IKEv2:(SESSION ID = 1069,SA ID = 10):IKE Proposal: 2, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[PKI -> IKEv2] Retrieved trustpoint(s): 'CISCO_IDEVID_SUDI0' 'CISCO_IDEVID_SUDI'
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 12 12:48:14.096: IKEv2:(SA ID = 10):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Feb 12 12:48:14.096: IKEv2:(SESSION ID = 1069,SA ID = 10):Sending Packet [To 112.133.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : E54F8BF3B3EA41BE Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Feb 12 12:48:14.097: IKEv2:(SESSION ID = 1069,SA ID = 10):Completed SA init exchange
*Feb 12 12:48:14.097: IKEv2:(SESSION ID = 1069,SA ID = 10):Starting timer (30 sec) to wait for auth message

*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Received Packet [From 112.133.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : E54F8BF3B3EA41BE Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi NOTIFY(INITIAL_CONTACT) IDr AUTH SA TSi TSr NOTIFY(Unknown - 16417)

*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Stopping timer to wait for auth message
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Checking NAT discovery
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):NAT not found
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Searching policy based on peer's identity '112.133.xxx.xxx' of type 'IPv4 address'
*Feb 12 12:48:14.199: IKEv2-ERROR:% IKEv2 profile not found
*Feb 12 12:48:14.203: IKEv2-ERROR:(SESSION ID = 1069,SA ID = 10):: Failed to locate an item in the database
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Verification of peer's authentication data FAILED
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Sending authentication failure notify
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Sending Packet [To 112.133.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : DF181D4BC8C652E5 - Responder SPI : E54F8BF3B3EA41BE Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Auth exchange failed
*Feb 12 12:48:14.203: IKEv2-ERROR:(SESSION ID = 1069,SA ID = 10):: Auth exchange failed
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Abort exchange
*Feb 12 12:48:14.203: IKEv2:(SESSION ID = 1069,SA ID = 10):Deleting SA
*Feb 12 12:48:14.203: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Close PKI Session
*Feb 12 12:48:14.203: IKEv2:(SA ID = 10):[PKI -> IKEv2] Closing of PKI Session PASSED

*Feb 12 12:48:19.181: IKEv2:Received Packet [From 52.140.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : 08BCDEE47D7AC7D5 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID

*Feb 12 12:48:19.181: IKEv2:(SESSION ID = 1070,SA ID = 10):Verify SA init message
*Feb 12 12:48:19.181: IKEv2:(SESSION ID = 1070,SA ID = 10):Insert SA
*Feb 12 12:48:19.182: IKEv2:Searching Policy with fvrf 0, local address 117.242.xxx.xxx
*Feb 12 12:48:19.182: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 12 12:48:19.182: IKEv2:(SESSION ID = 1070,SA ID = 10):Processing IKE_SA_INIT message
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[PKI -> IKEv2] Retrieved trustpoint(s): 'CISCO_IDEVID_SUDI0' 'CISCO_IDEVID_SUDI'
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Start PKI Session
*Feb 12 12:48:19.182: IKEv2:(SA ID = 10):[PKI -> IKEv2] Starting of PKI Session PASSED
*Feb 12 12:48:19.182: IKEv2:(SESSION ID = 1070,SA ID = 10):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*Feb 12 12:48:19.182: IKEv2:(SESSION ID = 1070,SA ID = 10):Request queued for computation of DH key
*Feb 12 12:48:19.183: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 12 12:48:19.183: IKEv2:(SESSION ID = 1070,SA ID = 10):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 2
*Feb 12 12:48:19.184: IKEv2:(SESSION ID = 1070,SA ID = 10):Request queued for computation of DH secret
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Feb 12 12:48:19.185: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Feb 12 12:48:19.185: IKEv2:(SESSION ID = 1070,SA ID = 10):Generating IKE_SA_INIT message
*Feb 12 12:48:19.185: IKEv2:(SESSION ID = 1070,SA ID = 10):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA1 SHA96 DH_GROUP_1024_MODP/Group 2
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[PKI -> IKEv2] Retrieved trustpoint(s): 'CISCO_IDEVID_SUDI0' 'CISCO_IDEVID_SUDI'
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Feb 12 12:48:19.185: IKEv2:(SA ID = 10):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Feb 12 12:48:19.185: IKEv2:(SESSION ID = 1070,SA ID = 10):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : 08BCDEE47D7AC7D5 - Responder SPI : FF299FFE00986FD2 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Feb 12 12:48:19.186: IKEv2:(SESSION ID = 1070,SA ID = 10):Completed SA init exchange
*Feb 12 12:48:19.186: IKEv2:(SESSION ID = 1070,SA ID = 10):Starting timer (30 sec) to wait for auth message

*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Received Packet [From 52.140.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : 08BCDEE47D7AC7D5 - Responder SPI : FF299FFE00986FD2 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
IDi AUTH SA TSi TSr

*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Stopping timer to wait for auth message
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Checking NAT discovery
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):NAT not found
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Searching policy based on peer's identity '52.140.xxx.xxx' of type 'IPv4 address'
*Feb 12 12:48:19.222: IKEv2:found matching IKEv2 profile 'azure-wan1-vpn-profile'
*Feb 12 12:48:19.222: IKEv2:% Getting preshared key from profile keyring azure-wan1-vpn-keyring
*Feb 12 12:48:19.222: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 12 12:48:19.222: IKEv2:Searching Policy with fvrf 0, local address 117.242.xxx.xxx
*Feb 12 12:48:19.222: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Verify peer's policy
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Peer's policy verified
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Get peer's authentication method
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Peer's authentication method is 'PSK'
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Get peer's preshared key for 52.140.xxx.xxx
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Verify peer's authentication data
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Use preshared key for id 52.140.xxx.xxx, key len 32
*Feb 12 12:48:19.222: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 12 12:48:19.222: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Verification of peer's authenctication data PASSED
*Feb 12 12:48:19.222: IKEv2:(SESSION ID = 1070,SA ID = 10):Processing IKE_AUTH message
*Feb 12 12:48:19.225: IKEv2:IPSec policy validate request sent for profile azure-wan1-vpn-profile with psh index 10.

*Feb 12 12:48:19.225: IKEv2:(SESSION ID = 1070,SA ID = 10):
*Feb 12 12:48:19.227: IKEv2:(SA ID = 10):[IPsec -> IKEv2] Callback received for the validate proposal - FAILED.

*Feb 12 12:48:19.228: IKEv2-ERROR:(SESSION ID = 1070,SA ID = 10):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-GCM-256 Don't use ESN
*Feb 12 12:48:19.229:
*Feb 12 12:48:19.229: ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
*Feb 12 12:48:19.230:
*Feb 12 12:48:19.231: ESP: Proposal 3: 3DES SHA96 Don't use ESN
*Feb 12 12:48:19.232:
*Feb 12 12:48:19.232: ESP: Proposal 4: AES-CBC-256 SHA256 Don't use ESN
*Feb 12 12:48:19.233:
*Feb 12 12:48:19.234: ESP: Proposal 5: AES-CBC-128 SHA96 Don't use ESN
*Feb 12 12:48:19.235:
*Feb 12 12:48:19.235: ESP: Proposal 6: 3DES SHA256 Don't use ESN
*Feb 12 12:48:19.237:
*Feb 12 12:48:19.237:
*Feb 12 12:48:19.237: IKEv2-ERROR:(SESSION ID = 1070,SA ID = 10):Expected Policies: : Failed to find a matching policy
*Feb 12 12:48:19.237: IKEv2-ERROR:(SESSION ID = 1070,SA ID = 10):: Failed to find a matching policy
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Sending no proposal chosen notify
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Get my authentication method
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):My authentication method is 'PSK'
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Get peer's preshared key for 52.140.xxx.xxx
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Generate my authentication data
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Use preshared key for id 117.242.xxx.xxx, key len 32
*Feb 12 12:48:19.237: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 12 12:48:19.237: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Get my authentication method
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):My authentication method is 'PSK'
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Generating IKE_AUTH message
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Constructing IDr payload: '117.242.xxx.xxx' of type 'IPv4 address'
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Building packet for encryption.
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i0:f0]
Initiator SPI : 08BCDEE47D7AC7D5 - Responder SPI : FF299FFE00986FD2 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Feb 12 12:48:19.238: IKEv2:(SA ID = 10):[IKEv2 -> PKI] Close PKI Session
*Feb 12 12:48:19.238: IKEv2:(SA ID = 10):[PKI -> IKEv2] Closing of PKI Session PASSED
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):IKEV2 SA created; inserting SA into database. SA lifetime timer (3600 sec) started
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):Initializing DPD, configured for 0 seconds
*Feb 12 12:48:19.238: IKEv2:IKEv2 MIB tunnel started, tunnel index 10
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):Checking for duplicate IKEv2 SA
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):No duplicate IKEv2 SA found
*Feb 12 12:48:19.238: IKEv2:(SESSION ID = 1070,SA ID = 10):Starting timer (8 sec) to delete negotiation context
*Feb 12 12:48:19.465: IKEv2:(SESSION ID = 28,SA ID = 6):Retransmitting packet

*Feb 12 12:48:19.465: IKEv2:(SESSION ID = 28,SA ID = 6):Sending Packet [To 52.140.xxx.xxx:500/From 103.69.xxx.xxx:500/VRF i0:f0]
Initiator SPI : EBD2171A6C23DA39 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 12 12:48:21.158: IKEv2:% Getting preshared key from profile keyring azure-wan2-vpn-keyring
*Feb 12 12:48:21.158: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 12 12:48:21.158: IKEv2:Searching Policy with fvrf 0, local address 103.69.xxx.xxx
*Feb 12 12:48:21.158: IKEv2:Found Policy 'azure-wan2-vpn-policy'
*Feb 12 12:48:21.158: IKEv2:SA is already in negotiation, hence not negotiating again
*Feb 12 12:48:24.108: IKEv2-ERROR:(SESSION ID = 28,SA ID = 6):: Maximum number of retransmissions reached
*Feb 12 12:48:24.108: IKEv2:(SESSION ID = 28,SA ID = 6):Failed SA init exchange
*Feb 12 12:48:24.108: IKEv2-ERROR:(SESSION ID = 28,SA ID = 6):Initial exchange failed: Initial exchange failed
*Feb 12 12:48:24.108: IKEv2:(SESSION ID = 28,SA ID = 6):Abort exchange
*Feb 12 12:48:24.110: IKEv2:(SESSION ID = 28,SA ID = 6):Deleting SA
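The debug above interleaves four different stories: session 28 (the WAN2 initiator that never gets an IKE_SA_INIT reply and exhausts its retransmissions), sessions 1068 and 1069 (an unrelated address hitting the WAN1 side, rejected first for the wrong DH group and then because no IKEv2 profile matches it), and session 1070 (the Azure peer, which authenticates but then has every ESP proposal rejected). The following is an added example, not code from this thread or from Cisco, that groups debug crypto ikev2 lines by SESSION ID, records peer, local address and role, and prints one verdict per session, marking any peer outside an operator-supplied expected set. The sample is constructed and abridged from the debug above; the SSH source address in it is a documentation address.

```python
"""Triage helper for Cisco IOS `debug crypto ikev2` output (added example)."""
import re

# Constructed sample abridged from the thread's debug; addresses masked as in the post.
SAMPLE = """\
*Feb 12 12:47:19.687: IKEv2:(SESSION ID = 28,SA ID = 6):Sending Packet [To 52.140.xxx.xxx:500/From 103.69.xxx.xxx:500/VRF i0:f0]
Initiator SPI : EBD2171A6C23DA39 - Responder SPI : 0000000000000000 Message id: 0
*Feb 12 12:48:02.460: %SSH-4-SSH2_UNEXPECTED_MSG: Unexpected message type has arrived. Terminating the connection from 203.0.113.7
*Feb 12 12:48:13.977: IKEv2:Received Packet [From 112.133.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
*Feb 12 12:48:13.978: IKEv2:(SESSION ID = 1068,SA ID = 10):Verify SA init message
*Feb 12 12:48:13.989: IKEv2:(SESSION ID = 1068,SA ID = 10):Sending invalid ke notification, peer sent group 14, local policy prefers group 2
*Feb 12 12:48:14.090: IKEv2:Received Packet [From 112.133.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
*Feb 12 12:48:14.090: IKEv2:(SESSION ID = 1069,SA ID = 10):Verify SA init message
*Feb 12 12:48:14.199: IKEv2:(SESSION ID = 1069,SA ID = 10):Searching policy based on peer's identity '112.133.xxx.xxx' of type 'IPv4 address'
*Feb 12 12:48:14.199: IKEv2-ERROR:% IKEv2 profile not found
*Feb 12 12:48:19.181: IKEv2:Received Packet [From 52.140.xxx.xxx:500/To 117.242.xxx.xxx:500/VRF i0:f0]
*Feb 12 12:48:19.181: IKEv2:(SESSION ID = 1070,SA ID = 10):Verify SA init message
*Feb 12 12:48:19.228: IKEv2-ERROR:(SESSION ID = 1070,SA ID = 10):Received Policies: : Failed to find a matching policyESP: Proposal 1: AES-GCM-256 Don't use ESN
*Feb 12 12:48:19.229: ESP: Proposal 2: AES-CBC-256 SHA96 Don't use ESN
*Feb 12 12:48:19.231: ESP: Proposal 3: 3DES SHA96 Don't use ESN
*Feb 12 12:48:19.237: IKEv2:(SESSION ID = 1070,SA ID = 10):Sending no proposal chosen notify
*Feb 12 12:48:24.108: IKEv2-ERROR:(SESSION ID = 28,SA ID = 6):: Maximum number of retransmissions reached
"""

SESSION_RE = re.compile(r"\(SESSION ID = (\d+),SA ID = \d+\)")
SEND_RE = re.compile(r"Sending Packet \[To ([\d.x]+):\d+/From ([\d.x]+):\d+")
RECV_RE = re.compile(r"Received Packet \[From ([\d.x]+):\d+/To ([\d.x]+):\d+")
KE_RE = re.compile(r"peer sent group (\d+), local policy prefers group (\d+)")
ESP_RE = re.compile(r"ESP: Proposal \d+: (.+?) Don't use ESN")
IDENT_RE = re.compile(r"peer's identity '([\d.x]+)'")


def _new_session():
    return {"peer": None, "local": None, "role": None, "identity": None,
            "events": [], "peer_proposals": []}


def parse_ikev2_debug(text):
    """Group timestamped debug lines by SESSION ID and record terminal events."""
    sessions, last_sid, pending = {}, None, None
    for line in text.splitlines():
        if not line.startswith("*"):
            continue  # payload dumps ("Initiator SPI : ...") are not timestamped
        m = SESSION_RE.search(line)
        if m:
            last_sid = m.group(1)
            s = sessions.setdefault(last_sid, _new_session())
            sent = SEND_RE.search(line)
            if sent and s["peer"] is None:        # this router initiated the session
                s["peer"], s["local"], s["role"] = sent.group(1), sent.group(2), "initiator"
                pending = None
            elif s["peer"] is None and pending:   # untagged Received Packet just above
                s["peer"], s["local"], s["role"] = pending[0], pending[1], "responder"
                pending = None
        else:
            recv = RECV_RE.search(line)
            if recv:  # first packet of a responder session carries no SESSION ID yet
                pending = (recv.group(1), recv.group(2))
                continue
            if last_sid is None:
                continue  # unrelated syslog before any session exists
            s = sessions[last_sid]  # untagged follow-up lines belong to the last session
        ke = KE_RE.search(line)
        if ke:
            s["events"].append(("dh_group_mismatch",
                                f"peer DH group {ke.group(1)}, local policy prefers group {ke.group(2)}"))
        if "IKEv2 profile not found" in line:
            s["events"].append(("no_ikev2_profile", None))
        if "Sending no proposal chosen notify" in line:
            s["events"].append(("no_proposal_chosen", None))
        if "Maximum number of retransmissions reached" in line:
            s["events"].append(("peer_silent", None))
        esp = ESP_RE.search(line)
        if esp:
            s["peer_proposals"].append(esp.group(1))
        ident = IDENT_RE.search(line)
        if ident:
            s["identity"] = ident.group(1)
    return sessions


def summarize(sessions, known_peers):
    """One verdict per session; known_peers is the operator's expected peer set."""
    report = []
    for sid in sorted(sessions, key=int):
        s = sessions[sid]
        who = f"session {sid} ({s['role']}, peer {s['peer']} via {s['local']})"
        if s["peer"] not in known_peers:
            who += " [UNKNOWN PEER]"
        kinds = dict(s["events"])
        if "peer_silent" in kinds:
            report.append(f"{who}: no reply to IKE_SA_INIT; verify packets leave via the intended WAN interface")
        if "dh_group_mismatch" in kinds:
            report.append(f"{who}: IKE_SA_INIT rejected, {kinds['dh_group_mismatch']}")
        if "no_ikev2_profile" in kinds:
            report.append(f"{who}: no IKEv2 profile matches identity {s['identity']}; unsolicited or misconfigured peer")
        if "no_proposal_chosen" in kinds:
            report.append(f"{who}: IKE SA authenticated but IPsec proposal rejected; peer offered {', '.join(s['peer_proposals'])}")
    return report


if __name__ == "__main__":
    for verdict in summarize(parse_ikev2_debug(SAMPLE), {"52.140.xxx.xxx"}):
        print(verdict)
```

The responder-side bookkeeping matters: IOS prints the first Received Packet of a responder session without a SESSION ID, so the parser holds that peer/local pair until the next tagged line claims it. Feeding the known-peer set keeps the unknown-address sessions from being mistaken for the Azure tunnel under repair.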

@varunoberoi put each WAN interface in a dedicated VRF, leave the tunnel and inside networks in the global routing table.

I ran these commands, unsure if they are correct, but the IP addresses were removed from the Dialers as soon as I ran them.

config t
ip routing
ip vrf wan1-vrf
rd 51551:1
exit
interface dialer 1
ip vrf forwarding wan1-vrf
exit

ip vrf wan2-vrf
rd 51552:1
exit
interface dialer 2
ip vrf forwarding wan2-vrf
exit

Also, when you say leave the tunnel and inside networks in the global routing table, you mean I should let them be as they are, right?

@varunoberoi example

interface dialer 1
ip vrf forwarding wan1-vrf
!
interface tunnel 10
tunnel vrf wan1-vrf
!
crypto ikev2 policy azure-wan1-vpn-policy
match fvrf wan1-vrf
!
crypto ikev2 profile azure-wan1-vpn-profile
match fvrf wan1-vrf
!
ip route vrf wan1-vrf 0.0.0.0 0.0.0.0 1.1.1.2
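The front-door VRF layout in the example above only works when all four pieces agree: the WAN interface is in the VRF, the tunnel names that VRF with tunnel vrf, both the IKEv2 policy and the IKEv2 profile match fvrf on it, and the VRF has its own default route. A mismatch in any one of them leaves IKE in the wrong table. The following is an added consistency check, not code from this thread or from Cisco: it parses IOS-style config blocks and reports, per tunnel, which of those pieces is missing. The config it runs on is constructed; WAN1 follows the example, WAN2 is deliberately left incomplete, and the next hop 192.0.2.1 is a documentation placeholder standing in for the 1.1.1.2 above.

```python
"""Front-door-VRF (fvrf) consistency lint for IOS-style config (added example)."""

# Constructed config: wan1 is complete, wan2 lacks 'match fvrf' on its profile and a VRF default route.
SAMPLE_CONFIG = """\
interface Dialer1
 ip vrf forwarding wan1-vrf
!
interface Dialer2
 ip vrf forwarding wan2-vrf
!
interface Tunnel10
 tunnel source Dialer1
 tunnel vrf wan1-vrf
 tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
!
interface Tunnel11
 tunnel source Dialer2
 tunnel vrf wan2-vrf
 tunnel protection ipsec profile azure-wan2-vpn-IPsecProfile
!
crypto ikev2 policy azure-wan1-vpn-policy
 match fvrf wan1-vrf
!
crypto ikev2 policy azure-wan2-vpn-policy
 match fvrf wan2-vrf
!
crypto ikev2 profile azure-wan1-vpn-profile
 match fvrf wan1-vrf
!
crypto ikev2 profile azure-wan2-vpn-profile
 match identity remote address 52.140.xxx.xxx 255.255.255.255
!
crypto ipsec profile azure-wan1-vpn-IPsecProfile
 set ikev2-profile  azure-wan1-vpn-profile
!
crypto ipsec profile azure-wan2-vpn-IPsecProfile
 set ikev2-profile  azure-wan2-vpn-profile
!
ip route vrf wan1-vrf 0.0.0.0 0.0.0.0 192.0.2.1
"""


def parse_blocks(text):
    """Map each top-level config line to the list of its indented child lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if not line.startswith(" "):
            current = line
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def _first(body, prefix):
    """Value of the first child line starting with prefix, or None."""
    for child in body:
        if child.startswith(prefix):
            return child[len(prefix):].strip()
    return None


def lint_fvrf(blocks):
    """Per-tunnel findings for every piece of the fvrf layout that is missing."""
    iface_vrf = {k.split(None, 1)[1]: _first(b, "ip vrf forwarding ")
                 for k, b in blocks.items() if k.startswith("interface ")}
    profile_fvrf = {k.split()[-1]: _first(b, "match fvrf ")
                    for k, b in blocks.items() if k.startswith("crypto ikev2 profile ")}
    policy_fvrfs = {_first(b, "match fvrf ")
                    for k, b in blocks.items() if k.startswith("crypto ikev2 policy ")}
    ipsec_to_ikev2 = {k.split()[-1]: _first(b, "set ikev2-profile ")
                      for k, b in blocks.items() if k.startswith("crypto ipsec profile ")}
    vrf_default = {k.split()[3] for k in blocks
                   if k.startswith("ip route vrf ") and " 0.0.0.0 0.0.0.0 " in k}
    findings = []
    for k, b in blocks.items():
        if not k.startswith("interface Tunnel"):
            continue
        name = k.split(None, 1)[1]
        fvrf = _first(b, "tunnel vrf ")
        if fvrf is None:
            findings.append(f"{name}: no 'tunnel vrf', IKE/ESP will use the global table")
            continue
        src = _first(b, "tunnel source ")
        if iface_vrf.get(src) != fvrf:
            findings.append(f"{name}: tunnel source {src} is not in VRF {fvrf}")
        ike = ipsec_to_ikev2.get(_first(b, "tunnel protection ipsec profile "))
        if profile_fvrf.get(ike) != fvrf:
            findings.append(f"{name}: IKEv2 profile {ike} lacks 'match fvrf {fvrf}'")
        if fvrf not in policy_fvrfs:
            findings.append(f"{name}: no IKEv2 policy has 'match fvrf {fvrf}'")
        if fvrf not in vrf_default:
            findings.append(f"{name}: VRF {fvrf} has no default route")
    return findings


if __name__ == "__main__":
    for finding in lint_fvrf(parse_blocks(SAMPLE_CONFIG)):
        print(finding)
```

On the constructed config Tunnel10 passes and Tunnel11 produces two findings, the missing match fvrf on its IKEv2 profile and the missing default route in wan2-vrf; either one alone is enough to keep that tunnel DOWN-NEGOTIATING.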

 

This did not work, the tunnel status stayed on DOWN or DOWN-NEGOTIATING.

@varunoberoi What did you configure? What was the output of the debugs?

Regardless, having 3 default routes with the same cost is going to cause you issues, hence the suggestion to use a unique VRF per outside interface - traffic received on an interface will be returned via the same interface.

OK, I solved it by defining an interface as the tunnel source instead of an IP address. So,

interface tunnel 10
tunnel source Dialer1
interface tunnel 11
tunnel source Dialer2

This solved it. Both tunnels are stable and active. Now, with some SLA tracks I will automate the routes in case one tunnel fails.


Though the problem is solved, just for future reference and my own knowledge, I tried to configure VRF. I ran the following commands:

After factory resetting the router for a fresh start, I only set up WAN1 and Tunnel10 and added the VRF commands as you had mentioned. I didn't understand what exactly my route should be, but this is my running configuration.

OrionRouter#sh run
Building configuration...

Current configuration : 4087 bytes
!
! Last configuration change at 20:10:32 UTC Sun Feb 13 2022
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname OrionRouter
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$DC9B$al4nxHk3NUsrRpIPALvaw/
enable password orionrouter
!
no aaa new-model
!
ip vrf wan1-vrf
 rd 64512:1
!
!
!

!
ip dhcp pool LAN1
 network 10.1.0.0 255.255.240.0
 default-router 10.1.0.1
 dns-server 8.8.8.8 10.1.0.2
!
ip dhcp pool SP0101
 host 10.1.0.2 255.255.240.0
 client-identifier 01f0.d4e2.e724.0b
 default-router 10.1.0.1
 dns-server 8.8.8.8 218.248.114.193 10.1.0.2
 lease infinite
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0/4
 no watchdog
!
license udi pid ISR4451-X/K9 sn FOC230303Q5
license boot level uck9
license boot level securityk9
spanning-tree extend system-id
!
!
redundancy
 mode none
!
crypto ikev2 proposal std-vpn-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy azure-wan1-vpn-policy
 match fvrf wan1-vrf
 proposal std-vpn-proposal
!
crypto ikev2 keyring azure-wan1-vpn-keyring
 peer 52.140.xxx.xxx
  address 52.140.xxx.xxx
  pre-shared-key secretpass
 !
!
!
crypto ikev2 profile azure-wan1-vpn-profile
 match fvrf wan1-vrf
 match identity remote address 52.140.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-wan1-vpn-keyring
 lifetime 3600
 dpd 10 5 on-demand
!
!
!
vlan internal allocation policy ascending
!
ip tftp source-interface GigabitEthernet0
!
!
!
!
!
!
!
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
 mode tunnel
!
crypto ipsec profile azure-wan1-vpn-IPsecProfile
 set transform-set std-vpn-TransformSet
 set ikev2-profile azure-wan1-vpn-profile
!
!
!
!
!
!
!
!
!
!
interface Tunnel10
 ip address 169.254.0.1 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 52.140.xxx.xxx
 tunnel vrf wan1-vrf
 tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
!
interface GigabitEthernet0/0/0
 ip address 10.1.0.1 255.255.240.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0/0/3
 no ip address
 shutdown
 negotiation auto
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.1.100.1 255.255.255.0
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
interface Dialer1
 ip vrf forwarding wan1-vrf
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1442
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname or1662298533_nid@ftth.bsnl.in
 ppp chap password 0 password
!
ip nat inside source route-map wan1-nat interface Dialer1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route vrf wan1-vrf 10.0.0.0 255.255.254.0 1.1.1.2
!
!
access-list 100 permit ip 10.1.0.0 0.0.15.255 any
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
access-list 101 permit esp host 52.140.xxx.xxx host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 117.242.xxx.xxx
!
route-map wan1-nat permit 10
 match ip address 100
 match interface Dialer1
!
snmp-server community cisco RO
!
!
control-plane
!
 !
 !
 !
 !
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password passxxx
 login
!
!
end

The VPN connection is down; output of debug crypto ikev2:

OrionRouter#
*Feb 13 20:19:01.171: IKEv2:% Getting preshared key from profile keyring azure-wan1-vpn-keyring
*Feb 13 20:19:01.171: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 13 20:19:01.171: IKEv2:Searching Policy with fvrf 2, local address 117.242.xxx.xxx
*Feb 13 20:19:01.171: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 2
*Feb 13 20:19:01.171: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Feb 13 20:19:01.171: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA1   SHA96   DH_GROUP_1024_MODP/Group 2

*Feb 13 20:19:01.171: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 13 20:19:01.172: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
*Feb 13 20:19:03.098: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Feb 13 20:19:03.098: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 13 20:19:07.032: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Feb 13 20:19:07.032: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 13 20:19:14.682: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Feb 13 20:19:14.682: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 13 20:19:29.180: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Feb 13 20:19:29.180: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 52.140.xxx.xxx:500/From 117.242.xxx.xxx:500/VRF i2:f2]
Initiator SPI : FF69010DB8A2746F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb 13 20:19:31.171: IKEv2:% Getting preshared key from profile keyring azure-wan1-vpn-keyring
*Feb 13 20:19:31.171: IKEv2:% Matched peer block '52.140.xxx.xxx'
*Feb 13 20:19:31.172: IKEv2:Searching Policy with fvrf 2, local address 117.242.xxx.xxx
*Feb 13 20:19:31.172: IKEv2:Found Policy 'azure-wan1-vpn-policy'
*Feb 13 20:19:31.172: IKEv2:SA is already in negotiation, hence not negotiating again

...

Can I see the output of show ip route vrf wan1-vrf on the router?

Friend, just share the config of the Dialer interface and the VTI; I will take a look and reply with the needed commands.

1. My entire running configuration

2. Commands I am running to configure the Tunnel10 VPN (Azure - WAN1)

3. Commands I want to run to configure the Tunnel11 VPN (Azure - WAN2)

OrionRouter#sh run
Building configuration...

Current configuration : 5208 bytes
!
! Last configuration change at 05:56:24 UTC Sun Feb 13 2022
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname OrionRouter
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$nz7j$eHp886tm/7syxaMCfYh3h/
enable password orionrouter
!
no aaa new-model
no process cpu autoprofile hog
!
!
!

ip dhcp excluded-address 10.1.0.3 10.1.0.150
!
ip dhcp pool LAN1
 network 10.1.0.0 255.255.240.0
 default-router 10.1.0.1
 dns-server 8.8.8.8 10.1.0.2
!
ip dhcp pool SP0101
 host 10.1.0.2 255.255.240.0
 client-identifier 01f0.d4e2.e724.0b
 default-router 10.1.0.1
 dns-server 8.8.8.8 10.1.0.2
 lease infinite
!
!
!
!
!
!
!
!
!
!
subscriber templating
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0/4
 no watchdog
!
license udi pid ISR4451-X/K9 sn FOC230303Q5
license boot level uck9
license boot level securityk9
spanning-tree extend system-id
!
!
redundancy
 mode none
!
crypto ikev2 proposal std-vpn-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy azure-wan1-vpn-policy
 match address local 117.242.xxx.xxx
 proposal std-vpn-proposal
!
crypto ikev2 keyring azure-wan1-vpn-keyring
 peer 52.140.xxx.xxx
  address 52.140.xxx.xxx
  pre-shared-key secretpass
 !
!
!
crypto ikev2 profile azure-wan1-vpn-profile
 match address local 117.242.xxx.xxx
 match identity remote address 52.140.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-wan1-vpn-keyring
 lifetime 3600
 dpd 10 5 on-demand
!
!
!
vlan internal allocation policy ascending
no cdp run
!
ip tftp source-interface GigabitEthernet0
!
!
!
!
!
!
!
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
 mode tunnel
!
crypto ipsec profile azure-wan1-vpn-IPsecProfile
 set transform-set std-vpn-TransformSet
 set ikev2-profile azure-wan1-vpn-profile
!
!
!
!
!
!
!
!
!
!
interface Tunnel10
 ip address 169.254.0.1 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source 117.242.xxx.xxx
 tunnel mode ipsec ipv4
 tunnel destination 52.140.xxx.xxx
 tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
!
interface GigabitEthernet0/0/0
 ip address 10.1.0.1 255.255.240.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/0/2
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/0/3
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 3
!
interface Service-Engine0/4/0
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 10.1.100.1 255.255.255.0
 negotiation auto
 no cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1442
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname or16xxxxx3_nid@ftth.bsnl.in
 ppp chap password 0 password
 no cdp enable
!
interface Dialer2
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1442
 dialer pool 2
 dialer-group 2
 ppp authentication pap callin
 ppp pap sent-username 98xxxx62 password 0 7xxx2
 no cdp enable
!
interface Dialer3
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1442
 dialer pool 3
 dialer-group 3
 ppp authentication pap callin
 ppp pap sent-username xxxxx password 0 3424xxxx
 no cdp enable
!
ip nat inside source route-map wan1-nat interface Dialer1 overload
ip nat inside source route-map wan2-nat interface Dialer2 overload
ip nat inside source route-map wan3-nat interface Dialer3 overload
ip nat inside source static tcp 10.1.0.2 3000 117.242.xxx.xxx 3000 extendable
ip nat inside source static tcp 10.1.0.2 4000 117.242.xxx.xxx 4000 extendable
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 10.0.0.0 255.255.254.0 Tunnel10
!
!
access-list 100 permit ip 10.1.0.0 0.0.15.255 any
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
access-list 101 permit esp host 52.140.xxx.xxx host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 117.242.xxx.xxx
!
route-map wan2-nat permit 10
 match ip address 100
 match interface Dialer2
!
route-map wan3-nat permit 10
 match ip address 100
 match interface Dialer3
!
route-map wan1-nat permit 10
 match ip address 100
 match interface Dialer1
!
snmp-server community cisco RO
!
!
control-plane
!
 !
 !
 !
 !
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password xxxxxxx
 login
!
!
end
! ----------------------------------------------------------------------------
! Azure VPN Setup (assumes parallel settings done at the Azure Portal)
! Securityk9 license must be configured on the router
! ----------------------------------------------------------------------------
config t

!----------- Azure VPN Config ------------
crypto ikev2 proposal std-vpn-proposal
encryption aes-cbc-256
integrity sha1
group 2
exit

!-----------Create a transform-set------------
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256 
mode tunnel
exit

exit
! ----------------------------------------------------------------------------
! Azure VPN Setup (assumes parallel settings done at the Azure Portal)
! Securityk9 license must be configured on the router
! ----------------------------------------------------------------------------
config t

!-----------Create a policy------------
crypto ikev2 policy azure-wan1-vpn-policy
proposal std-vpn-proposal
match address local 117.242.xxx.xxx
exit

!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan1-vpn-keyring
peer 52.140.xxx.xxx
address 52.140.xxx.xxx
pre-shared-key secretpass
exit
exit

!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan1-vpn-profile
match address local 117.242.xxx.xxx
match identity remote address 52.140.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
lifetime 3600
dpd 10 5 on-demand
keyring local azure-wan1-vpn-keyring
exit

!-----------Create an access list------------
access-list 101 permit ip 10.1.0.0 0.0.15.255 10.0.0.0 0.0.1.255
! REPLACE 52.140.xxx.xxx with Azure VPN IP address
! REPLACE 117.242.xxx.xxx with WAN Static IP address
access-list 101 permit esp host 52.140.xxx.xxx host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq isakmp host 117.242.xxx.xxx
access-list 101 permit udp host 52.140.xxx.xxx eq non500-isakmp host 117.242.xxx.xxx

crypto ipsec profile azure-wan1-vpn-IPsecProfile
set transform-set  std-vpn-TransformSet
set ikev2-profile  azure-wan1-vpn-profile
set security-association lifetime seconds 3600
exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)

int tunnel 10
ip address 169.254.0.1 255.255.255.255
tunnel mode ipsec ipv4
ip tcp adjust-mss 1350
! sourcing by IP is what the accepted fix above replaces with: tunnel source Dialer1
tunnel source 117.242.xxx.xxx
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
exit

! ------------------------------------------------------------------------------
! Static routes
! - Adding the static routes to point the VNet prefixes to the IPsec tunnels
! * REPLACE: Tunnel interface number(s), default tunnel 11 and tunnel 12

ip route 10.0.0.0 255.255.254.0 Tunnel 10
exit
! ----------------------------------------------------------------------------
! Azure VPN Setup (assumes parallel settings done at the Azure Portal)
! Securityk9 license must be configured on the router
! ----------------------------------------------------------------------------
config t
!REPLACE: below local IP with WAN static ip
!-----------Create a policy------------
crypto ikev2 policy azure-wan2-vpn-policy
proposal std-vpn-proposal
match address local 103.69.xxx.xxx
exit

!-----------Create Pre-Shared key------------
crypto ikev2 keyring azure-wan2-vpn-keyring
peer 52.140.xxx.xxx
address 52.140.xxx.xxx
pre-shared-key secretpass
exit
exit

!---------- Create Ikev2 profile-------------
crypto ikev2 profile azure-wan2-vpn-profile
match address local 103.69.xxx.xxx
match identity remote address 52.140.xxx.xxx 255.255.255.255
authentication remote pre-share
authentication local pre-share
lifetime 3600
dpd 10 5 on-demand
keyring local azure-wan2-vpn-keyring
exit

crypto ipsec profile azure-wan2-vpn-IPsecProfile
set transform-set  std-vpn-TransformSet
set ikev2-profile  azure-wan2-vpn-profile
set security-association lifetime seconds 3600
exit

! ------------------------------------------------------------------------------
! Tunnel interface (VTI) configuration
! - Create/configure a tunnel interface
! - Configure an APIPA (169.254.x.x) address that does NOT overlap with any
!   other address on this device. This is not visible from the Azure gateway.
! * REPLACE: Tunnel interface numbers and APIPA IP addresses below
! *  - Increment the tunnel # and the last digit of the IP address
! * Default tunnel interface 11 (169.254.0.1) and 12 (169.254.0.2)

int tunnel 11
ip address 169.254.0.2 255.255.255.255
tunnel mode ipsec ipv4
ip tcp adjust-mss 1350
! sourcing by IP is what the accepted fix above replaces with: tunnel source Dialer2
tunnel source 103.69.xxx.xxx
tunnel destination 52.140.xxx.xxx
tunnel protection ipsec profile azure-wan2-vpn-IPsecProfile
exit

exit
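Pulling the thread together as one configuration: an added example, not posted by anyone in this thread, that combines the fVRF-per-WAN design suggested earlier with the accepted fix (tunnel source by interface) and the SLA-style failover the solved post says is next. It is written against the Tunnel10/Tunnel11 commands posted above. Assumed, not from the thread: the VRF name wan2-vrf and RD 64512:2, a single shared keyring named azure-keyring, track objects 10 and 11, and that Azure already has a second local network gateway and connection for the WAN2 public address (one connection per on-prem public IP). The Dialer PPP/CHAP lines, NAT and LAN config are left as they are in the posted running config and are not repeated here; NAT breakout across the VRF boundary is a separate topic and is not shown.

```cisco
! Added example (not from this thread): two IPsec VTIs to one Azure VPN gateway,
! one per PPPoE WAN, each WAN in its own front-door VRF, tracked routes for failover.
! Assumed: Azure gateway 52.140.xxx.xxx, VNet 10.0.0.0/23, LAN 10.1.0.0/20.
!
! 1. One fVRF per WAN. Dialers move into the VRFs; LAN and tunnels stay global.
ip vrf wan1-vrf
 rd 64512:1
ip vrf wan2-vrf
 rd 64512:2
!
interface Dialer1
 ip vrf forwarding wan1-vrf
 ip address negotiated          ! re-applied: ip vrf forwarding clears the address
 ip mtu 1492
 ip tcp adjust-mss 1442
interface Dialer2
 ip vrf forwarding wan2-vrf
 ip address negotiated
 ip mtu 1492
 ip tcp adjust-mss 1442
!
! Each VRF needs its own default route. The PPPoE address is negotiated, so point
! at the Dialer rather than at a next-hop IP. This is what makes IKE/ESP for
! Tunnel11 leave via Dialer2 instead of following a global default via Dialer1.
ip route vrf wan1-vrf 0.0.0.0 0.0.0.0 Dialer1
ip route vrf wan2-vrf 0.0.0.0 0.0.0.0 Dialer2
!
! 2. IKEv2: one proposal and transform-set, one policy and profile per fVRF.
!    Matching on fvrf instead of "match address local" survives a changed WAN IP.
!    (aes-cbc-256/sha1/group 2 kept from the thread; Azure also accepts
!    group 14 and sha256, which are the better choice.)
crypto ikev2 proposal std-vpn-proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
crypto ikev2 keyring azure-keyring
 peer azure
  address 52.140.xxx.xxx
  pre-shared-key secretpass
crypto ikev2 policy azure-wan1-vpn-policy
 match fvrf wan1-vrf
 proposal std-vpn-proposal
crypto ikev2 policy azure-wan2-vpn-policy
 match fvrf wan2-vrf
 proposal std-vpn-proposal
crypto ikev2 profile azure-wan1-vpn-profile
 match fvrf wan1-vrf
 match identity remote address 52.140.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-keyring
 dpd 10 5 on-demand
crypto ikev2 profile azure-wan2-vpn-profile
 match fvrf wan2-vrf
 match identity remote address 52.140.xxx.xxx 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local azure-keyring
 dpd 10 5 on-demand
crypto ipsec transform-set std-vpn-TransformSet esp-gcm 256
 mode tunnel
crypto ipsec profile azure-wan1-vpn-IPsecProfile
 set transform-set std-vpn-TransformSet
 set ikev2-profile azure-wan1-vpn-profile
crypto ipsec profile azure-wan2-vpn-IPsecProfile
 set transform-set std-vpn-TransformSet
 set ikev2-profile azure-wan2-vpn-profile
!
! 3. VTIs: source by interface (the accepted fix) and bind the outer packets
!    to that WAN's VRF, so "ip mtu idb" in show crypto ipsec sa follows the
!    right Dialer for each tunnel.
interface Tunnel10
 ip address 169.254.0.1 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source Dialer1
 tunnel mode ipsec ipv4
 tunnel destination 52.140.xxx.xxx
 tunnel vrf wan1-vrf
 tunnel protection ipsec profile azure-wan1-vpn-IPsecProfile
interface Tunnel11
 ip address 169.254.0.2 255.255.255.255
 ip tcp adjust-mss 1350
 tunnel source Dialer2
 tunnel mode ipsec ipv4
 tunnel destination 52.140.xxx.xxx
 tunnel vrf wan2-vrf
 tunnel protection ipsec profile azure-wan2-vpn-IPsecProfile
!
! 4. Failover. A VTI's line protocol drops when its IPsec SA is gone (DPD above
!    detects a dead peer), so track that and tie the VNet routes to it.
!    Tunnel11 gets AD 10 to act as standby; drop the "10" to install both
!    routes and load-share across the two tunnels instead.
track 10 interface Tunnel10 line-protocol
track 11 interface Tunnel11 line-protocol
ip route 10.0.0.0 255.255.254.0 Tunnel10 track 10
ip route 10.0.0.0 255.255.254.0 Tunnel11 10 track 11
```

Checks after applying: show ip route vrf wan1-vrf and show ip route vrf wan2-vrf should each show a default via their own Dialer; show crypto ikev2 sa should list two SAs with fvrf/ivrf of wan1-vrf/global and wan2-vrf/global; show track should report both objects Up; and show ip route 10.0.0.0 should show only the Tunnel10 route while both tunnels are healthy. If you would rather track end-to-end reachability than SA state, swap each track object for an ip sla icmp-echo probe to a VNet host, and pin that probe target with a /32 static route via the tunnel being tracked so the probe cannot fail over and hide the outage.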