10-07-2021 03:09 AM
What has to match in the configs? I have no DNS in the network and would like to use PSK (no certs). I tried various combinations without any success so far. SW IOS XE 17.3.3
Debug IKEv2 all:
...
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Checking NAT discovery
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):NAT not found
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Searching policy based on peer's identity '10.214.0.68' of type 'IPv4 address'
*Oct 6 17:26:53.833 CEST: IKEv2:found matching IKEv2 profile 'CRY_IKEV2_PROFILE'
*Oct 6 17:26:53.833 CEST: IKEv2:% Getting preshared key from profile keyring CRY_IKEV2_KEYRING
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Searching Policy with fvrf 0, local address 10.214.0.255
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Using the Default Policy for Proposal
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Found Policy 'default'
*Oct 6 17:26:53.833 CEST: IKEv2:not a VPN-SIP session
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Verify peer's policy
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Peer's policy verified
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Get peer's authentication method
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Peer's authentication method is 'PSK'
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Get peer's preshared key for 10.214.0.68
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Verify peer's authentication data
*Oct 6 17:26:53.833 CEST: IKEv2-ERROR:(SESSION ID = 360,SA ID = 1):: Failed to authenticate the IKE SA
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Verification of peer's authentication data FAILED
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Sending authentication failure notify
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Sending Packet [To 10.214.240.10:500/From 10.214.0.255:500/VRF i0:f0]
Initiator SPI : DC19B4254BB0C960 - Responder SPI : 3F580AF81180425F Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Auth exchange failed
*Oct 6 17:26:53.834 CEST: IKEv2-ERROR:(SESSION ID = 360,SA ID = 1):: Auth exchange failed
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Abort exchange
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Deleting SA
*Oct 6 17:26:53.834 CEST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Oct 6 17:26:53.834 CEST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
...
Hub Config:
-------------------------------------------------------
aaa authorization network AAA_FLEXVPN_LOCAL local
!
crypto ikev2 authorization policy CRY_IKEV2_AUTHORIZATION
 route set interface
 route set access-list ACL_FLEXVPN_ROUTES
!
crypto ikev2 keyring CRY_IKEV2_KEYRING
 peer ANY
  address 10.214.0.0 255.255.255.0
  identity address 10.214.0.255
  pre-shared-key asdf
!
crypto ikev2 profile CRY_IKEV2_PROFILE
 match identity remote address 10.214.0.0 255.255.255.0
 identity local address 10.214.0.255
 authentication remote pre-share
 authentication local pre-share
 keyring local CRY_IKEV2_KEYRING
 aaa authorization group psk list AAA_FLEXVPN_LOCAL CRY_IKEV2_AUTHORIZATION
 virtual-template 1
!
crypto ipsec profile CRY_IPSEC_PROFILE
 set ikev2-profile CRY_IKEV2_PROFILE
!
interface Loopback1
 ip address 10.214.0.255 255.255.255.255
!
interface GigabitEthernet6
 ip address 10.214.63.225 255.255.255.240
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel source GigabitEthernet6
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile CRY_IPSEC_PROFILE
!
ip route 10.214.0.64 255.255.255.248 10.214.63.238
ip route 10.214.240.0 255.255.240.0 10.214.63.238
!
ip access-list standard ACL_FLEXVPN_ROUTES
 10 permit any
Spoke Config:
-------------------------------------------------------
aaa authorization network AAA_FLEXVPN_LOCAL local
!
crypto ikev2 authorization policy CRY_IKEV2_AUTHORIZATION
 route set interface
 route set access-list ACL_FLEXVPN_ROUTES
!
crypto ikev2 keyring CRY_IKEV2_KEYRING
 peer ANY
  address 10.214.0.0 255.255.255.0
  identity address 10.214.0.68
  pre-shared-key asdf
!
crypto ikev2 profile CRY_IKEV2_PROFILE
 match identity remote address 10.214.0.254 255.255.255.255
 match identity remote address 10.214.0.255 255.255.255.255
 identity local address 10.214.0.68
 authentication remote pre-share
 authentication local pre-share
 keyring local CRY_IKEV2_KEYRING
 aaa authorization group psk list AAA_FLEXVPN_LOCAL CRY_IKEV2_AUTHORIZATION
!
crypto ikev2 client flexvpn CRY_FLEX_CLIENT
 peer 1 10.214.0.254
 peer 2 10.214.0.255
 client connect Tunnel0
!
crypto ipsec profile CRY_IPSEC_PROFILE
 set ikev2-profile CRY_IKEV2_PROFILE
!
interface Loopback0
 ip address 10.214.0.68 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1300
 keepalive 10 3
 tunnel source Cellular0/1/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile CRY_IPSEC_PROFILE
!
interface Cellular0/1/0
 ip address negotiated
 ip tcp adjust-mss 1240
 dialer in-band
 dialer idle-timeout 0
 dialer-group 1
 ipv6 enable
 pulse-time 1
!
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip route 10.214.0.0 255.255.0.0 Tunnel0 250
ip route 10.214.0.255 255.255.255.255 Cellular0/1/0 250
ip ssh version 2
ip scp server enable
!
!
ip access-list standard ACL_FLEXVPN_ROUTES
 10 permit 10.214.0.68
!
dialer-list 1 protocol ip permit
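Added here as a worked example, not part of the thread or of any Cisco tooling: a small Python parser for the IOS XE "debug crypto ikev2" format shown above that groups lines per SESSION ID and summarises why a PSK IKE_AUTH was rejected. The sample input is constructed in the format of the post's debug; the wording of the PASSED line and the attribution of session-less lines (profile and keyring lookups) to the most recent session are assumptions.

```python
import re

# Constructed sample in the format of the "debug crypto ikev2" output above: session 360 is the
# failing exchange from the post, session 361 an added success case (PASSED wording assumed).
SAMPLE_DEBUG = """\
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Searching policy based on peer's identity '10.214.0.68' of type 'IPv4 address'
*Oct 6 17:26:53.833 CEST: IKEv2:found matching IKEv2 profile 'CRY_IKEV2_PROFILE'
*Oct 6 17:26:53.833 CEST: IKEv2:% Getting preshared key from profile keyring CRY_IKEV2_KEYRING
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Peer's authentication method is 'PSK'
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Verification of peer's authentication data FAILED
*Oct 6 17:27:10.101 CEST: IKEv2:(SESSION ID = 361,SA ID = 2):Searching policy based on peer's identity '10.214.0.70' of type 'IPv4 address'
*Oct 6 17:27:10.101 CEST: IKEv2:found matching IKEv2 profile 'CRY_IKEV2_PROFILE'
*Oct 6 17:27:10.101 CEST: IKEv2:(SESSION ID = 361,SA ID = 2):Peer's authentication method is 'PSK'
*Oct 6 17:27:10.102 CEST: IKEv2:(SESSION ID = 361,SA ID = 2):Verification of peer's authentication data PASSED
"""
SESSION_RE = re.compile(r"IKEv2(?:-ERROR)?:\(SESSION ID = (\d+),")
PATTERNS = {  # record field -> regex whose group 1 is the value
    "peer_identity": re.compile(r"peer's identity '([^']+)'"),
    "profile": re.compile(r"found matching IKEv2 profile '([^']+)'"),
    "keyring": re.compile(r"preshared key from profile keyring (\S+)"),
    "auth_method": re.compile(r"authentication method is '([^']+)'"),
    "auth_result": re.compile(r"Verification of peer's authentication data (\w+)"),
}

def parse_ikev2_debug(text):
    """Group debug lines by SESSION ID and keep the fields that matter for PSK triage. Lines
    without a SESSION ID (profile/keyring lookups) are attributed to the most recent session."""
    sessions, current = {}, None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = sessions.setdefault(m.group(1), {"session": m.group(1)})
        if current is None:
            continue
        for name, rx in PATTERNS.items():
            hit = rx.search(line)
            if hit:
                current[name] = hit.group(1)
    return sessions

def psk_failure_hint(rec):
    """Explain a FAILED verdict for a PSK session. The IKEv2 AUTH payload is a PRF over the
    shared key and the signed octets, which include the sender's ID payload (RFC 7296 sec. 2.15),
    so it fails when the key or the identity differs between the peers, even though the
    responder did find a keyring entry for the identity it received."""
    if rec.get("auth_result") != "FAILED" or rec.get("auth_method") != "PSK":
        return None
    return (f"session {rec['session']}: peer {rec.get('peer_identity')} matched profile "
            f"{rec.get('profile')} / keyring {rec.get('keyring')} but AUTH did not verify; "
            "compare the pre-shared-key and the identity each side selects for this peer")
```

Run it over a captured debug file instead of the sample to get one summary line per failed session, which is quicker than reading the full trace when several spokes are dialling in.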
10-07-2021 03:23 AM
The "identity address" command is used to specify the peer using their identity, but you appear to have specified the local IP address of the loopback interface.
Can you remove the "identity address x.x.x.x" from the keyring of both the hub and spoke? You are matching using "address x.x.x.x x.x.x.x" of the remote peer anyway, so you don't need to match on "identity address" as well.
HTH
10-07-2021 03:31 AM
Hi Rob
Thanks for the fast reply. I used to have the config without identity address in the keyring section. The result was similar to what I have added in the debug. I will be back at the site tomorrow and redo the test, however I think that I've already been there.
But just for proper understanding: do "identity address" and "address" in the keyring both refer to remote FlexVPN peers and serve for IKEv2 identification?
Kind regards,
Mat
10-07-2021 04:03 AM - edited 10-07-2021 05:08 AM
@MATTHIAS SCHAERER yes, "identity address" and "address" both refer to the peer's identity.
05-30-2025 09:35 PM - edited 05-30-2025 09:37 PM
Did this ever get solved? It looks like a bug to me, and I'm experiencing the same thing, very similar to the above problem. I upgraded to the latest IOS XE code today to rule that out, but still have the auth error. It seems to be something related to the virtual-template being used, as if I configure two spokes with a hard-set tunnel (i.e. a TUN222 interface), they pass IKEv2. Should add that I tried both PSK from within a crypto ike keyring and by setting the password within the ikev2 profile. Both options fail from the headend to the spoke but work on the spoke when the tunnel is fixed with a real number (non-virtual-template). Here is the debug snippet from the headend router:
May 30 2025 21:26:42 PDT: IKEv2:(SESSION ID = 2177,SA ID = 1):Auth exchange failed
May 30 2025 21:26:42 PDT: IKEv2-ERROR:(SESSION ID = 2177,SA ID = 1):: Auth exchange failed
May 30 2025 21:26:42 PDT: IKEv2:(SESSION ID = 2177,SA ID = 1):Abort exchange
May 30 2025 21:26:42 PDT: IKEv2:(SESSION ID = 2177,SA ID = 1):Deleting SA
May 30 2025 21:26:42 PDT: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
May 30 2025 21:26:42 PDT: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
May 30 2025 21:26:42 PDT: IKEv2:(SESSION ID = 2178,SA ID = 2):Verification of peer's authentication data FAILED
May 30 2025 21:26:42 PDT: IKEv2:(SESSION ID = 2178,SA ID = 2):Sending authentication failure notify
May 30 2025 21:26:42 PDT: IKEv2:(SESSION ID = 2178,SA ID = 2):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
May 30 2025 21:26:42 PDT: IKEv2:(SESSION ID = 2178,SA ID = 2):Sending Packet [To 192.168.10.2:500/From 192.168.10.12:500/VRF i0:f0]
Initiator SPI : 6F7111E396259C19 - Responder SPI : C209631C67339892 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
May 30 2025 21:26:42 PDT: IKEv2:(SESSION ID = 2178,SA ID = 2):Auth exchange failed
10-07-2021 08:27 AM
follow