FlexVPN: IKEv2 Verification of peer's authentication data FAILED

What has to match in the configs? I have no DNS in the network and would like to use PSK (no certs). I tried various combinations without any success so far. SW IOS XE 17.3.3

 

Debug IKEv2 all:

...

*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Checking NAT discovery
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):NAT not found
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Searching policy based on peer's identity '10.214.0.68' of type 'IPv4 address'
*Oct 6 17:26:53.833 CEST: IKEv2:found matching IKEv2 profile 'CRY_IKEV2_PROFILE'
*Oct 6 17:26:53.833 CEST: IKEv2:% Getting preshared key from profile keyring CRY_IKEV2_KEYRING
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Searching Policy with fvrf 0, local address 10.214.0.255
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Using the Default Policy for Proposal
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Found Policy 'default'
*Oct 6 17:26:53.833 CEST: IKEv2:not a VPN-SIP session
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Verify peer's policy
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Peer's policy verified
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Get peer's authentication method
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Peer's authentication method is 'PSK'
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Get peer's preshared key for 10.214.0.68
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Verify peer's authentication data
*Oct 6 17:26:53.833 CEST: IKEv2-ERROR:(SESSION ID = 360,SA ID = 1):: Failed to authenticate the IKE SA
*Oct 6 17:26:53.833 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Verification of peer's authentication data FAILED
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Sending authentication failure notify
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Sending Packet [To 10.214.240.10:500/From 10.214.0.255:500/VRF i0:f0]
Initiator SPI : DC19B4254BB0C960 - Responder SPI : 3F580AF81180425F Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Auth exchange failed
*Oct 6 17:26:53.834 CEST: IKEv2-ERROR:(SESSION ID = 360,SA ID = 1):: Auth exchange failed
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Abort exchange
*Oct 6 17:26:53.834 CEST: IKEv2:(SESSION ID = 360,SA ID = 1):Deleting SA
*Oct 6 17:26:53.834 CEST: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Oct 6 17:26:53.834 CEST: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED

...

 

Hub Config:

-------------------------------------------------------

aaa authorization network AAA_FLEXVPN_LOCAL local
!
crypto ikev2 authorization policy CRY_IKEV2_AUTHORIZATION
 route set interface
 route set access-list ACL_FLEXVPN_ROUTES
!
crypto ikev2 keyring CRY_IKEV2_KEYRING
 peer ANY
  address 10.214.0.0 255.255.255.0
  identity address 10.214.0.255
  pre-shared-key asdf
!
crypto ikev2 profile CRY_IKEV2_PROFILE
 match identity remote address 10.214.0.0 255.255.255.0
 identity local address 10.214.0.255
 authentication remote pre-share
 authentication local pre-share
 keyring local CRY_IKEV2_KEYRING
 aaa authorization group psk list AAA_FLEXVPN_LOCAL CRY_IKEV2_AUTHORIZATION
 virtual-template 1
!
crypto ipsec profile CRY_IPSEC_PROFILE
 set ikev2-profile CRY_IKEV2_PROFILE
!
interface Loopback1
 ip address 10.214.0.255 255.255.255.255
!
interface GigabitEthernet6
 ip address 10.214.63.225 255.255.255.240
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel source GigabitEthernet6
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile CRY_IPSEC_PROFILE
!
ip route 10.214.0.64 255.255.255.248 10.214.63.238
ip route 10.214.240.0 255.255.240.0 10.214.63.238
!
ip access-list standard ACL_FLEXVPN_ROUTES
 10 permit any

Spoke Config:

-------------------------------------------------------

aaa authorization network AAA_FLEXVPN_LOCAL local
!
crypto ikev2 authorization policy CRY_IKEV2_AUTHORIZATION
 route set interface
 route set access-list ACL_FLEXVPN_ROUTES
!
crypto ikev2 keyring CRY_IKEV2_KEYRING
 peer ANY
  address 10.214.0.0 255.255.255.0
  identity address 10.214.0.68
  pre-shared-key asdf
!
crypto ikev2 profile CRY_IKEV2_PROFILE
 match identity remote address 10.214.0.254 255.255.255.255
 match identity remote address 10.214.0.255 255.255.255.255
 identity local address 10.214.0.68
 authentication remote pre-share
 authentication local pre-share
 keyring local CRY_IKEV2_KEYRING
 aaa authorization group psk list AAA_FLEXVPN_LOCAL CRY_IKEV2_AUTHORIZATION
!
crypto ikev2 client flexvpn CRY_FLEX_CLIENT
 peer 1 10.214.0.254
 peer 2 10.214.0.255
 client connect Tunnel0
!
crypto ipsec profile CRY_IPSEC_PROFILE
 set ikev2-profile CRY_IKEV2_PROFILE
!
interface Loopback0
 ip address 10.214.0.68 255.255.255.255
!
interface Tunnel0
 ip unnumbered Loopback0
 ip mtu 1300
 keepalive 10 3
 tunnel source Cellular0/1/0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile CRY_IPSEC_PROFILE
!
interface Cellular0/1/0
 ip address negotiated
 ip tcp adjust-mss 1240
 dialer in-band
 dialer idle-timeout 0
 dialer-group 1
 ipv6 enable
 pulse-time 1
!
ip route 0.0.0.0 0.0.0.0 Cellular0/1/0
ip route 10.214.0.0 255.255.0.0 Tunnel0 250
ip route 10.214.0.255 255.255.255.255 Cellular0/1/0 250
ip ssh version 2
ip scp server enable
!
ip access-list standard ACL_FLEXVPN_ROUTES
 10 permit 10.214.0.68
!
dialer-list 1 protocol ip permit


4 Replies

@MATTHIAS SCHAERER 

The "identity address" command is used to specify the peer using their identity, but you appear to have specified the local IP address of the loopback interface.

 

Can you remove the "identity address x.x.x.x" from the keyring of both the hub and spoke. You are matching using "address x.x.x.x x.x.x.x" of the remote peer anyway, so you don't need to match on "identity address" as well.

 

HTH

Hi Rob

Thanks for the fast reply. I used to have the config without identity address in the keyring section. The result was similar to what I have added in the debug. I will be back at the site tomorrow and redo the test, however I think that I've already been there.

But just for proper understanding: do identity address and address in the keyring both refer to remote FlexVPN peers and serve for IKEv2 identification?

Kind regards,

Mat

@MATTHIAS SCHAERER yes, "identity address" and "address" both refer to the peer's identity.
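To make the two keyring keywords discussed in this thread concrete, here is an added Python example (not code from the thread, from Cisco, or from either poster) that parses the hub keyring exactly as posted and applies the key lookup an IKEv2 responder is documented to perform: the peer's IKEv2 identity is compared against `identity address` first, and the peer's source IP against `address` second. The exact IOS matching rules are an assumption of this model, not a reproduction of IOS code. The peer identity and peer address values are taken from the debug output in the question (`peer's identity '10.214.0.68'` and `Sending Packet [To 10.214.240.10:500 ...]`); the second keyring is a constructed alternative that puts the spoke's identity into `identity address`, as the answer above describes, and the peer name `SPOKE68` is invented for the example.

```python
"""Model of the IKEv2 keyring lookup a FlexVPN hub (responder) performs.

Added example, not code from the thread. It parses IOS-style
'crypto ikev2 keyring' text and applies the lookup order documented for
an IKEv2 responder: match 'identity address' against the peer's IKEv2
identity first, then 'address' against the peer's IP address. The exact
IOS matching rules are modelled here, not reproduced (assumption).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class KeyringPeer:
    name: str
    address: Optional[ipaddress.IPv4Network] = None    # 'address A.B.C.D MASK'
    identity: Optional[ipaddress.IPv4Address] = None   # 'identity address X'
    psk: Optional[str] = None                          # 'pre-shared-key ...'


def parse_keyring(text: str) -> List[KeyringPeer]:
    """Parse the peer blocks of one 'crypto ikev2 keyring' stanza."""
    peers: List[KeyringPeer] = []
    cur: Optional[KeyringPeer] = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "peer" and len(tok) == 2:
            cur = KeyringPeer(name=tok[1])
            peers.append(cur)
        elif cur is None:
            continue                       # stanza header, no peer block yet
        elif tok[0] == "address" and len(tok) == 3:
            cur.address = ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}", strict=False)
        elif tok[:2] == ["identity", "address"] and len(tok) == 3:
            cur.identity = ipaddress.IPv4Address(tok[2])
        elif tok[0] == "pre-shared-key":
            cur.psk = tok[-1]
    return peers


def responder_lookup(peers: List[KeyringPeer], peer_identity: str,
                     peer_address: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (peer-block name, 'identity' | 'address') or (None, None)."""
    ident = ipaddress.IPv4Address(peer_identity)
    addr = ipaddress.IPv4Address(peer_address)
    for p in peers:                        # 1st pass: peer's IKEv2 identity
        if p.identity is not None and p.identity == ident:
            return p.name, "identity"
    for p in peers:                        # 2nd pass: peer's source IP
        if p.address is not None and addr in p.address:
            return p.name, "address"
    return None, None


# Hub keyring exactly as posted in the question.
HUB_KEYRING_AS_POSTED = """\
crypto ikev2 keyring CRY_IKEV2_KEYRING
 peer ANY
  address 10.214.0.0 255.255.255.0
  identity address 10.214.0.255
  pre-shared-key asdf
!
"""

# Constructed alternative: 'identity address' carries the SPOKE's identity
# (the point made in the accepted answer). Peer name is invented.
HUB_KEYRING_PEER_IDENTITY = """\
crypto ikev2 keyring CRY_IKEV2_KEYRING
 peer SPOKE68
  identity address 10.214.0.68
  pre-shared-key asdf
!
"""

# Values the hub's debug output shows for this spoke.
PEER_IDENTITY = "10.214.0.68"    # "peer's identity '10.214.0.68' of type 'IPv4 address'"
PEER_ADDRESS = "10.214.240.10"   # "Sending Packet [To 10.214.240.10:500 ...]"

if __name__ == "__main__":
    for label, cfg in [("as posted", HUB_KEYRING_AS_POSTED),
                       ("peer identity", HUB_KEYRING_PEER_IDENTITY)]:
        name, how = responder_lookup(parse_keyring(cfg), PEER_IDENTITY, PEER_ADDRESS)
        print(f"{label:14s} -> {name or 'no peer block selected'}"
              f"{' via ' + how if how else ''}")
```

Run as a script it prints which peer block, if any, the model selects for this spoke under each keyring; with the keyring as posted neither the `identity address` (the hub's own loopback) nor the `address` range (10.214.0.0/24, which does not contain the spoke's cellular address) selects a key.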
