
FlexVPN IPSEC using default transform set instead of the one we defined.

gchevalley
Level 1

I am in the process of setting up a FlexVPN connection between two ASR 1001-X routers running IOS XE Version 03.13.02.S. The routers are currently in a lab but will ultimately be used to connect the corporate office with a remote data center. I am experiencing an issue with the IPSEC SA being deleted right after it is created, caused by the router trying to use the default transform set instead of the defined transform set TSET.

Here is the IPSEC debug from the OFFICE router:

030833: Feb 16 11:03:53.803: %IKEV2-5-RECV_CONNECTION_REQUEST: Received a IKE_INIT_SA request
030834: 5d00h: IPSEC(key_engine): got a queue event with 1 KMI message(s)
030835: 5d00h: IPSEC(validate_proposal_request): proposal part #1
030836: 5d00h: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.10.9:0, remote= 10.10.10.10:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
030837: 5d00h: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
030838: 5d00h: Crypto mapdb : proxy_match
src addr : 0.0.0.0
dst addr : 0.0.0.0
protocol : 0
src port : 0
dst port : 0
030839: 5d00h: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
030840: 5d00h: IPSEC(key_engine): failed to process KMI message 42
CORP-RT-P2P-1#
030841: Feb 16 11:03:53.835: %IKEV2-5-SA_UP: SA UP
030842: Feb 16 11:03:53.841: %IKEV2-5-SA_DOWN: SA DOWN

I am currently using ESP-GCM as the transform; previously I used esp-aes 256 and esp-sha384-hmac but received the same error.

Here is my crypto config:

crypto ikev2 proposal IKEV2_PROPOSAL 
encryption aes-gcm-256 aes-gcm-128
prf sha384 sha256
group 21 20 19
!
crypto ikev2 policy 10
proposal IKEV2_PROPOSAL
!
crypto ikev2 keyring IKEV2_KEY
peer Data_Center
address 10.10.10.10
hostname Data_Center
pre-shared-key Key_1
!
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote address 10.10.10.10 255.255.255.255
identity local address 10.10.10.9
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEY
!
!
crypto ipsec transform-set TSET esp-aes 256 esp-sha384-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile IPSEC_PROFILE
set transform-set TSET
set ikev2-profile IKEV2_PROFILE
!
!
interface Tunnel0
ip address 10.10.10.13 255.255.255.252
ip mtu 1400
tunnel source GigabitEthernet0/0/2
tunnel mode ipsec ipv4
tunnel destination 10.10.10.10
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet0/0/2
description VPLS Circuit
ip address 10.10.10.9 255.255.255.252
negotiation auto

When I query the transform sets you can see that it is trying to use the default:

OFFICE#sh crypto ipsec transform-set 
Transform set default: { esp-aes esp-sha-hmac } 
will negotiate = { Transport, },

Transform set TSET: { esp-gcm }
will negotiate = { Tunnel, },
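To make the two outputs above easier to compare, here is a small Python script (an added example, not part of the original post and not a Cisco tool) that parses the IPSEC debug and the "show crypto ipsec transform-set" output, and for each proposal the key engine validated reports which configured transform set the offered transform list equals, the direction and peer it came from, the mode, and whether the router then rejected it. The sample strings inside it are constructed from the lines quoted in the post; the regular expressions assume the IOS XE debug and show formats shown there. Because the "default" set is listed as Transport while the rejected proposal says (Tunnel), the match is keyed on the transform list only and the mode is reported alongside it.

```python
import re

# Constructed sample input: the IPSEC debug lines quoted in the post,
# trimmed to the ones the parser needs.
DEBUG_SAMPLE = """\
030836: 5d00h: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.10.10.9:0, remote= 10.10.10.10:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
030839: 5d00h: IPSEC(ipsec_process_proposal): transform proposal not supported for identity:
{esp-aes esp-sha-hmac }
030840: 5d00h: IPSEC(key_engine): failed to process KMI message 42
"""

# Constructed sample input: the 'show crypto ipsec transform-set' output from the post.
SHOW_SAMPLE = """\
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set TSET: { esp-gcm }
will negotiate = { Tunnel, },
"""

SET_RE = re.compile(r"Transform set (\S+): \{ (.*?) \}")
MODE_RE = re.compile(r"will negotiate = \{ (\w+),")
DIR_RE = re.compile(r"\b(INBOUND|OUTBOUND) local= (\S+):\d+, remote= (\S+):\d+")
XFORM_RE = re.compile(r"transform= (.+?) \((\w+)\)")
REJECT_RE = re.compile(r"^\{(.+?)\s*\}$")


def parse_transform_sets(show_output):
    """Map transform-set name -> (frozenset of transforms, negotiated mode)."""
    sets, current = {}, None
    for line in show_output.splitlines():
        m = SET_RE.search(line)
        if m:
            current = m.group(1)
            sets[current] = [frozenset(m.group(2).split()), None]
            continue
        m = MODE_RE.search(line)
        if m and current:
            sets[current][1] = m.group(1)
    return {name: tuple(v) for name, v in sets.items()}


def parse_proposals(debug_output):
    """Collect each proposal the key engine validated (direction, local, remote,
    transforms, mode) and the transform lists the router explicitly rejected."""
    proposals, rejected, pending = [], [], None
    for line in debug_output.splitlines():
        m = DIR_RE.search(line)
        if m:
            # The direction/peer line precedes the transform line of the same proposal.
            pending = {"direction": m.group(1), "local": m.group(2), "remote": m.group(3)}
            continue
        m = XFORM_RE.search(line)
        if m and pending is not None:
            pending["transforms"] = frozenset(m.group(1).split())
            pending["mode"] = m.group(2)
            proposals.append(pending)
            pending = None
            continue
        m = REJECT_RE.match(line.strip())
        if m:
            # Line following "transform proposal not supported for identity:"
            rejected.append(frozenset(m.group(1).split()))
    return proposals, rejected


def diagnose(debug_output, show_output):
    """For each proposal, name the configured transform set it equals (if any)
    and flag whether the router rejected it."""
    sets = parse_transform_sets(show_output)
    proposals, rejected = parse_proposals(debug_output)
    findings = []
    for p in proposals:
        matches = [name for name, (xf, _mode) in sets.items() if xf == p["transforms"]]
        findings.append({
            "direction": p["direction"],
            "peer": p["remote"],
            "transforms": " ".join(sorted(p["transforms"])),
            "mode": p["mode"],
            "equals_set": matches[0] if matches else None,
            "rejected": p["transforms"] in rejected,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(DEBUG_SAMPLE, SHOW_SAMPLE):
        print(finding)
```

Run against the quoted output it reports one INBOUND proposal from 10.10.10.10 whose transform list equals the "default" set rather than TSET, and that the router rejected it. That narrows where to look next: the transform list the key engine saw on this side, not the set the local IPsec profile references, which is what you would then compare with the same show commands on the other router.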

2 Replies

bunjiega
Level 1

I am having the same issue. All the 'show' commands are correct, but the operational result does not match the configuration.

Make a new post, it is better.

MHM