12-06-2020 12:31 PM - edited 12-06-2020 01:12 PM
I am trying to setup IKEv2 but the tunnel is failing. This is IOS to ASA below are my configs and the debug. I have the exact same configuration as this link https://integratingit.wordpress.com/2018/06/09/configuring-a-vti-tunnel-between-asa-firewall-and-ios-router/
CONFIGS
IOSRTR#
crypto ikev2 proposal NYC_PROPOSAL
encryption aes-cbc-256
integrity sha512 sha384
group 19 14
crypto ikev2 policy NYC-IKEV2_POLICY
proposal NYC_PROPOSAL
crypto ikev2 keyring NYC_KEYRING
peer NoKo_ASA
description Keyring entry for NoKo-KR
address X.X.X.59 255.255.255.255
pre-shared-key local REMOVED
pre-shared-key remote REMOVED
crypto ikev2 profile NYC-IKEv2
match identity remote address X.X.X.59
authentication local pre-share
authentication remote pre-share
keyring local NYC_KEYRING
identity local address X.X.119.2
dpd 10 2 on-demand
crypto ipsec transform-set NYC-HS-TS esp-aes 256 esp-sha512-hmac
mode tunnel
crypto ipsec profile NYC-isakmp-1
set transform-set NYC-HS-TS
set ikev2-profile NYC-IKEv2
interface Tunnel500
ip address 10.0.100.1 255.255.255.252
tunnel source X.X.119.2
tunnel mode ipsec ipv4
tunnel destination X.X.X.59
tunnel protection ipsec profile NYC-isakmp-1
end
ip route 10.4.4.0 255.255.255.0 10.0.100.2
==============================================================================================
ASA#
crypto ikev2 policy 212
encryption aes-256
integrity sha512 sha384
group 19 14
prf sha512 sha384
lifetime seconds 86400
crypto ikev2 enable OUTSIDE
crypto ipsec ikev2 ipsec-proposal NYC-TSET
protocol esp encryption aes-256 aes-192
protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec profile NYC-isakmp-1
set ikev2 ipsec-proposal NYC-TSET
group-policy X.X.119.2 internal
group-policy X.X.119.2 attributes
vpn-tunnel-protocol ikev2
tunnel-group X.X.119.2 type ipsec-l2l
tunnel-group X.X.119.2 general-attributes
default-group-policy X.X.119.2
tunnel-group X.X.119.2 ipsec-attributes
ikev2 local-authentication pre-shared-key REMOVED
ikev2 remote-authentication pre-shared-key REMOVED
interface Tunnel501
nameif VTI
ip address 10.0.100.2 255.255.255.252
tunnel source interface OUTSIDE
tunnel destination X.X.119.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile NYC-isakmp-1
route VTI 172.21.2.0 255.255.255.0 10.0.100.1
OUTPUTS
IOSRTR#sho int tun 500
Tunnel500 is up, line protocol is down
Hardware is Tunnel
Internet address is 10.0.100.1/30
MTU 10000 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel linestate evaluation down - linestate protection reg down
Tunnel source X.X.119.2, destination X.X.X.59
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1500 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "LSV-isakmp-1")
Last input never, output never, output hang never
Last clearing of "show interface" counters 1w6d
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
11 packets output, 1968 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
NoKo-ASA# sho int tun501
Interface Tunnel501 "VTI", is down, line protocol is down
Hardware is Virtual Tunnel MAC address N/A, MTU 1500
IP address 10.0.100.2, subnet mask 255.255.255.252
Tunnel Interface Information:
Source interface: OUTSIDE IP address: X.X.X.59
Destination IP address: X.X.119.2
Mode: ipsec ipv4 IPsec profile: LSV-isakmp-1
DEBUG
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2020.12.06 15:59:17 =~=~=~=~=~=~=~=~=~=~=~=
:58:52.496: IKEv2:(SESSION ID = 856
IOSRTR#1,SA ID = 1):Verification of peer's authenctication data PASSED
Dec 6 20:58:52.496: IKEv2:(SESSION ID = 8561,SA ID = 1):Processing INITIAL_CONTACT
Dec 6 20:58:52.496: IKEv2:(SESSION ID = 8561,SA ID = 1):Processing IKE_AUTH message
Dec 6 20:58:52.498: IKEv2:IPSec policy validate request sent for profile NYC-IKEv2 with psh index 1.
Dec 6 20:58:52.498: IKEv2:(SESSION ID = 8561,SA ID = 1):
Dec 6 20:58:52.498: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
IOSRTR#
Dec 6 20:58:52.498: IKEv2:(SESSION ID = 8561,SA ID = 1):Get my authentication method
Dec 6 20:58:52.498: IKEv2:(SESSION ID = 8561,SA ID = 1):My authentication method is 'PSK'
Dec 6 20:58:52.498: IKEv2:(SESSION ID = 8561,SA ID = 1):Get peer's preshared key for X.X.X59
Dec 6 20:58:52.498: IKEv2:(SESSION ID = 8561,SA ID = 1):Generate my authentication data
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):Use preshared key for id X.X.119.2, key len 14
Dec 6 20:58:52.499: IKEv2:[IKEv2
IOSRTR# -> Crypto Engine] Generate IKEv2 authentication data
Dec 6 20:58:52.499: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):Get my authentication method
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):My authentication method is 'PSK'
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):Generating IKE_AUTH message
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):Constructing IDr payload: 'X.X.119.
IOSRTR#2' of type 'IPv4 address'
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA512 Don't use ESN
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):Sending Packet [To 59:500/From 68.7
IOSRTR#0.119.2:500/VRF i0:f0]
Initiator SPI : BD21641D7F634894 - Responder SPI : 304A6207215BBD63 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):Session with IKE ID PAIR (X.X.X59, X.X.119.2) is UP
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):Initializing DPD, conf
IOSRTR#igured for 0 seconds
Dec 6 20:58:52.499: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
Dec 6 20:58:52.499: IKEv2:(SESSION ID = 8561,SA ID = 1):Load IPSEC key material
Dec 6 20:58:52.499: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
Dec 6 20:58:52.500: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database FAILED
Dec 6 20:58:52.502: IKEv2:(SESSION ID = 8561,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Dec 6 20:58:52.502: IKEv
IOSRTR#2:(SESSION ID = 8561,SA ID = 1):Queuing IKE SA delete request reason: unknown
Dec 6 20:58:52.502: IKEv2:(SESSION ID = 8561,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xBA140FB6]
Dec 6 20:58:52.502: IKEv2:(SESSION ID = 8561,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Dec 6 20:58:52.503: IKEv2:(SESSION ID = 8561,SA ID = 1):Checking if request will fit in peer window
Dec 6 20:58:52.503: IKEv2:(SESSION ID = 8561,SA ID = 1):Sending Packet [To X.X.X59:
IOSRTR#500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : BD21641D7F634894 - Responder SPI : 304A6207215BBD63 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
Dec 6 20:58:52.503: IKEv2:(SESSION ID = 8561,SA ID = 1):Check for existing IPSEC SA
Dec 6 20:58:52.503: IKEv2:(SESSION ID = 8561,SA ID = 1):Delete all IKE SAs
Dec 6 20:58:52.503: IKEv2:(SESSION ID = 8561,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xBD21641D7F634894 RSPI: 0x304A6207215BBD63]
Dec 6
IOSRTR#20:58:52.503: IKEv2:(SESSION ID = 8561,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Dec 6 20:58:52.503: IKEv2:(SESSION ID = 8561,SA ID = 1):Checking if request will fit in peer window
Dec 6 20:58:52.503: IKEv2:(SESSION ID = 8561,SA ID = 1):Check for existing active SA
Dec 6 20:58:52.503: IKEv2:(SESSION ID = 8561,SA ID = 1):Delete all IKE SAs
Dec 6 20:58:52.600: IKEv2:(SESSION ID = 8561,SA ID = 1):Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i0:f0]
IOSRTR#Initiator SPI : BD21641D7F634894 - Responder SPI : 304A6207215BBD63 Message id: 0
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
DELETE
Dec 6 20:58:52.600: IKEv2:(SESSION ID = 8561,SA ID = 1):Processing ACK to informational exchange
Dec 6 20:58:52.600: IKEv2:(SESSION ID = 8561,SA ID = 1):Check for existing IPSEC SA
Dec 6 20:58:52.600: IKEv2:(SESSION ID = 8561,SA ID = 1):Delete all IKE SAs
Dec 6 20:58:52.600: IKEv2:(SESSION ID = 8561,SA ID = 1):Sending Packet [To X.X.X59:50
IOSRTR#0/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : BD21641D7F634894 - Responder SPI : 304A6207215BBD63 Message id: 1
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
Dec 6 20:58:52.600: IKEv2:(SESSION ID = 8561,SA ID = 1):Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i0:f0]
Initiator SPI : BD21641D7F634894 - Responder SPI : 304A6207215BBD63 Message id: 2
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
SA N TSi TSr
Dec 6 20:58:52.601: IKEv2:(SE
IOSRTR#SSION ID = 8561,SA ID = 1):Received a message while waiting for a delete-ACK; dropping message
Dec 6 20:58:52.601: IKEv2:Failed to decrement count for incoming negotiating
Dec 6 20:58:52.601: IKEv2:(SESSION ID = 8561,SA ID = 1):Abort exchange
Dec 6 20:58:52.694: IKEv2:(SESSION ID = 8561,SA ID = 1):Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i0:f0]
Initiator SPI : BD21641D7F634894 - Responder SPI : 304A6207215BBD63 Message id: 1
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload c
IOSRTR#ontents:
DELETE
Dec 6 20:58:52.695: IKEv2:(SESSION ID = 8561,SA ID = 1):Processing ACK to informational exchange
Dec 6 20:58:52.695: IKEv2:(SESSION ID = 8561,SA ID = 1):Deleting SA
Dec 6 20:59:20.363: IKEv2:(SESSION ID = 8559,SA ID = 2):Retransmitting packet
Dec 6 20:59:20.364: IKEv2:(SESSION ID = 8559,SA ID = 2):Sending Packet [To X.X.X59:500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : 926F4E603ED77BFD - Responder SPI : 2ED29AEC7C0FB886 Message id: 1
IKEv2 IKE_AUTH Exchange RE
IOSRTR#QUEST
Payload contents:
ENCR
Dec 6 20:59:22.594: IKEv2:Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(Unknown - 16430) VID
Dec 6 20:59:22.594: IKEv2:(SESSION ID = 8562,SA ID = 1):Verify SA init message
Dec 6 20:59:22.594: IKEv2:(SESSION ID = 8562,SA ID = 1):Insert SA
Dec 6 20:59:22.594: IKEv2:Searchi
IOSRTR#ng Policy with fvrf 0, local address X.X.119.2
Dec 6 20:59:22.594: IKEv2:Found Policy 'NYC-IKEV2_POLICY'
Dec 6 20:59:22.594: IKEv2:(SESSION ID = 8562,SA ID = 1):Processing IKE_SA_INIT message
Dec 6 20:59:22.623: IKEv2:(SESSION ID = 8562,SA ID = 1):: The peer's KE payload contained the wrong DH group
Dec 6 20:59:22.623: IKEv2:(SESSION ID = 8562,SA ID = 1):Sending invalid ke notification, peer sent group 5, local policy prefers group 19
Dec 6 20:59:22.623: IKEv2:(SESSION ID = 8562,SA ID = 1):S
IOSRTR#Clear crypto ikev2 sa debug crypto ikev2 ending Packet [To X.X.X59:500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(INVALID_KE_PAYLOAD)
Dec 6 20:59:22.623: IKEv2:(SESSION ID = 8562,SA ID = 1):Failed SA init exchange
Dec 6 20:59:22.624: IKEv2:(SESSION ID = 8562,SA ID = 1):Initial exchange failed: Initial exchange failed
Dec 6 20:59:22.624: IKEv2:(SESSION ID = 8562,SA ID = 1):Abort exchange
Dec 6
IOSRTR#debug crypto ikev2 20:59:22.624: IKEv2:(SESSION ID = 8562,SA ID = 1):Deleting SA
Dec 6 20:59:22.718: IKEv2:Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(Unknown - 16430) VID
Dec 6 20:59:22.718: IKEv2:(SESSION ID = 8563,SA ID = 1):Verify SA init message
Dec 6 20:59:22.718: IKEv2:(SESSION ID = 8563,SA ID = 1):Insert SA
Dec 6 20
IOSRTR#debug crypto ikev2 Clear crypto ikev2 sa sho ver :59:22.718: IKEv2:Searching Policy with fvrf 0, local address X.X.119.2
Dec 6 20:59:22.718: IKEv2:Found Policy 'NYC-IKEV2_POLICY'
Dec 6 20:59:22.718: IKEv2:(SESSION ID = 8563,SA ID = 1):Processing IKE_SA_INIT message
Dec 6 20:59:22.732: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Dec 6 20:59:22.732: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Dec 6 20:59:22.732: IKEv2:Failed to retrieve Certificate Issuer list
Dec 6 20:59:22.733: IKEv2:(SESSION ID = 8
IOSRTR#sho ver
IOSRTR#sho version 563,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
Dec 6 20:59:22.734: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 6 20:59:22.734: IKEv2:(SESSION ID = 8563,SA ID = 1):Request queued for computation of DH key
Dec 6 20:59:22.734: IKEv2:(SESSION ID = 8563,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
Dec 6 20:59:22.738: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 6 20:59:22.738: IKEv2:(SESS
IOSRTR#sho version
IOSRTR#sho version
IOSRTR#sho version
IOSRTR#sho version
IOSRTR#sho version Clear crypto ikev2 sa
IOSRTR#Clear crypto ikev2 sa ION ID = 8563,SA ID = 1):Request queued for computation of DH secret
Dec 6 20:59:22.738: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Dec 6 20:59:22.738: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Dec 6 20:59:22.738: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Dec 6 20:59:22.738: IKEv2:(SESSION ID = 8563,SA ID = 1):Generating IKE_SA_INIT message
Dec 6 20:59:22.738: IKEv
IOSRTR#Clear crypto ikev2 sa
IOSRTR#Clear crypto ikev2 sa
IOSRTR#Clear crypto ikev2 sa
IOSRTR#Clear crypto ikev2 sa
IOSRTR#Clear crypto ikev2 sa
IOSRTR#Clear crypto ikev2 sa
IOSRTR#Clear crypto ikev2 sa
IOSRTR#Clear crypto ikev2 sa 2:(SESSION ID = 8563,SA ID = 1):IKE Proposal: 5, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_256_ECP/Group 19
Dec 6 20:59:22.738: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Dec 6 20:59:22.738: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
Dec 6 20:59:22.738: IKEv2:Failed to retrieve Certificate Issuer list
Dec 6 20:59:22.739: IKEv2:(SESSION ID = 8563,SA ID = 1):Sending Packet [To X.X.X59:500/From 6
IOSRTR#Clear crypto ikev2 sa
IOSRTR#8.70.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 7FD9E566759FAC94 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID
Dec 6 20:59:22.740: IKEv2:(SESSION ID = 8563,SA ID = 1):Completed SA init exchange
Dec 6 20:59:22.740: IKEv2:(SESSION ID = 8563,SA ID = 1):Starting timer (30 sec) to wait for auth message
Dec 6 20:59:22.835: IKEv2:(SESSION ID = 8563,SA ID = 1):Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i0:
IOSRTR#f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 7FD9E566759FAC94 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Dec 6 20:59:22.835: IKEv2:(SESSION ID = 8563,SA ID = 1):Stopping timer to wait for auth message
Dec 6 20:59:22.835: IKEv2:(SESSION ID = 8563,SA ID = 1):Checking NAT discovery
Dec 6 20:59:22.835: IKEv2:(SESSION ID = 8563,SA ID = 1):NAT not found
Dec 6 20:59:
IOSRTR#22.837: IKEv2:(SESSION ID = 8563,SA ID = 1):Searching policy based on peer's identity 'X.X.X59' of type 'IPv4 address'
Dec 6 20:59:22.837: IKEv2:found matching IKEv2 profile 'NYC-IKEv2'
Dec 6 20:59:22.837: IKEv2:% Getting preshared key from profile keyring NYC_KEYRING
Dec 6 20:59:22.837: IKEv2:% Matched peer block 'NoKo_ASA'
Dec 6 20:59:22.837: IKEv2:Searching Policy with fvrf 0, local address X.X.119.2
Dec 6 20:59:22.837: IKEv2:Found Policy 'NYC-IKEV2_POLICY'
Dec 6 20:59:22.837: IKEv2:(
IOSRTR#SESSION ID = 8563,SA ID = 1):Verify peer's policy
Dec 6 20:59:22.837: IKEv2:(SESSION ID = 8563,SA ID = 1):Peer's policy verified
Dec 6 20:59:22.837: IKEv2:(SESSION ID = 8563,SA ID = 1):Get peer's authentication method
Dec 6 20:59:22.837: IKEv2:(SESSION ID = 8563,SA ID = 1):Peer's authentication method is 'PSK'
Dec 6 20:59:22.837: IKEv2:(SESSION ID = 8563,SA ID = 1):Get peer's preshared key for X.X.X59
Dec 6 20:59:22.837: IKEv2:(SESSION ID = 8563,SA ID = 1):Verify peer's authentication data
IOSRTR#Dec 6 20:59:22.837: IKEv2:(SESSION ID = 8563,SA ID = 1):Use preshared key for id X.X.X59, key len 14
Dec 6 20:59:22.837: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Dec 6 20:59:22.837: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Dec 6 20:59:22.837: IKEv2:(SESSION ID = 8563,SA ID = 1):Verification of peer's authenctication data PASSED
Dec 6 20:59:22.837: IKEv2:(SESSION ID = 8563,SA ID = 1):Processing INITIAL_CONTACT
Dec 6 20:59:22.837: IKE
IOSRTR#v2:(SESSION ID = 8563,SA ID = 1):Processing IKE_AUTH message
Dec 6 20:59:22.839: IKEv2:IPSec policy validate request sent for profile NYC-IKEv2 with psh index 1.
Dec 6 20:59:22.839: IKEv2:(SESSION ID = 8563,SA ID = 1):
Dec 6 20:59:22.840: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Get my authentication method
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):My authentication method is
IOSRTR#'PSK'
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Get peer's preshared key for X.X.X59
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Generate my authentication data
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Use preshared key for id X.X.119.2, key len 14
Dec 6 20:59:22.840: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Dec 6 20:59:22.840: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Dec 6 20:59:22.840: I
IOSRTR#KEv2:(SESSION ID = 8563,SA ID = 1):Get my authentication method
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):My authentication method is 'PSK'
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Generating IKE_AUTH message
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Constructing IDr payload: 'X.X.119.2' of type 'IPv4 address'
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA51
IOSRTR#2 Don't use ESN
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Sending Packet [To X.X.X59:500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 7FD9E566759FAC94 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
D
IOSRTR#ec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Session with IKE ID PAIR (X.X.X59, X.X.119.2) is UP
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Initializing DPD, configured for 0 seconds
Dec 6 20:59:22.840: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
Dec 6 20:59:22.840: IKEv2:(SESSION ID = 8563,SA ID = 1):Load IPSEC key material
D
IOSRTR#ec 6 20:59:22.841: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
Dec 6 20:59:22.841: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database FAILED
Dec 6 20:59:22.843: IKEv2:(SESSION ID = 8563,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Queuing IKE SA delete request reason: unknown
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Sending DELETE INFO message for IPsec
IOSRTR#SA [SPI: 0xF97ECFD]
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Checking if request will fit in peer window
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Sending Packet [To X.X.X59:500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 7FD9E566759FAC94 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
Payload content
IOSRTR#s:
ENCR
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Check for existing IPSEC SA
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Delete all IKE SAs
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xCDD31D6033B3586F RSPI: 0x7FD9E566759FAC94]
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Chec
IOSRTR#king if request will fit in peer window
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Check for existing active SA
Dec 6 20:59:22.844: IKEv2:(SESSION ID = 8563,SA ID = 1):Delete all IKE SAs
Dec 6 20:59:23.516: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.119.2, prot=50, spi=0xF97ECFD(261614845), srcaddr=X.X.X59, input interface=Tunnel500
Dec 6 20:59:24.806: IKEv2:(SESSION ID = 8563,SA ID = 1):Retransmitting packet
Dec 6 20:59:24.806:
IOSRTR# IKEv2:(SESSION ID = 8563,SA ID = 1):Sending Packet [To X.X.X59:500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 7FD9E566759FAC94 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
Dec 6 20:59:24.904: IKEv2:(SESSION ID = 8563,SA ID = 1):Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 7FD9E566759FAC94 Message id: 0
IKEv2 INFORMATIONAL Exchange RESPONSE
IOSRTR#
Payload contents:
DELETE
Dec 6 20:59:24.904: IKEv2:(SESSION ID = 8563,SA ID = 1):Processing ACK to informational exchange
Dec 6 20:59:24.904: IKEv2:(SESSION ID = 8563,SA ID = 1):Check for existing IPSEC SA
Dec 6 20:59:24.904: IKEv2:(SESSION ID = 8563,SA ID = 1):Delete all IKE SAs
Dec 6 20:59:24.905: IKEv2:(SESSION ID = 8563,SA ID = 1):Sending Packet [To X.X.X59:500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 7FD9E566759FAC94 Message id: 1
IK
IOSRTR#Ev2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
Dec 6 20:59:24.905: IKEv2:(SESSION ID = 8563,SA ID = 1):Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 7FD9E566759FAC94 Message id: 2
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:
SA N TSi TSr
Dec 6 20:59:24.905: IKEv2:(SESSION ID = 8563,SA ID = 1):Received a message while waiting for a delete-ACK; dropping message
Dec 6 20:59:24.905: IKEv
IOSRTR#2:Failed to decrement count for incoming negotiating
Dec 6 20:59:24.906: IKEv2:(SESSION ID = 8563,SA ID = 1):Abort exchange
Dec 6 20:59:24.999: IKEv2:(SESSION ID = 8563,SA ID = 1):Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i0:f0]
Initiator SPI : CDD31D6033B3586F - Responder SPI : 7FD9E566759FAC94 Message id: 1
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
DELETE
Dec 6 20:59:24.999: IKEv2:(SESSION ID = 8563,SA ID = 1):Processing ACK to informational exchange IOSRTR#
Dec 6 20:59:24.999: IKEv2:(SESSION ID = 8563,SA ID = 1):Deleting SA
Dec 6 20:59:34.167: IKEv2:(SESSION ID = 8559,SA ID = 2):Auth exchange failed
Dec 6 20:59:34.167: IKEv2:(SESSION ID = 8559,SA ID = 2):: Auth exchange failed
Dec 6 20:59:34.167: IKEv2:(SESSION ID = 8559,SA ID = 2):Abort exchange
Dec 6 20:59:34.169: IKEv2:(SESSION ID = 8559,SA ID = 2):Deleting SA
IOSRTR#
Dec 6 20:59:53.526: IKEv2:% Getting preshared key from profile keyring NYC_KEYRING
Dec 6 20:59:53.526: IKEv2:% Matched peer block 'NoKo_ASA'
Dec 6 20:59:53.526: IKEv2:Searching Policy with fvrf 0, local address X.X.119.2
Dec 6 20:59:53.526: IKEv2:Found Policy 'NYC-IKEV2_POLICY'
Dec 6 20:59:53.526: IKEv2:(SESSION ID = 8563,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
Dec 6 20:59:53.527: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 6 20
IOSRTR#:59:53.527: IKEv2:(SESSION ID = 8563,SA ID = 1):Request queued for computation of DH key
Dec 6 20:59:53.527: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
Dec 6 20:59:53.527: IKEv2:(SESSION ID = 8563,SA ID = 1):Generating IKE_SA_INIT message
Dec 6 20:59:53.527: IKEv2:(SESSION ID = 8563,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 7
AES-CBC SHA512 SHA384 SHA512 SHA384 DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14
Dec
IOSRTR# 6 20:59:53.527: IKEv2:(SESSION ID = 8563,SA ID = 1):Sending Packet [To X.X.X59:500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : A42C0091E5FA9E86 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
Dec 6 20:59:53.527: IKEv2:(SESSION ID = 8563,SA ID = 1):Insert SA
Dec 6 20:59:53.623: IKEv2:(SESSION ID = 8563,SA ID = 1):Received Packet [From 47.206.
IOSRTR#73.59:500/To X.X.119.2:500/VRF i0:f0]
Initiator SPI : A42C0091E5FA9E86 - Responder SPI : B9AD299DF7F37BF8 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID CERTREQ NOTIFY(Unknown - 16430) VID
Dec 6 20:59:53.623: IKEv2:(SESSION ID = 8563,SA ID = 1):Processing IKE_SA_INIT message
Dec 6 20:59:53.623: IKEv2:(SESSION ID = 8563,SA ID = 1):Verify SA init message
Dec 6 20:59:53.623: IKEv2:(SESSION ID = 8563,SA ID = 1):Processing IKE_SA_INIT message
Dec 6 20:59
IOSRTR#:53.624: IKEv2:(SESSION ID = 8563,SA ID = 1):Checking NAT discovery
Dec 6 20:59:53.624: IKEv2:(SESSION ID = 8563,SA ID = 1):NAT not found
Dec 6 20:59:53.624: IKEv2:(SESSION ID = 8563,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
Dec 6 20:59:53.627: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 6 20:59:53.627: IKEv2:(SESSION ID = 8563,SA ID = 1):Request queued for computation of DH secret
Dec 6 20:59:53.627: IKEv2:(SA ID = 1):[IKEv2 -> Crypto E
IOSRTR#ngine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Dec 6 20:59:53.628: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Completed SA init exchange
Dec 6 20:59:53.628: IKEv2:Config data to send:
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Config-type: Config-request
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Attrib type: app-version, length: 251, data: Cisco I
IOSRTR#OS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S10, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Thu 09-Aug-18 08:11 by mcpre
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Have config mode data to send
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Check for EAP exchange
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Generate my authentication data
Dec
IOSRTR# 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Use preshared key for id X.X.119.2, key len 14
Dec 6 20:59:53.628: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Dec 6 20:59:53.628: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Get my authentication method
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):My authentication method is 'PSK'
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 85
IOSRTR#63,SA ID = 1):Check for EAP exchange
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Generating IKE_AUTH message
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Constructing IDi payload: 'X.X.119.2' of type 'IPv4 address'
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA512 Don't use ESN
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Building packet for encryption.
Payload
IOSRTR#contents:
VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Dec 6 20:59:53.628: IKEv2:(SESSION ID = 8563,SA ID = 1):Sending Packet [To X.X.X59:500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : A42C0091E5FA9E86 - Responder SPI : B9AD299DF7F37BF8 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
Dec 6 20:59:54.895: IKEv2:Received Packet [From X.X.X59:500/To X.X.119.2:500/VRF i
IOSRTR#0:f0]
Initiator SPI : CCBF410C2333C923 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(Unknown - 16430) VID
Dec 6 20:59:54.895: IKEv2:(SESSION ID = 8564,SA ID = 2):Verify SA init message
Dec 6 20:59:54.895: IKEv2:(SESSION ID = 8564,SA ID = 2):Insert SA
Dec 6 20:59:54.895: IKEv2:Searching Policy with fvrf 0, local address X.X.119.2
Dec 6 20:59:54.895: IKEv2:Found Policy 'NYC-IKEV2_POLICY'
Dec 6 20:59:54.895:
IOSRTR#IKEv2:(SESSION ID = 8564,SA ID = 2):Processing IKE_SA_INIT message
Dec 6 20:59:54.924: IKEv2:(SESSION ID = 8564,SA ID = 2):: The peer's KE payload contained the wrong DH group
Dec 6 20:59:54.924: IKEv2:(SESSION ID = 8564,SA ID = 2):Sending invalid ke notification, peer sent group 5, local policy prefers group 19
Dec 6 20:59:54.924: IKEv2:(SESSION ID = 8564,SA ID = 2):Sending Packet [To X.X.X59:500/From X.X.119.2:500/VRF i0:f0]
Initiator SPI : CCBF410C2333C923 - Responder SPI : 00000000000
IOSRTR#00000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(INVALID_KE_PAYLOAD)
Dec 6 20:59:54.924: IKEv2:(SESSION ID = 8564,SA ID = 2):
12-06-2020 01:05 PM
What ASA version are you running? I recall this post recently where the user had to upgrade to 9.8+ (the link you reference is using 9.9) or this post where you need to disable config-exchange on the router when establishing a VPN between an IOS router and an ASA. I've previously got it working without disabling config-exchange, but I guess it depends on the OS used.
HTH
12-06-2020 01:45 PM
Rob,
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(3)S10, RELEASE SOFTWARE (fc1)
Cisco Adaptive Security Appliance Software Version 9.10(1)
You did help me one this same project https://community.cisco.com/t5/security-blogs/ikev2-site-2-site-debugs-on-ios/ba-p/3106197 but on that on I somehow fat fingered the key. Now that is fixed and the is the newest issues.
"where you need to disable config-exchange" must have been someone else.
On the provided debug everything looks good up to:
"
Dec 6 20:03:43.425: IKEv2:(SA ID = 2):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database FAILED
Dec 6 20:03:43.427: IKEv2:(SESSION ID = 8343,SA ID = 2):: Creation/Installation of IPsec SA into IPsec DB failed
"
I am just not sure what causes that to fail.
Thanks,
WW
12-06-2020 01:59 PM
I was referring to this post
config-exchange must be disabled on the IOS routers, this can be configured under the IKEv2 profile.
12-06-2020 02:56 PM
Rob,
I do not have it enabled. Here is the config:
crypto ikev2 profile NYC-IKEv2
match identity remote address X.X.X.59
authentication local pre-share
authentication remote pre-share
keyring local NYC_KEYRING
identity local address X.X.119.2
dpd 10 2 on-demand
Did you see that I had it enabled somewhere?
Thanks Rob!
12-07-2020 02:08 AM
It's configured as default, you'd need to explictly disable the function.
12-08-2020 06:44 AM
config respond-only in ASA
the debug show that each IPSec end try to make connection in same time so we will make IOS initiator and ASA as respond-only,
try this way
03-02-2021 09:44 AM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide