Re: IKEv2-ERROR:: Auth exchange failed

D@1984 · ‎07-13-2023

I'm struggling to bring my ipsec tunnel up, it's failing the sa negotiation. I would appreciate any help

cisco ISR4451:

ip access-list extended myac
30 permit ip 20.20.20.0 0.0.0.255 172.16.32.0 0.0.0.255
40 permit icmp 20.20.20.0 0.0.0.255 172.16.32.0 0.0.0.255

!

interface GigabitEthernet0/0/0
ip address 192.168.200.2 255.255.255.0
negotiation auto
crypto map mymap
!

crypto map mymap 1 ipsec-isakmp
set peer 4.9.x.x
set transform-set myset
set pfs group14
set ikev2-profile myprofile
match address myac

!

crypto ipsec transform-set myset esp-aes 256 esp-sha512-hmac
mode tunnel
!

crypto ikev2 profile myprofile
match identity remote address x.x.x.x 255.255.255.255
identity local address 192.168.200.2
authentication remote pre-share
authentication local pre-share
keyring local mykey
!

crypto ikev2 keyring mykey
peer 4.9.x.x
address 4.9.x.x
pre-shared-key xxxx
!

!
crypto ikev2 proposal myproposal
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy ikepolicy
match address local 192.168.200.2
proposal myproposal
!

13:35:18.236: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed

MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH

MsgID = 1 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY

MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL

MsgID = 1 CurState: EXIT Event: EV_ABORT

MsgID = 1 CurState: EXIT Event: EV_CHK_PENDING_ABORT

*Jul 13 13:44:50.356: IKEv2-INTERNAL:Negotiating SA request deleted
*Jul 13 13:44:50.356: IKEv2-INTERNAL:Decrement count for outgoing negotiating

Rob Ingram · ‎07-13-2023

D@1984 potentially a pre-shared key mismatch, double check the PSK on both ends. Confirm with the remote peer whether they have the same PSK for local and remote (you are using the same PSK for both).

Confirm the remote peer IP address is correct, otherwise it will not match the PSK keyring you have configured.

FYI, policy basd VPNs (crypto maps) which you are using are depreciated in newer IOS-XE versions, route based VPNs (FlexVPN/DMVPN) are recommended now.

D@1984 · ‎07-13-2023

the keys are the same both side, I tried change them both but still got the error.

Rob Ingram · ‎07-13-2023

D@1984 is the peer behind NAT? In which case you'd have to match on the real IP address rather than the NAT IP address.

Provide the full debug to provide more clues.

D@1984 · ‎07-13-2023

which one of debug shall I run?

D@1984 · ‎07-14-2023

I tried route-based vpn but cant bring up the tunnel interface, it's showing up/down

interface Tunnel1
ip unnumbered GigabitEthernet0/0/0
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination 4.9.x.x
tunnel protection ipsec profile myipsec-profile

!
now the tunnel destination is a fqdn rather than an ip, is there a way to use fqdn instead of ip address?

MHM Cisco World · ‎07-13-2023

match identity remote address x.x.x.x 255.255.255.255

this x.x.x.x is 4.9.x.x or other IP

D@1984 · ‎07-13-2023

its 4.9 address

MHM Cisco World · ‎07-13-2023

crypto ikev2 proposal myproposal
encryption aes-cbc-256
integrity sha512
group 14 <<- cbeck if both side support group 14

D@1984 · ‎07-13-2023

the other side support group 14 I've been told

MHM Cisco World · ‎07-13-2023

What is other side platform

Fw or router and whcih vendor?

D@1984 · ‎07-14-2023

aws vpn gateway

MHM Cisco World · ‎07-14-2023

crypto ikev2 proposal myproposal
encryption aes-cbc-256
integrity sha512<<- change this to prf sha512
group 14

D@1984 · ‎07-14-2023

! Proposal Incomplete(MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured

MHM Cisco World · ‎07-14-2023

Ok' add both

integrity sha512

prf sha512