Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ
- Cisco Community
- Technology and Support
- Security
- VPN
- Re: IKEv2-ERROR:: Auth exchange failed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
16961
Views
2
Helpful
21
Replies
IKEv2-ERROR:: Auth exchange failed
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ā07-13-2023 06:57 AM
I'm struggling to bring my ipsec tunnel up, it's failing the sa negotiation. I would appreciate any help
cisco ISR4451:
ip access-list extended myac
30 permit ip 20.20.20.0 0.0.0.255 172.16.32.0 0.0.0.255
40 permit icmp 20.20.20.0 0.0.0.255 172.16.32.0 0.0.0.255
!
interface GigabitEthernet0/0/0
ip address 192.168.200.2 255.255.255.0
negotiation auto
crypto map mymap
!
crypto map mymap 1 ipsec-isakmp
set peer 4.9.x.x
set transform-set myset
set pfs group14
set ikev2-profile myprofile
match address myac
!
crypto ipsec transform-set myset esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ikev2 profile myprofile
match identity remote address x.x.x.x 255.255.255.255
identity local address 192.168.200.2
authentication remote pre-share
authentication local pre-share
keyring local mykey
!
crypto ikev2 keyring mykey
peer 4.9.x.x
address 4.9.x.x
pre-shared-key xxxx
!
!
crypto ikev2 proposal myproposal
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy ikepolicy
match address local 192.168.200.2
proposal myproposal
!
13:35:18.236: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
MsgID = 1 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL
MsgID = 1 CurState: EXIT Event: EV_ABORT
MsgID = 1 CurState: EXIT Event: EV_CHK_PENDING_ABORT
*Jul 13 13:44:50.356: IKEv2-INTERNAL:Negotiating SA request deleted
*Jul 13 13:44:50.356: IKEv2-INTERNAL:Decrement count for outgoing negotiating
Labels:
- Labels:
-
VPN
21 Replies 21
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ā07-14-2023 04:05 AM
Debug crypto ikev2 internal
Debug crypto ikev2 packet
Please share both.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ā07-14-2023 06:51 AM
Jul 14 13:30:46.970: IKEv2-INTERNAL:% Getting preshared key by address 4.9.x.x
*Jul 14 13:30:46.971: IKEv2-INTERNAL:Adding Proposal myproposal to toolkit policy
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(1): Choosing IKE profile myprofile
*Jul 14 13:30:46.971: IKEv2-INTERNAL:New ikev2 sa request admitted
*Jul 14 13:30:46.971: IKEv2-INTERNAL:Incrementing outgoing negotiating sa count by one
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: IDLE Event: EV_INIT_SA
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_SET_POLICY
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Setting configured policies
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_GET_PPK_CAP
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_NO_EVENT
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Action: Action_Null
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
*Jul 14 13:30:46.971: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):No config data to send to toolkit:
*Jul 14 13:30:46.972: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_BLD_MSG
*Jul 14 13:30:46.972: IKEv2-INTERNAL:Construct Vendor Specific Payload: DELETE-REASON
*Jul 14 13:30:46.972: IKEv2-INTERNAL:Construct Vendor Specific Payload: CISCOVPN-REV-02
*Jul 14 13:30:46.972: IKEv2-INTERNAL:Sending DRU Handshake
*Jul 14 13:30:46.972: IKEv2-INTERNAL:(1): Sending custom vendor id : CISCO-DYNAMIC-ROUTE
*Jul 14 13:30:46.972: IKEv2-INTERNAL:Construct Vendor Specific Payload: (CUSTOM)
*Jul 14 13:30:46.972: IKEv2-INTERNAL:Construct Vendor Specific Payload: (CUSTOM)
*Jul 14 13:30:46.972: IKEv2-INTERNAL:Construct Notify Payload: NAT_DETECTION_SOURCE_IP
*Jul 14 13:30:46.972: IKEv2-INTERNAL:Construct Notify Payload: NAT_DETECTION_DESTINATION_IP
*Jul 14 13:30:46.972: IKEv2-PAK:(SESSION ID = 1,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 518
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
KE Next payload: N, reserved: 0x0, length: 264
DH group: 14, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 36
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: VID, reserved: 0x0, length: 19
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
*Jul 14 13:30:46.973: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_BLD_INIT Event: EV_INSERT_SA
*Jul 14 13:30:46.973: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=0000000000000000 (I) MsgID = 0 CurState: I_WAIT_INIT Event: EV_NO_EVENT
*Jul 14 13:30:47.023: IKEv2-INTERNAL:Got a packet from dispatcher
*Jul 14 13:30:47.023: IKEv2-INTERNAL:Processing an item off the pak queue
*Jul 14 13:30:47.023: IKEv2-PAK:(SESSION ID = 1,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 448
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
KE Next payload: N, reserved: 0x0, length: 264
DH group: 14, Reserved: 0x0
N Next payload: NOTIFY, reserved: 0x0, length: 36
*Jul 14 13:30:47.024: IKEv2-INTERNAL:Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
*Jul 14 13:30:47.024: IKEv2-INTERNAL:Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
*Jul 14 13:30:47.024: IKEv2-INTERNAL:Parse Notify Payload: Unknown - 16418 NOTIFY(Unknown - 16418) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
*Jul 14 13:30:47.024: IKEv2-INTERNAL:Parse Notify Payload: Unknown - 16404 NOTIFY(Unknown - 16404) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: Unknown - 0
*Jul 14 13:30:47.025: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_WAIT_INIT Event: EV_RECV_INIT
*Jul 14 13:30:47.025: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Jul 14 13:30:47.025: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
*Jul 14 13:30:47.025: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
*Jul 14 13:30:47.025: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_PROC_INIT Event: EV_PROC_MSG
*Jul 14 13:30:47.025: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_PROC_INIT Event: EV_DETECT_NAT
*Jul 14 13:30:47.025: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Process NAT discovery notify
*Jul 14 13:30:47.025: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Processing nat detect src notify
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Remote address not matched
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Processing nat detect dst notify
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Local address not matched
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Host is located NAT inside
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_PROC_INIT Event: EV_CHK_DIKE
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_PROC_INIT Event: EV_CHG_NAT_T_PORT
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
*Jul 14 13:30:47.026: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: INIT_DONE Event: EV_NO_EVENT
*Jul 14 13:30:47.028: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
*Jul 14 13:30:47.028: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Action: Action_Null
*Jul 14 13:30:47.028: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: INIT_DONE Event: EV_GEN_SKEYID
*Jul 14 13:30:47.028: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Generate skeyid
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: INIT_DONE Event: EV_DONE
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: INIT_DONE Event: EV_CHK4_ROLE
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Config-request is not supported for crypto maps
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):No config data to send to toolkit:
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_CHK_FOR_PPK
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Context already unlocked for 80007F197A787978
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_CHK_PPK_MAND
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_CHK_EAP
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_BLD_AUTH Event: unknown event
*Jul 14 13:30:47.029: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
*Jul 14 13:30:47.030: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
*Jul 14 13:30:47.030: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
*Jul 14 13:30:47.030: IKEv2-INTERNAL:Construct Vendor Specific Payload: CISCO-GRANITE
*Jul 14 13:30:47.030: IKEv2-INTERNAL:Construct Notify Payload: INITIAL_CONTACT
*Jul 14 13:30:47.030: IKEv2-INTERNAL:Construct Notify Payload: SET_WINDOW_SIZE
*Jul 14 13:30:47.030: IKEv2-INTERNAL:Construct Notify Payload: ESP_TFC_NO_SUPPORT
*Jul 14 13:30:47.030: IKEv2-INTERNAL:Construct Notify Payload: NON_FIRST_FRAGS
Payload contents:
VID Next payload: IDi, reserved: 0x0, length: 20
IDi Next payload: AUTH, reserved: 0x0, length: 12
Id type: IPv4 address, Reserved: 0x0 0x0
AUTH Next payload: SA, reserved: 0x0, length: 72
Auth method PSK, reserved: 0x0, reserved 0x0
SA Next payload: TSi, reserved: 0x0, length: 44
last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA512
last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
TSi Next payload: TSr, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 1, length: 16
start port: 0, end port: 65535
start addr: 20.20.20.1, end addr: 20.20.20.1
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 20.20.20.0, end addr: 20.20.20.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 40
Num of TSs: 2, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 1, length: 16
start port: 0, end port: 65535
start addr: 172.16.32.1, end addr: 172.16.32.1
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 172.16.32.0, end addr: 172.16.32.255
NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: INITIAL_CONTACT
NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: NON_FIRST_FRAGS
*Jul 14 13:30:47.031: IKEv2-PAK:(SESSION ID = 1,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 352
Payload contents:
ENCR Next payload: VID, reserved: 0x0, length: 324
*Jul 14 13:30:47.032: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
*Jul 14 13:30:47.044: IKEv2-INTERNAL:Got a packet from dispatcher
*Jul 14 13:30:47.045: IKEv2-INTERNAL:Processing an item off the pak queue
*Jul 14 13:30:47.045: IKEv2-PAK:(SESSION ID = 1,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 96
Payload contents:
*Jul 14 13:30:47.045: IKEv2-INTERNAL:Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED
*Jul 14 13:30:47.045: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
*Jul 14 13:30:47.045: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):Action: Action_Null
*Jul 14 13:30:47.045: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 1 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
*Jul 14 13:30:47.045: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL
*Jul 14 13:30:47.045: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 1 CurState: EXIT Event: EV_ABORT.
*Jul 14 13:30:47.045: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 1 CurState: EXIT Event: EV_CHK_PENDING_ABORT
*Jul 14 13:30:47.045: IKEv2-INTERNAL:Negotiating SA request deleted
*Jul 14 13:30:47.045: IKEv2-INTERNAL:Decrement count for outgoing negotiating
*Jul 14 13:30:47.045: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 1 CurState: EXIT Event: EV_CHK_GKM
*Jul 14 13:30:47.045: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=C333CE69860650CC R_SPI=F8B04A67F7FBD43E (I) MsgID = 1 CurState: EXIT Event: EV_UPDATE_CAC_STATS....
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ā07-14-2023 01:27 AM - edited ā07-14-2023 01:28 AM
Could you please try to change the command "identity local address" to "match address local" under IKEv2 profile and see if that works?
crypto ikev2 profile myprofile
no identity local address 192.168.200.2
match address local 192.168.200.2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ā07-14-2023 03:02 AM
still getting authentication failed!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ā07-14-2023 07:24 AM
AES-CBC-265<<- this what you config
this what I see in debug AES-CBC (which same as AES-CBC-128)
so match encrypt in both side
remove prf sha512 I suggest before it not issue here
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ā07-14-2023 08:23 AM
yes i config AES-CBC-265
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ā07-14-2023 08:33 AM
I know that,
but value is AES-CBC-128 so
change your side to aes-cbc-128 and check
- « Previous
-
- 1
- 2
- Next »
Learn, share, save
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide
Customers Also Viewed These Support Documents