06-19-2024 03:45 AM
Dear experts,
I'm having an issue: the configurations match on both ends, but I'm still getting an Auth exchange failure.
////// Logs
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing ENCR payload
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing VID payload VID
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing IDr payload IDr
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing AUTH payload AUTH
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing SA payload SA
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing TSi payload TSi
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing TSr payload TSr
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing NOTIFY payload NOTIFY(SET_WINDOW_SIZE)
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing NOTIFY payload NOTIFY(ESP_TFC_NO_SUPPORT)
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing NOTIFY payload NOTIFY(NON_FIRST_FRAGS)
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):Process auth response notify
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):Searching policy based on peer's identity '10.75.2.1' of type 'IPv4 address'
Jun 19 10:37:01.592: IKEv2-ERROR:(SESSION ID = 18530,SA ID = 2):: Failed to locate an item in the database
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Verification of peer's authentication data FAILED
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Auth exchange failed
Jun 19 10:37:01.592: IKEv2-ERROR:(SESSION ID = 18530,SA ID = 2):: Auth exchange failed
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Abort exchange
Jun 19 10:37:01.593: IKEv2:(SESSION ID = 18530,SA ID = 2):Deleting SA
Jun 19 10:37:09.596: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI
Jun 19 10:37:09.596: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 10.75.2.1:500/To 10.75.2.2:500/VRF i0:f3]
Initiator SPI : A2B39E3F76D6DF73 - Responder SPI : 4E5D9F502C38BD7D Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
Jun 19 10:37:09.596: IKEv2-ERROR:: A supplied parameter is incorrect
//////////////
////// R1 Configs ////
crypto ikev2 keyring ikev4_key
peer mypeer
address 0.0.0.0 0.0.0.0
pre-shared-key cisco321
!
crypto ikev2 profile ikev4_prof
match identity remote address 10.75.2.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local ikev4_key
crypto isakmp policy 11
encryption aes 256
hash sha512
authentication pre-share
group 20
lifetime 3600
crypto isakmp key cisco321 address 10.75.2.1
crypto ipsec transform-set tfs4 esp-gcm 256
esn
mode tunnel
crypto ipsec profile ipsec4_prof
set transform-set tfs4
set ikev2-profile ikev4_prof
////// R2 Configs ////
crypto ikev2 keyring ikev4_key
peer mypeer
address 0.0.0.0 0.0.0.0
pre-shared-key cisco321
!
crypto ikev2 profile ikev4_prof
match identity remote address 10.75.2.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local ikev4_key
crypto isakmp policy 11
encryption aes 256
hash sha512
authentication pre-share
group 20
lifetime 3600
crypto isakmp key cisco321 address 10.75.2.2
crypto ipsec transform-set tfs4 esp-gcm 256
esn
mode tunnel
crypto ipsec profile ipsec4_prof
set transform-set tfs4
set ikev2-profile ikev4_prof
06-19-2024 03:49 AM
@dgawaya1 authentication is failing; is the peer sending the IP address (10.75.2.1) as defined? Please provide the rest of the configuration, including physical and tunnel interfaces, etc.
Jun 19 10:37:01.591: IKEv2:(SESSION ID = 18530,SA ID = 2):Searching policy based on peer's identity '10.75.2.1' of type 'IPv4 address'
Jun 19 10:37:01.592: IKEv2-ERROR:(SESSION ID = 18530,SA ID = 2):: Failed to locate an item in the database
Jun 19 10:37:01.592: IKEv2:(SESSION ID = 18530,SA ID = 2):Verification of peer's authentication data FAILED
06-19-2024 04:18 AM
@Rob Ingram
///R1
SYD1PAXVR002#sh run int tun 11
Building configuration...
Current configuration : 332 bytes
!
interface Tunnel11
description Vivienne Court GRE/IPsec tunnel
vrf forwarding VRF-TUNNEL2
ip address 10.3.3.2 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/2
tunnel mode ipsec ipv4
tunnel destination 10.75.2.1
tunnel vrf VRF-TUNNEL2
tunnel protection ipsec profile ipsec4_prof
end
SYD1PAXVR002#sh run int gi0/0/2
Building configuration...
Current configuration : 122 bytes
!
interface GigabitEthernet0/0/2
vrf forwarding VRF-TUNNEL2
ip address 10.75.2.2 255.255.255.240
negotiation auto
end
///R2
interface Tunnel11
description Vivienne Court GRE/IPsec tunnel
ip address 10.3.3.1 255.255.255.252
ip mtu 1336
ip tcp adjust-mss 1296
tunnel source GigabitEthernet0/0/2
tunnel mode ipsec ipv4
tunnel destination 10.75.2.2
tunnel protection ipsec profile ipsec4_prof
end
SYD2PAXVR002#sh run int gi0/0/2
Building configuration...
Current configuration : 94 bytes
!
interface GigabitEthernet0/0/2
ip address 10.75.2.1 255.255.255.240
negotiation auto
end
06-19-2024 04:24 AM
@dgawaya1 you are using VRF on R1, so you need to ensure you match the VRF under the IKEv2 profile.
crypto ikev2 profile ikev4_prof
match fvrf VRF-TUNNEL2
You also need to ensure that under the IKEv2 policy you also define the VRF, if you haven't already.
Here is an example of using VRF under FlexVPN - https://integratingit.wordpress.com/2019/04/22/flexvpn-vrf/
06-19-2024 04:28 AM
My tunnel interface went down when I configured "match fvrf VRF-TUNNEL2".
06-19-2024 03:54 AM
Sorry to see that your issue is not solved completely.
Two points:
1- First, you configured an isakmp policy, but IKEv2 uses a different policy. It is configured with:
crypto ikev2 proposal <prop> <<- the settings below must match on both peers
integrity <>
encrypt <>
group <>
crypto ikev2 policy <poli>
proposal <prop>
2- Some ISR IOS XE routers do not support esp-gcm 256, so try another SA.
MHM
06-19-2024 04:29 AM
I've moved away from esp-gcm. No luck yet.
06-19-2024 04:34 AM - edited 06-19-2024 04:36 AM
If the tunnel source in one or both peers uses a VRF, you need the below:
crypto ikev2 proposal <prop> <<- the settings below must match on both peers
integrity <>
encrypt <>
group <>
crypto ikev2 policy <poli>
proposal <prop>
match fvrf <>
Also you need, under
crypto ikev2 profile <>
match fvrf <>
And under the tunnel you need
tunnel vrf <>
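As an added illustration (not code from the thread, from Cisco, or from either poster), a small Python check of the relationship both replies above describe: a tunnel's "tunnel vrf" must be matched by "match fvrf <vrf>" (or "match fvrf any") in the IKEv2 profile reached through "tunnel protection ipsec profile" and "set ikev2-profile". The config text is a constructed sample modelled on R1's running-config, and the function names are my own.

```python
# Constructed sample modelled on R1: Tunnel11 has a front-door VRF but the
# IKEv2 profile it ends up using has no "match fvrf" line (the thread's bug).
SAMPLE_CONFIG = """\
crypto ikev2 profile ikev4_prof
 match identity remote address 10.75.2.1 255.255.255.255
 keyring local ikev4_key
!
crypto ipsec profile ipsec4_prof
 set ikev2-profile ikev4_prof
!
interface Tunnel11
 tunnel vrf VRF-TUNNEL2
 tunnel protection ipsec profile ipsec4_prof
!
"""

def parse_sections(config):
    """Split IOS config text into {block header: [indented child lines]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None  # "!" or a blank line closes the current block
        elif raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
    return sections

def first_arg(lines, prefix, index):
    """Token <index> of the first line starting with <prefix>, or None."""
    for line in lines:
        if line.startswith(prefix):
            return line.split()[index]
    return None

def check_fvrf_consistency(config):
    """(tunnel, reason) for each tunnel whose 'tunnel vrf' is not matched by 'match fvrf' in its IKEv2 profile."""
    sections, findings = parse_sections(config), []
    for header, lines in sections.items():
        fvrf = first_arg(lines, "tunnel vrf ", 2)
        ipsec_prof = first_arg(lines, "tunnel protection ipsec profile ", 4)
        if not header.startswith("interface Tunnel") or not (fvrf and ipsec_prof):
            continue  # not a tunnel, global-table tunnel, or unprotected: nothing to check
        ikev2_prof = first_arg(sections.get("crypto ipsec profile " + ipsec_prof, []),
                               "set ikev2-profile ", 2)
        prof_lines = sections.get("crypto ikev2 profile " + str(ikev2_prof), [])
        matched = {l.split()[2] for l in prof_lines if l.startswith("match fvrf ")}
        if fvrf not in matched and "any" not in matched:
            findings.append((header, f"tunnel vrf {fvrf} but IKEv2 profile {ikev2_prof} has no 'match fvrf {fvrf}'"))
    return findings
```

Run it against a "show running-config" capture; an empty list means every VRF-sourced tunnel has a profile that will actually be selected for its front-door VRF.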
06-19-2024 03:44 PM - edited 06-19-2024 03:45 PM
Before I go any further: show crypto isakmp has no results, but show crypto ipsec sa does. Also, it looks like the auth failed message is not in the logs anymore. The tunnel is up! Could this indicate success?
///////////////R1 (hub) /////////////////////////////////////////
SYD1PAXVR002#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
SYD1PAXVR002#show crypto ipsec profile ipsec4_prof
IPSEC profile ipsec4_prof
IKEv2 Profile: ikev4_prof
Security association lifetime: 4608000 kilobytes/3600 seconds
Dualstack (Y/N): N
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
tfs4: { esp-256-aes esp-sha384-hmac } ,
}
SYD1PAXVR002#show crypto ipsec sa
interface: Tunnel11
Crypto map tag: Tunnel11-head-0, local addr 10.75.2.2
protected vrf: VRF-TUNNEL2
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 10.75.2.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.75.2.2, remote crypto endpt.: 10.75.2.1
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/2
current outbound spi: 0xA682ACA0(2793581728)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x30A77BC2(816282562)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel, }
conn id: 2326, flow_id: ESG:326, sibling_flags FFFFFFFF80004048, crypto map: Tunnel11-head-0, initiator : True
sa timing: remaining key lifetime (k/sec): (4608000/1738)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xA682ACA0(2793581728)
transform: esp-256-aes esp-sha384-hmac ,
in use settings ={Tunnel, }
conn id: 2325, flow_id: ESG:325, sibling_flags FFFFFFFF80004048, crypto map: Tunnel11-head-0, initiator : True
sa timing: remaining key lifetime (k/sec): (4608000/1738)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
SYD1PAXVR002#
///latest logs ////
Jun 19 22:11:11.088: IKEv2:(SESSION ID = 18530,SA ID = 2):Sending Packet [To 10.75.2.1:500/From 10.75.2.2:500/VRF i3:f3]
Initiator SPI : C0578C28121285F3 - Responder SPI : 21508F9228CACA2D Message id: 27
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
Jun 19 22:11:11.088: IKEv2:(SESSION ID = 18530,SA ID = 2):Check for existing IPSEC SA
Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):Received Packet [From 10.75.2.1:500/To 10.75.2.2:500/VRF i0:f3]
Initiator SPI : C0578C28121285F3 - Responder SPI : 21508F9228CACA2D Message id: 27
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing ENCR payload
Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):parsing DELETE payload DELETE
Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):Processing ACK to informational exchange
Jun 19 22:11:11.092: IKEv2:(SESSION ID = 18530,SA ID = 2):Check for existing IPSEC SA
Jun 19 22:33:21.935: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: g] [Source: 10.2.64.25] [localport: 22] at 08:33:21 AEST Thu Jun 20 2024
SYD1PAXVR002#
06-19-2024 07:27 PM
It's IKEv2, so you need to use the below:
show crypto ikev2 sa
show crypto session
And from what I see, yes, the IPsec IKEv2 is successfully UP.
MHM
06-19-2024 07:56 PM
SYD1PAXVR002#Show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 10.75.2.2/500 10.75.2.1/500 VRF-TUNNEL2/VRF-TU READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/55584 sec
CE id: 21797, Session-id: 26121
Local spi: C0578C28121285F3 Remote spi: 21508F9228CACA2D
IPv6 Crypto IKEv2 SA
SYD1PAXVR002#
SYD1PAXVR002#
SYD1PAXVR002# Show crypto session
Crypto session current status
Interface: Tunnel11
Profile: ikev4_prof
Session status: UP-ACTIVE
Peer: 10.75.2.1 port 500
Session ID: 18530
IKEv2 SA: local 10.75.2.2/500 remote 10.75.2.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
06-19-2024 08:02 PM
That's perfect, and the tunnel is UP from the output.
MHM