IKEv2 Error - There was no IPSEC policy found for received TS

Rayn12345
Level 1

Dear Community

I am a beginner and urgently need help!

I am trying to establish an IPSEC/IKEv2 connection between a HUB (Cisco router, IOS version 15.8(3)M9) and SPOKES (Cisco IOS XE software, version 17.09.01) via the Internet.

I also connect Linux-based routers with Strongswan to the HUB, where the connection works perfectly.

When connecting to the Cisco SPOKE, I receive the following error message:
IKEv2-ERROR:(SESSION ID = 199,SA ID = 2):: There was no IPSEC policy found for received TS

Please find attached the following files:

Configuration of the Cisco SPOKE
Configuration of the HUB
Debug output of the Cisco SPOKE ‘debug crypto ikev2 packet’
Debug output of the HUB ‘debug crypto ipsec’ 
Strongswan IPSEC tunnel information, where connection works

I hope I was able to give you useful information and otherwise just let me know if I should provide more.

Many thanks for your help.



Accepted Solution

@Rayn12345 you have explicitly configured "tunnel mode ipsec ipv4" on the hub virtual-template but you have not configured the same on Tu0 on the spoke, therefore the spoke is using GRE. Configure the spoke tunnel as below:-

interface Tunnel0
 tunnel mode ipsec ipv4

You also do not need the static route on the spoke via Tu0, the hub IP can be learnt via authorisation.
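The mismatch described in this answer can be read straight off the two IPSEC FLOW lines posted earlier in the thread (spoke: "permit 47 host ... host ...", hub: "permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0"). The checker below is an added example, not code from the thread or from Cisco: it parses both lines and reports why the hub finds no IPsec policy for the received traffic selector. The "after fix" spoke line and the address-coverage checks are assumptions, not output from the poster's routers.

```python
import ipaddress
import re

# IPSEC FLOW lines as posted in the thread ("show crypto session" on each side).
SPOKE_FLOW = "IPSEC FLOW: permit 47 host 10.69.42.172 host 1.2.3.4"
HUB_FLOW = "IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0"
# Constructed: what the spoke is expected to show once both ends run
# "tunnel mode ipsec ipv4" (an assumption, not output from the poster's router).
SPOKE_FLOW_FIXED = "IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0"


def _network(tokens):
    """Consume one IOS address spec ('host A' or 'A/MASK') and return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(tokens[0], strict=False), tokens[1:]


def parse_flow(line):
    """Turn an 'IPSEC FLOW: permit <proto> <local> <remote>' line into a dict."""
    match = re.search(r"permit\s+(\S+)\s+(.+)$", line.strip())
    if not match:
        raise ValueError(f"unrecognised IPSEC FLOW line: {line!r}")
    proto, rest = match.group(1), match.group(2).split()
    local, rest = _network(rest)
    remote, _ = _network(rest)
    return {"proto": proto, "local": local, "remote": remote}


def diagnose(spoke_line, hub_line):
    """Return the reasons the hub would find no IPsec policy for the spoke's TS."""
    spoke, hub = parse_flow(spoke_line), parse_flow(hub_line)
    findings = []
    if spoke["proto"] != hub["proto"]:
        if spoke["proto"] == "47" and hub["proto"] == "ip":
            findings.append("spoke selector is GRE (protocol 47) but hub selector is plain ip: "
                            "tunnel mode differs, add 'tunnel mode ipsec ipv4' on the spoke Tunnel0")
        else:
            findings.append(f"protocol mismatch: spoke {spoke['proto']} vs hub {hub['proto']}")
    # The hub sees the spoke's local side as its remote side and vice versa.
    if not spoke["local"].subnet_of(hub["remote"]):
        findings.append(f"spoke local {spoke['local']} not covered by hub remote {hub['remote']}")
    if not spoke["remote"].subnet_of(hub["local"]):
        findings.append(f"spoke remote {spoke['remote']} not covered by hub local {hub['local']}")
    return findings


if __name__ == "__main__":
    for reason in diagnose(SPOKE_FLOW, HUB_FLOW):
        print("MISMATCH:", reason)
    print("after fix:", diagnose(SPOKE_FLOW_FIXED, HUB_FLOW) or "selectors compatible")
```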


6 Replies

In hub and spoke, share:
show crypto ikev2 sa
show crypto session
show crypto ipsec sa

MHM

Rayn12345
Level 1

SPOKE:

SPOKE#show crypto ikev2 sa 

<show nothing>

SPOKE#show crypto session
Crypto session current status

Interface: Tunnel0
Session status: DOWN
Peer: 1.2.3.4 port 500
IPSEC FLOW: permit 47 host 10.69.42.172 host 1.2.3.4
Active SAs: 0, origin: crypto map

R1-SPOKE1#show crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.69.42.172

protected vrf: (none)
local ident (addr/mask/prot/port): (10.69.42.172/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (1.2.3.4/255.255.255.255/47/0)
current_peer 1.2.3.4 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 10.69.42.172, remote crypto endpt.: 1.2.3.4
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Cellular0/1/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas

 

Thanks!

For hub:

MHM

Rayn12345
Level 1

HUB1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
2 1.2.3.4/4500 178.197.203.50/29250 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1521 sec

Tunnel-id Local Remote fvrf/ivrf Status
1 1.2.3.4/4500 178.197.202.9/20043 none/none READY
Encr: AES-GCM, keysize: 256, PRF: SHA256, Hash: None, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1074 sec

IPv6 Crypto IKEv2 SA

HUB1#show crypto session
Crypto session current status

Interface: Virtual-Access4
Profile: ike_v2_profile
Session status: UP-ACTIVE
Peer: 178.197.203.50 port 29250
Session ID: 64
IKEv2 SA: local 1.2.3.4/4500 remote 178.197.203.50/29250 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

Interface: Virtual-Access5
Profile: ike_v2_profile
Session status: UP-ACTIVE
Peer: 178.197.202.9 port 20043
Session ID: 78
IKEv2 SA: local 1.2.3.4/4500 remote 178.197.202.9/20043 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

R1-HUB1#show crypto ipsec sa

interface: Virtual-Access4
Crypto map tag: Virtual-Access4-head-0, local addr 1.2.3.4

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 178.197.203.50 port 29250
PERMIT, flags={origin_is_acl,}
#pkts encaps: 235, #pkts encrypt: 235, #pkts digest: 235
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.2.3.4, remote crypto endpt.: 178.197.203.50
plaintext mtu 1430, path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
current outbound spi: 0xC3911155(3281064277)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x6DC99FCE(1841930190)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000040, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4218734/1881)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC3911155(3281064277)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000040, crypto map: Virtual-Access4-head-0
sa timing: remaining key lifetime (k/sec): (4218734/1881)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

interface: Virtual-Access5
Crypto map tag: Virtual-Access5-head-0, local addr 1.2.3.4

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 178.197.202.9 port 20043
PERMIT, flags={origin_is_acl,}
#pkts encaps: 176, #pkts encrypt: 176, #pkts digest: 176
#pkts decaps: 181, #pkts decrypt: 181, #pkts verify: 181
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 1.2.3.4, remote crypto endpt.: 178.197.202.9
plaintext mtu 1430, path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
current outbound spi: 0xC60C9E32(3322715698)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xBAEC6850(3136055376)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 5, flow_id: Onboard VPN:5, sibling_flags 80000040, crypto map: Virtual-Access5-head-0
sa timing: remaining key lifetime (k/sec): (4371253/2328)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC60C9E32(3322715698)
transform: esp-gcm 256 ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 6, flow_id: Onboard VPN:6, sibling_flags 80000040, crypto map: Virtual-Access5-head-0
sa timing: remaining key lifetime (k/sec): (4371253/2328)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:


Rayn12345
Level 1

Tunnel is up!

LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up

Thank you very much!!
There seem to be some other problems, but it looks good so far.