IKEv2 FlexVPN with Windows IKEv2 native client IPv6 address assignment

I've been testing IKEv2 on a Cisco C891F router in an attempt to replace a L2TP/IPSec remote access VPN service with an IKEv2 service using the Native VPN client in Windows 10.

Currently the L2TP/IPSec service works perfectly and Windows 10 clients using the Native VPN client are assigned IPv4 & IPv6 addresses as part of the PPPoE session.

With IKEv2 it's all a bit different...

I've managed to get IPv4 working, but not IPv6. I think I'm most of the way there, however there is something not right with the SA negotiation for IPv6.  Windows throws up the error '840: Internal address negotiation failed'.

I've tried various iterations of the 'ipv6 local pool' command specifying the prefix length as 128, 64, 126 etc.  The IPSec profile sets 'mixed-mode'.

aaa authentication login VPN-IKEv2 group RADIUS-Servers
!
aaa authorization network IKEv2-authorisation local
!
crypto ikev2 authorization policy windows-authorisation
 ipv6 pool VPN-2
 ipv6 dns x:x:x:x:: y:y:y:y::
 pool default
 dns 192.168.100.20 192.168.102.133
 def-domain domain.local
 pfs
!
crypto ikev2 proposal windows
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256
 group 2 14 15 16 19 20
!
crypto ikev2 policy windows
 proposal windows
!
crypto ikev2 profile windows-rsa
 match identity remote address 0.0.0.0
 identity local fqdn cisco-c891f.domain.local
 authentication local rsa-sig
 authentication remote rsa-sig
 authentication remote eap query-identity
 pki trustpoint cert-auth
 aaa authentication eap VPN-IKEv2
 aaa authorization group eap list IKEv2-authorisation windows-authorisation
 local
 virtual-template 30
!
crypto ipsec transform-set aes256-sha1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile windows-ikev2
 set transform-set aes256-sha1
 set mixed-mode
 set ikev2-profile windows-rsa
!
ip local pool default 192.168.120.17 192.168.120.25
!
ipv6 local pool VPN-2 2001:x:x:x::/112 128
!
interface Virtual-Template30 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly in
 ipv6 unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile windows-ikev2
!

The internal IPv4 address space is all RFC1918 so it's visible; the IPv6 address space is a public /48 prefix that my provider supplies.


Just wondering whether anyone has managed this?  Seems to be an issue between IOS and Windows as I can see the IPSec proposal with the local & remote IPv6 proxies.

827253: Jun 10 09:13:17.193 BST: IPSEC:(SESSION ID = 190) (create_sa) sa created,
  (sa) sa_dest= 192.168.120.30, sa_proto= 50,
    sa_spi= 0x8F5F9C7D(2405407869),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 247
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 192.168.120.30:0, remote= 192.168.130.4:0,
    local_proxy= ::/0/256/0,
    remote_proxy= 2001:xxx:xxx:xxx::/128/256/0
827254: Jun 10 09:13:17.193 BST: IPSEC:(SESSION ID = 190) (create_sa) sa created,
  (sa) sa_dest= 192.168.130.4, sa_proto= 50,
    sa_spi= 0x4ABF02AE(1254032046),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 248
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 192.168.120.30:0, remote= 192.168.130.4:0,
    local_proxy= ::/0/256/0,
    remote_proxy= 2001:xxx:xxx:xxx::/128/256/0
827255: Jun 10 09:13:17.193 BST: [Sibling 8F5F9C7D]: state = Install SPI
827256: Jun 10 09:13:17.193 BST: [Sibling 8F5F9C7D]: state = Del Transient SPI
827257: Jun 10 09:13:17.193 BST: [Ident 800001A5]: state = Check Outbound Enable Status
827258: Jun 10 09:13:17.193 BST: [Ident 800001A5]: state = Got Enable Outbound SA
827259: Jun 10 09:13:17.193 BST: [Ident 800001A5]: state = Select Outbound SA
827260: Jun 10 09:13:17.193 BST: [Ident 800001A5]: state = Install New Outbound SA
827261: Jun 10 09:13:17.193 BST: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_CREATE_PTOP_SA message to ACL Virtual-Access6-head-0-ACL, static seqno 65537 dynamic seqno 0
827262: Jun 10 09:13:17.193 BST: IPSEC: Expand action denied, notify RP
827263: Jun 10 09:13:17.197 BST: [Ident 800001A5]: state = Set flow_installed
827264: Jun 10 09:13:17.197 BST: IPSEC:(SESSION ID = 190) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
827265: Jun 10 09:13:17.197 BST: [Ident 800001A5]: state = Check Install SA Declare Success
827266: Jun 10 09:13:17.197 BST: [Ident 800001A5]: state = Declare success
827267: Jun 10 09:13:17.197 BST: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Create IPV6 route from ACL for 192.168.130.4
827268: Jun 10 09:13:17.197 BST: IPSEC(rte_mgr): VPN Route Refcount 1 Virtual-Access6
827269: Jun 10 09:13:17.197 BST: IPSEC(rte_mgr): VPN Route Added 2001:xxx:xxx:xxx::/128 via Virtual-Access6 in IP DEFAULT TABLE with tag 0 distance 1
827270: Jun 10 09:13:17.197 BST: [KMI Forward]: state = success
827271: Jun 10 09:13:17.197 BST: [KMI Forward]: deleting state machine
827272: Jun 10 09:13:17.197 BST: [ACL Virtual-Access6-head-0-ACL]: state = ACL KMI check result
827273: Jun 10 09:13:17.197 BST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to up
827274: Jun 10 09:13:17.205 BST: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN.  Peer 192.168.130.4:4500       Id: 192.168.130.4
827275: Jun 10 09:13:17.205 BST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
827276: Jun 10 09:13:17.205 BST: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5344
827277: Jun 10 09:13:17.205 BST: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
827278: Jun 10 09:13:17.205 BST: [Delete SA]: state = Delete SA Initialization
827279: Jun 10 09:13:17.205 BST: IPSEC:(SESSION ID = 190) still in use sa: 0x140E2224
827280: Jun 10 09:13:17.205 BST: [Delete SA]: state = Enable outbound
827281: Jun 10 09:13:17.205 BST: [Delete SA]: state = Delete SA
827282: Jun 10 09:13:17.205 BST: IPSEC:(SESSION ID = 190) (key_engine_delete_sas) delete SA with spi 0x8F5F9C7D proto 50 for 192.168.120.30
827283: Jun 10 09:13:17.205 BST: [Delete SA] -> [Sibling 8F5F9C7D]: message Message - Delete Sibling
827284: Jun 10 09:13:17.205 BST: [Sibling 8F5F9C7D]: message = Message - Delete Sibling
827285: Jun 10 09:13:17.205 BST: [Sibling 8F5F9C7D]: state = Notify Ident
827286: Jun 10 09:13:17.205 BST: IPSEC:(SESSION ID = 190) (delete_sa) deleting SA,
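
As an added diagnostic aid, not part of the original post and not a Cisco tool, the Python below parses the "debug crypto ipsec" excerpt above. It pulls each child SA's SPI, transform and traffic selectors (the local_proxy/remote_proxy lines) out of the create_sa blocks, marks which SPIs were later deleted, and correlates the %CRYPTO-5-IKEV2_SESSION_STATUS DOWN message with the SA installs by timestamp, since that message carries no session id. The sample log is a trimmed copy of the poster's output with the x/xxx placeholders kept as written; the regular expressions are assumptions about the IOS line format derived from those lines only.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: lines copied from the "debug crypto ipsec" output in the
# post above (prefix placeholders kept as written), trimmed to what is parsed.
SAMPLE_LOG = """\
827253: Jun 10 09:13:17.193 BST: IPSEC:(SESSION ID = 190) (create_sa) sa created,
  (sa) sa_dest= 192.168.120.30, sa_proto= 50,
    sa_spi= 0x8F5F9C7D(2405407869),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 247
    local_proxy= ::/0/256/0,
    remote_proxy= 2001:xxx:xxx:xxx::/128/256/0
827254: Jun 10 09:13:17.193 BST: IPSEC:(SESSION ID = 190) (create_sa) sa created,
  (sa) sa_dest= 192.168.130.4, sa_proto= 50,
    sa_spi= 0x4ABF02AE(1254032046),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 248
    local_proxy= ::/0/256/0,
    remote_proxy= 2001:xxx:xxx:xxx::/128/256/0
827274: Jun 10 09:13:17.205 BST: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN.  Peer 192.168.130.4:4500       Id: 192.168.130.4
827282: Jun 10 09:13:17.205 BST: IPSEC:(SESSION ID = 190) (key_engine_delete_sas) delete SA with spi 0x8F5F9C7D proto 50 for 192.168.120.30
"""

# Assumed IOS line shapes, taken from the lines above: sequence, timestamp, zone, body.
LINE_RE = re.compile(r"^(\d+): (\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+) \w+: (.*)$")
CREATE_RE = re.compile(r"IPSEC:\(SESSION ID = (\d+)\) \(create_sa\)")
DELETE_RE = re.compile(r"IPSEC:\(SESSION ID = (\d+)\) \(key_engine_delete_sas\) "
                       r"delete SA with spi (0x[0-9A-Fa-f]+)")
STATUS_RE = re.compile(r"%CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is (UP|DOWN)\.\s+Peer (\S+)")
FIELD_RES = {
    "spi": re.compile(r"sa_spi= (0x[0-9A-Fa-f]+)"),
    "transform": re.compile(r"sa_trans= (.+?) ,"),
}
# Traffic selector as IOS prints it: address/prefix-length-or-mask/protocol/port.
PROXY_RE = re.compile(r"(local|remote)_proxy= ([^/\s]+)/([^/\s]+)/(\d+)/(\d+)")


@dataclass
class ChildSA:
    session_id: int
    created_at: datetime
    spi: str = ""
    transform: str = ""
    local_proxy: tuple = ()    # (address, prefix-length-or-mask, protocol, port)
    remote_proxy: tuple = ()
    deleted: bool = False

    def family(self) -> int:
        """6 if the negotiated selectors are IPv6, else 4."""
        return 6 if ":" in (self.remote_proxy or ("",))[0] else 4


def _stamp(text: str) -> datetime:
    # The log has no year; only differences between stamps are used, so 1900 is fine.
    return datetime.strptime(text, "%b %d %H:%M:%S.%f")


def parse_ipsec_debug(text: str):
    """Return (child SAs, session events); events are (time, "UP"/"DOWN", peer)."""
    sas, events, current = [], [], None
    for raw in text.splitlines():
        if m := LINE_RE.match(raw):
            current = None          # a numbered line ends any create_sa block
            _, when, body = m.groups()
            if c := CREATE_RE.search(body):
                current = ChildSA(int(c.group(1)), _stamp(when))
                sas.append(current)
            elif d := DELETE_RE.search(body):
                for sa in sas:
                    if sa.spi.lower() == d.group(2).lower():
                        sa.deleted = True
            elif s := STATUS_RE.search(body):
                events.append((_stamp(when), s.group(1), s.group(2)))
        elif current is not None:
            # Indented continuation lines belong to the create_sa block above them.
            for name, rx in FIELD_RES.items():
                if f := rx.search(raw):
                    setattr(current, name, f.group(1))
            if p := PROXY_RE.search(raw):
                side, addr, plen, proto, port = p.groups()
                setattr(current, f"{side}_proxy", (addr, plen, int(proto), int(port)))
    return sas, events


def summarize(text: str) -> dict:
    """Per session: child SAs installed, which were deleted, and how many ms after
    the first install the tunnel was reported DOWN (correlated by time only)."""
    sas, events = parse_ipsec_debug(text)
    report = {}
    for sa in sas:
        r = report.setdefault(sa.session_id, {"child_sas": [], "deleted_spis": [],
                                              "down_after_ms": None, "peer": None})
        r["child_sas"].append({"spi": sa.spi, "family": sa.family(), "transform": sa.transform,
                               "local": sa.local_proxy[:2], "remote": sa.remote_proxy[:2]})
        if sa.deleted:
            r["deleted_spis"].append(sa.spi)
    for sid, r in report.items():
        first = min(sa.created_at for sa in sas if sa.session_id == sid)
        downs = [e for e in events if e[1] == "DOWN" and e[0] >= first]
        if downs:
            r["down_after_ms"] = (downs[0][0] - first) // timedelta(milliseconds=1)
            r["peer"] = downs[0][2]
    return report
```

Run over a full capture, summarize() shows for each session whether the child SAs were actually installed and with which address family and selectors; on this excerpt both SAs are IPv6 (::/0 on the router side, the client's /128 on the remote side) and the tunnel is reported DOWN 12 ms after the install, which places the teardown after the IPsec SA installation rather than in the proposal exchange.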


3 Replies

tomasnohejl
Level 1

Hi,

did you make it run? Where was the problem? I'll be doing the same thing in a few days, so I am grabbing some inspiration.

Regards

 

Tomas

I had some more success, however I could not get IPv4 & IPv6 working at the same time.  It was one or the other.

Re: Use Windows 11 built-in IKEv2 client for FlexVPN - Cisco Community

I gave up in the end and have left the L2TP/IPSec in place.  My test rig is still in the lab and my config is in that post.  If you have more success than me I'd appreciate any help.  I have a C1100 series IOS-XE router available to me and was going to see if I had any more luck with that, but I haven't had the time.

Andy

Hi,
Sure, I'll let you know.
Thanks
Tomas