06-10-2022 12:31 AM - edited 06-10-2022 03:46 AM
I've been testing IKEv2 on a Cisco C891F router in an attempt to replace an L2TP/IPSec remote access VPN service with an IKEv2 service using the Native VPN client in Windows 10.
Currently the L2TP/IPSec service works perfectly and Windows 10 clients using the Native VPN client are assigned IPv4 & IPv6 addresses as part of the PPPoE session.
With IKEv2 it's all a bit different...
I've managed to get IPv4 working, but not IPv6. I think I'm most of the way there, however there is something not right with the SA negotiation for IPv6. Windows throws up the error '840: Internal address negotiation failed'.
I've tried various iterations of the 'ipv6 local pool' command, specifying the prefix length as 128, 64, 126 etc. The IPSec profile sets 'mixed-mode'.
aaa authentication login VPN-IKEv2 group RADIUS-Servers
!
aaa authorization network IKEv2-authorisation local
!
crypto ikev2 authorization policy windows-authorisation
 ipv6 pool VPN-2
 ipv6 dns x:x:x:x:: y:y:y:y::
 pool default
 dns 192.168.100.20 192.168.102.133
 def-domain domain.local
 pfs
!
crypto ikev2 proposal windows
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256
 group 2 14 15 16 19 20
!
crypto ikev2 policy windows
 proposal windows
!
crypto ikev2 profile windows-rsa
 match identity remote address 0.0.0.0
 identity local fqdn cisco-c891f.domain.local
 authentication local rsa-sig
 authentication remote rsa-sig
 authentication remote eap query-identity
 pki trustpoint cert-auth
 aaa authentication eap VPN-IKEv2
 aaa authorization group eap list IKEv2-authorisation windows-authorisation local
 virtual-template 30
!
crypto ipsec transform-set aes256-sha1 esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile windows-ikev2
 set transform-set aes256-sha1
 set mixed-mode
 set ikev2-profile windows-rsa
!
ip local pool default 192.168.120.17 192.168.120.25
!
ipv6 local pool VPN-2 2001:x:x:x::/112 128
!
interface Virtual-Template30 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 ip virtual-reassembly in
 ipv6 unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile windows-ikev2
!
The internal IPv4 address space is all RFC1918, so it's visible; the IPv6 address space is a public /48 prefix that my provider supplies.
Just wondering whether anyone has managed this? Seems to be an issue between IOS and Windows as I can see the IPSec proposal with the local & remote IPv6 proxies.
827253: Jun 10 09:13:17.193 BST: IPSEC:(SESSION ID = 190) (create_sa) sa created, (sa) sa_dest= 192.168.120.30, sa_proto= 50, sa_spi= 0x8F5F9C7D(2405407869), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 247 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 192.168.120.30:0, remote= 192.168.130.4:0, local_proxy= ::/0/256/0, remote_proxy= 2001:xxx:xxx:xxx::/128/256/0
827254: Jun 10 09:13:17.193 BST: IPSEC:(SESSION ID = 190) (create_sa) sa created, (sa) sa_dest= 192.168.130.4, sa_proto= 50, sa_spi= 0x4ABF02AE(1254032046), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 248 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 192.168.120.30:0, remote= 192.168.130.4:0, local_proxy= ::/0/256/0, remote_proxy= 2001:xxx:xxx:xxx::/128/256/0
827255: Jun 10 09:13:17.193 BST: [Sibling 8F5F9C7D]: state = Install SPI
827256: Jun 10 09:13:17.193 BST: [Sibling 8F5F9C7D]: state = Del Transient SPI
827257: Jun 10 09:13:17.193 BST: [Ident 800001A5]: state = Check Outbound Enable Status
827258: Jun 10 09:13:17.193 BST: [Ident 800001A5]: state = Got Enable Outbound SA
827259: Jun 10 09:13:17.193 BST: [Ident 800001A5]: state = Select Outbound SA
827260: Jun 10 09:13:17.193 BST: [Ident 800001A5]: state = Install New Outbound SA
827261: Jun 10 09:13:17.193 BST: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_CREATE_PTOP_SA message to ACL Virtual-Access6-head-0-ACL, static seqno 65537 dynamic seqno 0
827262: Jun 10 09:13:17.193 BST: IPSEC: Expand action denied, notify RP
827263: Jun 10 09:13:17.197 BST: [Ident 800001A5]: state = Set flow_installed
827264: Jun 10 09:13:17.197 BST: IPSEC:(SESSION ID = 190) (STATES) ident_set_flow_installed_action Sending crypto_ss_connection_open
827265: Jun 10 09:13:17.197 BST: [Ident 800001A5]: state = Check Install SA Declare Success
827266: Jun 10 09:13:17.197 BST: [Ident 800001A5]: state = Declare success
827267: Jun 10 09:13:17.197 BST: IPSEC(rte_mgr): VPN Route Event Install new outbound sa: Create IPV6 route from ACL for 192.168.130.4
827268: Jun 10 09:13:17.197 BST: IPSEC(rte_mgr): VPN Route Refcount 1 Virtual-Access6
827269: Jun 10 09:13:17.197 BST: IPSEC(rte_mgr): VPN Route Added 2001:xxx:xxx:xxx::/128 via Virtual-Access6 in IP DEFAULT TABLE with tag 0 distance 1
827270: Jun 10 09:13:17.197 BST: [KMI Forward]: state = success
827271: Jun 10 09:13:17.197 BST: [KMI Forward]: deleting state machine
827272: Jun 10 09:13:17.197 BST: [ACL Virtual-Access6-head-0-ACL]: state = ACL KMI check result
827273: Jun 10 09:13:17.197 BST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access6, changed state to up
827274: Jun 10 09:13:17.205 BST: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer 192.168.130.4:4500 Id: 192.168.130.4
827275: Jun 10 09:13:17.205 BST: IPSEC(key_engine): got a queue event with 1 KMI message(s)
827276: Jun 10 09:13:17.205 BST: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 5344
827277: Jun 10 09:13:17.205 BST: IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
827278: Jun 10 09:13:17.205 BST: [Delete SA]: state = Delete SA Initialization
827279: Jun 10 09:13:17.205 BST: IPSEC:(SESSION ID = 190) still in use sa: 0x140E2224
827280: Jun 10 09:13:17.205 BST: [Delete SA]: state = Enable outbound
827281: Jun 10 09:13:17.205 BST: [Delete SA]: state = Delete SA
827282: Jun 10 09:13:17.205 BST: IPSEC:(SESSION ID = 190) (key_engine_delete_sas) delete SA with spi 0x8F5F9C7D proto 50 for 192.168.120.30
827283: Jun 10 09:13:17.205 BST: [Delete SA] -> [Sibling 8F5F9C7D]: message Message - Delete Sibling
827284: Jun 10 09:13:17.205 BST: [Sibling 8F5F9C7D]: message = Message - Delete Sibling
827285: Jun 10 09:13:17.205 BST: [Sibling 8F5F9C7D]: state = Notify Ident
827286: Jun 10 09:13:17.205 BST: IPSEC:(SESSION ID = 190) (delete_sa) deleting SA,
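As an added example (not part of the post), a small parser for the "debug crypto ipsec" trace format shown above: it pulls each installed child SA with its traffic selectors and correlates it with the later tunnel DOWN and SA-delete lines, so you can see how long the IPv6 child SA lived before the session was torn down. The sample lines are constructed in the same format, with the masked prefix replaced by an address from the 2001:db8::/32 documentation range.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the "debug crypto ipsec" trace in the post above
# (the poster's masked prefix is replaced with the 2001:db8::/32 documentation range).
SAMPLE_LOG = """\
827253: Jun 10 09:13:17.193 BST: IPSEC:(SESSION ID = 190) (create_sa) sa created, (sa) sa_dest= 192.168.120.30, sa_proto= 50, sa_spi= 0x8F5F9C7D(2405407869), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 247 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 192.168.120.30:0, remote= 192.168.130.4:0, local_proxy= ::/0/256/0, remote_proxy= 2001:db8:1:2::/128/256/0
827254: Jun 10 09:13:17.193 BST: IPSEC:(SESSION ID = 190) (create_sa) sa created, (sa) sa_dest= 192.168.130.4, sa_proto= 50, sa_spi= 0x4ABF02AE(1254032046), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 248 sa_lifetime(k/sec)= (4608000/3600), (identity) local= 192.168.120.30:0, remote= 192.168.130.4:0, local_proxy= ::/0/256/0, remote_proxy= 2001:db8:1:2::/128/256/0
827274: Jun 10 09:13:17.205 BST: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer 192.168.130.4:4500 Id: 192.168.130.4
827282: Jun 10 09:13:17.205 BST: IPSEC:(SESSION ID = 190) (key_engine_delete_sas) delete SA with spi 0x8F5F9C7D proto 50 for 192.168.120.30
"""
LINE_RE = re.compile(r"^\d+: (\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \w+: (.*)$")
SA_RE = re.compile(r"\(SESSION ID = (\d+)\) \(create_sa\).*?sa_spi= (0x[0-9A-Fa-f]+)"
                   r".*?remote= (\S+):\d+,.*?local_proxy= (\S+), remote_proxy= (\S+)")
DOWN_RE = re.compile(r"Crypto tunnel v2 is DOWN\. Peer (\S+)")
DEL_RE = re.compile(r"delete SA with spi (0x[0-9A-Fa-f]+)")

def parse_ts(text):
    # The syslog stamp carries no year; any fixed year keeps the deltas correct.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")

def selector(field):
    # Split 'prefix/len/proto/port' as printed in the trace (256 means any protocol).
    prefix, plen, proto, port = field.rsplit("/", 3)
    return {"prefix": f"{prefix}/{plen}", "proto": "any" if proto == "256" else proto, "port": port}

def analyse(log):
    """Correlate each installed child SA with the tunnel DOWN and SA-delete events."""
    sas, down_at, deleted = [], {}, set()
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if sa := SA_RE.search(msg):
            sid, spi, peer, lp, rp = sa.groups()
            sas.append({"session": sid, "spi": spi, "peer": peer, "installed": ts,
                        "local": selector(lp), "remote": selector(rp)})
        elif d := DOWN_RE.search(msg):
            down_at[d.group(1).rsplit(":", 1)[0]] = ts  # key by peer address, drop the port
        elif dl := DEL_RE.search(msg):
            deleted.add(dl.group(1))
    for e in sas:
        down = down_at.get(e["peer"])
        # An SA torn down milliseconds after installation means the IPv6 traffic
        # selectors were agreed and the session failed after that point.
        e["lifetime_ms"] = (down - e["installed"]) // timedelta(milliseconds=1) if down else None
        e["deleted"] = e["spi"] in deleted
    return sas
```

Run `analyse(SAMPLE_LOG)` to get one record per child SA; on the sample both SAs carry the ::/0 to 2001:db8:1:2::/128 selectors and are followed by a DOWN 12 ms after installation.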
01-25-2023 11:47 PM
Hi,
Did you make it run? Where was the problem? I'll be doing the same thing in a few days, so I am grabbing some inspiration.
Regards
Tomas
01-26-2023 12:37 AM
I had some more success; however, I could not get IPv4 & IPv6 working at the same time. It was one or the other.
Re: Use Windows 11 built-in IKEv2 client for FlexVPN - Cisco Community
I gave up in the end and have left the L2TP/IPSec in place. My test rig is still in the lab and my config is in that post. If you have more success than me I'd appreciate any help. I have a C1100 series IOS-XE router available to me and was going to see if I had any more luck with that, but I haven't had the time.
Andy