IKEv2 GCM "IKE SA delete request reason: unknown"

seefarrun
Level 1

I'm adding this in case anyone has to go through the same joy I have had for the last day and a half and can't find an answer.

I was setting up a new IKEv2 VPN with a Virtual Tunnel Interface on an ASA running 9.8.4.x. I was using aes-gcm-256 as encryption for both phases, and the documentation from the other peer specified using SHA256 as the integrity. When I set up my IKEv2 policy as per below, it would not allow me to set the integrity to anything but null, which was fine.

crypto ikev2 policy 8
 encryption aes-gcm-256
 group 19
 prf sha256
 lifetime seconds 86400

When I set up my new ipsec policy it warned me that integrity wouldn't be used but took the config anyway and I must have missed / ignored the warnings:

myfirewall(config)# crypto ipsec ikev2 ipsec-proposal set-5
myfirewall(config-ipsec-proposal)#  protocol esp encryption aes-gcm-256
WARNING: GCM\GMAC are authenticated encryption algorithms.esp integrity config is ignored
myfirewall(config-ipsec-proposal)#  protocol esp integrity sha-256
WARNING: GCM\GMAC are authenticated encryption algorithms.esp integrity config is ignored

myfirewall# show run | beg ipsec-proposal set-5
crypto ipsec ikev2 ipsec-proposal set-5
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256

It wouldn't form the tunnel, and going through the Cisco debug doco, it seems like it formed Phase 1 (CONNECTION STATUS: REGISTERED), but when it came to form Phase 2 (the Child portion) it was just committing suicide and deleting the SA.


https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/115935-asa-ikev2-debugs.html

The only thing in there was a log saying "Queuing IKE SA delete request reason: unknown", which wasn't that useful:


IKEv2-PLAT-2: (824): idle timeout set to: 30
IKEv2-PLAT-2: (824): session timeout set to: 0
IKEv2-PLAT-2: (824): group policy set to x.x.x.x
IKEv2-PLAT-2: (824): class attr set
IKEv2-PLAT-2: (824): tunnel protocol set to: 0x40
IKEv2-PLAT-2: (824): IPv4 filter ID not configured for connection
IKEv2-PLAT-2: (824): group lock set to: none
IKEv2-PLAT-2: (824): IPv6 filter ID not configured for connection
IKEv2-PLAT-2: (824): connection attribues set valid to TRUE
IKEv2-PLAT-2: (824): Successfully retrieved conn attrs
IKEv2-PLAT-2: (824): Session registration after conn attr retrieval PASSED, No error
IKEv2-PLAT-2: (824): connection auth hdl set to -1
IKEv2-PLAT-2:
CONNECTION STATUS: REGISTERED... peer: x.x.x.x:500, phase1_id: x.x.x.x
IKEv2-PROTO-2: (824): Initializing DPD, configured for 10 seconds
IKEv2-PLAT-2: mib_index set to: 501
IKEv2-PROTO-2: (824): Checking for duplicate IKEv2 SA
IKEv2-PROTO-2: (824): No duplicate IKEv2 SA found
IKEv2-PROTO-2: (824): Queuing IKE SA delete request reason: unknown

I couldn't find any other useful debugs, and after reading through the configuration guide I saw all the bits about GCM not needing integrity. I set my ipsec proposal to null and it came up straight away:

crypto ipsec ikev2 ipsec-proposal set-5
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

So hopefully that helps the next guy!
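The failure in this post is a stored ESP integrity line that the ASA warned about but kept. As an added example (not code from the post or from Cisco), the following script lints `crypto ipsec ikev2 ipsec-proposal` blocks from a config dump and flags any that pair a combined-mode (GCM/GMAC) cipher with an explicit non-null integrity algorithm. The sample config is constructed for the example; it reuses the `set-5` proposal from the post alongside a corrected copy and a plain aes-256/sha-256 proposal for contrast. The cipher list and the `fixed_block` rendering are the example's own assumptions, not an ASA API.

```python
"""Lint Cisco ASA IKEv2 ipsec-proposals for GCM/GMAC paired with ESP integrity.

Added example, not from the forum post. The ASA accepts the integrity line
with only a warning, so `show run` still carries it; this script finds such
proposals in a saved config and prints the corrected block.
"""
import re
from dataclasses import dataclass, field

# Combined-mode (AEAD) ESP ciphers on the ASA (assumed list for the example):
# authentication is part of the cipher, so a separate ESP integrity
# algorithm is meaningless for them and should be set to null.
AEAD_CIPHERS = {
    "aes-gcm", "aes-gcm-192", "aes-gcm-256",
    "aes-gmac", "aes-gmac-192", "aes-gmac-256",
}

# Constructed sample config: the proposal from the post as it was stored
# (integrity line kept despite the warning), a corrected copy, and a
# classic CBC proposal where sha-256 integrity is legitimate.
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal set-5
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal set-5-fixed
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal set-cbc
 protocol esp encryption aes-256
 protocol esp integrity sha-256
"""


@dataclass
class Proposal:
    name: str
    encryption: list = field(default_factory=list)
    integrity: list = field(default_factory=list)


def parse_proposals(config: str) -> dict:
    """Collect each `crypto ipsec ikev2 ipsec-proposal` block, keyed by name."""
    proposals, current = {}, None
    for line in config.splitlines():
        block = re.match(r"^crypto ipsec ikev2 ipsec-proposal (\S+)\s*$", line)
        if block:
            current = proposals.setdefault(block.group(1), Proposal(block.group(1)))
            continue
        if not line.startswith(" "):  # any other top-level command ends the block
            current = None
            continue
        if current is None:
            continue
        # ASA allows several algorithms on one line, so split the remainder.
        stmt = re.match(r"^\s+protocol esp (encryption|integrity)\s+(.+?)\s*$", line)
        if stmt:
            getattr(current, stmt.group(1)).extend(stmt.group(2).split())
    return proposals


def check_proposals(config: str) -> list:
    """Return (proposal name, message) for each AEAD cipher + non-null integrity pairing."""
    findings = []
    for p in parse_proposals(config).values():
        aead = [e for e in p.encryption if e in AEAD_CIPHERS]
        extra = [i for i in p.integrity if i != "null"]
        if aead and extra:
            findings.append((
                p.name,
                f"AEAD cipher {','.join(aead)} configured with ESP integrity "
                f"{','.join(extra)}; set 'protocol esp integrity null'",
            ))
    return findings


def fixed_block(p: Proposal) -> str:
    """Render the proposal with integrity forced to null (the working config from the post)."""
    lines = [f"crypto ipsec ikev2 ipsec-proposal {p.name}"]
    if p.encryption:
        lines.append(" protocol esp encryption " + " ".join(p.encryption))
    lines.append(" protocol esp integrity null")
    return "\n".join(lines)


if __name__ == "__main__":
    proposals = parse_proposals(SAMPLE_CONFIG)
    for name, message in check_proposals(SAMPLE_CONFIG):
        print(f"{name}: {message}")
        print(fixed_block(proposals[name]))
```

Run it against the output of `show run crypto` saved to a file, and the only proposal reported in the sample is `set-5`; the corrected `set-5-fixed` and the CBC proposal pass because their integrity settings are consistent with their ciphers.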

Accepted Solution

Mike.Cifelli
VIP Alumni

Combined mode ciphers support/provide encryption & integrity via the single algorithm.  Glad you figured it out! Thanks for the share

3 Replies

Thanks a lot for sharing the solution, it helped me to resolve the tunnel down issue

Thanks for sharing