cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1342
Views
15
Helpful
17
Replies

IKEV2 on ASR1001 using crypto map

bbqbruce
Beginner
Beginner

Hi guys, hoping someone might have some pointers.

I'm tryng to set up an IKEv2 vpn but going round in circles.

 

I have a number of IKEv1 vpn's connected using crypto maps on our external interface. I've been told that the most recent config advice would be to use VTI's, however we aren't able to create a VTI as we would need to remove the crypto maps of the existing connections. We should be able to use IKEv2 in the current setup using crypto map to route through the existing external interface.

 

I'm running:

 

Cisco IOS XE Software, Version 03.10.02.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(3)S2, RELEASE SOFTWARE (fc3)

 

Config applied:

 

crypto ikev2 proposal policy-7
 encryption aes-cbc-256
 integrity sha256
 group 14

crypto ikev2 policy 7
 match fvrf any
 proposal policy-7

crypto ikev2 keyring ikev2-setup-keyring
 peer ikev2-setup
  address site2smppip 255.255.255.248
  identity address site2vpnip
  pre-shared-key local presharedkey
  pre-shared-key remote presharedkey

crypto ikev2 profile ikev2-setup-profile
 match identity remote address site2vpnip 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-setup-keyring
 lifetime 36000
 dpd 60 5 periodic

crypto ipsec transform-set Transform-Set-5 esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto ipsec profile ikev2-setup
 set transform-set Transform-Set-5
 set pfs group14
 set ikev2-profile ikev2-setup-profile
 responder-only

crypto map CMAP 246 ipsec-isakmp
 set peer site2vpnip
 set transform-set Transform-Set-5
 set pfs group14
 set ikev2-profile ikev2-setup-profile
 match address ikev2-setup_acl

interface GigabitEthernet0/0/0
 description Internet-Vlan
 ip address site1pubip 255.255.255.224
 ip access-group PublicInterface_ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 101 ip site1vpnip
 standby 101 priority 101
 standby 101 preempt
 standby 101 name standby101
 standby 101 track 2 decrement 10
 speed 1000
 no negotiation auto
 crypto map CMAP redundancy standby101

interface GigabitEthernet0/0/1.1234
 description VPN-Private-Vlan1234
 encapsulation dot1Q 1234
 ip address site1privip 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 103 ip site1privip2
 standby 103 priority 101
 standby 103 preempt
 standby 103 track 1 decrement 10

ip route site2smppip 255.255.255.248 site1routetointernetip name ikev2-setup_sms_gateway

ip access-list extended PublicInterface_ACL
 remark Permitted traffic from VPN Peers inbound
 permit ip host site2vpnip host site1vpnip

ip access-list extended ikev2-setup_acl
 permit ip host site1smppip site2smppip 0.0.0.7
 
However the logs show failures inserting the ipsec SA into the DB:
 
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Received Packet [From site1vpnip:500/To site2vpnip:500/VRF i0:f0]
Initiator SPI : DB5A01A5279C76AA - Responder SPI : C9F661B4B6955A34 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 IDi AUTH SA TSi TSr

Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Stopping timer to wait for auth message
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Checking NAT discovery
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):NAT not found
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Searching policy based on peer's identity 'site1vpnip' of type 'IPv4 address'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Verify peer's policy
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Peer's policy verified
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get peer's authentication method
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Peer's authentication method is 'PSK'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get peer's preshared key for site1vpnip
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Verify peer's authentication data
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Use preshared key for id site1vpnip, key len 21
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Verification of peer's authenctication data PASSED
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Processing IKE_AUTH message
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get my authentication method
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):My authentication method is 'PSK'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get peer's preshared key for site1vpnip
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Generate my authentication data
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Use preshared key for id site2vpnip, key len 21
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get my authentication method
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):My authentication method is 'PSK'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Generating IKE_AUTH message
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Constructing IDr payload: 'site2vpnip' of type 'IPv4 address'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA256   Don't use ESN
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Sending Packet [To site1vpnip:500/From site2vpnip:500/VRF i0:f0]
Initiator SPI : DB5A01A5279C76AA - Responder SPI : C9F661B4B6955A34 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (36000 sec) started
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Session with IKE ID PAIR (site1vpnip, site2vpnip) is UP
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Initializing DPD, configured for 60 seconds
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Load IPSEC key material
Jun 16 14:30:20: KMI: Crypto IKEv2 sending message KEY_MGR_CREATE_IPSEC_SAS to IPSEC key engine.
Jun 16 14:30:20: KMI: IPSEC key engine received message KEY_MGR_CREATE_IPSEC_SAS from Crypto IKEv2.
Jun 16 14:30:20: IPSEC:(SESSION ID = 627759) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 246 dynamic seqno 0
Jun 16 14:30:20: IPSEC:(SESSION ID = 627759) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7FC0717E5748
Jun 16 14:30:20: IPSEC:(SESSION ID = 627759) (update_current_outbound_sa) updated peer site1vpnip current outbound sa to SPI 0
Jun 16 14:30:20: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :7FC07621D000
Jun 16 14:30:20: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jun 16 14:30:20: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
Jun 16 14:30:20: KMI: (Session ID: 627759) IPSEC key engine sending message KEY_ENG_DELETE_SAS to Crypto IKEv2.
Jun 16 14:30:20: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_KMI_CREATE_SA message to ACL ikev2-setup_acl, static seqno 246 dynamic seqno 0
Jun 16 14:30:20: KMI: (Session ID: 627759) Crypto IKEv2 received message KEY_ENG_DELETE_SAS from IPSEC key engine.
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Queuing IKE SA delete request reason: unknown
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x96EE3596]
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE
 
Any advice would be gratefully received!
 

 

1 Accepted Solution

Accepted Solutions

@bbqbruce looking into the logs seem like it could be both side some how not liking the phase2 with esp-aes 256 could you change them both side to esp-sha-hmac

 

and test it please.

please do not forget to rate.

View solution in original post

17 Replies 17

Sheraz.Salim
VIP Advisor VIP Advisor
VIP Advisor

could you confirm if the remote side is configured with same parameter in regards to ipsec phase2.

please do not forget to rate.

Yes, the remote side is an azure vwan, it doesn't look to have too much configuration to play with:

 

Traffic Selector Config:

Local address range: site2smppip/29

remote address range: site1smppip/32

IKEV2

Use Policy based traffic selector: Enabled

SA Lifetime: 28800

IKE Phase1: AES256/SHA256/DH14

IKE Phase2: AES256/SHA256/PFS14

 

 

 

could you try taking off DH14 on both sites

 

crypto map CMAP 246 ipsec-isakmp  
 set peer site2vpnip
 set transform-set Transform-Set-5
 no set pfs group14

for phase 2 only. leave for phase 1.

please do not forget to rate.

No joy, still the same errors with:

 

crypto map CMAP 246 ipsec-isakmp  
 set peer site2vpnip
 set transform-set Transform-Set-5

 We aren't able to use DH5 as site 2 doesn't support it.

Options on site 2 are:

 

Encryption

AES128

AES256

GCMAES128

GCMAES256

 

Integrity

GCMAES128

GCMAES256

SHA256

 

PFSGroup

ECP256

ECP384

PFS14

PFS24

None

could you please setup these commands and show us the output please.

 

debug crypto condition peer ipv4 X.X.X.X

debug crypto ikev2

debug crypto ipsec

 

Take this off they not used any where

 

crypto ipsec profile ikev2-setup
 set transform-set Transform-Set-5
 set pfs group14
 set ikev2-profile ikev2-setup-profile
 responder-only
please do not forget to rate.

Thanks, ipsec profile removed.

Debugs are on:

IOSXE Conditional Debug Configs:

Conditional Debug Global State: Start

IOSXE Packet Tracing Configs:

 

UDP:
UDP packet debugging is on

 

Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto ISAKMP Error debugging is on
Crypto IPSEC debugging is on
Crypto IPSEC Error debugging is on
Crypto IPSEC states debugging is on
Crypto IPSEC message debugging is on
Crypto Key Management Interface debugging is on
Crypto Engine debugging is on
Crypto Engine Error debugging is on


IKEV2:
IKEv2 error debugging is on
IKEv2 default debugging is on

 

Conditional debug is on for the peer:

 

show crypto debug-condition
Crypto conditional debug currently is turned ON
IKE debug context unmatched flag: OFF
IKEV2 debug context unmatched flag: OFF
IPsec debug context unmatched flag: OFF
Crypto Engine debug context unmatched flag: OFF

 

IKE peer IP address filters:

site1vpnip

 

*******************************

A full exchange in the logs is:

 

Jun 17 10:24:04: IKEv2:Received Packet [From site1vpnip:500/To site2vpnip:500/VRF i0:f0]
Initiator SPI : D179FA2A903352F1 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID VID VID VID

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Verify SA init message
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Insert SA
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Processing IKE_SA_INIT message
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Request queued for computation of DH key
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Request queued for computation of DH secret
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Generating IKE_SA_INIT message
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_2048_MODP/Group 14

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Sending Packet [To site1vpnip:500/From site2vpnip:500/VRF i0:f0]
Initiator SPI : D179FA2A903352F1 - Responder SPI : 395184BD8BAD0E14 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Completed SA init exchange
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Starting timer (30 sec) to wait for auth message

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Received Packet [From site1vpnip:500/To site2vpnip:500/VRF i0:f0]
Initiator SPI : D179FA2A903352F1 - Responder SPI : 395184BD8BAD0E14 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 IDi AUTH SA TSi TSr

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Stopping timer to wait for auth message
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Checking NAT discovery
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):NAT not found
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Searching policy based on peer's identity 'site1vpnip' of type 'IPv4 address'
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Verify peer's policy
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Peer's policy verified
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Get peer's authentication method
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Peer's authentication method is 'PSK'
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Get peer's preshared key for site1vpnip
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Verify peer's authentication data
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Use preshared key for id site1vpnip, key len 21
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Verification of peer's authenctication data PASSED
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Processing IKE_AUTH message
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Get my authentication method
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):My authentication method is 'PSK'
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Get peer's preshared key for site1vpnip
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Generate my authentication data
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Use preshared key for id site2vpnip, key len 21
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Get my authentication method
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):My authentication method is 'PSK'
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Generating IKE_AUTH message
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Constructing IDr payload: 'site2vpnip' of type 'IPv4 address'
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA256   Don't use ESN
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Sending Packet [To site1vpnip:500/From site2vpnip:500/VRF i0:f0]
Initiator SPI : D179FA2A903352F1 - Responder SPI : 395184BD8BAD0E14 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (36000 sec) started
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Session with IKE ID PAIR (site1vpnip, site2vpnip) is UP
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Initializing DPD, configured for 60 seconds
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Load IPSEC key material
Jun 17 10:24:04: KMI: Crypto IKEv2 sending message KEY_MGR_CREATE_IPSEC_SAS to IPSEC key engine.
Jun 17 10:24:04: KMI: IPSEC key engine received message KEY_MGR_CREATE_IPSEC_SAS from Crypto IKEv2.
Jun 17 10:24:04: IPSEC:(SESSION ID = 628638) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 246 dynamic seqno 0
Jun 17 10:24:04: IPSEC:(SESSION ID = 628638) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7FC0717E5748
Jun 17 10:24:04: IPSEC:(SESSION ID = 628638) (update_current_outbound_sa) updated peer site1vpnip current outbound sa to SPI 0
Jun 17 10:24:04: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :7FC066EF2638
Jun 17 10:24:04: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jun 17 10:24:04: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
Jun 17 10:24:04: KMI: (Session ID: 628638) IPSEC key engine sending message KEY_ENG_DELETE_SAS to Crypto IKEv2.
Jun 17 10:24:04: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_KMI_CREATE_SA message to ACL ike-v2_acl, static seqno 246 dynamic seqno 0
Jun 17 10:24:04: KMI: (Session ID: 628638) Crypto IKEv2 received message KEY_ENG_DELETE_SAS from IPSEC key engine.
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Queuing IKE SA delete request reason: unknown
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x4BA623B7]
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Checking if request will fit in peer window

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Sending Packet [To site1vpnip:500/From site2vpnip:500/VRF i0:f0]
Initiator SPI : D179FA2A903352F1 - Responder SPI : 395184BD8BAD0E14 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Check for existing IPSEC SA
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Delete all IKE SAs
Jun 17 10:24:04: KMI: Crypto IKEv2 sending message KEY_MGR_DELETE_SAS to IPSEC key engine.
Jun 17 10:24:04: KMI: Crypto IKEv2 sending message KEY_MGR_DELETE_SAS to IPSEC key engine.
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xD179FA2A903352F1 RSPI: 0x395184BD8BAD0E14]
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Checking if request will fit in peer window
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Check for existing active SA
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Delete all IKE SAs
Jun 17 10:24:04: KMI: IPSEC key engine received message KEY_MGR_DELETE_SAS from Crypto IKEv2.
Jun 17 10:24:04: IPSEC: still in use sa: 0x0
Jun 17 10:24:04: IPSEC: sa null
Jun 17 10:24:04: KMI: IPSEC key engine received message KEY_MGR_DELETE_SAS from Crypto IKEv2.
Jun 17 10:24:04: IPSEC: still in use sa: 0x0
Jun 17 10:24:04: IPSEC: sa null

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Received Packet [From site1vpnip:500/To site2vpnip:500/VRF i0:f0]
Initiator SPI : D179FA2A903352F1 - Responder SPI : 395184BD8BAD0E14 Message id: 0
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
 DELETE

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Processing ACK to informational exchange
Jun 17 10:24:04: KMI: Crypto IKEv2 sending message KEY_MGR_DELETE_SAS to IPSEC key engine.
Jun 17 10:24:04: KMI: Crypto IKEv2 sending message KEY_MGR_DELETE_SAS to IPSEC key engine.
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Check for existing IPSEC SA
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Delete all IKE SAs

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Sending Packet [To site1vpnip:500/From site2vpnip:500/VRF i0:f0]
Initiator SPI : D179FA2A903352F1 - Responder SPI : 395184BD8BAD0E14 Message id: 1
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 ENCR

Jun 17 10:24:04: KMI: IPSEC key engine received message KEY_MGR_DELETE_SAS from Crypto IKEv2.
Jun 17 10:24:04: IPSEC: still in use sa: 0x0
Jun 17 10:24:04: IPSEC: sa null
Jun 17 10:24:04: KMI: IPSEC key engine received message KEY_MGR_DELETE_SAS from Crypto IKEv2.
Jun 17 10:24:04: IPSEC: still in use sa: 0x0
Jun 17 10:24:04: IPSEC: sa null

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Received Packet [From site1vpnip:500/To site2vpnip:500/VRF i0:f0]
Initiator SPI : D179FA2A903352F1 - Responder SPI : 395184BD8BAD0E14 Message id: 1
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:


Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Processing ACK to informational exchange
Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Deleting SA

 

 

 

@bbqbruce looking into the logs seem like it could be both side some how not liking the phase2 with esp-aes 256 could you change them both side to esp-sha-hmac

 

and test it please.

please do not forget to rate.

I've created a new transform set which is the lowest acceptable by the initiator with PFS None.: 

 

crypto ipsec transform-set Transform-Set-10 esp-aes esp-sha256-hmac
mode tunnel

 

But error logs are still showingthe same.

Is there a link to where I can double check that these features are available on this OS?

 

I have also created:

 

crypto ipsec transform-set Transform-Set-11 esp-gcm
mode tunnel

 

And will see what shows in the logs.

Hi mate I asked to change them to phase2 with esp-aes 256 into esp-sha-hmac

crypto ipsec transform-set TSET esp-aes 256 esp-sha-hmac
or
crypto ipsec transform-set TSET esp-aes 128 esp-sha-hmac

where as you change this to

"crypto ipsec transform-set Transform-Set-10 esp-aes esp-sha256-hmac"

 

 

have a look at this Link kind of similar issue the one you having.

 

 

 

 

please do not forget to rate.

please find below my comment 

Thanks, we have dual vpn peers in active/standby. Connection to the VIP allows for automatic failover without intervention on the other end.

 

Active:

interface GigabitEthernet0/0/0
 description Internet-Vlan
 ip address site1pubip 255.255.255.224      <<<<< Public IP x.x.x.002
 ip access-group PublicInterface_ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 101 ip site1vpnip               <<<< Public VIP x.x.x.001
 standby 101 priority 101
 standby 101 preempt
 standby 101 name standby101
 standby 101 track 2 decrement 10
 speed 1000
 no negotiation auto
 crypto map CMAP redundancy standby101
 
Standby:
interface GigabitEthernet0/0/0
description Internet-Vlan
ip address site1pubip 255.255.255.224          <<<< Publich IP x.x.x.003
ip access-group PublicInterface_ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
standby 101 ip site1vpnip                               <<<< Public VIP x.x.x.001
standby 101 priority 99
standby 101 preempt
standby 101 name standby101
speed 1000
no negotiation auto
crypto map CMAP redundancy standby101
 
 

pelase find below my comment 

Thanks, site2vpnip is the public vip.

The initiator shouldnt be aware of the the public ip range of the interfaces on the 2 separate boxes. Their config will be from their VPN peer IP to our VPN peer VIP.

 

I'm also looking at debugging their IKEv1 connection - i will post something separately, I'm hoping it might be easier to get that working

 

 

Your phase 1 come up. so there is no issue with HSRP.

In the debug we can see even the control plane connection is there before vpn-tunnel tear it down.

 

what you can do is to setup the "monitor session" and capture the packets and off load to your computer and see it wireshark. As in your logs we cant see the Payload contents:
IDi AUTH SA TSi TSr

 

 

Are your PSK key are correct? have to change the PSK key on both end?

basically in your logs the your ASR is the VPN initiator.

IInitiator SPI : D179FA2A903352F1 - Responder SPI : 0000000000000000 Message id: 0

Initiator SPI : D179FA2A903352F1 - Responder SPI : 395184BD8BAD0E14 Message id: 0

IKEv2 IKE_SA_INIT Exchange RESPONSE

Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Completed SA init exchange



IKEv2 IKE_AUTH Exchange REQUEST

IKEv2 IKE_AUTH Exchange RESPONSE


Jun 17 10:24:04: IKEv2:(SESSION ID = 628638,SA ID = 1):Processing ACK to informational exchange

IKEv2 INFORMATIONAL Exchange REQUEST

 

 

 

 

Crypto IKEv2 sending message KEY_MGR_CREATE_IPSEC_SAS to IPSEC key engine.
Jun 17 10:24:04: KMI: IPSEC key engine received message KEY_MGR_CREATE_IPSEC_SAS from Crypto IKEv2.
Jun 17 10:24:04: IPSEC:(SESSION ID = 628638) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 246 dynamic seqno 0
Jun 17 10:24:04: IPSEC:(SESSION ID = 628638) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7FC0717E5748
Jun 17 10:24:04: IPSEC:(SESSION ID = 628638) (update_current_outbound_sa) updated peer site1vpnip current outbound sa to SPI 0
Jun 17 10:24:04: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :7FC066EF2638

 

please do not forget to rate.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers