Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4139
Views
15
Helpful
17
Replies

IKEV2 on ASR1001 using crypto map

Go to solution
bbqbruce
Level 1
Level 1

‎06-16-2022 06:39 AM

Hi guys, hoping someone might have some pointers.

I'm tryng to set up an IKEv2 vpn but going round in circles.

 

I have a number of IKEv1 vpn's connected using crypto maps on our external interface. I've been told that the most recent config advice would be to use VTI's, however we aren't able to create a VTI as we would need to remove the crypto maps of the existing connections. We should be able to use IKEv2 in the current setup using crypto map to route through the existing external interface.

 

I'm running:

 

Cisco IOS XE Software, Version 03.10.02.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(3)S2, RELEASE SOFTWARE (fc3)

 

Config applied:

 

crypto ikev2 proposal policy-7
 encryption aes-cbc-256
 integrity sha256
 group 14

crypto ikev2 policy 7
 match fvrf any
 proposal policy-7

crypto ikev2 keyring ikev2-setup-keyring
 peer ikev2-setup
  address site2smppip 255.255.255.248
  identity address site2vpnip
  pre-shared-key local presharedkey
  pre-shared-key remote presharedkey

crypto ikev2 profile ikev2-setup-profile
 match identity remote address site2vpnip 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2-setup-keyring
 lifetime 36000
 dpd 60 5 periodic

crypto ipsec transform-set Transform-Set-5 esp-aes 256 esp-sha256-hmac
 mode tunnel

crypto ipsec profile ikev2-setup
 set transform-set Transform-Set-5
 set pfs group14
 set ikev2-profile ikev2-setup-profile
 responder-only

crypto map CMAP 246 ipsec-isakmp
 set peer site2vpnip
 set transform-set Transform-Set-5
 set pfs group14
 set ikev2-profile ikev2-setup-profile
 match address ikev2-setup_acl

interface GigabitEthernet0/0/0
 description Internet-Vlan
 ip address site1pubip 255.255.255.224
 ip access-group PublicInterface_ACL in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 101 ip site1vpnip
 standby 101 priority 101
 standby 101 preempt
 standby 101 name standby101
 standby 101 track 2 decrement 10
 speed 1000
 no negotiation auto
 crypto map CMAP redundancy standby101

interface GigabitEthernet0/0/1.1234
 description VPN-Private-Vlan1234
 encapsulation dot1Q 1234
 ip address site1privip 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby 103 ip site1privip2
 standby 103 priority 101
 standby 103 preempt
 standby 103 track 1 decrement 10

ip route site2smppip 255.255.255.248 site1routetointernetip name ikev2-setup_sms_gateway

ip access-list extended PublicInterface_ACL
 remark Permitted traffic from VPN Peers inbound
 permit ip host site2vpnip host site1vpnip

ip access-list extended ikev2-setup_acl
 permit ip host site1smppip site2smppip 0.0.0.7
 
However the logs show failures inserting the ipsec SA into the DB:
 
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Received Packet [From site1vpnip:500/To site2vpnip:500/VRF i0:f0]
Initiator SPI : DB5A01A5279C76AA - Responder SPI : C9F661B4B6955A34 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 IDi AUTH SA TSi TSr

Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Stopping timer to wait for auth message
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Checking NAT discovery
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):NAT not found
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Searching policy based on peer's identity 'site1vpnip' of type 'IPv4 address'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Verify peer's policy
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Peer's policy verified
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get peer's authentication method
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Peer's authentication method is 'PSK'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get peer's preshared key for site1vpnip
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Verify peer's authentication data
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Use preshared key for id site1vpnip, key len 21
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Verification of peer's authenctication data PASSED
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Processing IKE_AUTH message
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get my authentication method
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):My authentication method is 'PSK'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get peer's preshared key for site1vpnip
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Generate my authentication data
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Use preshared key for id site2vpnip, key len 21
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Get my authentication method
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):My authentication method is 'PSK'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Generating IKE_AUTH message
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Constructing IDr payload: 'site2vpnip' of type 'IPv4 address'
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA256   Don't use ESN
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Sending Packet [To site1vpnip:500/From site2vpnip:500/VRF i0:f0]
Initiator SPI : DB5A01A5279C76AA - Responder SPI : C9F661B4B6955A34 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (36000 sec) started
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Session with IKE ID PAIR (site1vpnip, site2vpnip) is UP
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Initializing DPD, configured for 60 seconds
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Load IPSEC key material
Jun 16 14:30:20: KMI: Crypto IKEv2 sending message KEY_MGR_CREATE_IPSEC_SAS to IPSEC key engine.
Jun 16 14:30:20: KMI: IPSEC key engine received message KEY_MGR_CREATE_IPSEC_SAS from Crypto IKEv2.
Jun 16 14:30:20: IPSEC:(SESSION ID = 627759) (STATES) SADB_ROOT_SM (sadb_root_process_kmi_message) called static seqno 246 dynamic seqno 0
Jun 16 14:30:20: IPSEC:(SESSION ID = 627759) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7FC0717E5748
Jun 16 14:30:20: IPSEC:(SESSION ID = 627759) (update_current_outbound_sa) updated peer site1vpnip current outbound sa to SPI 0
Jun 16 14:30:20: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :7FC07621D000
Jun 16 14:30:20: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jun 16 14:30:20: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
Jun 16 14:30:20: KMI: (Session ID: 627759) IPSEC key engine sending message KEY_ENG_DELETE_SAS to Crypto IKEv2.
Jun 16 14:30:20: IPSEC(MESSAGE): SADB_ROOT_SM (print_message_to_acl_state_machine) Sent MSG_ACL_KMI_CREATE_SA message to ACL ikev2-setup_acl, static seqno 246 dynamic seqno 0
Jun 16 14:30:20: KMI: (Session ID: 627759) Crypto IKEv2 received message KEY_ENG_DELETE_SAS from IPSEC key engine.
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Queuing IKE SA delete request reason: unknown
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x96EE3596]
Jun 16 14:30:20: IKEv2:(SESSION ID = 627759,SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE
 
Any advice would be gratefully received!
 

 

Labels:
0 Helpful
17 Replies 17

Go to solution
bbqbruce
Level 1
Level 1
In response to Sheraz.Salim

‎06-20-2022 04:31 AM

Excellent! Thanks guys. Yes it needed to be SHA1.

 

The Azure V-WAN initiating the connection does not give SHA1 as an option for Phase1 or 2 in custom settings - However the documentation shows selecting "Default" for IPSEC config has a list of 4 Phase 1 & 4 Phase 2 combinations.

This isn't evident from the GUI - no details are shown identifying the settings being used.

 

Phase-1

  • AES_256, SHA1, DH_GROUP_2
  • AES_256, SHA_256, DH_GROUP_2
  • AES_128, SHA1, DH_GROUP_2
  • AES_128, SHA_256, DH_GROUP_2

Phase-2

  • GCM_AES_256, GCM_AES_256, PFS_NONE
  • AES_256, SHA_1, PFS_NONE
  • AES_256, SHA_256, PFS_NONE
  • AES_128, SHA_1, PFS_NONE

I've created an acceptable IKEv2 proposal and added it to the policy:

 

crypto ikev2 proposal policy-1
encryption aes-cbc-256
integrity sha256
group 2

 

crypto ikev2 policy 1
match fvrf any
proposal policy-1
proposal policy-2

 

The Azure side needs to have "Policy Based Traffic Selector" enabled, to match the ACL on the ASR.

 

Really appreciate all you help guys!

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎06-16-2022 01:01 PM - edited ‎06-17-2022 05:02 PM

please find below my comment 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎06-17-2022 04:47 PM - edited ‎06-17-2022 05:01 PM

your debug is make me find the bug 
Jun 16 14:30:20: IPSEC:(SESSION ID = 627759) (update_current_outbound_sa) updated peer site1vpnip current outbound sa to SPI 0 <- SPI never be ""0""



 
 
please change the transform set as suggest in cisco detail.

 

 

0 Helpful
Customers Also Viewed These Support Documents