12-17-2022 12:06 AM
Hi,
I have two Cisco ISR 897VA routers with the advanced IP services IOS, one on each site. Both routers have one WAN/outside interface with only one IP address assigned. Both routers are connected through an IKEv2 Site to Site VPN tunnel, and one of these routers has IKEv2 Remote Access VPN configured on it.
Site to Site and Remote Access VPN both work fine when configured/enabled individually but stop working when both are configured/enabled simultaneously. That is, when I remove the ikev2 policy for Remote Access, Site to Site VPN starts working fine, and vice versa. I even tried merging both ikev2 policies into one, but the issue persists.
I would appreciate it if you could let me know a workaround so both VPNs can work simultaneously.
Attached are the config and debug for crypto ikev2.
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network FlexVPN local
crypto pki server FlexVPN-CA
no database archive
grant auto
eku server-auth client-auth
shutdown
!
crypto pki trustpoint FlexVPN-CA
revocation-check crl
rsakeypair FlexVPN-CA
!
crypto pki trustpoint FlexVPN
enrollment url http://96.65.7.4:80
subject-name cn=example.net
revocation-check none
rsakeypair FlexVPN
!
!
!
crypto pki certificate map FlexVPN 10
issuer-name co cn = flexvpn-ca
crypto ikev2 authorization policy FlexVPN
pool FlexVPN
dns 8.8.8.8 8.8.4.4
netmask 255.255.255.0
def-domain example.net
!
crypto ikev2 proposal FlexVPN
encryption aes-cbc-128 aes-cbc-256 aes-cbc-192
integrity sha256
group 19
no crypto ikev2 proposal default
crypto ikev2 proposal ikev2proposal
encryption aes-gcm-128
prf sha256
group 19
!
crypto ikev2 policy FlexVPN
proposal FlexVPN
no crypto ikev2 policy default
crypto ikev2 policy ikev2policy
proposal ikev2proposal
!
crypto ikev2 keyring ikev2keyring
peer TEST
address 203.130.1.2
pre-shared-key local Testing123
pre-shared-key remote Testing123
crypto ikev2 profile FlexVPN
match identity remote key-id *$AnyConnectClient$*
authentication local rsa-sig
authentication remote anyconnect-eap aggregate
pki trustpoint FlexVPN
aaa authentication anyconnect-eap default
aaa authorization group anyconnect-eap list FlexVPN FlexVPN
aaa authorization user anyconnect-eap cached
virtual-template 10
!
crypto ikev2 profile ikev2profile
match identity remote fqdn 2.example.net
identity local fqdn 1.example.net
authentication remote pre-share
authentication local pre-share
keyring local ikev2keyring
!
no crypto ikev2 http-url cert
crypto ipsec transform-set ESP-GCM esp-gcm
mode tunnel
crypto ipsec transform-set FlexVPN esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile FlexVPN
set transform-set FlexVPN
set ikev2-profile FlexVPN
!
no crypto ipsec profile default
!
crypto ipsec profile ipsecprofile
set transform-set ESP-GCM
set ikev2-profile ikev2profile
interface Tunnel0
bandwidth 10000000
ip unnumbered Vlan10
no ip proxy-arp
ip nat inside
ip tcp adjust-mss 1360
tunnel source GigabitEthernet8
tunnel mode ipsec ipv4
tunnel destination 203.130.1.2
tunnel path-mtu-discovery
tunnel bandwidth transmit 10000000
tunnel bandwidth receive 10000000
tunnel protection ipsec profile ipsecprofile
interface Virtual-Template10 type tunnel
ip unnumbered Vlan10
ip nat inside
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile FlexVPN
376476: Dec 14 00:18:13.871 Chicago: IKEv2:Received Packet [From 203.130.1.2:500/To 96.65.7.4:500/VRF i0:f0]
Initiator SPI : DC838A76CB5993D2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
376477: Dec 14 00:18:13.872 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Verify SA init message
376478: Dec 14 00:18:13.873 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Insert SA
376479: Dec 14 00:18:13.873 Chicago: IKEv2:Searching Policy with fvrf 0, local address 96.65.7.4
376480: Dec 14 00:18:13.873 Chicago: IKEv2:Found Policy 'FlexVPN'
376481: Dec 14 00:18:13.873 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Processing IKE_SA_INIT message
376482: Dec 14 00:18:13.876 Chicago: IKEv2-ERROR:(SESSION ID = 358580,SA ID = 1):Received Policies: : Failed to find a matching policyProposal 1: AES-GCM-128 SHA256 DH_GROUP_256_ECP/Group 19
376483: Dec 14 00:18:13.876 Chicago:
376484: Dec 14 00:18:13.876 Chicago:
376485: Dec 14 00:18:13.876 Chicago: IKEv2-ERROR:(SESSION ID = 358580,SA ID = 1):Expected Policies: : Failed to find a matching policyProposal 1: AES-CBC-128 AES-CBC-256 SHA256 SHA256 DH_GROUP_256_ECP/Group 19
376486: Dec 14 00:18:13.877 Chicago:
376487: Dec 14 00:18:13.877 Chicago:
376488: Dec 14 00:18:13.877 Chicago: IKEv2-ERROR:(SESSION ID = 358580,SA ID = 1):: Failed to find a matching policy
376489: Dec 14 00:18:13.877 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Sending no proposal chosen notify
376490: Dec 14 00:18:13.877 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Sending Packet [To 203.130.1.2:500/From 96.65.7.4:500/VRF i0:f0]
Initiator SPI : DC838A76CB5993D2 - Responder SPI : 50E9ECBF1C0D0DD6 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)
376491: Dec 14 00:18:13.878 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Failed SA init exchange
376492: Dec 14 00:18:13.878 Chicago: IKEv2-ERROR:(SESSION ID = 358580,SA ID = 1):Initial exchange failed: Initial exchange failed
376493: Dec 14 00:18:13.878 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Abort exchange
376494: Dec 14 00:18:13.878 Chicago: IKEv2:(SESSION ID = 358580,SA ID = 1):Deleting SA
12-19-2022 07:53 AM
Since the beginning, either one works depending on which ikev2 policy I configure. When the L2L tunnel is up, AnyConnect FlexVPN gives an error after entering credentials that the connection was terminated due to an authentication failure or timeout, and the last debug I sent was for this scenario.
Is there another way to check accessibility or reachability of AAA/CA when the tunnel is up?
12-19-2022 08:06 AM
This is interesting. What if you change the order of proposals in the policy like this? L2L should still work after the change, and for AnyConnect client, which can negotiate both AES-GCM and AES-CBC, AES-CBC should now take priority.
crypto ikev2 policy ikev2policy
proposal FlexVPN
proposal ikev2proposal
There is a bug which matches this behavior, although I'm not completely sure:
CSCvg84964 IOS-XE : Enhancement request to support GCM using Software Crypto engine
Symptom: AnyConnect over Ikev2 connection fails [after entering username/password] when AES-GCM-256 or AES-GCM-128 proposals are selected in IKE_SA_INIT exchange. The session establishes when any other encryption proposal [aes-cbc-256, aes-cbc-192, aes-cbc-128, 3des or des] is selected. The IKev2 and EAP debug output displays below message - IKEv2:(SESSION ID = XXX,SA ID = X):Verification of peer's authentication data FAILED IKEv2:(SESSION ID = XXX,SA ID = X):Sending authentication failure notify IKEv2-INTERNAL:Construct Notify Payload: AUTHENTICATION_FAILED
Conditions: The AnyConnect over Ikev2 connection will fail when AES-GCM-256 or AES-GCM-128 algorithm selected in IKE_SA_INIT exchange.
Workaround: Use a different encryption and integrity combination in the ikev2 profile that does not use aes-gcm [AES-GCM-256 or AES-GCM-128]. The algorithms that can be used are aes-cbc-256, aes-cbc-192, aes-cbc-128, 3des or des
12-19-2022 10:35 AM
The priority is already like the one you mentioned, in which FlexVPN is listed first. I am not sure if the bug affects our router IOS, which is 15.7(3)M4a.
I cannot change the L2L algorithm to CBC, but I can change AnyConnect to GCM. Does AnyConnect support GCM? If yes, will I have to make any other changes?
12-21-2022 07:53 AM
This is an enhancement request and it wasn't implemented in any IOS version. Although AnyConnect supports AES-GCM, SHA2 and DH group 19 for IKEv2, it seems you cannot use AES-GCM on the router for AnyConnect. It seems IKEv2 protection is performed by software crypto engine and AES-GCM is simply not implemented there, so IKEv2 negotiation fails, although this router is equipped with hardware crypto engine...
I noticed that you also use 256-bit elliptic curve DH (ECDH) group 19. Try to change it to group 14 (2048-bit) as shown below. After that AnyConnect should be able to negotiate this proposal. If not, collect debug ikev2 again.
crypto ikev2 proposal FlexVPN
encryption aes-cbc-128 aes-cbc-256 aes-cbc-192
integrity sha256
group 14
12-21-2022 03:30 PM
Changed the group to 14 and it is still not connecting. Following is the debug:
790304: Dec 21 17:25:51.499 Chicago: IKEv2:Received Packet [From 119.160.2.5:34148/To 96.65.7.4:500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID CFG NOTIFY(REDIRECT_SUPPORTED)
790305: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Verify SA init message
790306: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Insert SA
790307: Dec 21 17:25:51.503 Chicago: IKEv2:Searching Policy with fvrf 0, local address 96.65.7.4
790308: Dec 21 17:25:51.503 Chicago: IKEv2:Found Policy 'FlexVPN'
790309: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Processing IKE_SA_INIT message
790310: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received valid config mode data
790311: Dec 21 17:25:51.503 Chicago: IKEv2:Config data recieved:
790312: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Config-type: Config-request
790313: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Attrib type: unknown, length: 2, data: 0x2 0x40
790314: Dec 21 17:25:51.503 Chicago: IKEv2:IKEv2 responder - ignoring config data received in IKE_SA_INIT exch
790315: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Set received config mode data
790316: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
790317: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'FlexVPN' 'FlexVPN-CA' 'TP-self-signed-653483565'
790318: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
790319: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
790320: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Start PKI Session
790321: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Starting of PKI Session PASSED
790322: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
790323: Dec 21 17:25:51.503 Chicago: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation PASSED
790324: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Request queued for computation of DH key
790325: Dec 21 17:25:51.503 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
790326: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] DH key Computation PASSED
790327: Dec 21 17:25:51.527 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Request queued for computation of DH secret
790328: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
790329: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
790330: Dec 21 17:25:51.527 Chicago: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
790331: Dec 21 17:25:51.527 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating IKE_SA_INIT message
790332: Dec 21 17:25:51.527 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 3
AES-GCM SHA256 DH_GROUP_256_ECP/Group 19
790333: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
790334: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): 'FlexVPN' 'FlexVPN-CA' 'TP-self-signed-653483565'
790335: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
790336: Dec 21 17:25:51.527 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
790337: Dec 21 17:25:51.527 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34148/From 96.65.7.4:500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ
790338: Dec 21 17:25:51.531 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Completed SA init exchange
790339: Dec 21 17:25:51.531 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (30 sec) to wait for auth message
790340: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi CERTREQ CFG SA NOTIFY(IPCOMP_SUPPORTED) TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
790341: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790342: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Checking NAT discovery
790343: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):NAT OUTSIDE found
790344: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):NAT detected float to init port 34149, resp port 4500
790345: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Searching policy based on peer's identity '*$AnyConnectClient$*' of type 'key ID'
790346: Dec 21 17:25:51.819 Chicago: IKEv2:found matching IKEv2 profile 'FlexVPN'
790347: Dec 21 17:25:51.819 Chicago: IKEv2:Searching Policy with fvrf 0, local address 96.65.7.4
790348: Dec 21 17:25:51.819 Chicago: IKEv2:Found Policy 'FlexVPN'
790349: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):not a VPN-SIP session
790350: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Verify peer's policy
790351: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Peer's policy verified
790352: Dec 21 17:25:51.819 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
790353: Dec 21 17:25:51.819 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
790354: Dec 21 17:25:51.819 Chicago: IKEv2:% Received cert hash is invalid, using configured trustpoints from profile for signing
790355: Dec 21 17:25:51.819 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Getting cert chain for the trustpoint FlexVPN
790356: Dec 21 17:25:51.819 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
790357: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Check for EAP exchange
790358: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Check for EAP exchange
790359: Dec 21 17:25:51.819 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generate my authentication data
790360: Dec 21 17:25:51.819 Chicago: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
790361: Dec 21 17:25:51.823 Chicago: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
790362: Dec 21 17:25:51.823 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Get my authentication method
790363: Dec 21 17:25:51.823 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):My authentication method is 'RSA'
790364: Dec 21 17:25:51.823 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sign authentication data
790365: Dec 21 17:25:51.823 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Getting private key
790366: Dec 21 17:25:51.823 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Getting of private key PASSED
790367: Dec 21 17:25:51.823 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> Crypto Engine] Sign authentication data
790368: Dec 21 17:25:51.823 Chicago: IKEv2:(SA ID = 4):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
790369: Dec 21 17:25:51.843 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Authentication material has been sucessfully signed
790370: Dec 21 17:25:51.847 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating AnyConnect EAP request
790371: Dec 21 17:25:51.847 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending AnyConnect EAP 'hello' request
790372: Dec 21 17:25:51.847 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Constructing IDr payload: '96.65.7.4' of type 'IPv4 address'
790373: Dec 21 17:25:51.847 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.
Payload contents:
VID IDr CERT CERT AUTH EAP
790374: Dec 21 17:25:51.851 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
790375: Dec 21 17:25:51.851 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (90 sec) to wait for auth message
790376: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:4500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 2
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
790377: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790378: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Processing AnyConnect EAP response
790379: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Checking for Dual Auth
790380: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating AnyConnect EAP AUTH request
790381: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending AnyConnect EAP 'auth-request'
790382: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.
Payload contents:
EAP
790383: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 2
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
790384: Dec 21 17:25:53.287 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (90 sec) to wait for auth message
790385: Dec 21 17:25:58.635 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:4500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 3
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
790386: Dec 21 17:25:58.635 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790387: Dec 21 17:25:58.635 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Processing AnyConnect EAP response
790388: Dec 21 17:25:58.635 Chicago: IKEv2:Using authentication method list default
790389: Dec 21 17:25:58.635 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> AAA] Authentication request sent
790390: Dec 21 17:25:58.639 Chicago: IKEv2-ERROR:AnyConnect EAP - failed to get author list
790391: Dec 21 17:25:58.639 Chicago: IKEv2:Received response from aaa for AnyConnect EAP
790392: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating AnyConnect EAP VERIFY request
790393: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending AnyConnect EAP 'VERIFY' request
790394: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.
Payload contents:
EAP
790395: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 3
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
790396: Dec 21 17:25:58.639 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (90 sec) to wait for auth message
790397: Dec 21 17:25:58.983 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:4500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 4
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
EAP
790398: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790399: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Processing AnyConnect EAP ack response
790400: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Generating AnyConnect EAP success request
790401: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending AnyConnect EAP success status message
790402: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.
Payload contents:
EAP
790403: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 4
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
790404: Dec 21 17:25:58.987 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Starting timer (90 sec) to wait for auth message
790405: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Received Packet [From 119.160.2.5:34149/To 96.65.7.4:4500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 5
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
AUTH
790406: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Stopping timer to wait for auth message
790407: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Send AUTH, to verify peer after EAP exchange
790408: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Verification of peer's authentication data FAILED
790409: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending authentication failure notify
790410: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
790411: Dec 21 17:25:59.271 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Sending Packet [To 119.160.2.5:34149/From 96.65.7.4:4500/VRF i0:f0]
Initiator SPI : E765AFE7BFDA9793 - Responder SPI : A2F962308637F71D Message id: 5
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
790412: Dec 21 17:25:59.275 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Auth exchange failed
790413: Dec 21 17:25:59.275 Chicago: IKEv2-ERROR:(SESSION ID = 4116,SA ID = 4):: Auth exchange failed
790414: Dec 21 17:25:59.275 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Abort exchange
790415: Dec 21 17:25:59.275 Chicago: IKEv2:(SESSION ID = 4116,SA ID = 4):Deleting SA
790416: Dec 21 17:25:59.275 Chicago: IKEv2:(SA ID = 4):[IKEv2 -> PKI] Close PKI Session
790417: Dec 21 17:25:59.275 Chicago: IKEv2:(SA ID = 4):[PKI -> IKEv2] Closing of PKI Session PASSED
12-23-2022 08:20 AM
Not sure why it still displays "IKEv2:Found Policy 'FlexVPN'". This policy should have been removed with "no crypto ikev2 policy FlexVPN" and only one left:
crypto ikev2 policy ikev2policy
proposal FlexVPN
proposal ikev2proposal
12-24-2022 04:51 AM
@tvotna apologies for the confusion. I basically did the opposite and removed ikev2policy, so the following is the current config:
crypto ikev2 policy FlexVPN
proposal FlexVPN
proposal ikev2proposal
01-17-2023 01:41 AM
Changing the group on both proposals to a unique group, 19 and 20, resolved the issue of conflict and mismatch.
crypto ikev2 proposal FlexVPN
encryption aes-cbc-128 aes-cbc-256 aes-cbc-192
integrity sha256
group 19
crypto ikev2 proposal ikev2proposal
encryption aes-gcm-128
prf sha256
group 20
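The policy and proposal matching that the thread works through, as an added example that is not from Cisco or from any poster: a simplified Python model of the responder's IKE_SA_INIT proposal selection (RFC 7296 section 3.3), run over the three configurations the thread shows. The L2L peer's offer is taken from the first debug; the AnyConnect client's offer (AES-GCM-128 and AES-CBC-256, both with group 19) and the L2L peer moving to group 20 are assumptions.

```python
"""Simplified model of IKEv2 IKE_SA_INIT proposal selection (RFC 7296 s.3.3).
Added example, not Cisco code: it mimics the responder logic visible in the
thread's debugs: pick the policy for the local address, then look for the
first initiator proposal that fully matches one of the policy's proposals."""

TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")


def proposal(encr, prf, integ, dh):
    """One configured or offered proposal: transform type -> set of choices.
    An AEAD (GCM) proposal carries no INTEG transform; a CBC proposal must.
    IOS derives the PRF from 'integrity' when no 'prf' is configured, so the
    thread's CBC proposal is modelled with prf = integrity = sha256."""
    return {"ENCR": set(encr), "PRF": set(prf),
            "INTEG": set(integ), "DH": set(dh)}


def match_proposal(offered, configured):
    """Return the chosen transform per type, or None when any type fails.
    A type present on one side but absent on the other (e.g. INTEG offered
    against an AEAD proposal) is a mismatch."""
    chosen = {}
    for ttype in TRANSFORM_TYPES:
        want, have = offered[ttype], configured[ttype]
        if not want and not have:      # type absent on both sides (AEAD)
            continue
        common = want & have
        if not common:
            return None
        chosen[ttype] = sorted(common)[0]
    return chosen


def responder_select(policy, offers):
    """policy: list of (name, proposal); offers: initiator proposals in order.
    Returns (offer_index, matched_name, chosen) or None, which the router
    answers with NOTIFY(NO_PROPOSAL_CHOSEN)."""
    for idx, offer in enumerate(offers, 1):
        for name, conf in policy:
            chosen = match_proposal(offer, conf)
            if chosen is not None:
                return idx, name, chosen
    return None


# Configured proposals from the thread; the GCM proposal's group is a parameter.
def flexvpn_proposal():
    return proposal(["aes-cbc-128", "aes-cbc-256", "aes-cbc-192"],
                    ["sha256"], ["sha256"], [19])


def gcm_proposal(group):
    return proposal(["aes-gcm-128"], ["sha256"], [], [group])


# L2L offer copied from the first debug (AES-GCM-128 SHA256 Group 19).
# The AnyConnect offer is a constructed assumption: GCM first, then CBC.
L2L_OFFER = [gcm_proposal(19)]
ANYCONNECT_OFFER = [gcm_proposal(19),
                    proposal(["aes-cbc-256"], ["sha256"], ["sha256"], [19])]


def scenario_original():
    """Only policy FlexVPN is consulted: the L2L peer gets NO_PROPOSAL_CHOSEN."""
    return responder_select([("FlexVPN", flexvpn_proposal())], L2L_OFFER)


def scenario_merged_same_group():
    """Both proposals on group 19: AnyConnect lands on AES-GCM, which the
    thread reports then fails at IKE_AUTH (CSCvg84964)."""
    policy = [("FlexVPN", flexvpn_proposal()), ("ikev2proposal", gcm_proposal(19))]
    return responder_select(policy, ANYCONNECT_OFFER)


def scenario_unique_groups():
    """Final fix: GCM proposal on group 20. AnyConnect's GCM/19 offer no longer
    matches, so it is steered to AES-CBC; the L2L peer (assumed to have moved
    to group 20 as well) still negotiates GCM."""
    policy = [("FlexVPN", flexvpn_proposal()), ("ikev2proposal", gcm_proposal(20))]
    return (responder_select(policy, ANYCONNECT_OFFER),
            responder_select(policy, [gcm_proposal(20)]))
```

The DH group acts as the discriminator: once the GCM proposal is the only one on group 20, a client offering GCM only with group 19 can no longer select it.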