
ikev2 profile certificate map problem

HermanAkv
Level 1

I am trying to make two different ikev2 profiles for two different groups of users. I am trying to distinguish between them based on the serial number of the certificate. However, any certificate that is issued by the CA always falls under the first profile. Even when I put a bogus serial number there, it always connects with VPN-1. I have a C1101. Any idea what might be wrong?

 

crypto pki certificate map CERT-MAP-1 10 
serial-number eq 582228888 
crypto pki certificate map CERT-MAP-2 10 
serial-number eq 5111111111 
crypto ikev2 profile VPN-1
 match identity remote key-id *$AnyConnectClient$*
 match certificate CERT-MAP-1
 identity local dn 
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint TP
 aaa authentication anyconnect-eap AUTHEN
 aaa authorization group cert list AUTHOR ikev2-auth-policy-1-VPN
 aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy-1-VPN
 virtual-template 100
 anyconnect profile acvpn
crypto ikev2 profile VPN-2
 match identity remote key-id *$AnyConnectClient$*
 match certificate CERT-MAP-2
 identity local dn 
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 authentication remote anyconnect-eap aggregate cert-request
 pki trustpoint TP
 aaa authentication anyconnect-eap AUTHEN
 aaa authorization group cert list AUTHOR ikev2-auth-policy-VPN-2
 aaa authorization group anyconnect-eap list AUTHOR ikev2-auth-policy-VPN-2
 aaa authorization user anyconnect-eap cached
 virtual-template 101
 anyconnect profile acvpn

interface Virtual-Template100 type tunnel
 ip unnumbered Loopback100
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-1
interface Virtual-Template101 type tunnel
 ip unnumbered Loopback101
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-2

crypto ipsec profile VPN-1
 set transform-set GCM 
 set pfs group21
 set ikev2-profile VPN-1
crypto ipsec profile VPN-2
 set transform-set GCM 
 set pfs group21
 set ikev2-profile VPN-2

 

 


ikev2-auth-policy-1-VPN

Is the name of this ikev2 policy correct? Just double check it.

Did you try to connect after you added "no crypto ikev2 http-url cert"?

MHM

HermanAkv
Level 1

Name looks correct. I had there "no crypto ikev2 http-url cert" all the time so nothing has changed. If I remove "match identity remote key-id *$AnyConnectClient$*" I am not able to connect at all.

HermanAkv
Level 1

I have a feeling that something like this is not possible at all. I was trying to find a solution the whole day but did not find anything that would work.

HermanAkv
Level 1

So as @Rob Ingram suggested, I tried to make only certificate authentication with name-mangler. However, I am not very successful here either. Any idea what is wrong?

Config

 

 

aaa new-model
aaa authentication login AUTHEN local
aaa attribute list TEST-ADMIN
crypto pki certificate map CERT-MAP-INT 10
 issuer-name co testca
!
crypto ikev2 authorization policy TEST-ADMIN 
 pool VPN-ADMIN-POOL
 dns 172.17.10.1
 netmask 255.255.255.0
 aaa attribute list TEST-ADMIN
 route set access-list split_tunnel-ADMIN-VPN
!
crypto ikev2 proposal default
 encryption aes-cbc-256
 integrity sha512
 group 21
crypto ikev2 profile VPN-INT-1
 match certificate CERT-MAP-INT
 identity local dn
 authentication remote ecdsa-sig
 authentication local ecdsa-sig
 pki trustpoint TP-VPN
 aaa authorization group cert list AUTHOR name-mangler INT_MN
 virtual-template 101
 anyconnect profile acvpn
!
crypto vpn anyconnect profile acvpn bootflash:/acvpn.xml
crypto ipsec transform-set GCM esp-gcm 256 
 mode transport
crypto ipsec profile VPN-INT
 set transform-set GCM 
 set pfs group21
 set ikev2-profile VPN-INT-1
!
ip local pool VPN-ADMIN-POOL 172.17.10.2 172.17.10.3
!
crypto ikev2 name-mangler INT_MN
 dn organization-unit
!
interface Virtual-Template101 type tunnel
 description VPN-INT
 ip unnumbered Loopback101
 ip mtu 1400
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-INT

 

And I am receiving the following error

 

Nov  6 13:15:45.752: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 698 
Payload contents: 
 SA  Next payload: KE, reserved: 0x0, length: 276
  last proposal: 0x2, reserved: 0x0, length: 124
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 13    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: None
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_3072_MODP/Group 15
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_4096_MODP/Group 16
  last proposal: 0x0, reserved: 0x0, length: 148
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 16    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_3072_MODP/Group 15
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_4096_MODP/Group 16
 KE  Next payload: N, reserved: 0x0, length: 72
    DH group: 19, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: VID, reserved: 0x0, length: 59
 VID  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 19
 VID  Next payload: VID, reserved: 0x0, length: 20
 VID  Next payload: VID, reserved: 0x0, length: 26
 VID  Next payload: NOTIFY, reserved: 0x0, length: 29
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
 VID  Next payload: CFG, reserved: 0x0, length: 20
 CFG  Next payload: NOTIFY, reserved: 0x0, length: 14
    cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0

   attrib type: Unknown - 28728, length: 2
 NOTIFY(REDIRECT_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: REDIRECT_SUPPORTED

Nov  6 13:15:45.756: IKEv2-ERROR:(SESSION ID = 237,SA ID = 1):: The peer's KE payload contained the wrong DH group
Nov  6 13:15:45.756: IKEv2-PAK:(SESSION ID = 237,SA ID = 1):Next payload: NOTIFY, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 38 
Payload contents: 
 NOTIFY(INVALID_KE_PAYLOAD)  Next payload: NONE, reserved: 0x0, length: 10
    Security protocol id: Unknown - 0, spi size: 0, type: INVALID_KE_PAYLOAD

Nov  6 13:15:45.757: IKEv2-ERROR:(SESSION ID = 237,SA ID = 1):Initial exchange failed: Initial exchange failed
Nov  6 13:15:45.776: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 766 
Payload contents: 
 SA  Next payload: KE, reserved: 0x0, length: 276
  last proposal: 0x2, reserved: 0x0, length: 124
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 13    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: None
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_3072_MODP/Group 15
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_4096_MODP/Group 16
  last proposal: 0x0, reserved: 0x0, length: 148
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 16    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_3072_MODP/Group 15
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_4096_MODP/Group 16
 KE  Next payload: N, reserved: 0x0, length: 140
    DH group: 21, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: VID, reserved: 0x0, length: 59
 VID  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 19
 VID  Next payload: VID, reserved: 0x0, length: 20
 VID  Next payload: VID, reserved: 0x0, length: 26
 VID  Next payload: NOTIFY, reserved: 0x0, length: 29
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
 VID  Next payload: CFG, reserved: 0x0, length: 20
 CFG  Next payload: NOTIFY, reserved: 0x0, length: 14
    cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0

   attrib type: Unknown - 28728, length: 2
 NOTIFY(REDIRECT_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: REDIRECT_SUPPORTED

Nov  6 13:15:45.930: IKEv2-PAK:(SESSION ID = 238,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 541 
Payload contents: 
 SA  Next payload: KE, reserved: 0x0, length: 48
  last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
 KE  Next payload: N, reserved: 0x0, length: 140
    DH group: 21, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 36
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: VID, reserved: 0x0, length: 19
 VID  Next payload: VID, reserved: 0x0, length: 59
 VID  Next payload: VID, reserved: 0x0, length: 19
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
 CERTREQ  Next payload: NONE, reserved: 0x0, length: 45
    Cert encoding X.509 Certificate - signature

Nov  6 13:15:45.951: IKEv2-PAK:(SESSION ID = 238,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 768 
Payload contents: 
 VID  Next payload: IDi, reserved: 0x0, length: 20
 IDi  Next payload: CERTREQ, reserved: 0x0, length: 28
    Id type: Group name, Reserved: 0x0 0x0
 CERTREQ  Next payload: CFG, reserved: 0x0, length: 25
    Cert encoding X.509 Certificate - signature
 CFG  Next payload: SA, reserved: 0x0, length: 259
    cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0

   attrib type: internal IP4 address, length: 0

   attrib type: internal IP4 netmask, length: 0

   attrib type: internal IP4 DNS, length: 0

   attrib type: internal IP4 NBNS, length: 0

   attrib type: internal address expiry, length: 0

   attrib type: application version, length: 28
   attrib type: internal IP4 subnet, length: 0

   attrib type: internal IP6 address, length: 0

   attrib type: internal IP6 DNS, length: 0

   attrib type: internal IP6 subnet, length: 0

   attrib type: Unknown - 28682, length: 15
   attrib type: Unknown - 28704, length: 0

   attrib type: Unknown - 28742, length: 0

   attrib type: Unknown - 28743, length: 0

   attrib type: Unknown - 28705, length: 0

   attrib type: Unknown - 28706, length: 0

   attrib type: Unknown - 28707, length: 0

   attrib type: Unknown - 28708, length: 0

   attrib type: Unknown - 28709, length: 0

   attrib type: Unknown - 28710, length: 0

   attrib type: Unknown - 28672, length: 0

   attrib type: Unknown - 28684, length: 0

   attrib type: Unknown - 28711, length: 2
   attrib type: Unknown - 28674, length: 0

   attrib type: Unknown - 28712, length: 0

   attrib type: Unknown - 28675, length: 0

   attrib type: Unknown - 28679, length: 0

   attrib type: Unknown - 28683, length: 0

   attrib type: Unknown - 28717, length: 0

   attrib type: Unknown - 28718, length: 0

   attrib type: Unknown - 28719, length: 0

   attrib type: Unknown - 28720, length: 0

   attrib type: Unknown - 28721, length: 0

   attrib type: Unknown - 28722, length: 0

   attrib type: Unknown - 28723, length: 0

   attrib type: Unknown - 28724, length: 0

   attrib type: Unknown - 28725, length: 0

   attrib type: Unknown - 28726, length: 0

   attrib type: Unknown - 28727, length: 0

   attrib type: Unknown - 28729, length: 0

   attrib type: Unknown - 28730, length: 0

   attrib type: Unknown - 28731, length: 0

   attrib type: Unknown - 28732, length: 0

   attrib type: Unknown - 28734, length: 0

   attrib type: Unknown - 28736, length: 0

   attrib type: Unknown - 28733, length: 4
   attrib type: Unknown - 28735, length: 4
   attrib type: Unknown - 28737, length: 0

   attrib type: Unknown - 28738, length: 2
 SA  Next payload: NOTIFY, reserved: 0x0, length: 156
  last proposal: 0x2, reserved: 0x0, length: 64
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 5    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: None
    last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
  last proposal: 0x0, reserved: 0x0, length: 88
  Proposal: 2, Protocol id: ESP, SPI size: 4, #trans: 8    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA384
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id: Don't use ESN
 NOTIFY(IPCOMP_SUPPORTED)  Next payload: TSi, reserved: 0x0, length: 11
    Security protocol id: IKE, spi size: 0, type: IPCOMP_SUPPORTED
 TSi  Next payload: TSr, reserved: 0x0, length: 64
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
    TS type: TS_IPV6_ADDR_RANGE, proto id: 0, length: 40
    start port: 0, end port: 65535
    start addr: ::, end addr: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 64
    Num of TSs: 2, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 0.0.0.0, end addr: 255.255.255.255
    TS type: TS_IPV6_ADDR_RANGE, proto id: 0, length: 40
    start port: 0, end port: 65535
    start addr: ::, end addr: FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(USE_TRANSPORT_MODE)  Next payload: OA, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: USE_TRANSPORT_MODE
 OA  Next payload: OA, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0
 OA  Next payload: NOTIFY, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

Nov  6 13:15:45.958: IKEv2-ERROR:% IKEv2 profile not found
Nov  6 13:15:45.958: IKEv2-ERROR:(SESSION ID = 238,SA ID = 1):: Failed to locate an item in the database 
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

Nov  6 13:15:45.959: IKEv2-PAK:(SESSION ID = 238,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 96 
Payload contents: 
 ENCR  Next payload: NOTIFY, reserved: 0x0, length: 68
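
A triage pass over the debug output in the post above, as an added example that is not part of the original post: it separates the INVALID_KE_PAYLOAD group retry, which recovers, from the errors logged during IKE_AUTH, and reports the IDi type the client sent. The sample log is a constructed, condensed excerpt of that output, and the function and field names are assumptions of this example.

```python
import re

# Constructed sample: the debug output posted above, condensed to the lines
# the triage needs (same messages, same order, payload detail trimmed).
SAMPLE = """\
Nov  6 13:15:45.752: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 698
 KE  Next payload: N, reserved: 0x0, length: 72
    DH group: 19, Reserved: 0x0
Nov  6 13:15:45.756: IKEv2-ERROR:(SESSION ID = 237,SA ID = 1):: The peer's KE payload contained the wrong DH group
Nov  6 13:15:45.756: IKEv2-PAK:(SESSION ID = 237,SA ID = 1):Next payload: NOTIFY, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 38
 NOTIFY(INVALID_KE_PAYLOAD)  Next payload: NONE, reserved: 0x0, length: 10
Nov  6 13:15:45.757: IKEv2-ERROR:(SESSION ID = 237,SA ID = 1):Initial exchange failed: Initial exchange failed
Nov  6 13:15:45.776: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 766
 KE  Next payload: N, reserved: 0x0, length: 140
    DH group: 21, Reserved: 0x0
Nov  6 13:15:45.930: IKEv2-PAK:(SESSION ID = 238,SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 541
 KE  Next payload: N, reserved: 0x0, length: 140
    DH group: 21, Reserved: 0x0
Nov  6 13:15:45.951: IKEv2-PAK:(SESSION ID = 238,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 768
 IDi  Next payload: CERTREQ, reserved: 0x0, length: 28
    Id type: Group name, Reserved: 0x0 0x0
 OA  Next payload: OA, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0
Nov  6 13:15:45.958: IKEv2-ERROR:% IKEv2 profile not found
Nov  6 13:15:45.958: IKEv2-ERROR:(SESSION ID = 238,SA ID = 1):: Failed to locate an item in the database
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
"""

PAK = re.compile(r"IKEv2-PAK:.*Exchange type: (\w+), flags: (INITIATOR|RESPONDER)")
ERR = re.compile(r"IKEv2-ERROR:(?:\(SESSION ID = \d+,SA ID = \d+\))?[:%\s]*(.+?)\s*$")
PAYLOAD = re.compile(r"^\s+(\S+)\s+Next payload:")
FIELD = re.compile(r"^\s+(DH group|Id type): ([^,]+),")
# Error-class notify names from RFC 7296; everything else is status.
ERROR_NOTIFY = {"INVALID_SYNTAX", "NO_PROPOSAL_CHOSEN", "INVALID_KE_PAYLOAD",
                "AUTHENTICATION_FAILED", "TS_UNACCEPTABLE"}

def triage(text):
    """Reduce an IOS 'debug crypto ikev2' capture to the facts that matter."""
    exch = role = payload = None
    r = {"ke": {"INITIATOR": [], "RESPONDER": []}, "idi_type": None,
         "notify_errors": [], "errors": {}}
    for line in text.splitlines():
        if m := PAK.search(line):
            exch, role, payload = m.group(1), m.group(2), None
        elif m := ERR.search(line):
            r["errors"].setdefault(exch, []).append(m.group(1))
        elif m := PAYLOAD.match(line):
            payload = m.group(1)
            name = payload[7:-1] if payload.startswith("NOTIFY(") else None
            if name in ERROR_NOTIFY:
                r["notify_errors"].append(name)
        elif m := FIELD.match(line):
            if m.group(1) == "DH group" and payload == "KE" and role:
                r["ke"][role].append(int(m.group(2)))
            elif m.group(1) == "Id type" and payload == "IDi":
                r["idi_type"] = m.group(2)   # OA payloads also print "Id type"
    # INVALID_KE_PAYLOAD followed by a responder KE in a group the client
    # offered is the normal IKEv2 group retry, not the failure.
    resp = r["ke"]["RESPONDER"]
    r["dh_retry_recovered"] = ("INVALID_KE_PAYLOAD" in r["notify_errors"]
                               and bool(resp) and resp[-1] in r["ke"]["INITIATOR"])
    r["auth_errors"] = r["errors"].get("IKE_AUTH", [])
    return r
```

On this capture the first error pair (wrong DH group, INVALID_KE_PAYLOAD) is followed by a successful IKE_SA_INIT on group 21, so the errors to chase are the two logged during IKE_AUTH.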

 

first undebug all 

then 

debug crypto ikev2 error 

show crypto ikev2 sa detail 

show crypto session detail

 

Share the above; send it to me as a PM.

MHM

Still waiting  

MHM