05-03-2017 12:34 AM
R1 (12.1.1.1) -- (12.1.1.2) R2 (23.1.1.2) -- (23.1.1.3) R3 (34.1.1.3) -- (34.1.1.4) R4 (45.1.1.4) -- (45.1.1.5) R5
R1 and R5: PC client
R2 and R4: VPN gateway
R3: NAT device
R2 cannot create a crypto IKEv2 SA.
debug
————————————————————————————————————————————————————————
debug crypto ikev2
IKEv2 default debugging is on
*May 3 14:24:35.443: IKEv2:% Getting preshared key from profile keyring ikev2-keyring
*May 3 14:24:35.447: IKEv2:% Matched peer block 'ccie43413'
*May 3 14:24:35.447: IKEv2:Searching Policy with fvrf 0, local address 23.1.1.2
*May 3 14:24:35.451: IKEv2:Found Policy 'ikev2-policy'
*May 3 14:24:35.471: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 16
*May 3 14:24:35.475: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 3 14:24:35.479: IKEv2:(SA ID = 1):Request queued for computation of DH key
*May 3 14:24:35.483: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*May 3 14:24:35.487: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*May 3 14:24:35.491: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_4096_MODP/Group 16
*May 3 14:24:35.503: IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:500/From 23.1.1.2:500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*May 3 14:24:35.519: IKEv2:(SA ID = 1):Insert SA
*May 3 14:24:36.511: IKEv2:(SA ID = 1):Received Packet [From 23.1.1.3:500/To 23.1.1.2:500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 372F4B4B8420F745 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*May 3 14:24:36.535: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*May 3 14:24:36.539: IKEv2:(SA ID = 1):Verify SA init message
*May 3 14:24:36.543: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*May 3 14:24:36.571: IKEv2:(SA ID = 1):Checking NAT discovery
*May 3 14:24:36.575: IKEv2:(SA ID = 1):NAT OUTSIDE found
*May 3 14:24:36.579: IKEv2:(SA ID = 1):NAT detected float to init port 4500, resp port 4500
*May 3 14:24:36.583: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 16
*May 3 14:24:37.871: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 3 14:24:37.875: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*May 3 14:24:37.879: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*May 3 14:24:37.887: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*May 3 14:24:37.891: IKEv2:(SA ID = 1):Completed SA init exchange
*May 3 14:24:37.895: IKEv2:(SA ID = 1):Check for EAP exchange
*May 3 14:24:37.899: IKEv2:(SA ID = 1):Generate my authentication data
*May 3 14:24:37.903: IKEv2:(SA ID = 1):Use preshared key for id 23.1.1.2, key len 9
*May 3 14:24:37.903: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 3 14:24:37.907: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 3 14:24:37.911: IKEv2:(SA ID = 1):Get my authentication method
*May 3 14:24:37.911: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*May 3 14:24:37.915: IKEv2:(SA ID = 1):Check for EAP exchange
*May 3 14:24:37.919: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*May 3 14:24:37.923: IKEv2:(SA ID = 1):Constructing IDi payload: '23.1.1.2' of type 'IPv4 address'
*May 3 14:24:37.923: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*May 3 14:24:37.931: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*May 3 14:24:37.951: IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:4500/From 23.1.1.2:4500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 372F4B4B8420F745 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
*May 3 14:24:38.115: IKEv2:(SA ID = 1):Received Packet [From 23.1.1.3:4500/To 23.1.1.2:4500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 372F4B4B8420F745 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*May 3 14:24:38.139: IKEv2:(SA ID = 1):Process auth response notify
*May 3 14:24:38.143: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 3 14:24:38.203: IKEv2:(SA ID = 1):Failed to locate an item in the database
*May 3 14:24:38.203: IKEv2:(SA ID = 1):
*May 3 14:24:38.207: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*May 3 14:24:38.211: IKEv2:(SA ID = 1):Auth exchange failed
*May 3 14:24:38.211: IKEv2:(SA ID = 1):Auth exchange failed
*May 3 14:24:38.215: IKEv2:(SA ID = 1):Auth exchange failed
*May 3 14:24:38.219: IKEv2:(SA ID = 1):Abort exchange
*May 3 14:24:38.247: IKEv2:(SA ID = 1):Deleting SA
un all
All possible debugging has been turned off
————————————————————————————————————————————————————————
See attached.
I do not know where something goes wrong; please tell me.
At this point
Thank you
Lv Pin
05-03-2017 02:27 AM
*May 3 14:24:38.143: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 3 14:24:38.203: IKEv2:(SA ID = 1):Failed to locate an item in the database
You can try this on R2
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 0.0.0.0 0.0.0.0
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
!
05-04-2017 12:11 AM
Hi a.alekseev,
Thank you for your answer.
The problem is still there.
——————————————————————————————————————
*May 4 07:05:46.655: IKEv2:(SA ID = 1):Process auth response notify
*May 4 07:05:46.659: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 4 07:05:46.719: IKEv2:(SA ID = 1):Failed to locate an item in the database
*May 4 07:05:46.719: IKEv2:(SA ID = 1):
*May 4 07:05:46.723: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*May 4 07:05:46.727: IKEv2:(SA ID = 1):Auth exchange failed
*May 4 07:05:46.727: IKEv2:(SA ID = 1):Auth exchange failed
*May 4 07:05:46.731: IKEv2:(SA ID = 1):Auth exchange failed
*May 4 07:05:46.735: IKEv2:(SA ID = 1):Abort exchange
*May 4 07:05:46.763: IKEv2:(SA ID = 1):Deleting SA
R2#
R2#un all
All possible debugging has been turned off
R2#
R2#show run | s ikev2-keyring
crypto ikev2 keyring ikev2-keyring
 peer ccie43413
  address 0.0.0.0 0.0.0.0
  pre-shared-key local ccie43413
  pre-shared-key remote ccie43413
 !
 keyring local ikev2-keyring
R2#
——————————————————————————————————————————
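The two debug traces above show the same sequence twice: the keyring lookup succeeds ("Matched peer block 'ccie43413'"), NAT is detected on the path to 23.1.1.3, and then "Searching policy based on peer's identity '34.1.1.4'" ends in "Failed to locate an item in the database" and the AUTH check is reported as FAILED. The script below is an added triage example, not part of the thread and not Cisco code. It parses the posted lines (embedded as a constructed sample), separates the keyring step from the identity step, and flags that the peer's asserted IKE identity (34.1.1.4, R4's own address) differs from the transport address its packets arrive from (23.1.1.3, the NAT device). It assumes, as this example's reading of the trace, that the "Searching policy based on peer's identity" line is the lookup of an IKEv2 profile by its `match identity remote` rule, and it models the `match identity remote address A MASK` rule as "the peer's IPv4 identity falls inside A/MASK" (0.0.0.0 0.0.0.0 matching anything). The function and variable names are this example's own.

```python
"""Triage an IOS 'debug crypto ikev2' trace: keyring match versus identity match."""
import ipaddress
import re

# Constructed sample: the lines from R2's "debug crypto ikev2" output in the post
# that the triage needs, copied verbatim.
SAMPLE_DEBUG = """\
*May 3 14:24:35.447: IKEv2:% Matched peer block 'ccie43413'
*May 3 14:24:35.503: IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:500/From 23.1.1.2:500/VRF i0:f0]
*May 3 14:24:36.579: IKEv2:(SA ID = 1):NAT detected float to init port 4500, resp port 4500
*May 3 14:24:37.923: IKEv2:(SA ID = 1):Constructing IDi payload: '23.1.1.2' of type 'IPv4 address'
*May 3 14:24:38.143: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 3 14:24:38.203: IKEv2:(SA ID = 1):Failed to locate an item in the database
*May 3 14:24:38.207: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
"""

RE_KEYRING = re.compile(r"Matched peer block '([^']+)'")
RE_SEND = re.compile(r"Sending Packet \[To ([\d.]+):(\d+)/From ([\d.]+):(\d+)")
RE_NAT = re.compile(r"NAT detected float to init port (\d+), resp port (\d+)")
RE_IDI = re.compile(r"Constructing IDi payload: '([^']+)'")
RE_PEER_ID = re.compile(r"Searching policy based on peer's identity '([^']+)' of type '([^']+)'")
RE_NOTFOUND = re.compile(r"Failed to locate an item in the database")
RE_AUTH_FAIL = re.compile(r"Verification of peer's authentication data FAILED")


def parse_ikev2_debug(text):
    """Extract the facts needed for triage: which lookup succeeded, which failed,
    what the peer's transport address is and what identity it asserted."""
    info = {
        "keyring_peer_block": None,   # keyring peer block that supplied the PSK
        "peer_transport_addr": None,  # address R2 sends IKE packets to (post-NAT)
        "local_addr": None,
        "nat_detected": False,
        "local_id": None,             # IDi R2 sent
        "peer_id": None,              # identity the peer asserted (IDr)
        "peer_id_type": None,
        "profile_lookup_failed": False,
        "auth_failed": False,
    }
    awaiting_lookup_result = False
    for line in text.splitlines():
        if m := RE_KEYRING.search(line):
            info["keyring_peer_block"] = m.group(1)
        elif m := RE_SEND.search(line):
            if info["peer_transport_addr"] is None:  # first packet fixes the addresses
                info["peer_transport_addr"] = m.group(1)
                info["local_addr"] = m.group(3)
        elif RE_NAT.search(line):
            info["nat_detected"] = True
        elif m := RE_IDI.search(line):
            info["local_id"] = m.group(1)
        elif m := RE_PEER_ID.search(line):
            info["peer_id"], info["peer_id_type"] = m.group(1), m.group(2)
            awaiting_lookup_result = True
        elif RE_NOTFOUND.search(line) and awaiting_lookup_result:
            # "Failed to locate" directly after the identity search: no profile matched.
            info["profile_lookup_failed"] = True
            awaiting_lookup_result = False
        elif RE_AUTH_FAIL.search(line):
            info["auth_failed"] = True
    return info


def identity_matches_rules(peer_id, rules):
    """Assumed model of 'match identity remote address A MASK': the peer's IPv4
    identity lies within A/MASK. rules is a list of (address, mask) strings."""
    ip = ipaddress.ip_address(peer_id)
    return any(ip in ipaddress.ip_network((addr, mask), strict=False) for addr, mask in rules)


def diagnose(info, profile_rules=None):
    """Turn the parsed facts into findings; profile_rules are candidate match rules."""
    findings = []
    if info["keyring_peer_block"]:
        findings.append(f"keyring lookup OK: peer block '{info['keyring_peer_block']}' supplied the PSK")
    if info["profile_lookup_failed"]:
        findings.append(f"identity lookup FAILED: no profile matched peer identity "
                        f"{info['peer_id']} ({info['peer_id_type']}); the trace then reports "
                        f"AUTH verification failed")
    if info["nat_detected"] and info["peer_id"] and info["peer_id"] != info["peer_transport_addr"]:
        findings.append(f"peer is behind NAT: packets come from {info['peer_transport_addr']} "
                        f"but it asserts identity {info['peer_id']}; match on the identity, "
                        f"not on the NAT address")
    if profile_rules is not None and info["peer_id"]:
        verdict = "cover" if identity_matches_rules(info["peer_id"], profile_rules) else "do not cover"
        findings.append(f"candidate match rules {profile_rules} {verdict} {info['peer_id']}")
    return findings


if __name__ == "__main__":
    parsed = parse_ikev2_debug(SAMPLE_DEBUG)
    # Hypothetical rule matching the NAT address instead of the peer's identity.
    for finding in diagnose(parsed, [("23.1.1.3", "255.255.255.255")]):
        print("-", finding)
```

The point the script makes explicit is that a keyring `address 0.0.0.0 0.0.0.0` fixes only the PSK lookup, which in this trace already succeeds; the failing step is the one keyed on the identity the peer puts in its IDr payload, and behind NAT that identity is the gateway's own address, not the source address R2 sees. When scoping that rule, prefer the peer's real identity over a wildcard: with a shared PSK, a wildcard identity match lets any host that holds the PSK authenticate as that peer.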