IPSec error between HPE 6600 and cisco router

MrBeginner

Dear all,

I would like to request help with my GRE-over-IPsec problem.

I configured a GRE over IPsec tunnel from my DC to the branches.

I already created 3 links with certificate authentication. Now I get an error at two sites. My DC router is an HP 6600, and my branches use Cisco and HP routers. I get this issue at two sites: one site using HP routers and the other site using an HP MSR router. The log below is what I collected from the MSR branch router. Please see the config below from the HP 6600 DC router. When I remove ike-profile 1 from the ipsec policy, the tunnel is up; when I assign it again, the tunnel is down. How can I troubleshoot this? Is it a certificate error?


ipsec policy aksd 1 isakmp
transform-set trans1
security acl 3200
remote-address 192.16.1.2
ike-profile 1
#
#
ike profile 1
certificate domain aksd
local-identity address 192.16.1.2
match remote identity address 192.16.1.1
proposal 2

ike proposal 2
authentication-method rsa-signature
encryption-algorithm aes-cbc-256
dh group14


*Jun 5 16:52:34:113 2019 R2 IKE/7/Event: IKE thread 366519743152 processes a job.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Event: Set IPsec SA state to IKE_P2_STATE_INIT.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Decrypt the packet.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Hash Payload.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Security Association Payload.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Nonce Payload.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Identification Payload (IPsec DOI).
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Received ISAKMP Identification Payload (IPsec DOI).
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Process HASH payload.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Event: Validated HASH(1) successfully.
*Jun 5 16:52:34:113 2019 R2 IKE/7/Packet: Process IPsec ID payload.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Process IPsec ID payload.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP.
*Jun 5 16:52:34:114 2019 R2 IPSEC/7/Event:
The policy's acl or ike profile does not match the flow, Name = AKSD, Seqnum = 1
*Jun 5 16:52:34:114 2019 R2 IPSEC/7/Event:
The policy's acl or ike profile does not match the flow, Name = AKSD, Seqnum = 2
*Jun 5 16:52:34:114 2019 R2 IKE/7/Error: Failed to get IPsec policy for phase 2 responder. Delete IPsec SA.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Error: Failed to negotiate IPsec SA.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Event: Delete IPsec SA.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Encrypt the packet.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Construct notification packet: INVALID_ID_INFORMATION.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Sending packet to 192.16.1.2 remote port 500, local port 500.
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet:
I-Cookie: 50d6f8f4b4273993
R-Cookie: 55ba871bd6e9c0de
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Info
flags: ENCRYPT
message ID: ead936d0
length: 68
*Jun 5 16:52:34:114 2019 R2 IKE/7/Packet: Sending an IPv4 packet.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/event:
Enter IPsec output process, Flag : 0x1000080, Data length : 48.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/event:
Can't find block-flow node.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/packet:
Failed to find SA by SP.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/packet:
The reason of dropping packet is no available IPsec tunnel.
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/event:
Sent SA-Acquire message : SP ID = 1
*Jun 5 16:52:34:120 2019 R2 IPSEC/7/Event:
Received negotiatiate SA message from IPsec kernel.
*Jun 5 16:52:34:120 2019 R2 IKE/7/Event: Received SA acquire message from IPsec.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: Set IPsec SA state to IKE_P2_STATE_INIT.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: IKE thread 366519743152 processes a job.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: Begin Quick mode exchange.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSPI.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Event: IKE thread 366519743152 processes a job.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Set attributes according to phase 2 transform.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Encapsulation mode is Tunnel.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: in seconds
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Life duration is 3600.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: in kilobytes
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Life duration is 1843200.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Authentication algorithm is HMAC-SHA1.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Key length is 256 bytes.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Transform ID is AES-CBC.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Construct transform 1.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Construct IPsec proposal 1.
*Jun 5 16:52:34:121 2019 R2 IKE/7/Packet: Construct IPsec SA payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Construct NONCE payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Construct IPsec ID payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Construct IPsec ID payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Construct HASH(1) payload.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Encrypt the packet.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Event: IPsec SA state changed from IKE_P2_STATE_GETSPI to IKE_P2_STATE_SEND1.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Sending packet to 192.16.1.2 remote port 500, local port 500.
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet:
I-Cookie: 50d6f8f4b4273993
R-Cookie: 55ba871bd6e9c0de
next payload: HASH
version: ISAKMP Version 1.0
exchange mode: Quick
flags: ENCRYPT
message ID: 6fc97ac7
length: 164
*Jun 5 16:52:34:122 2019 R2 IKE/7/Packet: Sending an IPv4 packet.
*Jun 5 16:52:34:126 2019 R2 IKE/7/Packet: Received packet from 192.16.1.2 source port 500 destination port 500.
*Jun 5 16:52:34:127 2019 R2 IPSEC/7/error:
The SA doesn't exist in kernel.


6 Replies

Your phase 2 policies are mismatched. Check again and make sure that you have the same proposals.

Hi,

I already checked; the proposal is the same.

I worry the proposal includes the certificate. Will it be a certificate error?

I only have the HP router configuration. Please help me.

Certificate error will pop at a later stage (during validation of authenticity).

Try to use aes instead of aes 256. It might not be supported. Also try group 2 instead of 14, as 14 might not be supported.

Hi,

I already changed it, but I still get the error. When I remove the ike profile, the IPsec SA is still active. Let me know: can I ping from the interface that IPsec is applied to, to the interface without an IPsec policy applied?

Hi,

Let me know: does a "hash payload doesn't match" error also mean IKE phase 1?