11-22-2018 12:31 AM - edited 02-21-2020 09:30 PM
Dear All,
I am a beginner in VPN. I am trying to set up a site-to-site VPN with IKEv2 using CA authentication, but I don't get any IKE
negotiation and my IPsec tunnel doesn't work. Please see the config below and please advise me. IKEv2 session and status show nothing.
R1#sh crypto ikev2 session
R1#sh crypto ikev2 stats
--------------------------------------------------------------------------------
 Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego(in/out): 40/400
Total incoming IKEv2 SA Count: 0 active: 0 negotiating: 0
Total outgoing IKEv2 SA Count: 0 active: 0 negotiating: 0
Incoming IKEv2 Requests: 5 accepted: 5 rejected: 0
Outgoing IKEv2 Requests: 5 accepted: 5 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming Requests dropped as LOW Q limit reached : 0
Incoming IKEV2 Cookie Challenged Requests: 0
 accepted: 0 rejected: 0 rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0
R1#
11-23-2018 03:37 AM
Hi, try crypto pki certificate map; I think it will fix your problem. Use the link below as an example: http://itbundle.net/archives/2934
11-22-2018 01:46 AM
hello,
Can you provide the below debugs from both sides?
debug crypto condition peer ipv4 <public ip address of the peer>
debug crypto ikev2 error
debug crypto ikev2
debug crypto ikev2 internal
debug crypto ikev2 packet
debug crypto ipsec error
debug crypto ipsec
debug crypto ipsec error
debug crypto pki message
debug crypto pki transactions
debug crypto unmatched ikev2
11-22-2018 03:53 AM
Hi,
Please see the log below and please help me to troubleshoot.
I think something is wrong with my certificate authentication, but I don't know which part is wrong. Maybe the identity type or the subject name part?
May I know why, if I don't put the rsakeypair my-ca 2048 command
in the router, I get the minimum public key error when requesting from the CA?
11-22-2018 04:45 AM
It seems that we are getting authentication failed from the remote end.
*Nov 22 19:35:48: IKEv2:(SESSION ID = 6,SA ID = 1):Received Packet [From 10.1.14.80:500/To 10.1.14.70:500/VRF i0:f0]
Initiator SPI : AA4F316ED4E912E9 - Responder SPI : 5F3A8A76E29AE34A Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
*Nov 22 19:35:48: IKEv2-PAK:(SESSION ID = 6,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 80
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED
Can you provide the debugs from the remote end?
Thanks,
Shakti
11-22-2018 07:30 AM
Hi,
It seems IKEv2 is not able to pick up the correct profile.
Please provide me with the below debug and output from both devices.
sh crypto pki certificates
debug crypto unmatched ikev2
Hi,
Please see the certificates for R1 and R2.
R1#sh crypto pki certificates verbose
Certificate
 Status: Available
 Version: 3
 Certificate Serial Number (hex): 5500000021CB515F84C900A61C000000000021
 Certificate Usage: General Purpose
 Issuer:
 cn=crypto-CASVR-CA-1
 dc=crypto
 dc=local
 Subject:
 Name: r1
 cn=r1
 CRL Distribution Points:
 ldap:///CN=crypto-CASVR-CA-1,CN=CASVR,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
 Validity Date:
 start date: 01:41:07 SGD Nov 23 2018
 end date: 01:51:07 SGD Nov 23 2020
 Subject Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (2048 bit)
 Signature Algorithm: SHA256 with RSA Encryption
*Nov 23 15:07:10: CRYPTO_PKI: unable to build cert attributes list
*Nov 23 15:07:10: CRYPTO_PKI: unable to build cert attributes list
*Nov 23 15:07:10: CRYPTO_PKI: unable to build cert attri
 Fingerprint MD5: 7DFC4674 058DAB98 E7361C53 20A75EAB
 Fingerprint SHA1: 8308D607 9997B283 3E029256 C2077EBD 12DC12EF
 X509v3 extensions:
 X509v3 Key Usage: A0000000
 Digital Signature
 Key Encipherment
 X509v3 Subject Key ID: 4A443231 4DC63BC9 F5DC7F83 8E872C7C AC98B7E8
 X509v3 Authority Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
 Authority Info Access:
 Extended Key Usage:
 Client Auth
 1.3.6.1.5.5.8.2.2
 IPSEC Tunnel
 Server Auth
 Associated Trustpoints: my-ca
 Key Label: my-ca
CA Certificate
 Status: Available
 Version: 3
 Certificate Serial Number (hex): 3E4E0CD6A71F67A54DB01767A4C7F840
 Certificate Usage: Signature
 Issuer:
 cn=crypto-CASVR-CA-1
 dc=crypto
 dc=local
 Subject:
 cn=crypto-CASVR-CA-1
 dc=crypto
 dc=local
 Validity Date:
 start date: 18:08:09 SGD Oct 8 2018
 end date: 18:18:08 SGD Oct 8 2023
 Subject Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (2048 bit)
 Signature Algorithm: SHA256 with RSA Encryption
 Fingerprint MD5: 8B1230F4 E3F89E9E 5BA755F4 E97FC9A8
 Fingerprint SHA1: F634D3C2 79A412AF 22351C6E 2EEAB870 886BC27B
 X509v3 extensions:
 X509v3 Key Usage: 86000000
 Digital Signature
 Key Cert Sign
 CRL Signature
 X509v3 Subject Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
 X509v3 Basic Constraints:
 CA: TRUE
 Authority Info Access:
 Associated Trustpoints: my-ca
R1#
r2#sh crypto pki certificates verbose
Certificate
 Status: Available
 Version: 3
 Certificate Serial Number (hex): 5500000022714B1CD619EFCABB000000000022
 Certificate Usage: General Purpose
 Issuer:
 cn=crypto-CASVR-CA-1
 dc=crypto
 dc=local
 Subject:
 Name: r1
 cn=r1
 CRL Distribution Points:
 ldap:///CN=crypto-CASVR-CA-1,CN=CASVR,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
 Validity Date:
 start date: 17:44:08 UTC Nov 22 2018
 end date: 17:54:08 UTC Nov 22 2020
 Subject Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (2048 bit)
 Signature Algorithm: SHA256 with RSA Encryption
*Nov 23 07:07:42.854: CRYPTO_PKI: unable to build cert attributes list
*Nov 23 07:07:42.866: CRYPTO_PKI: unable to build cert attributes list
*Nov 23 07:07:42.866: CRYPTO_PKI: unable to build cert attri
 Fingerprint MD5: 46AAE612 2CBF045D 00D22513 277AD8EF
 Fingerprint SHA1: 34F7578E 8CC3A336 49EBE6EE E21E54A8 D1B5A9E8
 X509v3 extensions:
 X509v3 Key Usage: A0000000
 Digital Signature
 Key Encipherment
 X509v3 Subject Key ID: F28BB25B EE7B2FE4 4B09E19F 378BD709 C6BC593D
 X509v3 Authority Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
 Authority Info Access:
 Extended Key Usage:
 Client Auth
 1.3.6.1.5.5.8.2.2
 IPSEC Tunnel
 Server Auth
 Associated Trustpoints: my-ca
 Key Label: my-ca
CA Certificate
 Status: Available
 Version: 3
 Certificate Serial Number (hex): 3E4E0CD6A71F67A54DB01767A4C7F840
 Certificate Usage: Signature
 Issuer:
 cn=crypto-CASVR-CA-1
 dc=crypto
 dc=local
 Subject:
 cn=crypto-CASVR-CA-1
 dc=crypto
 dc=local
 Validity Date:
 start date: 10:08:09 UTC Oct 8 2018
 end date: 10:18:08 UTC Oct 8 2023
 Subject Key Info:
 Public Key Algorithm: rsaEncryption
 RSA Public Key: (2048 bit)
 Signature Algorithm: SHA256 with RSA Encryption
 Fingerprint MD5: 8B1230F4 E3F89E9E 5BA755F4 E97FC9A8
 Fingerprint SHA1: F634D3C2 79A412AF 22351C6E 2EEAB870 886BC27B
 X509v3 extensions:
 X509v3 Key Usage: 86000000
 Digital Signature
 Key Cert Sign
 CRL Signature
 X509v3 Subject Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
 X509v3 Basic Constraints:
 CA: TRUE
 Authority Info Access:
 Associated Trustpoints: my-ca
r2#
11-29-2018 07:00 AM - edited 11-29-2018 06:37 PM
Hi,
Please see the error below. I created a new lab and configured it again.
*Nov 30 06:44:46: IKEv2:Adding Proposal aes-cbc-256-proposal to toolkit policy
*Nov 30 06:44:46: IKEv2:(1): Choosing IKE profile profile1
*Nov 30 06:44:46: IKEv2:New ikev2 sa request admitted
*Nov 30 06:44:46: IKEv2:Incrementing outgoing negotiating sa count by one
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
*Nov 30 06:44:46: IKEv2:(SA ID = 1):Setting configured policies
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_PKI_SESH_OPEN
*Nov 30 06:44:46: IKEv2:(SA ID = 1):Opening a PKI session
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
*Nov 30 06:44:46: IKEv2:(SA ID = 1):Action: Action_Null
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
*Nov 30 06:44:46: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Nov 30 06:44:46: IKEv2:No config data to send to toolkit:
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
*Nov 30 06:44:46: IKEv2:Construct Vendor Specific Payload: DELETE-REASON
*Nov 30 06:44:46: IKEv2:Construct Vendor Specific Payload: (CUSTOM)
*Nov 30 06:44:46: IKEv2:Construct Notify Payload: NAT_DETECTION_SOURCE_IP
*Nov 30 06:44:46: IKEv2:Construct Notify Payload: NAT_DETECTION_DESTINATION_IP
*Nov 30 06:44:46: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: I
11-29-2018 06:36 PM - edited 11-29-2018 06:52 PM
Dear all,
After I changed match identity remote dn any to address and local dn to local address,
the tunnel is now up and works.
I got the message below. The IPsec SA is also Active/Active. May I know if the message below is some error?
R1(config-if)#
*Nov 30 18:28:16: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with
*Nov 30 18:28:16: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with
*Nov 30 18:28:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1(config-if)#
*Nov 30 18:28:44: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with
*Nov 30 18:28:44: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with
R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 1.0.12.1/500 1.0.12.2/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/1245 sec
IPv6 Crypto IKEv2 SA
R1#
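Two things in this thread are worth checking mechanically rather than by eye: the `show crypto pki certificates verbose` dumps posted for R1 and R2 both carry the subject `cn=r1` (so any subject-based `match identity remote dn` or certificate-map rule sees the same name on both peers), and after switching to address-based identity the router logs `%CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH` because the IKE ID `1.0.12.2` (type 1, an IPv4 address) does not appear in the peer's certificate. The Python below is an added example, not code from the poster or from Cisco: it parses the IOS `show` output into a structure, links each identity certificate to its CA by Authority/Subject Key ID, and reports validity, EKU, address-in-certificate and duplicate-subject findings. The sample input is abbreviated from the dumps above (the CA certificate is listed once, since both routers show the same serial and fingerprints); the `IP Address:` line under `Subject:` that the parser looks for is an assumed layout for certificates enrolled with an IP address, which the thread's certificates do not have.

```python
import re
from datetime import datetime
# Constructed sample input, abbreviated from the 'show crypto pki certificates verbose' output
# posted for R1 and R2 in this thread (one CA; both routers enrolled with subject cn=r1).
SHOW_R1 = """\
Certificate
 Certificate Serial Number (hex): 5500000021CB515F84C900A61C000000000021
 Issuer:
 cn=crypto-CASVR-CA-1
 dc=crypto
 dc=local
 Subject:
 cn=r1
 Validity Date:
 start date: 01:41:07 SGD Nov 23 2018
 end date: 01:51:07 SGD Nov 23 2020
 X509v3 Authority Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
 Extended Key Usage:
 1.3.6.1.5.5.8.2.2
 IPSEC Tunnel
CA Certificate
 Certificate Serial Number (hex): 3E4E0CD6A71F67A54DB01767A4C7F840
 Subject:
 cn=crypto-CASVR-CA-1
 dc=crypto
 dc=local
 Validity Date:
 start date: 18:08:09 SGD Oct 8 2018
 end date: 18:18:08 SGD Oct 8 2023
 X509v3 Subject Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
"""
SHOW_R2 = """\
Certificate
 Certificate Serial Number (hex): 5500000022714B1CD619EFCABB000000000022
 Subject:
 cn=r1
 Validity Date:
 start date: 17:44:08 UTC Nov 22 2018
 end date: 17:54:08 UTC Nov 22 2020
 X509v3 Authority Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
 Extended Key Usage:
 IPSEC Tunnel
"""
FIELD = re.compile(r"^([^:]+?):\s*(.*)$")
STAMP = re.compile(r"^(\d\d:\d\d:\d\d) \S+ (\w+ \d{1,2} \d{4})$")  # zone token (SGD/UTC) is dropped

def parse_show_pki(text):
    """One dict per certificate block; DNs kept as ordered (attribute, value) lists."""
    certs, cur, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("Certificate", "CA Certificate"):
            certs.append(cur := {"kind": line, "issuer": [], "subject": [], "ip": [], "eku": []})
            section = None
            continue
        m = FIELD.match(line)
        if cur is None or not line:
            continue
        if m and not m.group(2):              # bare 'Issuer:', 'Subject:', ... opens a section
            section = m.group(1)
        elif m:
            key, val = m.groups()
            if key == "IP Address" and section == "Subject":   # assumed layout for ip-address enrolment
                cur["ip"].append(val)
            elif key in ("start date", "end date") and STAMP.match(val):
                t = STAMP.match(val)
                cur[key] = datetime.strptime(f"{t.group(1)} {t.group(2)}", "%H:%M:%S %b %d %Y")
            elif key in ("X509v3 Subject Key ID", "X509v3 Authority Key ID"):
                cur["skid" if "Subject" in key else "akid"] = val
        elif section in ("Issuer", "Subject") and "=" in line:
            cur[section.lower()].append(tuple(line.split("=", 1)))
        elif section == "Extended Key Usage":
            cur["eku"].append(line)
    return certs

def audit(dumps, ike_ids, now):
    """dumps: {router: show output}; ike_ids: {router: ('address'|'dn', value)} the router presents."""
    findings, subjects = [], {}
    cas = {c["skid"]: c for d in dumps.values() for c in parse_show_pki(d) if c["kind"] == "CA Certificate"}
    for r, d in dumps.items():
        c = next(x for x in parse_show_pki(d) if x["kind"] == "Certificate")
        ca, (kind, value) = cas.get(c.get("akid")), ike_ids[r]
        checks = [
            (ca is None, f"{r}: issuing CA (AKID {c.get('akid')}) is not in any trustpoint"),
            (ca is not None and not ca["start date"] <= now <= ca["end date"], f"{r}: issuing CA certificate is outside its validity window"),
            (not c["start date"] <= now <= c["end date"], f"{r}: identity certificate is outside its validity window"),
            ("IPSEC Tunnel" not in c["eku"], f"{r}: identity certificate EKU lacks IPSEC Tunnel"),
            (kind == "address" and value not in c["ip"], f"{r}: IKE ID {value} (address) is not in its certificate; "
             "the peer logs %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH (severity 6, informational)"),
        ]
        findings += [msg for bad, msg in checks if bad]
        subjects.setdefault(",".join(f"{k}={v}" for k, v in c["subject"]), []).append(r)
    for s, rs in subjects.items():
        if len(rs) > 1:
            findings.append(f"subject {s} is shared by {', '.join(rs)}: a subject-based dn or certificate-map match cannot tell them apart")
    return findings

def run_example():   # the thread's two routers as of 30 Nov 2018, with the address IDs seen in 'show crypto ikev2 sa'
    return audit({"R1": SHOW_R1, "R2": SHOW_R2},
                 {"R1": ("address", "1.0.12.1"), "R2": ("address", "1.0.12.2")}, datetime(2018, 11, 30))
```

`run_example()` returns three findings for the thread's data: one per router saying the address ID is absent from the certificate (the informational message the last reply calls a warning), and one saying `cn=r1` is shared by R1 and R2. Re-enrolling R2 under its own subject, or matching on an attribute that differs between the two certificates, is what a certificate-map rule needs in order to select a distinct profile per peer.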
11-29-2018 07:27 PM
That is just a warning message.