IPsec tunnel between two Cisco routers doesn't work

MrBeginner
Spotlight

Dear All,

I am a beginner in VPN. I am trying to set up a site-to-site VPN with IKEv2 using CA authentication, but I don't get any IKE negotiation and my IPsec tunnel doesn't work. Please see the config below and please advise me. IKEv2 session and status show nothing.

 

R1#sh crypto ikev2 session
R1#sh crypto ikev2 session
%Error opening tftp://255.255.255.255/network-confg (Timed out)
R1#sh crypto ikev2 session
*Nov 22 16:30:56: %SYS-4-CONFIG_RESOLVE_FAILURE: System config parse from (tftp://255.255.255.255/network-confg) fa
R1#sh crypto ikev2 sta
R1#sh crypto ikev2 stats
--------------------------------------------------------------------------------
Crypto IKEv2 SA Statistics
--------------------------------------------------------------------------------
System Resource Limit: 0 Max IKEv2 SAs: 0 Max in nego(in/out): 40/400
Total incoming IKEv2 SA Count: 0 active: 0 negotiating: 0
Total outgoing IKEv2 SA Count: 0 active: 0 negotiating: 0
Incoming IKEv2 Requests: 5 accepted: 5 rejected: 0
Outgoing IKEv2 Requests: 5 accepted: 5 rejected: 0
Rejected IKEv2 Requests: 0 rsrc low: 0 SA limit: 0
IKEv2 packets dropped at dispatch: 0
Incoming Requests dropped as LOW Q limit reached : 0
Incoming IKEV2 Cookie Challenged Requests: 0
accepted: 0 rejected: 0 rejected no cookie: 0
Total Deleted sessions of Cert Revoked Peers: 0

R1#


15 Replies

Shakti Kumar
Cisco Employee

Hello,

Can you provide the below debugs from both sides?

 

debug crypto condition peer ipv4 <public ip address of the peer>

debug crypto ikev2 error

debug crypto ikev2

debug crypto ikev2 internal

debug crypto ikev2 packet

debug crypto ipsec error

debug crypto ipsec

debug crypto pki message

debug crypto pki transactions

debug crypto unmatched ikev2

Hi,

Please see the log below and please help me to troubleshoot.

I think something is wrong with my certificate authentication, but I don't know which part is wrong. Maybe the identity type or the subject name part?

May I know why, if I don't put the rsakeypair my-ca 2048 command in the router, I get the minimum public key error when I request the CA?

Seems that we are getting authentication failed from the remote end.

 




*Nov 22 19:35:48: IKEv2:(SESSION ID = 6,SA ID = 1):Received Packet [From 10.1.14.80:500/To 10.1.14.70:500/VRF i0:f0]
Initiator SPI : AA4F316ED4E912E9 - Responder SPI : 5F3A8A76E29AE34A Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
*Nov 22 19:35:48: IKEv2-PAK:(SESSION ID = 6,SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 80
Payload contents:
 NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: AUTHENTICATION_FAILED

 

 

Can you provide the debugs from the remote end?

 

 

Thanks,

Shakti

Hi,
The remote end didn't show any debug messages. How can I see them?

Hi,

Please see the R1 log and R2 log.

I also thought it is the authentication part of the certificate, but I don't know which field is wrong and which part we need to correct.

Hi,

Seems IKEv2 is not able to pick up the correct profile.

Please provide me with the debug and output below from both devices.

 

sh crypto pki certificates

debug crypto unmatched ikev2

 

 

Hi, authentication with certificates has several matters: 1- the time of your devices must be synced, 2- they must be valid (for you revocation doesn't matter), 3- the parameters you have defined in your trustpoint and IPsec part.
As I see here, the problem is here:
Nov 22 14:49:24.646: IKEv2:(SESSION ID = 24,SA ID = 1):Searching policy based on peer's identity 'cn=r1' of type 'DER ASN1 DN'
*Nov 22 14:49:24.646: IKEv2-ERROR:(SESSION ID = 24,SA ID = 1):: Failed to locate an item in the database

Get a show of your certificate and look in it; if you don't have this part in your certificate, you can use the parts that you have instead, for example: cn=r1

Hi,

Please see the certificates for R1 and R2.

R1#sh crypto pki certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 5500000021CB515F84C900A61C000000000021
Certificate Usage: General Purpose
Issuer:
cn=crypto-CASVR-CA-1
dc=crypto
dc=local
Subject:
Name: r1
cn=r1
CRL Distribution Points:
ldap:///CN=crypto-CASVR-CA-1,CN=CASVR,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 01:41:07 SGD Nov 23 2018
end date: 01:51:07 SGD Nov 23 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
--More--
*Nov 23 15:07:10: CRYPTO_PKI: unable to build cert attributes list
*Nov 23 15:07:10: CRYPTO_PKI: unable to build cert attributes list
*Nov 23 15:07:10: CRYPTO_PKI: unable to build cert attri
Fingerprint MD5: 7DFC4674 058DAB98 E7361C53 20A75EAB
Fingerprint SHA1: 8308D607 9997B283 3E029256 C2077EBD 12DC12EF
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: 4A443231 4DC63BC9 F5DC7F83 8E872C7C AC98B7E8
X509v3 Authority Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
Authority Info Access:
Extended Key Usage:
Client Auth
1.3.6.1.5.5.8.2.2
IPSEC Tunnel
Server Auth
Associated Trustpoints: my-ca
Key Label: my-ca

CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3E4E0CD6A71F67A54DB01767A4C7F840
Certificate Usage: Signature
Issuer:
cn=crypto-CASVR-CA-1
dc=crypto
dc=local
Subject:
cn=crypto-CASVR-CA-1
dc=crypto
dc=local
Validity Date:
start date: 18:08:09 SGD Oct 8 2018
end date: 18:18:08 SGD Oct 8 2023
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 8B1230F4 E3F89E9E 5BA755F4 E97FC9A8
Fingerprint SHA1: F634D3C2 79A412AF 22351C6E 2EEAB870 886BC27B
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: my-ca


R1#

r2#sh crypto pki certificates verbose
Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 5500000022714B1CD619EFCABB000000000022
Certificate Usage: General Purpose
Issuer:
cn=crypto-CASVR-CA-1
dc=crypto
dc=local
Subject:
Name: r1
cn=r1
CRL Distribution Points:
ldap:///CN=crypto-CASVR-CA-1,CN=CASVR,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
Validity Date:
start date: 17:44:08 UTC Nov 22 2018
end date: 17:54:08 UTC Nov 22 2020
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
--More--
*Nov 23 07:07:42.854: CRYPTO_PKI: unable to build cert attributes list
*Nov 23 07:07:42.866: CRYPTO_PKI: unable to build cert attributes list
*Nov 23 07:07:42.866: CRYPTO_PKI: unable to build cert attri
Fingerprint MD5: 46AAE612 2CBF045D 00D22513 277AD8EF
Fingerprint SHA1: 34F7578E 8CC3A336 49EBE6EE E21E54A8 D1B5A9E8
X509v3 extensions:
X509v3 Key Usage: A0000000
Digital Signature
Key Encipherment
X509v3 Subject Key ID: F28BB25B EE7B2FE4 4B09E19F 378BD709 C6BC593D
X509v3 Authority Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
Authority Info Access:
Extended Key Usage:
Client Auth
1.3.6.1.5.5.8.2.2
IPSEC Tunnel
Server Auth
Associated Trustpoints: my-ca
Key Label: my-ca

CA Certificate
Status: Available
Version: 3
Certificate Serial Number (hex): 3E4E0CD6A71F67A54DB01767A4C7F840
Certificate Usage: Signature
Issuer:
cn=crypto-CASVR-CA-1
dc=crypto
dc=local
Subject:
cn=crypto-CASVR-CA-1
dc=crypto
dc=local
Validity Date:
start date: 10:08:09 UTC Oct 8 2018
end date: 10:18:08 UTC Oct 8 2023
Subject Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Signature Algorithm: SHA256 with RSA Encryption
Fingerprint MD5: 8B1230F4 E3F89E9E 5BA755F4 E97FC9A8
Fingerprint SHA1: F634D3C2 79A412AF 22351C6E 2EEAB870 886BC27B
X509v3 extensions:
X509v3 Key Usage: 86000000
Digital Signature
Key Cert Sign
CRL Signature
X509v3 Subject Key ID: CFCB254D BD6E4EC9 8F19178C 4D30D9A7 A74DD044
X509v3 Basic Constraints:
CA: TRUE
Authority Info Access:
Associated Trustpoints: my-ca


r2#

 

Hi, try crypto pki certificate map; I think it will fix your problem. Use the link below as an example: http://itbundle.net/archives/2934

Hi,
I am trying to fix it, but it is still not working.

Hi,
Do the logs show any change in the failure?

Hi,

Please see the error below. I created a new lab and configured it again.

 

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.11.29 22:44:20 =~=~=~=~=~=~=~=~=~=~=~=

*Nov 30 06:44:46: IKEv2:Adding Proposal aes-cbc-256-proposal to toolkit policy
*Nov 30 06:44:46: IKEv2:(1): Choosing IKE profile profile1
*Nov 30 06:44:46: IKEv2:New ikev2 sa request admitted
*Nov 30 06:44:46: IKEv2:Incrementing outgoing negotiating sa count by one
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
*Nov 30 06:44:46: IKEv2:(SA ID = 1):Setting configured policies
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_PKI_SESH_OPEN
R2(config-ikev2-policy)#
*Nov 30 06:44:46: IKEv2:(SA ID = 1):Opening a PKI session
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
*Nov 30 06:44:46: IKEv2:(SA ID = 1):Action: Action_Null
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
*Nov 30 06:44:46: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
R2(config-ikev2-policy)#
*Nov 30 06:44:46: IKEv2:No config data to send to toolkit:
*Nov 30 06:44:46: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=960F0E0F21802591 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
*Nov 30 06:44:46: IKEv2:Construct Vendor Specific Payload: DELETE-REASON
*Nov 30 06:44:46: IKEv2:Construct Vendor Specific Payload: (CUSTOM)
*Nov 30 06:44:46: IKEv2:Construct Notify Payload: NAT_DETECTION_SOURCE_IP
*Nov 30 06:44:46: IKEv2:Construct Notify Payload: NAT_DETECTION_DESTINATION_IP
*Nov 30 06:44:46: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: I

Dear all,

After I changed match identity remote dn any to address, and local dn to local address, the tunnel is now up and working.

I got the message below. The IPsec SA is also Active/Active. May I know if the message below is some error?

 

R1(config-if)#
*Nov 30 18:28:16: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with
*Nov 30 18:28:16: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with
*Nov 30 18:28:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
R1(config-if)#
*Nov 30 18:28:44: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with
*Nov 30 18:28:44: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 1.0.12.2 (type 1) and certificate addr with

 

R1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 1.0.12.1/500 1.0.12.2/500 none/none READY
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/1245 sec

IPv6 Crypto IKEv2 SA

R1#

 

That is just a warning message.
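Two ways to bind the IKEv2 profile to the peer, as an added example that is not the poster's or any reply's configuration: variant A is the certificate-map approach suggested in the accepted answer, variant B is the address-based match the poster reports as working. The trustpoint my-ca, profile name profile1 and addresses 1.0.12.1/1.0.12.2 come from the thread; the map name PEER-R2-MAP and the peer subject cn=r2 are assumed (the R2 output above also shows subject cn=r1, so a subject-name match only tells the routers apart if each enrolls with its own distinct subject).

```cisco
! Added example, not the poster's configuration. PEER-R2-MAP and cn=r2 are
! assumed names; my-ca, profile1, 1.0.12.1 and 1.0.12.2 are from the thread.
!
! Variant A (R1 side): select the profile by the peer certificate's fields.
! "co" means "contains"; the issuer-name line pins the peer to this CA.
crypto pki certificate map PEER-R2-MAP 10
 issuer-name co cn=crypto-casvr-ca-1
 subject-name co cn=r2
!
crypto ikev2 profile profile1
 match certificate PEER-R2-MAP
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint my-ca
!
! Variant B (R1 side): what the poster ended up with. The peer is still
! authenticated with its certificate (rsa-sig), but the IKE identity is the
! IP address, so IOS logs %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH when the
! certificate carries no matching address field; the thread notes this is
! only a warning. Use one variant, not both, under the same profile name.
crypto ikev2 profile profile1
 match identity remote address 1.0.12.2 255.255.255.255
 identity local address 1.0.12.1
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint my-ca
```

Variant A is the tighter binding: the peer must present a certificate from the expected CA with the expected subject, not merely arrive from the expected address.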
