IPsec VPN between Cisco and Huawei

IPS ZAOIPS
Level 1

Good afternoon,

I am asking for help in solving the following problem:

GRE over IPsec SVTI between a Cisco router and a Huawei, IKEv2.

 

crypto ipsec transform-set AES-256-SHA-256 esp-aes 256 esp-sha256-hmac
mode tunnel

With this transform set the VPN is up, but traffic does not pass. With

crypto ipsec transform-set AES-256-SHA esp-aes 256 esp-sha-hmac
mode tunnel

traffic starts to pass. What could be the problem?

IOS version 15.6(3)M4; what is on the Huawei side I cannot find out at the moment, but I will specify it if necessary.

 

Thank you

10 Replies

Dennis Mink
VIP Alumni

Is the phase 1 (IKEv2) SA and the IPsec SA established?

 

Do you see the encrypt and decrypt byte counters on the IPsec SA increase when you generate interesting traffic?

Please remember to rate useful posts, by clicking on the stars below.

1)  Tunnel-id Local Remote fvrf/ivrf Status
1 X.X.X.X/500 X.X.X.X/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/17465 sec

2)  sh crypto ipsec sa peer X.X.X.X

interface: Tunnel32
Crypto map tag: Tunnel32-head-0, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 66774

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0x27158FEB(655724523)
PFS (Y/N): Y, DH group: group14

inbound esp sas:
spi: 0xC317A9ED(3273107949)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 261, flow_id: Onboard VPN:261, sibling_flags 80000040, crypto map: Tunnel32-head-0
sa timing: remaining key lifetime (k/sec): (4203393/1105)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x27158FEB(655724523)
transform: esp-256-aes esp-sha256-hmac ,
in use settings ={Tunnel, }
conn id: 262, flow_id: Onboard VPN:262, sibling_flags 80000040, crypto map: Tunnel32-head-0
sa timing: remaining key lifetime (k/sec): (4203459/1105)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Traffic seems to be one way:

interface: Tunnel32
Crypto map tag: Tunnel32-head-0, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15   <----------egress
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0    <----ingresss
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 66774

Seems like a problem on the Huawei end. Seeing no traffic coming into the tunnel from Huawei (0 decapsulations).

Please remember to rate useful posts, by clicking on the stars below.
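A small check that reproduces Dennis's reading of the counters above, so that the one-way pattern (encaps rising, decaps stuck at zero, recv errors climbing) can be spotted automatically when looking at `show crypto ipsec sa` on many tunnels. This is an added example, not code from the thread or from Cisco; the sample text is constructed to mirror the counter lines quoted in this post, and the function names and the rules in `diagnose()` are my own.

```python
"""Added example: flag a one-way IPsec SA from "show crypto ipsec sa" counters."""
import re

# Constructed sample text, modelled on the counter lines quoted in the thread
# (encaps rising, decaps stuck at zero, recv errors climbing).
SAMPLE_ONE_WAY = """\
interface: Tunnel32
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors 0, #recv errors 66774
"""

# Constructed healthy counterpart for comparison.
SAMPLE_HEALTHY = """\
interface: Tunnel32
#pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
#send errors 0, #recv errors 0
"""

# Matches "#pkts encaps: 15", "#send errors 0", "#pkts compr. failed: 0", ...
# The "pkts " prefix is optional because the error counters do not carry it.
COUNTER_RE = re.compile(r"#(?:pkts )?([a-z][a-z. ]*?):?\s(\d+)")


def parse_counters(text: str) -> dict:
    """Return {counter name: value} for every '#...' counter in the output."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def diagnose(counters: dict) -> list:
    """Explain what the counter pattern means from the local router's point of view."""
    encaps = counters.get("encaps", 0)
    decaps = counters.get("decaps", 0)
    verify = counters.get("verify", 0)
    recv_errors = counters.get("recv errors", 0)
    findings = []
    if encaps > 0 and decaps == 0:
        findings.append("one-way: we encapsulate but never decapsulate; "
                        "the peer is not sending, or its packets are being rejected")
    if recv_errors > 0 and verify == 0:
        findings.append("inbound ESP arrives but is dropped: recv errors with zero "
                        "verified packets points at an integrity (HMAC) mismatch, "
                        "the same condition that logs %CRYPTO-4-RECVD_PKT_MAC_ERR")
    return findings


if __name__ == "__main__":
    for label, sample in (("one-way", SAMPLE_ONE_WAY), ("healthy", SAMPLE_HEALTHY)):
        print(label, diagnose(parse_counters(sample)) or ["no problem detected"])
```

The second rule is the one worth keeping an eye on: a peer that simply is not sending produces zero decaps and zero recv errors, whereas recv errors rising together with zero verified packets means ESP is arriving and failing the integrity check, which is a parameter mismatch rather than a routing problem.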

interface: Tunnel32
Crypto map tag: Tunnel32-head-0, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest: 15 <----------egress
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 <----ingresss
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 66774 <--------------errors

And what could be causing this error?
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection

Thanks Dennis,

MAC is message authentication code; you are using HMAC on the Cisco end. Get on the Huawei and confirm you are using the same parameters, otherwise you will never fix this issue.

Please remember to rate useful posts, by clicking on the stars below.

a.alekseev
Level 7
Show the config on both sides.

CISCO

crypto ikev2 proposal V2MASTER
encryption aes-cbc-256
prf sha256
integrity sha256
group 14 19
crypto ikev2 policy POL-MASTER
match address local X.X.X.X
proposal V2MASTER
crypto ikev2 keyring KR-MASTER
!
peer N1
address X.X.X.Y
pre-shared-key *******
!
crypto ikev2 profile PRO-MASTER
match identity remote any
authentication local pre-share
authentication remote pre-share
keyring local KR-MASTER

crypto ipsec transform-set AES-256-SHA-256 esp-aes 256 esp-sha256-hmac
mode tunnel

crypto ipsec profile IPSEC-PRO-ALL
set transform-set AES-256-SHA-256
set pfs group14
set ikev2-profile PRO-MASTER

interface Tunnel32
ip address 10.10.10.3 255.255.255.254
ip mtu 1467
no ip route-cache
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination X.X.X.Y
tunnel protection ipsec profile IPSEC-PRO-ALL

HUAWEI

ipsec proposal ipsec_prop_elk
esp authentication-algorithm sha2-256
esp encryption-algorithm aes-256

ike proposal 2
encryption-algorithm aes-cbc-256
dh group14
authentication-algorithm sha2-256
prf hmac-sha2-256

ike peer el-r1 v2
pre-shared-key simple ********
ike-proposal 2
local-address X.X.X.Y
dpd type periodic
dpd idle-time 40
dpd retransmit-interval 10
sa binding vpn-instance Internet

ipsec profile ipsec_elk1
ike-peer el-r1
proposal ipsec_prop_elk
pfs dh-group14

interface LoopBack10
ip binding vpn-instance Internet
ip address X.X.X.Y 255.255.255.255

interface Tunnel0/0/500
mtu 1467
ip binding vpn-instance PC-Side
tcp adjust-mss 1360
ip address 10.10.10.2 255.255.255.254
tunnel-protocol ipsec
source LoopBack10
destination vpn-instance Internet X.X.X.X
ipsec profile ipsec_elk1

https://bugzilla.redhat.com/show_bug.cgi?id=1077641
It looks like Cisco implements a draft version of the SHA2-256 truncation instead of the final RFC version.

If you want to use the SHA2 algorithm between Cisco and Huawei you must activate the compatible version of this algorithm (on the Huawei side), e.g. on a Huawei AR 2240, in system view, you need to enter the command ip authentication sha2 compatible enable. I had a similar problem; this was the solution.

Also, if you want to use the Huawei DPD mechanism (the alternative to Cisco keepalive) between Cisco and Huawei, you should change the sequence of DPD messages on the Huawei side, in the ike peer configuration, with the command dpd msg seq-hash-notify.
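To make the truncation point concrete: RFC 4868 truncates the HMAC-SHA-256 output to 128 bits (16 bytes) when it is used as an ESP integrity algorithm, while the earlier draft truncated it to 96 bits (12 bytes). The following is an added example, not code from the thread or from either vendor, that builds a minimal ESP-shaped packet and shows that a receiver expecting the other truncation length rejects every packet, which is exactly the "mac verify failed" symptom with zero decaps seen earlier in the thread. The key, payload and packet layout are constructed for illustration; only the SPI value is the one quoted in the `show crypto ipsec sa` output above.

```python
"""Added example: why HMAC-SHA-256 truncation length must match on both IPsec peers."""
import hashlib
import hmac

RFC4868_ICV_BYTES = 16   # 128-bit truncation, the final RFC behaviour
DRAFT_ICV_BYTES = 12     # 96-bit truncation, the old draft behaviour the thread attributes to Cisco


def compute_icv(key: bytes, authenticated: bytes, icv_len: int) -> bytes:
    """HMAC-SHA-256 over the authenticated ESP region, truncated to icv_len bytes."""
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:icv_len]


def build_esp(key: bytes, spi: int, seq: int, ciphertext: bytes, icv_len: int) -> bytes:
    """Build a minimal ESP packet: SPI | sequence number | ciphertext | ICV.

    The ICV covers everything in front of it (ESP header plus encrypted payload),
    which is how ESP integrity protection is laid out; padding and the trailer are
    folded into `ciphertext` here to keep the example short."""
    header = spi.to_bytes(4, "big") + seq.to_bytes(4, "big")
    body = header + ciphertext
    return body + compute_icv(key, body, icv_len)


def verify_esp(key: bytes, packet: bytes, icv_len: int) -> bool:
    """Receiver side: split off an ICV of the length *it* expects and recompute."""
    if len(packet) < 8 + icv_len:
        return False
    body, received_icv = packet[:-icv_len], packet[-icv_len:]
    expected = compute_icv(key, body, icv_len)
    return hmac.compare_digest(received_icv, expected)


def interop(sender_icv_len: int, receiver_icv_len: int) -> bool:
    """Send one ESP packet between peers that may disagree on the truncation length."""
    key = b"\x11" * 32                       # constructed sample key; real keys come from IKEv2
    ciphertext = bytes(range(48))            # constructed stand-in for the encrypted payload
    pkt = build_esp(key, spi=0x27158FEB, seq=1, ciphertext=ciphertext, icv_len=sender_icv_len)
    return verify_esp(key, pkt, receiver_icv_len)


if __name__ == "__main__":
    cases = {
        "both RFC 4868 (128-bit)": (RFC4868_ICV_BYTES, RFC4868_ICV_BYTES),
        "both draft (96-bit)": (DRAFT_ICV_BYTES, DRAFT_ICV_BYTES),
        "sender draft, receiver RFC": (DRAFT_ICV_BYTES, RFC4868_ICV_BYTES),
        "sender RFC, receiver draft": (RFC4868_ICV_BYTES, DRAFT_ICV_BYTES),
    }
    for name, (s, r) in cases.items():
        print(f"{name}: {'verified' if interop(s, r) else 'MAC verify failed'}")
```

When the lengths disagree, the receiver slices the packet at the wrong boundary, so it compares a recomputed tag against bytes that are partly ciphertext and partly a differently sized tag; the check fails on every packet, not intermittently. That is why the thread's SHA-1 transform set (`esp-sha-hmac`, always 96 bits on both vendors) works immediately, and why the fix for SHA-256 is to make one side use the other's truncation rather than to change keys or lifetimes.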