12-20-2012 08:03 AM
Hi,
I have an 881+7 (15.2(4)M2) connected to an ASR 1001 (03.07.01.S) via the Internet. The goal is to set up DVTI on the ASR, use FlexVPN on the CPE and inject crypto IKEv2 routes into the VRF on the PE for the protected subnets on the CPE, while using pre-shared keys for authentication and RADIUS to send back the attributes.
I can get the tunnel working fine but I cannot get the crypto routes.
My configs:
881+7 CPE:
crypto ikev2 keyring KEYRING-CPE
peer ASR
address <ASR_IP>
pre-shared-key abcd
!
crypto ikev2 profile IKEV2-PROFILE-CPE
match identity remote address <ASR_IP> 255.255.255.255
identity local fqdn cpe.ipsec.net
authentication remote pre-share
authentication local pre-share
keyring local KEYRING-CPE
dpd 30 2 periodic
!
crypto ipsec transform-set TFS-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile default
set transform-set TFS-AES256-SHA-HMAC
set ikev2-profile IKEV2-PROFILE-CPE
!
crypto ikev2 client flexvpn FLEX
peer 1 <ASR_IP>
client inside Loopback0
client connect Tunnel0
!
interface Loopback0
ip address <PROTECTED_CPE_SUBNET> 255.255.255.255
!
interface Tunnel0
ip address negotiated
tunnel source Dialer2
tunnel mode ipsec ipv4
tunnel destination dynamic
tunnel protection ipsec profile default
ASR PE:
aaa authorization network IPSEC-AUTHOR group AAA-GROUP-IPSEC-RADIUS
!
crypto ikev2 dpd 60 2 periodic
!
crypto ikev2 profile IKEV2-PROFILE-ASR
match fvrf FVRF
match identity remote fqdn domain ipsec.net
authentication remote pre-share
authentication local pre-share
keyring aaa IPSEC-AUTHOR
aaa authorization user psk list IPSEC-AUTHOR
virtual-template 1
!
crypto ipsec transform-set TFS-AES256-SHA-HMAC esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile default
set transform-set TFS-AES256-SHA-HMAC
set ikev2-profile IKEV2-PROFILE-ASR
responder-only
!
interface Virtual-Template1 type tunnel
no ip address
tunnel source GigabitEthernet0/0/3
tunnel mode ipsec ipv4
tunnel vrf FVRF
tunnel protection ipsec profile default
RADIUS username definition:
cpe.ipsec.net
Tunnel-Password = abcd,
Framed-IP-Address=172.16.0.254,
Framed-IP-Netmask=255.255.255.254,
cisco-avpair="ip:interface-config=vrf forwarding test",
cisco-avpair="ip:interface-config=ip address 172.16.0.255 255.255.255.254",
cisco-avpair="ipsec:route-set=interface",
cisco-avpair="ipsec:route-set=prefix <PROTECTED_CPE_SUBNET>/32",
cisco-avpair="ipsec:route-accept=any"
The tunnel interface is coming UP on the CPE, and the virtual-access interface is UP on the ASR. I could use BGP to exchange routing information between PE and CPE, but I want to use IKE.
I think the problem is that I don't know how to invoke an IKEv2 authorization policy on the CPE (in which I could configure an access-list for the <PROTECTED_SUBNET>). But on the CPE I have the following limitations:
I want to use PSK for authentication, but no RADIUS server is available. So the only other option for PSK authentication is a locally defined keyring, as there is no way to use a locally defined username (local authentication) with a keyring.
Then how can I trigger an IKEv2 authorization policy under the IKEv2 profile?
CPE(config-ikev2-profile)#aaa authorization user psk list ?
WORD AAA list name
If I define a local aaa authorization list, then the whole authentication fails:
aaa authorization network default local
crypto ikev2 profile IKEV2-PROFILE-CPE
aaa authorization user psk list default
*Dec 20 15:52:27.042 UTC: %IKEV2-3-NEG_ABORT: Negotiation aborted due to ERROR: Auth exchange failed
And there is no way to trigger the authorization policy if I don't configure the command above, is there? I tried altering the default authorization policy with the access-list, but it's not taken into account.
If I'm using a crypto map with an access-list and IKEv2, I can get the crypto route on the ASR. But I want to use FlexVPN on the CPE.
Is there a way to achieve this?
Also, the IOS configuration guides are not of much help.
Thank you,
Radu
12-20-2012 09:42 AM
Hello,
Instead of
aaa authorization user psk list default
You should have
aaa authorization group psk list default
If that's the case, you hit CSCtw74492
Cheers,
Olivier
12-21-2012 01:29 AM
Thanks for the reply Olivier!
I've tried with both user | group and the result is the same:
.Dec 21 09:12:42.295 UTC: IKEv2:Adding Proposal default to toolkit policy
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):Using IKEv2 profile 'IKEV2-PROFILE-CPE'
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_POLICY_BY_PEERID
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_AUTH_TYPE
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_GET_PRESHR_KEY
.Dec 21 09:12:42.295 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_VERIFY_AUTH
.Dec 21 09:12:42.299 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK_EAP
.Dec 21 09:12:42.299 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NOTIFY_AUTH_DONE
.Dec 21 09:12:42.299 UTC: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=AE319370B15625DB R_SPI=59F98CFBB392558D (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_NO_EVENT
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA author request for '87.84.214.31'
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA - policy '87.84.214.31' does not exist.
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 authorization error 162
I don't think local authorization can work with PSK, since it is said here that "Local AAA is not supported for AAA-based preshared keys."
12-21-2012 02:19 AM
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA author request for '87.84.214.31'
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 local AAA - policy '87.84.214.31' does not exist.
.Dec 21 09:12:42.299 UTC: IKEv2:IKEv2 authorization error 162
Not sure what your config looks like, but here it says it can't find
crypto ikev2 authorization policy 87.84.214.31
<...>
Is it configured?
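Putting Olivier's two answers together with the original question: once the CPE uses a local authorization list, the "group psk" form of the command, and a policy whose name matches the identity the ASR presents (its address, since the ASR profile sets no identity local and PSK identity defaults to the IP), the CPE can push its protected subnet to the ASR over IKEv2 without RADIUS on the CPE side. The snippet below is an added illustration, not configuration posted in this thread; the ACL name PROTECTED-NETS, the placeholder <ASR_IP> and <PROTECTED_CPE_SUBNET>, and the assumption that this IOS release accepts "route set access-list" are all mine.

```cisco-ios
! CPE side (added example, not the thread's own config)
! Local AAA list referenced by the IKEv2 profile; "local" means the
! authorization data comes from "crypto ikev2 authorization policy" entries.
aaa new-model
aaa authorization network default local
!
! Subnets the CPE wants the ASR to install routes for. The thread uses a
! /32 loopback, hence "host"; a wider prefix needs the matching wildcard.
ip access-list standard PROTECTED-NETS
 permit host <PROTECTED_CPE_SUBNET>
!
! With "aaa authorization group psk list default" and no explicit username,
! IOS looks up a policy named after the peer's IKEv2 identity, which for
! the ASR is its address (the debug showed policy '87.84.214.31' missing).
crypto ikev2 authorization policy <ASR_IP>
 route set interface
 route set access-list PROTECTED-NETS
 route accept any
!
crypto ikev2 profile IKEV2-PROFILE-CPE
 match identity remote address <ASR_IP> 255.255.255.255
 identity local fqdn cpe.ipsec.net
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING-CPE
 ! "group", not "user": user authorization is the EAP/RADIUS username path.
 aaa authorization group psk list default
 dpd 30 2 periodic
!
! Optional alternative (assumption: the trailing aaa-username argument is
! supported on this release): pin the policy name instead of deriving it
! from the peer identity, so a changed ASR address does not break routing.
!  crypto ikev2 authorization policy FLEX-AUTHOR
!  aaa authorization group psk list default FLEX-AUTHOR
```

To confirm the exchange worked rather than just the tunnel, "show crypto ikev2 sa detailed" on either box should list the peer's prefixes under the remote subnets, and on the ASR "show ip route vrf test static" should show <PROTECTED_CPE_SUBNET> pointing at the Virtual-Access interface. If the authorization error 162 from the debug reappears, "show crypto ikev2 authorization policy" quickly tells you whether the policy name really matches the identity in the debug line.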
12-21-2012 10:19 AM
Thank you Olivier!!!
I see now where I was wrong and now it's working!
Merry Christmas to you, you saved my week
Radu
12-21-2012 11:38 AM
Excellent!
Can you mark the question as answered?
Merry Xmas and Happy new year!
12-04-2014 07:41 AM
I am trying to do something similar. Any chance you can share your working config?