03-27-2025 09:16 PM
Dear experts,
I'm having an issue: I currently have IKEv2 configured and am trying to set up a FlexVPN between two routers. The configuration looks good, but I can't get the SAs to come up. Please help.
////LOGS RTR2
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: Received no proposal chosen notify
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xAE1D25CB]
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.1.1.1:500/From 192.0.2.2:500/VRF i0:f0]
Initiator SPI : 689253DDD64DA5B8 - Responder SPI : 1321155111869F57 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x689253DDD64DA5B8 RSPI: 0x1321155111869F57]
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
*Mar 28 04:03:03.211: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Mar 28 04:03:03.240: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.1.1.1:500/To 192.0.2.2:500/VRF i0:f0]
Initiator SPI : 689253DDD64DA5B8 - Responder SPI : 1321155111869F57 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
*Mar 28 04:03:03.240: IKEv2:(SESSION ID = 1,SA ID = 1):parsing ENCR payload
*Mar 28 04:03:03.240: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Mar 28 04:03:03.240: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Mar 28 04:03:03.240: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Mar 28 04:03:03.240: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.1.1.1:500/From 192.0.2.2:500/VRF i0:f0]
Initiator SPI : 689253DDD64DA5B8 - Responder SPI : 1321155111869F57 Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
*Mar 28 04:03:03.272: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.1.1.1:500/To 192.0.2.2:500/VRF i0:f0]
Initiator SPI : 689253DDD64DA5B8 - Responder SPI : 1321155111869F57 Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
*Mar 28 04:03:03.272: IKEv2:(SESSION ID = 1,SA ID = 1):parsing ENCR payload
*Mar 28 04:03:03.272: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Mar 28 04:03:03.272: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
//////RTR1_HUB////////////
crypto ikev2 proposal VPN_PROPOSAL
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy VPN_POLICY
proposal VPN_PROPOSAL
!
crypto ikev2 keyring VPN_KEYRING
peer RTR2_SPOKE
address 192.0.2.2
hostname RTR2_SPOKE
pre-shared-key cisco123
!
peer RTR3_SPOKE
address 198.51.100.2
hostname RTR3_SPOKE
pre-shared-key cisco456
!
peer RTR4_SPOKE
address 203.0.113.2
hostname RTR4_SPOKE
pre-shared-key cisco789
!
!
!
crypto ikev2 profile VPN_PROFILE
match identity remote address 192.0.2.2 255.255.255.255
identity local address 10.1.1.1
authentication remote pre-share
authentication local pre-share
keyring local VPN_KEYRING
dpd 30 2 on-demand
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set VPN_TS
set ikev2-profile VPN_PROFILE
!
interface Loopback0
ip address 10.1.1.1 255.255.255.255
!
interface Loopback1
description HUB_LAN_SUBNET
ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet1
description LINK to RTR2
ip address 192.0.2.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
description LINK TO RTR3
ip address 198.51.100.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
description LINK to RTR4
ip address 203.0.113.1 255.255.255.0
negotiation auto
!
interface GigabitEthernet4
no ip address
shutdown
negotiation auto
!
interface Virtual-Template500
description Dynamic tunnel template for spokes
no ip address
!
interface Virtual-Template504 type tunnel
ip address 172.16.100.1 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
ip route 192.168.2.0 255.255.255.0 172.16.100.2 name RTR2_SPOKE
ip route 192.168.3.0 255.255.255.0 172.16.100.3 name Route-to-SPOKE3-LAN
ip route 192.168.4.0 255.255.255.0 172.16.100.4 name Route-to-SPOKE4-LAN
ip ssh bulk-mode 131072
////RTR2/////
crypto ikev2 proposal VPN_PROPOSAL
encryption aes-cbc-256
integrity sha256
group 14
!
crypto ikev2 policy VPN_POLICY
proposal VPN_PROPOSAL
!
crypto ikev2 keyring VPN_KEYRING
peer RTR1_HUB
address 10.1.1.1
hostname RTR1_HUB
pre-shared-key cisco123
!
!
!
crypto ikev2 profile VPN_PROFILE
match identity remote address 10.1.1.1 255.255.255.255
identity local address 192.0.2.2
authentication remote pre-share
authentication local pre-share
keyring local VPN_KEYRING
dpd 30 2 on-demand
!
!
crypto ipsec transform-set VPN_TS esp-aes 256 esp-sha256-hmac
mode tunnel
!
crypto ipsec profile IPSEC_PROFILE
set transform-set VPN_TS
set ikev2-profile VPN_PROFILE
!
!
!
interface Loopback0
ip address 10.2.2.2 255.255.255.255
!
interface Loopback1
description SPOKE LAN SUBNET
ip address 192.168.2.1 255.255.255.0
!
interface Tunnel0
description tunnel to hub
ip address 172.16.100.2 255.255.255.0
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 10.1.1.1
tunnel protection ipsec profile IPSEC_PROFILE
!
interface GigabitEthernet1
description LINK To HUB
ip address 192.0.2.2 255.255.255.0
negotiation auto
ip route 0.0.0.0 0.0.0.0 192.0.2.1 name Default-Route-to-Hub-LAN
ip route 192.168.1.0 255.255.255.0 172.16.100.1 name rout-to-hub-lan
03-27-2025 11:57 PM - edited 03-28-2025 12:59 AM
@chrisb58, you don't have the virtual-template referenced under the IKEv2 profile on the hub; try this:
crypto ikev2 profile VPN_PROFILE
virtual-template 504
You've got keyrings for additional spokes, but they would never work as there is no remote identity to match under the IKEv2 profile (only RTR2); you might be better off using fqdn domain for the identity in the IKEv2 profile when using a dVTI with multiple spokes. Example.
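As an added example (not code from the thread or from either router), here is a small Python lint that runs over a pasted IOS config and checks exactly the two gaps raised in the reply: a dVTI whose IKEv2 profile has no `virtual-template` line, and keyring peers whose address is covered by no `match identity remote address` rule in the profile that uses that keyring. The sample config is a trimmed copy of the hub config posted above; the "fixed" variant is constructed for the example and closes the gap with per-spoke address matches, which is one option alongside the fqdn-domain matching the reply suggests. The parser assumes, as in this paste, that IOS's sub-command indentation was lost, so it keys on command keywords instead of leading spaces.

```python
import ipaddress

# Constructed for this example: the thread's hub config, trimmed to the sections
# the checks need. Indentation is absent, as in the forum paste.
HUB_AS_POSTED = """\
crypto ikev2 keyring VPN_KEYRING
peer RTR2_SPOKE
address 192.0.2.2
!
peer RTR3_SPOKE
address 198.51.100.2
!
peer RTR4_SPOKE
address 203.0.113.2
!
crypto ikev2 profile VPN_PROFILE
match identity remote address 192.0.2.2 255.255.255.255
keyring local VPN_KEYRING
!
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile VPN_PROFILE
!
interface Virtual-Template504 type tunnel
tunnel source Loopback0
tunnel protection ipsec profile IPSEC_PROFILE
"""

# Constructed variant with the virtual-template reference added and every
# keyring peer covered by an explicit remote-address match (hypothetical fix).
HUB_FIXED = HUB_AS_POSTED.replace(
    "keyring local VPN_KEYRING\n",
    "keyring local VPN_KEYRING\nvirtual-template 504\n"
    "match identity remote address 198.51.100.2 255.255.255.255\n"
    "match identity remote address 203.0.113.2 255.255.255.255\n")

TOP_LEVEL = ("crypto ", "interface ", "ip route ", "ip ssh ")


def parse_sections(config):
    """Return [(header, [sub-lines])]. A section runs from one top-level command
    to the next; '!' separators are dropped because the paste has no indentation."""
    sections = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith(TOP_LEVEL):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections


def find(sections, prefix):
    """Sections whose header starts with prefix, keyed by the name that follows it."""
    return {h[len(prefix):].split()[0]: body for h, body in sections if h.startswith(prefix)}


def keyring_peers(body):
    """Map peer name -> ip_network taken from the peer's 'address' line (mask optional)."""
    peers, name = {}, None
    for line in body:
        words = line.split()
        if words[0] == "peer":
            name = words[1]
        elif words[0] == "address" and name:
            mask = words[2] if len(words) > 2 else "255.255.255.255"
            peers[name] = ipaddress.ip_network(f"{words[1]}/{mask}", strict=False)
    return peers


def remote_address_matches(body):
    """All 'match identity remote address A MASK' rules of a profile as networks."""
    nets = []
    for line in body:
        words = line.split()
        if words[:4] == ["match", "identity", "remote", "address"]:
            mask = words[5] if len(words) > 5 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{words[4]}/{mask}", strict=False))
    return nets


def lint(config):
    """Return [(code, detail)] findings for the two gaps named in the reply."""
    sections = parse_sections(config)
    ikev2_profiles = find(sections, "crypto ikev2 profile ")
    keyrings = find(sections, "crypto ikev2 keyring ")
    ipsec_profiles = find(sections, "crypto ipsec profile ")
    findings = []
    # Check 1: a Virtual-Template protected by an IPsec profile needs
    # 'virtual-template N' under the IKEv2 profile that IPsec profile names.
    for ifname, body in find(sections, "interface ").items():
        if not ifname.startswith("Virtual-Template"):
            continue
        number = ifname[len("Virtual-Template"):]
        for line in body:
            words = line.split()
            if words[:4] == ["tunnel", "protection", "ipsec", "profile"]:
                ipsec = ipsec_profiles.get(words[4], [])
                for l in ipsec:
                    if l.startswith("set ikev2-profile "):
                        name = l.split()[2]
                        if f"virtual-template {number}" not in ikev2_profiles.get(name, []):
                            findings.append(("NO_VIRTUAL_TEMPLATE",
                                f"ikev2 profile {name} lacks 'virtual-template {number}' for {ifname}"))
    # Check 2: each keyring peer must fall inside some remote-address match of the
    # profile that uses the keyring, or that spoke can never select the profile.
    for name, body in ikev2_profiles.items():
        rules = remote_address_matches(body)
        for line in body:
            words = line.split()
            if words[:2] == ["keyring", "local"]:
                for peer, net in keyring_peers(keyrings.get(words[2], [])).items():
                    if not any(net.subnet_of(rule) for rule in rules):
                        findings.append(("PEER_NOT_MATCHED",
                            f"keyring peer {peer} ({net}) matches no remote address rule in ikev2 profile {name}"))
    return findings


if __name__ == "__main__":
    for code, detail in lint(HUB_AS_POSTED):
        print(code, "-", detail)
```

On the hub config as posted the lint reports the missing `virtual-template 504` and the two spokes (RTR3_SPOKE, RTR4_SPOKE) that no identity rule covers; on the fixed variant it reports nothing. A profile switched to `match identity remote fqdn domain`, as the reply suggests, would need a different coverage check, since peers would then be selected by name rather than address.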