New Cisco 9300X IOS-XE Version 17.13.01 : IKEv2 Tunnel doesn't work

Steve Adams
Level 1

REFERENCE: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-13/configuration_guide/sec/b_1713_sec_9300_cg/configuring_ipsec.html

I can get IKEv1 working no problem, but I cannot get IKEv2 working at all.

Configuration: (Similar to the LINK Above)

crypto ikev2 proposal IKEv2_KEY1
encryption aes-gcm-256
prf sha256 sha384 sha512
group 19 20 21
!
! ============================
! DEVICE-3 Policy
! ============================
crypto ikev2 policy IKEv2_PROPOSAL
match fvrf any
match address local 10.0.3.3
proposal IKEv2_KEY1
!
! ============================
! DEVICE-4 Policy
! ============================
crypto ikev2 policy IKEv2_PROPOSAL
match fvrf any
match address local 10.0.4.4
proposal IKEv2_KEY1
!
crypto ikev2 keyring IKEv2_KEYRING
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
!
crypto ikev2 profile IKEv2-Profile
match fvrf any
match address local interface TenGigabitEthernet1/0/48
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEv2_KEYRING
!
!
crypto ipsec transform-set IKEv2_GCM esp-gcm 256
mode tunnel
!
crypto ipsec profile IPSEC-IKEv2
set transform-set IKEv2_GCM
set ikev2-profile IKEv2-Profile
!
!
! ============================
! # DEVICE-3 #
! ============================
!
interface Tunnel4000
ip address 10.0.200.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
tunnel source 10.0.3.3
tunnel mode ipsec ipv4
tunnel destination 10.0.4.4
tunnel protection ipsec profile IPSEC-IKEv2
!
interface TenGigabitEthernet1/0/48
no switchport
ip address 10.0.3.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
no cdp enable
no lldp transmit
!
ip route 0.0.0.0 0.0.0.0 10.0.3.10
!
! ============================
! # DEVICE-4 #
! ============================
!
interface Tunnel4000
ip address 10.0.200.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
tunnel source 10.0.4.4
tunnel mode ipsec ipv4
tunnel destination 10.0.3.3
tunnel protection ipsec profile IPSEC-IKEv2
!
interface TenGigabitEthernet1/0/48
no switchport
ip address 10.0.4.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex full
no cdp enable
no lldp transmit
!
ip route 0.0.0.0 0.0.0.0 10.0.4.10
!
!
!
NOTE: Devices connected to a NXOS switch with inter-VLAN routing
NOTE: Device 3 can ping the gateway 10.0.3.10 and 10.0.4.4
NOTE: Device 4 can ping the gateway 10.0.4.10 and 10.0.3.3
NOTE: GRE Tunnel comes up when 'tunnel mode ipsec ipv4' and 'tunnel protection ipsec profile IPSEC-IKEv2' are removed.
NOTE: I can get DMVPN configuration to work with 9300X's only, but not any other Cisco product: like a 4351/K9 router. (IKEv1 Only)

I can get IKEv1 working no problem, but I cannot get IKEv2 working at all.
I have tried different 'ikev2 proposal' and 'crypto ipsec transform-set' and nothing seems to work.
According to the link above, should it work?
Is the Cisco 9300X Version 17.13.1 broken or this not intended to work with IKEv2?

Is there an IKEv2 tunnel configuration that should work on the 9300X-to-9300X?

Accepted Solution

Hello MHM Cisco World,

I worked with a Cisco TAC, and I was able to get IKEv2 working with these changes:

crypto ikev2 profile IKEv2-Profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEv2_KEYRING

 

-Steve

 

 


8 Replies

@Steve Adams what is the IKEv2 profile configuration of device 3? The IKEv2 profile was not matched against the peer's identity and authentication failed.

BAE3-ML1-XTR#
*Feb 22 15:59:04.084: IKEv2:(SESSION ID = 2605,SA ID = 1):Searching policy based on peer's identity '10.0.4.4' of type 'IPv4 address'
*Feb 22 15:59:04.085: IKEv2-ERROR:(SESSION ID = 2605,SA ID = 1):% IKEv2 profile not found
*Feb 22 15:59:04.086: ISAKMP: (0):peer matches *none* of the profiles
*Feb 22 15:59:04.088: IKEv2-ERROR:(SESSION ID = 2605,SA ID = 1):: Failed to locate an item in the database
*Feb 22 15:59:04.088: IKEv2:(SESSION ID = 2605,SA ID = 1):Verification of peer's authentication data FAILED
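To spot this failure pattern across many sessions rather than by eye, here is an added Python example (not code from the thread or from Cisco) that groups IOS-XE IKEv2 debug lines by SESSION ID/SA ID and flags the sessions where no IKEv2 profile matched the peer's identity. The sample log embeds the lines quoted above plus one constructed line for a second, healthy session; the message formats are assumed to match the debug output shown in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: the IKEv2 debug lines quoted above, plus one constructed
# line for a second session (2606) that did not hit the profile error.
SAMPLE_LOG = """\
*Feb 22 15:59:04.084: IKEv2:(SESSION ID = 2605,SA ID = 1):Searching policy based on peer's identity '10.0.4.4' of type 'IPv4 address'
*Feb 22 15:59:04.085: IKEv2-ERROR:(SESSION ID = 2605,SA ID = 1):% IKEv2 profile not found
*Feb 22 15:59:04.086: ISAKMP: (0):peer matches *none* of the profiles
*Feb 22 15:59:04.088: IKEv2-ERROR:(SESSION ID = 2605,SA ID = 1):: Failed to locate an item in the database
*Feb 22 15:59:04.088: IKEv2:(SESSION ID = 2605,SA ID = 1):Verification of peer's authentication data FAILED
*Feb 22 16:01:10.000: IKEv2:(SESSION ID = 2606,SA ID = 1):Searching policy based on peer's identity '10.0.3.3' of type 'IPv4 address'
"""

# Timestamp, source (IKEv2 or IKEv2-ERROR), session/SA ids, free-text message.
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ [\d:.]+): (?P<src>IKEv2(?:-ERROR)?):"
    r"\(SESSION ID = (?P<sid>\d+),SA ID = (?P<said>\d+)\):(?P<msg>.*)$")
IDENT_RE = re.compile(r"peer's identity '(?P<id>[^']+)' of type '(?P<type>[^']+)'")


def parse_ikev2_debug(text):
    """Group IKEv2 debug lines by (SESSION ID, SA ID) and summarise each session."""
    sessions = defaultdict(
        lambda: {"peer_id": None, "id_type": None, "errors": [], "auth_failed": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ISAKMP and other lines carry no IKEv2 session key
        s = sessions[(int(m["sid"]), int(m["said"]))]
        msg = m["msg"].strip()
        ident = IDENT_RE.search(msg)
        if ident:
            s["peer_id"], s["id_type"] = ident["id"], ident["type"]
        if m["src"] == "IKEv2-ERROR":
            s["errors"].append(msg.lstrip("% :"))
        if "authentication data FAILED" in msg:
            s["auth_failed"] = True
    return dict(sessions)


def profile_selection_failures(sessions):
    """Sessions that failed because no IKEv2 profile matched the peer identity."""
    return {k: v for k, v in sessions.items()
            if any("profile not found" in e for e in v["errors"])}


if __name__ == "__main__":
    for key, s in profile_selection_failures(parse_ikev2_debug(SAMPLE_LOG)).items():
        print(f"session {key}: no profile matched peer {s['peer_id']} ({s['id_type']}): {s['errors']}")
```

The flagged session's peer identity and identity type tell you what the `match identity remote` line of the profile must cover.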

 

Hello Rob,

Thanks for your reply!

The config has been cut/pasted directly into the post: both Device-3 and Device-4 configurations are identical except for the IP addresses in the policy config. I have seen other similar posts with the error "peer matches *none* of the profiles", but never saw a resolution to those cases. I would like to think I am missing something in my config, but I posted the entire configuration. Am I missing something?

crypto ikev2 profile IKEv2-Profile
match fvrf any
match address local interface TenGigabitEthernet1/0/48
match identity remote any
authentication remote pre-share
authentication local pre-share
keyring local IKEv2_KEYRING

 

deb crypto ikev2 packet

Share this debug 

MHM 

Hello MHM Cisco World,

Thanks for your response!

I have attached the debug output for 'debug crypto ikev2 packet'

-Steve

Can you share both router config 

Tunnel

Ikev2 proposal 

Ikev2 keyring 

Ikev2 policy 

Ikev2 profile 

Ipsec profile 

Let me run a lab and test this config on my side. Your original post is OK, but I need to see the exact config on both routers.

MHM

Hello MHM Cisco World,

Thanks for the quick replies, I have attached the isolated configurations I have for each device.

On the switch that I have these connected to, I am doing SIMPLE inter-VLAN routing with VLAN interfaces as the gateways. Since I can ping everything, I left that part out. If you need a diagram, I can draft one up fast.


Hi friend again 

Sorry, your post was removed from the community, I don't know why!!

But anyway, what TAC did is the same as what I had in mind: check the profile using the local address.

I'm glad the issue is solved. Please close it.

Have a nice day 

MHM