Problems with Flex VPN hub and spoke

EdgarMurray8920

I am doing a lab with Flex VPN before configuring anything in production. This is my first Flex VPN, but it is not coming up.

I ran "show monitor event-trace errors all", which returned "Flex VPN SA ID:0 SESSION ID:0 Failed to initiate sa". On the hub the error is "500 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA".

I have checked the keys and they are the same. Here is my config:

Hub
---------------------------

interface Loopback1
ip address 172.16.1.254 255.255.255.255

crypto ikev2 keyring IKEV2_KEYRING
peer SPOKE_ROUTERS
address 0.0.0.0 0.0.0.0
pre-shared-key local CISCO
pre-shared-key remote CISCO



aaa new-model
aaa authorization network FLEXVPN_LOCAL local


crypto ikev2 name-mangler group_author_name_mangler
fqdn domain

crypto ikev2 authorization policy IKEV2_AUTHORIZATION
route set interface
route set access-list FLEXVPN_ROUTES

ip access-list standard FLEXVPN_ROUTES
permit any

crypto ikev2 profile IKEV2_PROFILE
match identity remote IKEV2_PROFILE domain example.com
identity local fqdn hq.example.com
authentication local pre-share key CISCO
authentication remote pre-share key CISCO
aaa authorization group psk list group_author_list name-mangler group_author_name_mangler
virtual-template 1 mode auto

interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel protection ipsec profile IKEV2_PROFILE

---------------------------------------------

Spoke 1

Spoke
crypto ikev2 keyring IKEV2_KEYRING
peer R8
address 18.1.1.8
pre-shared-key local CISCO
pre-shared-key remote CISCO

aaa new-model
aaa authorization network FLEXVPN_LOCAL local

crypto ikev2 authorization policy IKEV2_AUTHORIZATION
route set interface
route set access-list FLEXVPN_ROUTES

ip access-list standard FLEXVPN_ROUTES
permit host 2.2.2.2


crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn hq.example.com
identity local fqdn spk1.example.com
authentication local pre-share
authentication remote pre-share
keyring local IKEV2_KEYRING


crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE

interface Tunnel 0
ip address 172.16.1.1 255.255.255.0
tunnel source GigabitEthernet 0/0
tunnel destination 18.1.1.8
tunnel protection ipsec profile IPSEC_PROFILE


@EdgarMurray8920 the keys are in different case, which will matter. Please double check. Unless you've just incorrectly edited for this post?

Hub
---------------------------

crypto ikev2 profile default
 authentication local pre-share key cisco
 
authentication remote pre-share key cisco

---------------------------------------------

Spoke 1

Spoke
crypto ikev2 keyring IKEV2_KEYRING
 pre-shared-key local CISCO
 pre-shared-key remote CISCO

If there is still an issue enable the IKEv2 debugs and provide the full output for review.

It was an incorrect edit for the post. I will do debug when I get home and post it here.

tunnel mode ipsec ipv4 <<- add this under the virtual template AND spoke tunnel.
and in the Spoke use local and remote key CISCO (or cisco; it must match the hub).

Thanks A Lot
MHM

The default tunnel mode is gre and does not explicitly appear in the running configuration. So changing the tunnel mode of the virtual-template on the hub to ipsec will mean a mismatch, as the spoke would still be gre.

It seems that the error has to do with the Policy. Here are the debug messages

@Rob Ingram wrote:

The default tunnel mode is gre and does not explicitly appear in the running configuration. So changing the tunnel mode of the virtual-template on the hub to ipsec will mean a mismatch, as the spoke would still be gre.


*Nov 11 20:21:44.113: IKEv2-INTERNAL:IKEv2 local AAA author request for 'example.com'
*Nov 11 20:21:44.114: IKEv2-INTERNAL:IKEv2 local AAA - policy 'example.com' does not exist.
*Nov 11 20:21:44.122: IKEv2-INTERNAL:IKEv2 authorization error 4


match identity remote fqdn domain example.com

This must be used on the hub side.

Add it and check again.

Thanks A Lot
MHM

The identity of the hub is hub.example.com, and that is the one that I am referencing on the spoke, but the domain identity is example.com, which is what I am referencing on the hub to accept any connections from that domain.

Hub


crypto ikev2 profile IKEV2_PROFILE
match identity remote IKEV2_PROFILE domain example.com
identity local fqdn hq.example.com
authentication local pre-share key CISCO
authentication remote pre-share key CISCO
aaa authorization group psk list group_author_list name-mangler group_author_name_mangler
virtual-template 1 mode auto

Spoke

crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn hq.example.com
identity local fqdn spk1.example.com
authentication local pre-share
authentication remote pre-share
keyring local IKEV2_KEYRING


match identity remote fqdn domain example.com

Use this in the hub ikev2 profile.

@EdgarMurray8920 the extracted value from the name mangler is "example.com", you need an authorisation policy called "example.com". Change the existing policy IKEV2_AUTHORIZATION to example.com or don't use the name mangler.
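To make the accepted answer concrete, here is an added Python model (not from this thread, and not Cisco IOS code) of what the hub's name-mangler does with a spoke identity and how the resulting AAA lookup fails against the poster's hub config. The hub config fragment is constructed to mirror the thread's hub (the aaa list name FLEXVPN_LOCAL is assumed from the poster's "aaa authorization network" line), and the three debug lines are quoted from the poster's reply above as sample input for the log check:

```python
"""Added example, not from the thread: models how the IKEv2 name-mangler on the
hub turns a spoke's FQDN identity into an authorization-policy name, and why the
hub logs "policy 'example.com' does not exist" when no policy has that name.
The config text, function names and debug lines are constructed/quoted for
illustration; they are not Cisco IOS code."""

import re

# Constructed hub fragment modelled on the thread's hub (aaa list name assumed).
HUB_CONFIG_BROKEN = """\
crypto ikev2 name-mangler group_author_name_mangler
 fqdn domain
crypto ikev2 authorization policy IKEV2_AUTHORIZATION
 route set interface
crypto ikev2 profile IKEV2_PROFILE
 aaa authorization group psk list FLEXVPN_LOCAL name-mangler group_author_name_mangler
"""

# Same hub with the accepted fix applied: the policy is named after the mangled value.
HUB_CONFIG_FIXED = HUB_CONFIG_BROKEN.replace(
    "authorization policy IKEV2_AUTHORIZATION", "authorization policy example.com"
)

# Debug lines quoted from the thread, used as sample input for the log check.
DEBUG_LINES = [
    "*Nov 11 20:21:44.113: IKEv2-INTERNAL:IKEv2 local AAA author request for 'example.com'",
    "*Nov 11 20:21:44.114: IKEv2-INTERNAL:IKEv2 local AAA - policy 'example.com' does not exist.",
    "*Nov 11 20:21:44.122: IKEv2-INTERNAL:IKEv2 authorization error 4",
]


def parse_name_manglers(config):
    """Map each 'crypto ikev2 name-mangler' to the fqdn part it extracts."""
    manglers, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 name-mangler (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+fqdn (all|hostname|domain)\s*$", line)
        if m and current:
            manglers[current] = m.group(1)
    return manglers


def parse_authorization_policies(config):
    """Names of all 'crypto ikev2 authorization policy' blocks in the config."""
    return set(re.findall(r"^crypto ikev2 authorization policy (\S+)", config, re.M))


def mangle_fqdn(fqdn, part):
    """Apply the name-mangler fqdn option (all | hostname | domain) to a peer identity."""
    host, _, domain = fqdn.partition(".")
    return {"all": fqdn, "hostname": host, "domain": domain}[part]


def resolve_group_policy(config, mangler_name, peer_fqdn):
    """Return (policy_name, exists): the local AAA lookup the hub performs for this peer."""
    part = parse_name_manglers(config)[mangler_name]
    name = mangle_fqdn(peer_fqdn, part)
    return name, name in parse_authorization_policies(config)


def missing_policies_from_debug(lines):
    """Pull the policy names the hub reported as missing out of IKEv2 debug output."""
    pat = re.compile(r"policy '([^']+)' does not exist")
    return [m.group(1) for line in lines for m in [pat.search(line)] if m]


if __name__ == "__main__":
    for label, cfg in (("broken", HUB_CONFIG_BROKEN), ("fixed", HUB_CONFIG_FIXED)):
        name, ok = resolve_group_policy(cfg, "group_author_name_mangler", "spk1.example.com")
        print(f"{label}: mangled identity -> {name!r}, policy exists: {ok}")
    print("missing per debug:", missing_policies_from_debug(DEBUG_LINES))
```

With the spoke identity spk1.example.com and "fqdn domain", the mangled value is example.com; the broken config has only IKEV2_AUTHORIZATION, so the lookup fails exactly as the debug shows, while the renamed policy makes it succeed. The same helper also generalises to the "all" and "hostname" mangler options, which is why a per-spoke policy would have to be named spk1.example.com or spk1 respectively.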

I did, and I am now receiving:

IKEv2-INTERNAL:Construct Notify Payload: AUTHENTICATION_FAILED


Is this issue still not solved?

If not:

Did you use "fqdn domain..." as we suggested? If yes,

use the below in the hub ikev2 profile:

aaa authorization group psk list FLEXVPN_LOCAL  IKEV2_AUTHORIZATION

I finally solved it by removing and re-applying the keyring. @Rob Ingram's change with the name mangler solved the issue for me. Thanks for the help.

You are welcome. The suggestion was: don't use the mangler.

Anyway, glad your lab is done and successful.

Have a nice day.

MHM
