11-11-2023 04:02 AM - edited 11-11-2023 04:37 AM
I am doing a lab with FlexVPN before configuring anything in production. This is my first FlexVPN, but it is not coming up.
I ran show monitor event-trace errors all, which returned Flex VPN SA ID:0 SESSION ID:0 Failed to initiate sa. On the hub the error is 500 Negotiation aborted due to ERROR: Failed to authenticate the IKE SA
I have checked the keys and they are the same. Here is my config:
Hub
---------------------------
interface Loopback1
ip address 172.16.1.254 255.255.255.255
crypto ikev2 keyring IKEV2_KEYRING
peer SPOKE_ROUTERS
address 0.0.0.0 0.0.0.0
pre-shared-key local CISCO
pre-shared-key remote CISCO
aaa new-model
aaa authorization network FLEXVPN_LOCAL local
crypto ikev2 name-mangler group_author_name_mangler
fqdn domain
crypto ikev2 authorization policy IKEV2_AUTHORIZATION
route set interface
route set access-list FLEXVPN_ROUTES
ip access-list standard FLEXVPN_ROUTES
permit any
crypto ikev2 profile IKEV2_PROFILE
match identity remote IKEV2_PROFILE domain example.com
identity local fqdn hq.example.com
authentication local pre-share key CISCO
authentication remote pre-share key CISCO
aaa authorization group psk list group_author_list name-mangler group_author_name_mangler
virtual-template 1 mode auto
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
tunnel protection ipsec profile IKEV2_PROFILE
---------------------------------------------
Spoke 1
crypto ikev2 keyring IKEV2_KEYRING
peer R8
address 18.1.1.8
pre-shared-key local CISCO
pre-shared-key remote CISCO
aaa new-model
aaa authorization network FLEXVPN_LOCAL local
crypto ikev2 authorization policy IKEV2_AUTHORIZATION
route set interface
route set access-list FLEXVPN_ROUTES
ip access-list standard FLEXVPN_ROUTES
permit host 2.2.2.2
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn hq.example.com
identity local fqdn spk1.example.com
authentication local pre-share
authentication remote pre-share
keyring local IKEV2_KEYRING
crypto ipsec profile IPSEC_PROFILE
set ikev2-profile IKEV2_PROFILE
interface Tunnel 0
ip address 172.16.1.1 255.255.255.0
tunnel source GigabitEthernet 0/0
tunnel destination 18.1.1.8
tunnel protection ipsec profile IPSEC_PROFILE
11-11-2023 04:15 AM - edited 11-11-2023 04:15 AM
@emurray the keys are in different cases, which will matter. Please double check. Unless you've just incorrectly edited them for this post?
Hub
---------------------------
crypto ikev2 profile default
authentication local pre-share key cisco
authentication remote pre-share key cisco
---------------------------------------------
Spoke 1
crypto ikev2 keyring IKEV2_KEYRING
pre-shared-key local CISCO
pre-shared-key remote CISCO
If there is still an issue, enable the IKEv2 debugs and provide the full output for review.
11-11-2023 04:32 AM
It was an incorrect edit for the post. I will run the debug when I get home and post it here.
11-11-2023 04:54 AM - edited 11-11-2023 05:35 AM
tunnel mode ipsec ipv4 <<- add this under the virtual template AND the spoke tunnel.
And on the spoke use local and remote key CISCO (or cisco; it must match the hub).
Thanks A Lot
MHM
11-11-2023 05:27 AM
The default tunnel mode is GRE and does not explicitly appear in the running configuration. So changing the tunnel mode to ipsec on the hub's virtual-template will mean a mismatch, as the spoke would still be GRE.
11-11-2023 12:27 PM - edited 11-11-2023 12:29 PM
It seems that the error has to do with the policy. Here are the debug messages:
@Rob Ingram wrote: The default tunnel mode is GRE and does not explicitly appear in the running configuration. So changing the tunnel mode to ipsec on the hub's virtual-template will mean a mismatch, as the spoke would still be GRE.
*Nov 11 20:21:44.113: IKEv2-INTERNAL:IKEv2 local AAA author request for 'example.com'
*Nov 11 20:21:44.114: IKEv2-INTERNAL:IKEv2 local AAA - policy 'example.com' does not exist.
*Nov 11 20:21:44.122: IKEv2-INTERNAL:IKEv2 authorization error 4
11-11-2023 12:42 PM
match identity remote fqdn domain example.com
This must be used on the hub side.
Add it and check again.
Thanks A Lot
MHM
11-11-2023 12:58 PM - edited 11-11-2023 12:59 PM
The identity of the hub is hub.example.com and that is the one that I am referencing on the spoke, but the domain identity is example.com, which is what I am referencing on the hub to accept any connections from that domain.
Hub
crypto ikev2 profile IKEV2_PROFILE
match identity remote IKEV2_PROFILE domain example.com
identity local fqdn hq.example.com
authentication local pre-share key CISCO
authentication remote pre-share key CISCO
aaa authorization group psk list group_author_list name-mangler group_author_name_mangler
virtual-template 1 mode auto
Spoke
crypto ikev2 profile IKEV2_PROFILE
match identity remote fqdn hq.example.com
identity local fqdn spk1.example.com
authentication local pre-share
authentication remote pre-share
keyring local IKEV2_KEYRING
11-11-2023 01:06 PM
match identity remote fqdn domain example.com
Use this in the hub IKEv2 profile.
11-11-2023 01:06 PM - edited 11-11-2023 01:29 PM
@emurray the extracted value from the name mangler is "example.com", you need an authorisation policy called "example.com". Change the existing policy IKEV2_AUTHORIZATION to example.com or don't use the name mangler.
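An added example (not any poster's configuration) of how the hub-side pieces fit together once the name-mangler is used: the mangler extracts the domain part of the spoke's FQDN identity, and the debug above shows IOS then looks up an authorization policy with exactly that extracted name, so the policy name must be "example.com". It assumes the AAA list FLEXVPN_LOCAL from the original post and keeps the hub's IPsec profile reference as posted.

```ios
! Added example, hub side only. Assumes the identities, keys and
! list names shown in the thread; nothing here is from the posters.
aaa new-model
aaa authorization network FLEXVPN_LOCAL local
!
! Extracts "example.com" from a remote FQDN identity like spk1.example.com
crypto ikev2 name-mangler group_author_name_mangler
 fqdn domain
!
! Policy name must equal the value the mangler extracts
crypto ikev2 authorization policy example.com
 route set interface
 route set access-list FLEXVPN_ROUTES
!
ip access-list standard FLEXVPN_ROUTES
 permit any
!
crypto ikev2 profile IKEV2_PROFILE
 ! Match on the domain part of the remote FQDN, not on a profile name
 match identity remote fqdn domain example.com
 identity local fqdn hq.example.com
 authentication local pre-share key CISCO
 authentication remote pre-share key CISCO
 ! Per-domain authorization via the mangler (list name is the AAA list above)
 aaa authorization group psk list FLEXVPN_LOCAL name-mangler group_author_name_mangler
 ! Alternative without a mangler: a single fixed policy for every spoke
 ! aaa authorization group psk list FLEXVPN_LOCAL IKEV2_AUTHORIZATION
 virtual-template 1 mode auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback1
 tunnel protection ipsec profile IKEV2_PROFILE
!
! Verify after a spoke connects: show crypto ikev2 sa detailed
```

The two aaa authorization lines are mutually exclusive: keep the mangler line only if a policy named after each extracted domain exists, otherwise use the fixed-policy form.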
11-11-2023 01:43 PM
I did, and I am now receiving
IKEv2-INTERNAL:Construct Notify Payload: AUTHENTICATION_FAILED
11-18-2023 01:19 PM
Is this issue still not solved?
If not,
did you use fqdn domain... as we suggested? If yes,
use the below in the hub IKEv2 profile:
aaa authorization group psk list FLEXVPN_LOCAL IKEV2_AUTHORIZATION
11-20-2023 07:24 AM
I finally solved it by removing and re-applying the keyring. @Rob Ingram's change with the name mangler solved the issue for me. Thanks for the help.
11-20-2023 07:28 AM
You are welcome. The suggestion was: don't use the mangler.
Anyway, glad your lab is done and successful.
Have a nice day.
MHM
11-20-2023 08:21 AM - edited 11-20-2023 08:25 AM
//
MHM