Remote Access IKEv2 Auth exchange failed

mustafa.chapal
Level 1

Hi,

I am trying to remotely access my Cisco 897VA router using a pre-shared key only, from the built-in IKEv2 VPN clients on Windows 10, Mac OS X and iPhone. The VPN is not connecting at all. Help would really be appreciated.

Following is the router configuration:

crypto ikev2 authorization policy FlexVPN
 pool FlexVPN
 dns 8.8.8.8 8.8.4.4
 netmask 255.255.255.0
!
crypto ikev2 proposal FlexVPN
 encryption 3des aes-cbc-128 aes-cbc-192 aes-cbc-256
 integrity sha1 sha256 sha384 sha512
 group 1 14 15 16 19 2 24 5
crypto ikev2 proposal ikev2proposal
 encryption aes-gcm-128
 prf sha256
 group 19
!
crypto ikev2 policy ikev2policy
 proposal ikev2proposal
 proposal FlexVPN
!
crypto ikev2 keyring keys
 peer DYNAMIC
  address 0.0.0.0 0.0.0.0
  pre-shared-key ABCxyz123
 !
!
crypto ikev2 profile FlexVPN
 match identity remote any
 identity local address 1.1.1.1
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
 virtual-template 2
!
crypto ipsec transform-set ESP-GCM esp-gcm
 mode tunnel
crypto ipsec transform-set AES-CBC esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set AES-CBC1 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set AES-CBC2 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile FlexVPN
 set transform-set AES-CBC AES-CBC1 AES-CBC2 ESP-GCM
 set ikev2-profile FlexVPN
!
interface GigabitEthernet8
 ip address 1.1.1.1 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no cdp enable
!
interface Virtual-Template2 type tunnel
 ip unnumbered Vlan10
 tunnel source GigabitEthernet8
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FlexVPN
!
interface Vlan10
 ip address 10.7.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 no autostate
!
ip local pool FlexVPN 10.7.1.231 10.7.1.239

Following is the output of debug crypto ikev2 on the router above:

189014: *Aug  8 14:01:22.145 Chicago: IKEv2:Received Packet [From 2.2.2.2:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 8A15E970577C6140 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N NOTIFY(REDIRECT_SUPPORTED) NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(Unknown - 16430)

189015: *Aug  8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verify SA init message
189016: *Aug  8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Insert SA
189017: *Aug  8 14:01:22.145 Chicago: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1
189018: *Aug  8 14:01:22.145 Chicago: IKEv2:Found Policy 'ikev2policy'
189019: *Aug  8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Processing IKE_SA_INIT message
189020: *Aug  8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
189021: *Aug  8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-653483565'
189022: *Aug  8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
189023: *Aug  8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
189024: *Aug  8 14:01:22.145 Chicago: IKEv2:Failed to retrieve Certificate Issuer list
189025: *Aug  8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
189026: *Aug  8 14:01:22.145 Chicago: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
189027: *Aug  8 14:01:22.145 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Request queued for computation of DH key
189028: *Aug  8 14:01:22.149 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
189029: *Aug  8 14:01:22.149 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Request queued for computation of DH secret
189030: *Aug  8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
189031: *Aug  8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
189032: *Aug  8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
189033: *Aug  8 14:01:22.161 Chicago: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
189034: *Aug  8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Generating IKE_SA_INIT message
189035: *Aug  8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_2048_MODP/Group 14
189036: *Aug  8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
189037: *Aug  8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'TP-self-signed-653483565'
189038: *Aug  8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
189039: *Aug  8 14:01:22.161 Chicago: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
189040: *Aug  8 14:01:22.161 Chicago: IKEv2:Failed to retrieve Certificate Issuer list

189041: *Aug  8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Sending Packet [To 2.2.2.2:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 8A15E970577C6140 - Responder SPI : 0550071FA9DFE718 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

189042: *Aug  8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Completed SA init exchange
189043: *Aug  8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Starting timer (30 sec) to wait for auth message

189044: *Aug  8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Received Packet [From 2.2.2.2:4500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 8A15E970577C6140 - Responder SPI : 0550071FA9DFE718 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 IDi NOTIFY(INITIAL_CONTACT) NOTIFY(Unknown - 16396) IDr AUTH CFG NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) SA TSi TSr

189045: *Aug  8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Stopping timer to wait for auth message
189046: *Aug  8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Checking NAT discovery
189047: *Aug  8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):NAT OUTSIDE found
189048: *Aug  8 14:01:22.429 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):NAT detected float to init port 4500, resp port 4500
189049: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Searching policy based on peer's identity '10.5.1.70' of type 'IPv4 address'
189050: *Aug  8 14:01:22.433 Chicago: IKEv2:found matching IKEv2 profile 'FlexVPN'
189051: *Aug  8 14:01:22.433 Chicago: IKEv2:% Getting preshared key from profile keyring keys
189052: *Aug  8 14:01:22.433 Chicago: IKEv2:% Matched peer block 'DYNAMIC'
189053: *Aug  8 14:01:22.433 Chicago: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1
189054: *Aug  8 14:01:22.433 Chicago: IKEv2:Found Policy 'ikev2policy'
189055: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verify peer's policy
189056: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Peer's policy verified
189057: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Get peer's authentication method
189058: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Peer's authentication method is 'PSK'
189059: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Get peer's preshared key for 10.5.1.70
189060: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verify peer's authentication data
189061: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Use preshared key for id 10.5.1.70, key len 7
189062: *Aug  8 14:01:22.433 Chicago: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
189063: *Aug  8 14:01:22.433 Chicago: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
189064: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verification of peer's authenctication data PASSED
189065: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Processing INITIAL_CONTACT
189066: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Received valid config mode data
189067: *Aug  8 14:01:22.433 Chicago: IKEv2:Config data recieved:
189068: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Config-type: Config-request
189069: *Aug  8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
189070: *Aug  8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
189071: *Aug  8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
189072: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Error in settig received config mode data
189073: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Auth exchange failed
189074: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):: Auth exchange failed
189075: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Abort exchange
189076: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Deleting SA
189077: *Aug  8 14:01:25.429 Chicago: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI

189078: *Aug  8 14:01:25.429 Chicago: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2.2.2.2:4500/To 1.1.1.1:4500/VRF i0:f0]
Initiator SPI : 8A15E970577C6140 - Responder SPI : 0550071FA9DFE718 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
189079: *Aug  8 14:01:25.429 Chicago: IKEv2:: A supplied parameter is incorrect
189080: *Aug  8 14:01:28.429 Chicago: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI

189081: *Aug  8 14:01:28.429 Chicago: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2.2.2.2:4500/To 1.1.1.1:4500/VRF i0:f0]
Initiator SPI : 8A15E970577C6140 - Responder SPI : 0550071FA9DFE718 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
189082: *Aug  8 14:01:28.429 Chicago: IKEv2:: A supplied parameter is incorrect
189083: *Aug  8 14:01:31.433 Chicago: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI

189084: *Aug  8 14:01:31.433 Chicago: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 2.2.2.2:4500/To 1.1.1.1:4500/VRF i0:f0]
Initiator SPI : 8A15E970577C6140 - Responder SPI : 0550071FA9DFE718 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
189085: *Aug  8 14:01:31.433 Chicago: IKEv2:: A supplied parameter is incorrect

1 Accepted Solution

Hi,

You cannot use PSK for authentication of a Remote Access FlexVPN; see the screenshot below from Cisco Live presentation BRKSEX-2881. You can only use PSK when the client is another FlexVPN hardware (router) client or strongSwan. Windows or Mac (native or AC) clients can only use certificates or EAP.

HTH

(attachment: cisco live.PNG)

2 Replies


Seems you have a compatibility mismatch.

189068: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Config-type: Config-request
189069: *Aug 8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
189070: *Aug 8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
189071: *Aug 8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
189072: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Error in settig received config mode data
189073: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Auth exchange failed
189074: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):: Auth exchange failed
189075: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Abort exchange
189076: *Aug 8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Deleting SA
189077: *Aug 8 14:01:25.429 Chicago: IKEv2:Couldn't find matching SA: Detected an invalid IKE SPI

See if this helps you.

https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115907-config-flexvpn-wcca-00.html
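As an added example (not from this thread or from Cisco), a small Python triage script for debug crypto ikev2 output like the log quoted above: it groups lines by SESSION ID and records the peer's authentication method, whether the credential check itself passed, how many CFG-request attributes the responder rejected, and where the exchange aborted, so that the "unsupported attrib" lines the reply above points at stand out from a plain PSK mismatch. The embedded sample is a constructed excerpt modelled on the log in the question; the IkeSession and triage names are the example's own.

```python
import re
from dataclasses import dataclass
# Constructed excerpt modelled on the 'debug crypto ikev2' output posted in the question.
SAMPLE_DEBUG = """\
189042: *Aug  8 14:01:22.161 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Completed SA init exchange
189058: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Peer's authentication method is 'PSK'
189064: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Verification of peer's authenctication data PASSED
189069: *Aug  8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
189070: *Aug  8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
189071: *Aug  8 14:01:22.433 Chicago: IKEv2:IKEv2 responder - unsupported attrib unknown in cfg-req
189072: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Error in settig received config mode data
189073: *Aug  8 14:01:22.433 Chicago: IKEv2:(SESSION ID = 8673,SA ID = 1):Auth exchange failed
"""
# Shape: seq: *Mon d hh:mm:ss.mmm Zone: IKEv2:[(SESSION ID = n,SA ID = n):]message
LINE_RE = re.compile(r"^\d+: \*\w+\s+\d+ [\d:.]+ \S+: IKEv2:(?:\(SESSION ID = (\d+),SA ID = \d+\))?:*\s*(.*)$")

@dataclass
class IkeSession:
    sid: str
    auth_method: str = ""           # from "Peer's authentication method is '...'"
    auth_passed: bool = False       # the credential check itself succeeded
    unsupported_cfg_attrs: int = 0  # CFG-request attributes the responder rejected
    cfg_error: bool = False         # "Error in settig received config mode data"
    auth_failed: bool = False       # "Auth exchange failed"

    def verdict(self) -> str:
        if self.auth_failed and self.cfg_error:
            return "IKE_AUTH aborted while applying the client's CFG request"
        if self.auth_failed:
            return "IKE_AUTH aborted: peer authentication data rejected"
        return "IKE_AUTH completed" if self.auth_passed else "incomplete"

def triage(debug_text: str) -> dict:
    """Group debug lines by SESSION ID and record how far each exchange got."""
    sessions, cur = {}, IkeSession("?")  # lines before the first SESSION ID land in a throwaway record
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # payload listings and wrapped lines carry no log prefix
        sid, msg = m.groups()
        if sid:  # lines without a SESSION ID belong to the most recent session
            cur = sessions.setdefault(sid, IkeSession(sid))
        am = re.search(r"authentication method is '([^']+)'", msg)
        cur.auth_method = am.group(1) if am else cur.auth_method
        cur.auth_passed |= msg.startswith("Verification of peer's") and msg.endswith("PASSED")
        cur.unsupported_cfg_attrs += "unsupported attrib" in msg
        cur.cfg_error |= "Error" in msg and "received config mode data" in msg
        cur.auth_failed |= "Auth exchange failed" in msg
    return sessions
```

Run against the full log from the question, it reports session 8673 as PSK, credential check passed, three rejected CFG attributes, and an abort at the config-mode step rather than at the key check.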