Route based IKEv2 VPN between ASA and IOS router help

Aquatera
Level 1

Afternoon All,

I am hoping for a bit of help setting up a route-based IKEv2 VPN between an ASA and an IOS router. I have set up route-based IKEv1 VPNs between ASAs and IOS routers with no problem, but am really struggling to do the same with IKEv2. The ASA does not show an SA, but the router does, and it looks like there may be an auth issue?

IKEV2_RTR#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 21.0.0.2/500 212.0.0.1/500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec

The VTI tunnel on the router shows as line up, protocol down, but on the ASA side the tunnel interface shows as down/down.

I have attached the configurations from both the router and the ASA, and also some debugs from the ASA (platform and protocol debugs).

Any help would be much appreciated, because for the life of me I can't see where I am going wrong.

Many thanks,

Accepted Solution
Morning All,

I have managed to resolve this by upgrading the ASA image to 9.8(4)29. It looks like route-based IKEv2 VPNs are not supported on the ASA until 9.8(1) or later; I was on 9.7(1)4, which was OK for IKEv1 route-based VPNs but not IKEv2.

Thank you to all who helped with this.


16 Replies

Hi, your IPsec profile in IOS is incorrect. You are using transport mode. It should be tunnel mode. Fix this and test.

*** please remember to rate useful posts

Thanks for the reply Mohammed. I have tried tunnel mode too, as I also believed that to be correct, since all the IKEv1 VTI VPNs I have set up in the past have been mode tunnel (the guide I followed was incorrect). I have changed back to tunnel mode now but still get the same result.

Thanks,

The SA status on the router is not good (IN-NEG). Initiate a debug from the router as well to see what the problem is: debug crypto ikev2

**** please remember to rate useful posts

Hi Mohammed,

Here is the output from debug crypto ikev2:

IKEV2_RTR#debug crypto ikev2
IKEv2 default debugging is on
IKEV2_RTR#clear cr
IKEV2_RTR#clear crypto ikev2 sa
IKEV2_RTR#
*Nov 9 17:21:24.055: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Nov 9 17:21:24.055: IKEv2:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
*Nov 9 17:21:24.055: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
*Nov 9 17:21:24.055: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
IKEV2_RTR#
*Nov 9 17:21:41.976: IKEv2:% Getting preshared key from profile keyring KEYRING
*Nov 9 17:21:41.976: IKEv2:% Matched peer block '212.0.0.1'
*Nov 9 17:21:41.976: IKEv2:Searching Policy with fvrf 0, local address 21.0.0.2
*Nov 9 17:21:41.976: IKEv2:Found Policy 'IKEV2_POLICY'
*Nov 9 17:21:41.976: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Nov 9 17:21:41.976: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Nov 9 17:21:41.976: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Nov 9 17:21:41.976: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Nov 9 17:21:41.976: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Nov 9 17:21:41.976: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA512 DH_GROUP_1536_MODP/Group 5

*Nov 9 17:21:41.977: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Nov 9 17:21:41.977: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Nov 9 17:21:41.979: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 212.0.0.1:500/To 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(Unknown - 16430) VID

*Nov 9 17:21:41.979: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Nov 9 17:21:41.979: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Nov 9 17:21:41.979: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Nov 9 17:21:41.979: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Nov 9 17:21:41.979: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Nov 9 17:21:41.979: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Nov 9 17:21:41.988: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Nov 9 17:21:41.988: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Nov 9 17:21:41.988: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Nov 9 17:21:41.988: IKEv2:Config data to send:
*Nov 9 17:21:41.988: Config-type: Config-request
*Nov 9 17:21:41.988: Attrib type: ipv4-dns, length: 0
*Nov 9 17:21:41.988: Attrib type: ipv4-dns, length: 0
*Nov 9 17:21:41.988: Attrib type: ipv4-nbns, length: 0
*Nov 9 17:21:41.988: Attrib type: ipv4-nbns, length: 0
*Nov 9 17:21:41.988: Attrib type: ipv4-subnet, length: 0
*Nov 9 17:21:41.988: Attrib type: ipv6-dns, length: 0
*Nov 9 17:21:41.988: Attrib type: ipv6-subnet, length: 0
*Nov 9 17:21:41.988: Attrib type: app-version, length: 256, data: Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(2)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Thu 27-Mar-14 01:08 by prod_rel_team
*Nov 9 17:21:41.988: Attrib type: split-dns, length: 0
*Nov 9 17:21:41.988: Attrib type: banner, length: 0
*Nov 9 17:21:41.988: Attrib type: config-url, length: 0
*Nov 9 17:21:41.988: Attrib type: backup-gateway, length: 0
*Nov 9 17:21:41.988: Attrib type: def-domain, length: 0
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):Have config mode data to send
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 21.0.0.2, key len 9
*Nov 9 17:21:41.988: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Nov 9 17:21:41.988: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Nov 9 17:21:41.988: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Nov 9 17:21:41.989: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '21.0.0.2' of type 'IPv4 address'
*Nov 9 17:21:41.989: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA512 Don't use ESN
*Nov 9 17:21:41.989: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

IKEV2_RTR#
*Nov 9 17:21:41.989: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

IKEV2_RTR#
*Nov 9 17:21:43.944: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Nov 9 17:21:43.944: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

IKEV2_RTR#
*Nov 9 17:21:47.660: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Nov 9 17:21:47.660: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

IKEV2_RTR#
*Nov 9 17:21:55.347: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Nov 9 17:21:55.347: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

IKEV2_RTR#
*Nov 9 17:22:10.492: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Nov 9 17:22:10.493: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

IKEV2_RTR#
*Nov 9 17:22:41.064: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Nov 9 17:22:41.064: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

IKEV2_RTR#
*Nov 9 17:22:43.092: IKEv2:% Getting preshared key from profile keyring KEYRING
*Nov 9 17:22:43.092: IKEv2:% Matched peer block '212.0.0.1'
*Nov 9 17:22:43.092: IKEv2:Searching Policy with fvrf 0, local address 21.0.0.2
*Nov 9 17:22:43.092: IKEv2:Found Policy 'IKEV2_POLICY'
*Nov 9 17:22:43.092: IKEv2:SA is already in negotiation, hence not negotiating again
IKEV2_RTR#
*Nov 9 17:23:13.096: IKEv2:% Getting preshared key from profile keyring KEYRING
*Nov 9 17:23:13.096: IKEv2:% Matched peer block '212.0.0.1'
*Nov 9 17:23:13.096: IKEv2:Searching Policy with fvrf 0, local address 21.0.0.2
*Nov 9 17:23:13.096: IKEv2:Found Policy 'IKEV2_POLICY'
*Nov 9 17:23:13.096: IKEv2:SA is already in negotiation, hence not negotiating again
IKEV2_RTR#
*Nov 9 17:23:39.543: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Nov 9 17:23:39.543: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

IKEV2_RTR#
*Nov 9 17:23:43.101: IKEv2:% Getting preshared key from profile keyring KEYRING
*Nov 9 17:23:43.101: IKEv2:% Matched peer block '212.0.0.1'
*Nov 9 17:23:43.101: IKEv2:Searching Policy with fvrf 0, local address 21.0.0.2
*Nov 9 17:23:43.101: IKEv2:Found Policy 'IKEV2_POLICY'
*Nov 9 17:23:43.101: IKEv2:SA is already in negotiation, hence not negotiating again
IKEV2_RTR#
*Nov 9 17:23:44.147: IKEv2:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached
*Nov 9 17:23:44.147: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Nov 9 17:23:44.147: IKEv2:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
*Nov 9 17:23:44.147: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
*Nov 9 17:23:44.147: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA

Thanks,
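What the router debug above actually records, read as an added note rather than as part of the original thread: IKE_SA_INIT (message id 0) is answered by the ASA, then the encrypted IKE_AUTH request (message id 1) is retransmitted until the retransmission limit is hit with no response at all. "Auth exchange failed" here therefore means the peer dropped IKE_AUTH, not that it rejected the credentials (a rejection would arrive as a response carrying an AUTHENTICATION_FAILED notify). The Python script below is an added example, not code from the thread: it replays a constructed subset of the posted debug lines and reports which exchange stalled. The function names, the verdict strings and the trimmed sample are choices made for this example; the one fact it adds is that notify type 16430, which this IOS 15.4(2)T build prints as "Unknown", is IKEV2_FRAGMENTATION_SUPPORTED from RFC 7383.

```python
"""Classify an IOS 'debug crypto ikev2' failure by which exchange stalled.

Added example, not from the thread. Both a rejected AUTH payload and an
IKE_AUTH request the peer never answers end in 'Auth exchange failed';
this tells them apart by correlating REQUEST/RESPONSE lines per message id.
"""
import re
from dataclasses import dataclass

SPI_RE = re.compile(r"Initiator SPI : [0-9A-F]+ - Responder SPI : [0-9A-F]+"
                    r" Message id: (?P<mid>\d+)")
EXCH_RE = re.compile(r"IKEv2 (?P<exch>IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|"
                     r"INFORMATIONAL) Exchange (?P<dir>REQUEST|RESPONSE)")
UNKNOWN_NOTIFY_RE = re.compile(r"NOTIFY\(Unknown - (\d+)\)")
# Notify types newer than this IOS build, which it prints as "Unknown";
# 16430 is IKEV2_FRAGMENTATION_SUPPORTED (RFC 7383).
NOTIFY_NAMES = {16430: "IKEV2_FRAGMENTATION_SUPPORTED"}


@dataclass
class Exchange:
    name: str
    msg_id: int
    sent: int = 0            # first transmissions of our request
    retransmits: int = 0     # 'Retransmitting packet' resends of it
    answered: bool = False   # a RESPONSE with this message id arrived


def parse_debug(lines):
    """Return (exchanges keyed by (msg_id, name), unknown notify numbers, flags)."""
    exchanges, unknown = {}, set()
    flags = {"max_retransmissions": False, "auth_failed_notify": False}
    direction = msg_id = None   # state for the packet header being read
    retransmit = False
    for line in lines:
        if "Retransmitting packet" in line:
            retransmit = True
        elif "Sending Packet" in line:
            direction = "tx"
        elif "Received Packet" in line:
            direction = "rx"
        elif (m := SPI_RE.search(line)):
            msg_id = int(m["mid"])
        elif (m := EXCH_RE.search(line)) and direction and msg_id is not None:
            key = (msg_id, m["exch"])
            ex = exchanges.setdefault(key, Exchange(m["exch"], msg_id))
            if direction == "tx" and m["dir"] == "REQUEST":
                if retransmit:
                    ex.retransmits += 1
                else:
                    ex.sent += 1
            elif direction == "rx" and m["dir"] == "RESPONSE":
                ex.answered = True
            direction = msg_id = None
            retransmit = False
        elif "Maximum number of retransmissions reached" in line:
            flags["max_retransmissions"] = True
        elif "AUTHENTICATION_FAILED" in line:
            flags["auth_failed_notify"] = True
        unknown.update(int(n) for n in UNKNOWN_NOTIFY_RE.findall(line))
    return exchanges, unknown, flags


def diagnose(lines):
    """Map the debug to one verdict string plus the evidence behind it."""
    exchanges, unknown, flags = parse_debug(lines)
    init = exchanges.get((0, "IKE_SA_INIT"))
    auth = exchanges.get((1, "IKE_AUTH"))
    if init is None or not init.answered:
        verdict = "no_response_to_ike_sa_init"    # reachability, UDP 500, or no IKEv2 listener
    elif flags["auth_failed_notify"]:
        verdict = "peer_rejected_authentication"  # PSK or identity mismatch
    elif auth is not None and not auth.answered and flags["max_retransmissions"]:
        verdict = "ike_auth_unanswered"           # peer silently dropped the encrypted IKE_AUTH
    else:
        verdict = "incomplete_or_ok"
    return {"verdict": verdict,
            "ike_auth_retransmits": auth.retransmits if auth else 0,
            "unknown_notifies": {n: NOTIFY_NAMES.get(n, "?") for n in sorted(unknown)}}


# Constructed sample: a trimmed copy of the debug lines posted above.
SAMPLE_DEBUG = """\
*Nov 9 17:21:41.977: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Nov 9 17:21:41.979: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 212.0.0.1:500/To 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(Unknown - 16430) VID
*Nov 9 17:21:41.989: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
*Nov 9 17:21:43.944: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
*Nov 9 17:21:43.944: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
*Nov 9 17:21:47.660: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
*Nov 9 17:21:47.660: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 212.0.0.1:500/From 21.0.0.2:500/VRF i0:f0]
Initiator SPI : C391152126E47D59 - Responder SPI : 383AE0BEEE090C51 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
*Nov 9 17:23:44.147: IKEv2:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached
*Nov 9 17:23:44.147: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
"""
SAMPLE_LINES = SAMPLE_DEBUG.splitlines()

if __name__ == "__main__":
    print(diagnose(SAMPLE_LINES))
```

Run it as-is to see the verdict for the posted debug, or feed it a full terminal capture of "debug crypto ikev2" for a real case. When the verdict is ike_auth_unanswered, the next debug worth collecting is on the responder: the initiator has already proven reachability and proposal agreement by completing IKE_SA_INIT, so the silence is the responder's processing of IKE_AUTH.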

OK, same error on both sides. The devices aren't seeing each other. Make sure that they can ping each other and that nothing in transit is blocking UDP 500 and UDP 4500.

Hi Mohammed,

Nothing in the way is blocking UDP 500 or 4500, and I can ping the peer address from both sides.

IKEV2_RTR#ping 212.0.0.1 so e0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 212.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 21.0.0.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

HQASA# ping 21.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 21.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Thanks

In IOS IKEv2, please correct the local and remote identity.

Hi MHM,

Can you let me know what they should be please, as I thought that they were correct?

Local is the IOS router, 21.0.0.2.

Remote, 212.0.0.1, is the HQASA (the peer from IOS).

crypto ikev2 profile ASA_VTI_PROFILE
match identity remote address 212.0.0.1 255.255.255.255
identity local address 21.0.0.2
authentication remote pre-share
authentication local pre-share
keyring local KEYRING
dpd 10 2 on-demand

Thanks,

This is good. On the tunnel interface, can you remove the tunnel mode command?

***** please remember to rate useful posts

Hi Mohammed,

That's brought the tunnel up as a GRE tunnel on the router side; the ASA tunnel is still showing as down/down, as I believe the ASA is not capable of doing GRE tunnels.

IKEV2_RTR#sh crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 21.0.0.2

protected vrf: (none)
local ident (addr/mask/prot/port): (21.0.0.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (212.0.0.1/255.255.255.255/47/0)
current_peer 212.0.0.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 14, #recv errors 0

local crypto endpt.: 21.0.0.2, remote crypto endpt.: 212.0.0.1
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

Thanks for your help with this so far Mohammed - much appreciated.
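The replies above turn on three IOS-side settings (the transform set's mode, whether the Tunnel interface runs IPsec or GRE, and the peer address in the IKEv2 profile and keyring) plus, per the accepted solution, the ASA release. The ASA has no GRE tunnel interface, so a Tunnel interface left in its default GRE mode on the router has nothing to peer with; the show crypto ipsec sa output above, with protocol 47 in the local and remote idents, is what that looks like. The following Python script is an added example, not code from the thread: it lints a constructed IOS config for those points and gates the ASA version on 9.8(1), the release the accepted solution reports as the first with IKEv2 on VTI. The profile block is the one posted above (abbreviated); the keyring, transform set, IPsec profile, Tunnel1 addressing and the finding codes are assumptions made for the example.

```python
"""Preflight an IOS IKEv2 VTI config and the ASA peer's release.

Added example, not from the thread. Checks: transform set in 'mode tunnel';
Tunnel interface has 'tunnel mode ipsec ipv4' (otherwise it is GRE, which an
ASA cannot terminate); IKEv2 profile and keyring peer equal the tunnel
destination; ASA release is 9.8(1) or later for IKEv2 on a VTI.
"""
import re


def parse_ios(text):
    """Split an IOS config into {block header: [indented sub-lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def _block(blocks, prefix):
    # Lines of the first block whose header starts with prefix, else None.
    return next((v for k, v in blocks.items() if k.startswith(prefix)), None)


def _arg(lines, prefix, index=-1):
    # Token at `index` of the first line starting with prefix, else None.
    for line in lines:
        if line.startswith(prefix):
            return line.split()[index]
    return None


def lint_ios_vti(text):
    """Return finding codes for every Tunnel interface protected by IPsec."""
    blocks, findings = parse_ios(text), []
    for header, lines in blocks.items():
        if not header.startswith("interface Tunnel"):
            continue
        prof_name = _arg(lines, "tunnel protection ipsec profile")
        if prof_name is None:
            continue   # plain GRE tunnel without IPsec, out of scope
        dest = _arg(lines, "tunnel destination")
        if not any(l.startswith("tunnel mode ipsec") for l in lines):
            findings.append("TUNNEL_MODE_GRE")
        prof = blocks.get("crypto ipsec profile " + prof_name, [])
        ts_name = _arg(prof, "set transform-set")
        ts = _block(blocks, "crypto ipsec transform-set %s " % ts_name) or []
        if "mode transport" in ts:
            findings.append("TRANSFORM_TRANSPORT_MODE")
        ikev2 = blocks.get("crypto ikev2 profile %s" % _arg(prof, "set ikev2-profile"), [])
        if _arg(ikev2, "match identity remote address", 4) != dest:
            findings.append("MATCH_IDENTITY_NOT_TUNNEL_DEST")
        keyring = blocks.get("crypto ikev2 keyring %s" % _arg(ikev2, "keyring local"), [])
        if _arg(keyring, "address ") != dest:
            findings.append("KEYRING_PEER_NOT_TUNNEL_DEST")
    return findings


ASA_VERSION_RE = re.compile(r"(\d+)\.(\d+)\((\d+)\)(\d*)")


def asa_version_tuple(version):
    """'9.7(1)4' -> (9, 7, 1, 4): interim builds sort after the base release."""
    m = ASA_VERSION_RE.search(version)
    if not m:
        raise ValueError("unrecognised ASA version: %r" % version)
    major, minor, maint, interim = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0))


def asa_supports_ikev2_vti(version):
    """IKEv2 on a VTI needs ASA 9.8(1) or later, per the accepted solution."""
    return asa_version_tuple(version) >= (9, 8, 1, 0)


# Constructed IOS config. The ikev2 profile is the one posted in the thread
# (abbreviated); keyring, transform set, IPsec profile and Tunnel1 are assumed
# and carry the two mistakes discussed (transport mode, no 'tunnel mode').
BROKEN_CONFIG = """\
crypto ikev2 keyring KEYRING
 peer HQASA
  address 212.0.0.1
  pre-shared-key REDACTED
crypto ikev2 profile ASA_VTI_PROFILE
 match identity remote address 212.0.0.1 255.255.255.255
 identity local address 21.0.0.2
 keyring local KEYRING
crypto ipsec transform-set TS esp-aes 256 esp-sha512-hmac
 mode transport
crypto ipsec profile IPSEC_PROFILE
 set transform-set TS
 set ikev2-profile ASA_VTI_PROFILE
interface Tunnel1
 ip address 10.255.0.2 255.255.255.252
 tunnel source Ethernet0/0
 tunnel destination 212.0.0.1
 tunnel protection ipsec profile IPSEC_PROFILE
"""
FIXED_CONFIG = BROKEN_CONFIG.replace(" mode transport", " mode tunnel").replace(
    " tunnel destination", " tunnel mode ipsec ipv4\n tunnel destination")

if __name__ == "__main__":
    print(lint_ios_vti(BROKEN_CONFIG), lint_ios_vti(FIXED_CONFIG))
    print(asa_supports_ikev2_vti("9.7(1)4"), asa_supports_ikev2_vti("9.8(4)29"))
```

Paste the running config of the router into BROKEN_CONFIG's place to lint a real box; the version gate takes the string from "show version" on the ASA. Note that a version that passes the gate only means the feature exists; the peer's policies, proposals and PSK still have to agree, which is what the first example's debug analysis verifies.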

The VTI tunnel on the router shows as line up, protocol down, but on the ASA side the tunnel interface shows as down/down.

That is what I am thinking about now.

The tunnel is down/down, so:

"no shutdown" under the VTI tunnel in the ASA to make it up/down;

make traffic go through the tunnel to make it up/up.

Try pinging using the LAN behind the tunnel, not the tunnel source and destination.

Hi MHM,

I have a continuous ping running between two PCs, one on each LAN, and have tried a no shut on the tunnel interface on the ASA; I have even deleted the tunnel interface and recreated it, with no joy.

I spun up another router this afternoon and was able to create a route-based IKEv2 VTI VPN with no problem, so I suspect the issue lies at the ASA end, but for the life of me I can't see where.

Thanks

In the ASA, is the tunnel up/down now?

Hi MHM,

The tunnel still shows as down/down.

Thanks