Site-to-site IKEv2 FlexVPN failing to establish: Authentication Failed

Omar Badawi
Level 1

Hi,

I am establishing a FlexVPN tunnel between 2x ISR routers and it's failing; I can see that authentication failed, but I can't see why.

Please find below part of the debugging output I'm getting.

Server Side: (RESPONDER)

Apr 2 16:50:58.573 Summer: IKEv2:Using mlist FLEXVPN and username BYBIV2 for group author request
Apr 2 16:50:58.574 Summer: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
Apr 2 16:50:58.574 Summer: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
Apr 2 16:50:58.575 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Received valid config mode data
Apr 2 16:50:58.575 Summer: IKEv2:Config data recieved:
Apr 2 16:50:58.575 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Config-type: Config-request
Apr 2 16:50:58.575 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: ipv4-dns, length: 0
Apr 2 16:50:58.575 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: ipv4-dns, length: 0
Apr 2 16:50:58.575 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: ipv4-nbns, length: 0
Apr 2 16:50:58.575 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: ipv4-nbns, length: 0
Apr 2 16:50:58.575 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: ipv4-subnet, length: 0
Apr 2 16:50:58.576 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: ipv6-dns, length: 0
Apr 2 16:50:58.576 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: ipv6-subnet, length: 0
Apr 2 16:50:58.576 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: app-version, length: 253, data: Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Sun 08-Jul-18 04:33 by mcpre
Apr 2 16:50:58.576 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: split-dns, length: 0
Apr 2 16:50:58.576 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: banner, length: 0
Apr 2 16:50:58.576 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: config-url, length: 0
Apr 2 16:50:58.576 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: backup-gateway, length: 0
Apr 2 16:50:58.576 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Attrib type: def-domain, length: 0
Apr 2 16:50:58.576 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Set received config mode data
Apr 2 16:50:58.577 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Processing IKE_AUTH message
Apr 2 16:50:58.577 Summer: IKEv2:
FlexVPN-Server#deb crypto ikev2 a% DVTI create request sent for profile BYBIV2 with PSH index 1.

Apr 2 16:50:58.577 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):
FlexVPN-Server#deb crypto ikev2 a
Apr 2 16:51:00.560 Summer: IKEv2-ERROR:: Negotiation context locked currently in use
FlexVPN-Server#deb crypto ikev2 a
Apr 2 16:51:04.304 Summer: IKEv2-ERROR:: Negotiation context locked currently in use
FlexVPN-Server#deb crypto ikev2 a
Apr 2 16:51:11.612 Summer: IKEv2-ERROR:: Negotiation context locked currently in use
FlexVPN-Server#deb crypto ikev2 a
Apr 2 16:51:23.577 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Verification of peer's authentication data FAILED
Apr 2 16:51:23.577 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Sending authentication failure notify
Apr 2 16:51:23.577 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

Apr 2 16:51:23.577 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Sending Packet [To 212.126.105.117:5120/From 172.16.2.81:4500/VRF i0:f0]
Initiator SPI : 999AEA6551D4A578 - Responder SPI : F0AA1B5993763926 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE

Client Side: (INITIATOR)

Apr 2 18:21:38.064 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Completed SA init exchange
Apr 2 18:21:38.064 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: INIT_DONE Event: EV_CHK4_ROLE
Apr 2 18:21:38.064 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
Apr 2 18:21:38.065 Summer: IKEv2-INTERNAL:Sending config data to toolkit
Apr 2 18:21:38.065 Summer: IKEv2:Config data to send:
Apr 2 18:21:38.065 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Config-type: Config-request
Apr 2 18:21:38.065 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: ipv4-dns, length: 0
Apr 2 18:21:38.065 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: ipv4-dns, length: 0
Apr 2 18:21:38.065 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: ipv4-nbns, length: 0
Apr 2 18:21:38.066 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: ipv4-nbns, length: 0
Apr 2 18:21:38.066 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: ipv4-subnet, length: 0
Apr 2 18:21:38.066 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: ipv6-dns, length: 0
Apr 2 18:21:38.066 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: ipv6-subnet, length: 0
Apr 2 18:21:38.066 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: app-version, length: 253, data: Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.6.4, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Sun 08-Jul-18 04:33 by mcpre
Apr 2 18:21:38.066 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: split-dns, length: 0
Apr 2 18:21:38.067 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: banner, length: 0
Apr 2 18:21:38.067 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: config-url, length: 0
Apr 2 18:21:38.067 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: backup-gateway, length: 0
Apr 2
hub-erbil#18:21:38.067 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Attrib type: def-domain, length: 0
Apr 2 18:21:38.067 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Have config mode data to send
Apr 2 18:21:38.069 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_CHK_EAP
Apr 2 18:21:38.069 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Check for EAP exchange
Apr 2 18:21:38.069 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
Apr 2 18:21:38.069 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Generate my authentication data
Apr 2 18:21:38.069 Summer: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Apr 2 18:21:38.069 Summer: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Apr 2 18:21:38.069 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
Apr 2 18:21:38.069 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Get my authentication method
Apr 2 18:21:38.069 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):My authentication method is 'RSA'
Apr 2 18:21:38.070 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_SIGN
Apr 2 18:21:38.070 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Sign authentication data
Apr 2 18:21:38.070 Summer: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
Apr 2 18:21:38.071 Summer: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
Apr 2 18:21:38.071 Summer: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
Apr 2 18:21:38.078 Summer: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
Apr 2 18:21:38.079 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_NO_EVENT
Apr 2 18:21:38.079 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_OK_RECD_SIG
Apr 2 18:21:38.079 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Authentication material has been sucessfully signed
Apr 2 18:21:38.080 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
Apr 2 18:21:38.080 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Check for EAP exchange
Apr 2 18:21:38.080 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 0 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
Apr 2 18:21:38.081 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Generating IKE_AUTH message
Apr 2 18:21:38.081 Summer: IKEv2-INTERNAL:Construct Vendor Specific Payload: CISCO-GRANITE
Apr 2 18:21:38.081 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Constructing IDi payload: 'hub-erbil.byblosbank.com.lb' of type 'FQDN'
Apr 2 18:21:38.082 Summer: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Apr 2 18:21:38.082 Summer: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'CA-SERVER'
Apr 2 18:21:38.082 Summer: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Apr 2 18:21:38.083 Summer: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Apr 2 18:21:38.083 Summer: IKEv2-INTERNAL:Construct Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED
Apr 2 18:21:38.083 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
3DES MD596 Don't use ESN
Apr 2 18:21:38.084 Summer: IKEv2-INTERNAL:Construct Notify Payload: INITIAL_CONTACT
Apr 2 18:21:38.085 Summer: IKEv2-INTERNAL:Construct Notify Payload: SET_WINDOW_SIZE
Apr 2 18:21:38.085 Summer: IKEv2-INTERNAL:Construct Notify Payload: ESP_TFC_NO_SUPPORT
Apr 2 18:21:38.085 Summer: IKEv2-INTERNAL:Construct Notify Payload:
hub-erbil#NON_FIRST_FRAGS
Apr 2 18:21:38.085 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi CERT CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

Apr 2 18:21:38.088 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Sending Packet [To 80.79.153.81:4500/From 192.168.33.13:4500/VRF i0:f0]
Initiator SPI : EE5D2B8C1B683796 - Responder SPI : 01507C54DE1EA9BA Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

Apr 2 18:21:38.090 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
Apr 2 18:21:39.980 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Apr 2 18:21:39.980 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Retransmitting packet

Apr 2 18:21:39.980 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Sending Packet [To 80.79.153.81:4500/From 192.168.33.13:4500/VRF i0:f0]
Initiator SPI : EE5D2B8C1B683796 - Responder SPI : 01507C54DE1EA9BA Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

Apr 2 18:21:39.981 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
Apr 2 18:21:43.948 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Apr 2 18:21:43.948 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Retransmitting packet

Apr 2 18:21:43.949 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Sending Packet [To 80.79.153.81:4500/From 192.168.33.13:4500/VRF i0:f0]
Initiator SPI : EE5D2B8C1B683796 - Responder SPI : 01507C54DE1EA9BA Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

Apr 2 18:21:43.949 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
hub-erbil#
Apr 2 18:21:51.613 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Apr 2 18:21:51.614 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Retransmitting packet

Apr 2 18:21:51.614 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Sending Packet [To 80.79.153.81:4500/From 192.168.33.13:4500/VRF i0:f0]
Initiator SPI : EE5D2B8C1B683796 - Responder SPI : 01507C54DE1EA9BA Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

Apr 2 18:21:51.614 Summer: IKEv2-INTERNAL:(SESSION ID = 3683,SA ID = 1):
hub-erbil#SM Trace-> SA: I_SPI=EE5D2B8C1B683796 R_SPI=01507C54DE1EA9BA (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
hub-erbil#
Apr 2 18:22:03.251 Summer: IKEv2-INTERNAL:Got a packet from dispatcher

Apr 2 18:22:03.251 Summer: IKEv2-INTERNAL:Processing an item off the pak queue

Apr 2 18:22:03.251 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Received Packet [From 80.79.153.81:4500/To 192.168.33.13:4500/VRF i0:f0]
Initiator SPI : EE5D2B8C1B683796 - Responder SPI : 01507C54DE1EA9BA Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:

Apr 2 18:22:03.252 Summer: IKEv2-INTERNAL:Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(
hub-erbil#AUTHENTICATION_FAILED)
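The debug output above is interleaved with console prompts and some records are split across lines, which makes the sequence of events hard to follow. Below is an added example (my own Python, not code from this thread or from Cisco) that reassembles such output and summarizes the IKE_AUTH exchange: the authentication method and IDi the initiator sent, how many retransmissions happened before a reply arrived, any IKEv2-ERROR lines, and which notify or verification message ended the exchange. The sample lines are constructed, abbreviated copies of the two debugs posted above; the prompt pattern ('hostname#' optionally followed by the echoed 'deb crypto ikev2 ...' command) is an assumption about the console format.

```python
import re

# Constructed sample: abbreviated copies of the initiator-side debug posted above,
# including the console prompt fragments that IOS interleaves with debug output.
INITIATOR_DEBUG = """\
Apr 2 18:21:38.064 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Completed SA init exchange
Apr 2 18:21:38.069 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):My authentication method is 'RSA'
Apr 2 18:21:38.081 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Constructing IDi payload: 'hub-erbil.byblosbank.com.lb' of type 'FQDN'
Apr 2 18:21:38.088 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Sending Packet [To 80.79.153.81:4500/From 192.168.33.13:4500/VRF i0:f0]
Apr 2 18:21:39.980 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Retransmitting packet
Apr 2 18:21:43.948 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Retransmitting packet
Apr 2
hub-erbil#18:21:51.614 Summer: IKEv2:(SESSION ID = 3683,SA ID = 1):Retransmitting packet
hub-erbil#
Apr 2 18:22:03.252 Summer: IKEv2-INTERNAL:Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(
hub-erbil#AUTHENTICATION_FAILED)
"""

# Constructed sample: abbreviated copy of the responder-side debug posted above.
RESPONDER_DEBUG = """\
Apr 2 16:50:58.577 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Processing IKE_AUTH message
FlexVPN-Server#deb crypto ikev2 a
Apr 2 16:51:00.560 Summer: IKEv2-ERROR:: Negotiation context locked currently in use
Apr 2 16:51:23.577 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Verification of peer's authentication data FAILED
Apr 2 16:51:23.577 Summer: IKEv2:(SESSION ID = 16653,SA ID = 1):Sending authentication failure notify
"""

# Assumed console format: 'hostname#' optionally followed by the echoed debug command.
PROMPT = re.compile(r"^[\w.-]+#(?:deb\w* crypto ikev2 \w+)?", re.M)
# A record starts with a month and day ('Apr 2'); anything else continues the previous record.
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2}\b")
TIMESTAMP = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+) ")
AUTH_METHOD = re.compile(r"My authentication method is '([^']+)'")
IDI = re.compile(r"Constructing IDi payload: '([^']+)' of type '([^']+)'")


def clean_console(text):
    """Strip interleaved prompts and rejoin debug records that were split across lines."""
    records = []
    for raw in PROMPT.sub("", text).splitlines():
        line = raw.rstrip()
        if not line:
            continue  # a line that was only a prompt or an echoed command
        if records and not RECORD_START.match(line):
            sep = "" if records[-1].endswith("(") else " "
            records[-1] += sep + line.lstrip()
        else:
            records.append(line)
    return records


def summarize_ike_auth(text):
    """Reduce a debug capture to the facts worth comparing between the two peers."""
    s = {"sessions": set(), "auth_method": None, "idi": None, "retransmits": 0,
         "errors": [], "verdict": None, "first": None, "last": None}
    for line in clean_console(text):
        ts = TIMESTAMP.match(line)
        if ts:
            s["first"] = s["first"] or ts[1]
            s["last"] = ts[1]
        sess = re.search(r"SESSION ID = (\d+)", line)
        if sess:
            s["sessions"].add(int(sess[1]))
        am = AUTH_METHOD.search(line)
        if am:
            s["auth_method"] = am[1]
        idi = IDI.search(line)
        if idi:
            s["idi"] = idi[1]
        if "Retransmitting packet" in line:
            s["retransmits"] += 1
        if "IKEv2-ERROR::" in line:
            s["errors"].append(line.split("IKEv2-ERROR::", 1)[1].strip())
        # Received notify (initiator side) versus local verification failure (responder side).
        if "Parse Notify Payload: AUTHENTICATION_FAILED" in line:
            s["verdict"] = "received AUTHENTICATION_FAILED notify"
        elif "authentication data FAILED" in line:
            s["verdict"] = "could not verify peer's AUTH payload"
    return s


if __name__ == "__main__":
    for name, capture in (("initiator", INITIATOR_DEBUG), ("responder", RESPONDER_DEBUG)):
        summary = summarize_ike_auth(capture)
        print(name, {k: (sorted(v) if isinstance(v, set) else v) for k, v in summary.items()})
```

Run on the two captures, the summaries line up the way the thread describes: the initiator signs with RSA, sends IDi 'hub-erbil.byblosbank.com.lb', retransmits the IKE_AUTH request three times and then receives AUTHENTICATION_FAILED, while the responder reports that it could not verify the peer's authentication data. Comparing the 'idi' and 'auth_method' values against what the responder's profile expects is the first check to make when the verdicts look like this.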

 

2 Replies

Cristian Matei
VIP Alumni

Hi,

Can you post the config from both sides?

 

Regards,

Cristian Matei.

Hi Cristian,

Please note the below.

As I understood, the client is sending config data to the server containing all empty attributes except for app-version, which is populated with details like the IOS version and platform ID; the server is authenticating this and sending failed. I don't know why, or where I set this option to send config, and I don't know what the server is authenticating it against. Those are my findings.

Please note that previously I tried to configure attribute maps and removed the configs later; is it possible that they are still there somehow? I reloaded the router where I configured them.

Also note the below status for show crypto ikev2 sa detailed on both sides.

(Of course I changed the public IPs to 100.100.100.100 and 200.200.200.200. Also, could the problem be in NAT? Both devices are behind NAT; one of them (the server side) has a static NAT to public on the firewall, the other one doesn't have a public IP and is behind an ISP router.)

 

FlexVPN-Server#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 172.16.2.81/4500 100.100.100.100/5120 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Life/Active Time: 86400/0 sec
CE id: 1337, Session-id: 0
Status Description: Responder verifying AUTH payload
Local spi: 12CCBE0421B1A8CF Remote spi: 078B94E54180829C
Local id: FlexVpn-Server.byblosbank.com.lb
Remote id: hub-erbil.byblosbank.com.lb
Local req msg id: 0 Remote req msg id: 1
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 1
Local window: 1 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : No

hub-erbil#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.33.13/4500 200.200.200.200/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
CE id: 21580, Session-id: 0
Status Description: Initiator waiting for AUTH response
Local spi: 03BEBE6DD431A4D7 Remote spi: DC21E61E864639D3
Local id: hub-erbil.byblosbank.com.lb
Remote id:
Local req msg id: 1 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 1 Remote req queued: 0
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA

Below is the configuration on both sides.

Thank you.

Server:

aaa authentication login default enable
aaa authentication login telnet group tacacs+ enable
aaa authentication login console line
aaa authorization exec telnet group tacacs+ none
aaa authorization commands 15 telnet group tacacs+ none
aaa authorization network FLEXVPN local
aaa accounting exec telnet
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+

crypto pki trustpoint CA-SERVER-TP
enrollment url http://10.1.8.81:80
serial-number
subject-name cn=FelxVpn-Server.trustbank.com.sa,ou=server
revocation-check none
!
!
!
crypto pki certificate map CLIENT 5
subject-name co atm-01
subject-name co fdo3746ae74
!
crypto pki certificate map CLIENT 6
subject-name co hub-erbil
!
crypto ikev2 authorization policy BYBIV2
route set interface
route set access-list flex-routes
!
crypto ikev2 proposal BYBIV2
encryption aes-cbc-256
integrity sha512
group 5
!
crypto ikev2 policy BYBIV2
proposal BYBIV2
!
!
crypto ikev2 profile BYBIV2
match certificate CLIENT
identity local fqdn FlexVpn-Server.trustbank.com.sa
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA-SERVER-TP
aaa authorization group cert list FLEXVPN BYBIV2
virtual-template 1 mode auto
!
crypto ipsec transform-set BYBTS esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile BYBFLEX
set transform-set BYBTS
set ikev2-profile BYBIV2
!
!
!
crypto identity 10.1.8.81
!

interface Loopback20
ip address 10.242.1.1 255.255.0.0
!

interface GigabitEthernet0/0/0
ip address 10.1.8.81 255.255.255.0
negotiation auto

interface Virtual-Template1 type tunnel
ip unnumbered Loopback20
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile BYBFLEX
!
!
router eigrp 5
network 10.0.0.0
network 192.168.113.0
passive-interface GigabitEthernet0/0/0
passive-interface GigabitEthernet0/0/1

ip access-list standard flex-routes
permit 10.0.0.0
!


Client:

aaa authentication login default enable
aaa authentication login console line
aaa authentication login telnet group tacacs+ enable
aaa authentication login userlist local
aaa authorization exec telnet group tacacs+ none
aaa authorization commands 15 telnet group tacacs+ none
aaa authorization network groupauthor local
aaa authorization network FLEXVPN local
aaa accounting exec telnet
action-type start-stop
group tacacs+
!
aaa accounting commands 15 default
action-type start-stop
group tacacs+

crypto pki trustpoint CA-SERVER
enrollment url http://10.1.8.81:80
serial-number
subject-name OU=hub-erbil
revocation-check none
!
crypto pki certificate map server 6
subject-name co server
!


crypto ikev2 authorization policy BYBIV2
route set interface
route set access-list flex-routes
!
crypto ikev2 proposal BYBIV2
encryption aes-cbc-256
integrity sha512
group 5
!
crypto ikev2 policy BYBIV2
proposal BYBIV2
!
!
crypto ikev2 profile BYBIV2
match certificate server
identity local fqdn hub-erbil.trustbank.com.sa
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint CA-SERVER
!
!
crypto ipsec transform-set BYBTS esp-3des esp-md5-hmac
mode tunnel
!
crypto ipsec profile BYBFLEX
set transform-set BYBTS
set ikev2-profile BYBIV2
!
interface Loopback33
ip address 10.242.150.33 255.255.0.0

interface Tunnel2933
description fLEX to Ho
ip unnumbered Loopback33
tunnel source GigabitEthernet0/0/0.11
tunnel mode ipsec ipv4
tunnel destination 80.79.153.81
tunnel protection ipsec profile BYBFLEX
!

interface GigabitEthernet0/0/0.11
description servers data
bandwidth 100000
encapsulation dot1Q 11
ip flow monitor accounting output
ip address 192.168.33.13 255.255.255.0
standby 2 ip 192.168.33.3
standby 2 timers 2 4
standby 2 priority 110
standby 2 preempt delay minimum 3
ip tcp adjust-mss 800
delay 10
h323-gateway voip interface
h323-gateway voip id ho-gatekeeper.trustbank.com.sa ipaddr 10.250.1.6 1719
h323-gateway voip id my-gatekeeper.trustbank.com.sa ipaddr 10.250.2.6 1719
h323-gateway voip h323-id erbil
h323-gateway voip tech-prefix 933
h323-gateway voip bind srcaddr 192.168.33.13
ip virtual-reassembly


router eigrp 10
network 10.9.9.0 0.0.0.255
network 192.168.0.0 0.0.255.255
network 192.168.0.0
redistribute eigrp 5
!
!
router eigrp 5
distribute-list 2 out Tunnel150
distribute-list 2 out Tunnel201
distribute-list 2 out Tunnel1933
network 10.0.0.0
network 192.168.33.0
network 192.168.113.0
redistribute connected
redistribute static
redistribute eigrp 10
distance eigrp 5 5
passive-interface default
no passive-interface Tunnel34
no passive-interface Tunnel35
no passive-interface Tunnel150
no passive-interface Tunnel201
no passive-interface Tunnel934
no passive-interface Tunnel1933
no passive-interface Tunnel2933
!
ip access-list standard flex-routes
permit 192.168.33.0
!
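Two checks a practitioner would run on the material in this post, as an added example (my own Python, not code from the thread or from Cisco): first, parse the 'show crypto ikev2 sa detailed' output from both peers and pull out the fields that matter for an IKE_AUTH failure (status, authentication methods, local and remote identities, NAT-T, ports); second, emulate how a 'crypto pki certificate map' with 'subject-name co' rules selects a peer, because the 'match certificate' line in each ikev2 profile only applies to a peer whose certificate subject satisfies the map. The SA samples are abbreviated copies of the outputs posted above; the certificate subjects are constructed from the posted trustpoint 'subject-name' lines, not taken from any real certificate; and the matching model (rules inside one sequence are ANDed, sequences are ORed, substring comparison is case-insensitive) is this example's assumption about IOS behaviour. The code reports what it sees and does not claim to identify the cause of this particular failure.

```python
import re

# Constructed samples, abbreviated from the 'show crypto ikev2 sa detailed' outputs posted above.
SERVER_SA = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 172.16.2.81/4500 100.100.100.100/5120 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: RSA
Status Description: Responder verifying AUTH payload
Local id: FlexVpn-Server.byblosbank.com.lb
Remote id: hub-erbil.byblosbank.com.lb
NAT-T is detected inside
Initiator of SA : No
"""

CLIENT_SA = """\
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.33.13/4500 200.200.200.200/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: RSA, Auth verify: Unknown - 0
Status Description: Initiator waiting for AUTH response
Local id: hub-erbil.byblosbank.com.lb
Remote id:
NAT-T is detected inside
Initiator of SA : Yes
"""

SA_LINE = re.compile(r"^\d+\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+\S+/\S+\s+(\S+)\s*$", re.M)
FIELDS = {  # '[ \t]*' rather than '\s*' so an empty value does not swallow the next line
    "auth_sign": r"Auth sign:[ \t]*([^,\n]+)",
    "auth_verify": r"Auth verify:[ \t]*([^,\n]+)",
    "description": r"Status Description:[ \t]*(.*)",
    "local_id": r"Local id:[ \t]*(.*)",
    "remote_id": r"Remote id:[ \t]*(.*)",
    "initiator": r"Initiator of SA[ \t]*:[ \t]*(\S+)",
}


def parse_ikev2_sa(text):
    """Extract the fields an engineer checks first from 'show crypto ikev2 sa detailed'."""
    m = SA_LINE.search(text)
    if not m:
        raise ValueError("no IKEv2 SA line found")
    sa = {"local": m[1], "local_port": int(m[2]), "remote": m[3],
          "remote_port": int(m[4]), "status": m[5]}
    for key, pat in FIELDS.items():
        f = re.search(pat, text)
        sa[key] = f[1].strip() if f else ""
    sa["nat_t"] = "NAT-T is detected" in text
    return sa


def findings(sa):
    """Plain-language observations, each tied to a parsed field; not a diagnosis."""
    out = []
    if sa["status"] == "IN-NEG":
        out.append("SA still negotiating: " + sa["description"])
    if sa["auth_verify"].startswith("Unknown"):
        out.append("peer's AUTH payload not verified yet (no IKE_AUTH response seen)")
    if not sa["remote_id"]:
        out.append("remote identity not yet learned")
    if sa["nat_t"]:
        out.append("NAT-T in use: UDP/%d <-> UDP/%d must pass both NATs"
                   % (sa["local_port"], sa["remote_port"]))
    return out


# Certificate maps as posted in the two configs above (sequence -> required substrings).
SERVER_CERT_MAP = {5: ["atm-01", "fdo3746ae74"], 6: ["hub-erbil"]}
CLIENT_CERT_MAP = {6: ["server"]}

# Constructed subjects shaped after the posted trustpoint 'subject-name' lines; the
# serial-number value is a placeholder, not a real device serial.
CLIENT_CERT_SUBJECT = "serialNumber=EXAMPLE0001+hostname=hub-erbil,OU=hub-erbil"
SERVER_CERT_SUBJECT = "cn=FelxVpn-Server.trustbank.com.sa,ou=server"  # as written in the posted config


def cert_map_matches(cert_map, subject):
    """Return the map sequences whose 'subject-name co' rules all match the subject.

    Assumed model: rules within one sequence are ANDed, sequences are ORed, and the
    substring comparison is case-insensitive. An empty result means the ikev2
    profile's 'match certificate <map>' never selects this peer."""
    subj = subject.lower()
    return [seq for seq, needles in cert_map.items()
            if all(n.lower() in subj for n in needles)]


if __name__ == "__main__":
    for name, text in (("server", SERVER_SA), ("client", CLIENT_SA)):
        sa = parse_ikev2_sa(text)
        print(name, sa["status"], sa["local_id"], "->", sa["remote_id"] or "(none)")
        for f in findings(sa):
            print("  -", f)
    print("server map selects client cert:", cert_map_matches(SERVER_CERT_MAP, CLIENT_CERT_SUBJECT))
    print("client map selects server cert:", cert_map_matches(CLIENT_CERT_MAP, SERVER_CERT_SUBJECT))
```

The SA parse makes the asymmetry in the posted outputs explicit: the responder has already learned the remote identity and is stuck at 'verifying AUTH payload', while the initiator has no remote identity and 'Auth verify: Unknown', and both report NAT-T with the responder seeing the peer on UDP/5120 rather than 4500. The certificate-map emulation is the companion check: feed it the actual subject from 'show crypto pki certificates' on each router, and if no sequence matches, the profile selection is where to look next.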