Unwanted IKEv2 requests every minutes

stephane35
Level 1

Hello,

I have a hub and spoke topology with IPsec tunnels (FlexVPN) and the tunnels are working well.

The problem is that I have unwanted IKEv2 requests every minute, while the IPsec tunnel is already established to the hub.

When the tunnel is administratively shut down, the unwanted IKEv2 requests continue.

Only the tunnel is using the IPsec/IKEv2 profile and the smart profiles are disabled on the router.

So I don't understand which process can send these IKE requests.

Here is the debug on the hub from these requests:

Jan 30 16:38:09.643 UTC: IKEv2:Received Packet [From x.x.x.x:500/To x.x.x.x:500/VRF i0:f0]
Initiator SPI : AA1A43B492F7B7E7 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Jan 30 16:38:09.644 UTC: IKEv2-PAK:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 354
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 48
  last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
 KE  Next payload: N, reserved: 0x0, length: 72
    DH group: 19, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 36
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: VID, reserved: 0x0, length: 19
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
 NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)  Next payload: VID, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
 VID  Next payload: NONE, reserved: 0x0, length: 20

Jan 30 16:38:09.651 UTC: IKEv2:(SESSION ID = 907513,SA ID = 49):Sending Packet [To x.x.x.x:500/From x.x.x.x:500/VRF i0:f0]
Initiator SPI : AA1A43B492F7B7E7 - Responder SPI : AD7760A99C62A431 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Jan 30 16:38:09.651 UTC: IKEv2-PAK:(SESSION ID = 907513,SA ID = 49):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 399
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 48
  last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA512
    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA512
    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
 KE  Next payload: N, reserved: 0x0, length: 72
    DH group: 19, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 36
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: VID, reserved: 0x0, length: 19
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: Unknown - 0, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 45
    Cert encoding X.509 Certificate - signature
 NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)  Next payload: VID, reserved: 0x0, length: 8
    Security protocol id: Unknown - 0, spi size: 0, type: IKEV2_FRAGMENTATION_SUPPORTED
 VID  Next payload: NONE, reserved: 0x0, length: 20

From the spoke, the IKE request is not caught by the debug, but the response from the hub generates an error:

Jan 30 17:09:38.220 UTC: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From x.x.x.x:500/To x.x.x.x:500/VRF i0:f0]
Initiator SPI : D25C5A1E83AF2C48 - Responder SPI : 733C7D9C5E83D58F Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Jan 30 17:09:38.220 UTC: IKEv2-PAK:(SESSION ID = 0,SA ID = 0):Next payload: SA, version: 2.0
Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 399
Jan 30 17:09:38.220 UTC: IKEv2-ERROR:: A supplied parameter is incorrect
Jan 30 17:09:53.035 UTC: IKEv2-INTERNAL:Got a packet from dispatcher
Jan 30 17:09:53.035 UTC: IKEv2-INTERNAL:Processing an item off the pak queue
Jan 30 17:09:53.035 UTC: IKEv2-INTERNAL:Couldn't find matching SA
Jan 30 17:09:53.035 UTC: IKEv2-ERROR:Couldn't find matching SA: Detected an invalid IKE SPI

If you have any idea, please let me know.

10 Replies

sadks
Cisco Employee

Hi,

Hmm... that is strange. Were these debugs taken simultaneously? Because the SPI values don't match.

Also, can you take captures on spoke? I would like to know if any packet is leaving the device.
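Added example, not from this thread or from Cisco: a small Python parser for the "debug crypto ikev2" header format pasted above that correlates REQUEST and RESPONSE packets by initiator SPI, so a debug capture from either device shows which responses have no matching request (the condition the spoke logs as "Couldn't find matching SA"). The sample debug text is constructed from the headers quoted above; the 192.0.2.x/198.51.100.x addresses are placeholders for the x.x.x.x in the posts.

```python
import re
# Header patterns for the IOS "debug crypto ikev2" output pasted in this thread:
# a Received/Sending Packet line, then the SPI line, then the exchange line.
PKT_RE = re.compile(r"^(?P<ts>\w{3} \d+ [\d:.]+) \w+: IKEv2:.*?(?P<dir>Received|Sending) Packet "
                    r"\[(?:From|To) (?P<peer>[\w.]+):\d+/")
SPI_RE = re.compile(r"Initiator SPI : (?P<ispi>[0-9A-F]+) - Responder SPI : (?P<rspi>[0-9A-F]+)")
XCHG_RE = re.compile(r"^IKEv2 (?P<xchg>\w+) Exchange (?P<kind>REQUEST|RESPONSE)")

def parse_packets(debug_text):
    """Return one dict per packet header with ts, dir, peer, ispi, rspi, xchg, kind."""
    packets, cur = [], None
    for line in debug_text.splitlines():
        m = PKT_RE.match(line)
        if m:
            cur = m.groupdict()
            packets.append(cur)
        elif cur is not None:
            for rx in (SPI_RE, XCHG_RE):
                m = rx.search(line)
                if m:
                    cur.update(m.groupdict())
    return packets

def orphan_responses(packets):
    """RESPONSEs whose initiator SPI never appeared in an earlier REQUEST seen by this
    device; the spoke logs exactly this as "Couldn't find matching SA"."""
    seen, orphans = set(), []
    for p in packets:
        if p.get("kind") == "REQUEST":
            seen.add(p.get("ispi"))
        elif p.get("kind") == "RESPONSE" and p.get("ispi") not in seen:
            orphans.append(p)
    return orphans

# Constructed samples modelled on the hub and spoke debugs quoted in the thread (SPI values
# from the posts; documentation-range addresses stand in for x.x.x.x).
HUB_DEBUG = """\
Jan 30 16:38:09.643 UTC: IKEv2:Received Packet [From 192.0.2.10:500/To 198.51.100.1:500/VRF i0:f0]
Initiator SPI : AA1A43B492F7B7E7 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Jan 30 16:38:09.651 UTC: IKEv2:(SESSION ID = 907513,SA ID = 49):Sending Packet [To 192.0.2.10:500/From 198.51.100.1:500/VRF i0:f0]
Initiator SPI : AA1A43B492F7B7E7 - Responder SPI : AD7760A99C62A431 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
"""
SPOKE_DEBUG = """\
Jan 30 17:09:38.220 UTC: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 198.51.100.1:500/To 192.0.2.10:500/VRF i0:f0]
Initiator SPI : D25C5A1E83AF2C48 - Responder SPI : 733C7D9C5E83D58F Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
"""
```

Run `orphan_responses(parse_packets(text))` on a debug capture from each side; the hub sample yields nothing, while the spoke sample flags the response with initiator SPI D25C... because no REQUEST with that SPI was logged on the spoke.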


Hello @sadks

You are right, it's not the same logs; I made a copy.

I will try a capture with "debug ip packet" and see if the first IKE packet is caught.

Can I see the config of IKEv2 in hub and spoke?
MHM

Hello @MHM Cisco World,

Here is my config:

For hub:

crypto ikev2 authorization policy auth-FlexVPN
 route set interface
!
crypto ikev2 proposal IkeV2Proposal
 encryption aes-cbc-256
 integrity sha512
 group 19
no crypto ikev2 proposal default
!
crypto ikev2 policy IkeV2Policy
 proposal IkeV2Proposal
no crypto ikev2 policy default
!
crypto ikev2 profile IkeV2Profile
 match identity remote fqdn domain xxx.com
 identity local fqdn hub.xxx.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-PROD
 lifetime 14600
 aaa authorization group cert list aaa-auth auth-FlexVPN
 virtual-template 20
!
crypto ikev2 dpd 25 15 on-demand
no crypto ikev2 http-url cert
crypto ikev2 fragmentation
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
crypto ipsec profile IpsecProfile
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 14100
 set transform-set ESP-AES-256-SHA-512
 set pfs group19
 set ikev2-profile IkeV2Profile
 responder-only
!
interface Virtual-Template20 type tunnel
 bandwidth 30000
 ip unnumbered Loopback240
 ip mtu 1700
 logging event subif-link-status
 delay 10
 tunnel source Loopback10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IpsecProfile
!

For the spoke:

crypto ikev2 authorization policy auth-FlexVPN
 route set interface
!
crypto ikev2 proposal IkeV2Proposal
 encryption aes-cbc-256
 integrity sha512
 group 19
no crypto ikev2 proposal default
!
crypto ikev2 policy IkeV2Policy
 proposal IkeV2Proposal
no crypto ikev2 policy default
!
crypto ikev2 profile IkeV2Profile
 match identity remote fqdn domain xxx.com
 identity local fqdn spokex.xxx.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint PKI-PROD
 lifetime 14600
 aaa authorization group cert list aaa-auth auth-FlexVPN
!
crypto ikev2 dpd 25 15 on-demand
no crypto ikev2 http-url cert
crypto ikev2 fragmentation
!
crypto ipsec transform-set ESP-AES-256-SHA-512 esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
crypto ipsec profile IpsecProfile
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 14000
 set transform-set ESP-AES-256-SHA-512
 set pfs group19
 set ikev2-profile IkeV2Profile
!
no crypto ipsec profile default
!
interface Tunnel10
 bandwidth 1000
 ip unnumbered Loopback55
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1700
 load-interval 30
 delay 10
 tunnel source Vlan31
 tunnel mode ipsec ipv4
 tunnel destination x.x.x.x
 tunnel protection ipsec profile IpsecProfile
!


The identity for local and remote, I think, is wrong.

In the hub you use local identity fqdn hub and remote domain.

In the spoke local is fqdn and remote is fqdn of hub or its IP.

Double check again.

Thanks 

MHM

Yes, I made a mistake when I replaced the domain name, but it's ok now.

I'm using the domain name to catch the desired ike profile.

Stephane

The traffic is hub to spoke only 

No spoke to spoke?

MHM

Yes, only hub to spoke.

Stephane

Domain corrected

and I don't see anything wrong except a lifetime mismatch: one 14000 and the other 14100.

MHM


Hi friend 

Did you match the lifetime? IKEv2, unlike IKEv1, lets each peer use a different lifetime. This makes one peer ask to establish a new tunnel and the other peer reject it, since it already has one active tunnel.

Match it 

Thanks 

MHM
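Added example, not from the thread or from Cisco: a Python check that parses two IOS config excerpts by indentation and reports the settings on which hub and spoke disagree, which surfaces the 14100 vs 14000 IPsec SA lifetime mismatch MHM spotted by eye. The list of compared settings (KEYS) is my assumption; the config excerpts are constructed from the posts above.

```python
import re

def parse_ios(config_text):
    """Group an IOS config into {top-level command: [child lines]} by indentation."""
    blocks, cur = {}, None
    for line in config_text.splitlines():
        if not line.strip() or line.startswith("!"):
            cur = None
        elif line.startswith(" ") and cur is not None:
            blocks[cur].append(line.strip())
        elif not line.startswith(" "):
            cur = line.rstrip()
            blocks.setdefault(cur, [])
    return blocks

# Per-block settings both peers must agree on (assumed list for this example).
KEYS = {
    "crypto ikev2 proposal": r"^(encryption|integrity|group) (.+)$",
    "crypto ikev2 profile": r"^(lifetime) (\d+)$",
    "crypto ipsec profile": r"^set (security-association lifetime seconds|pfs) (.+)$",
}

def setting_values(blocks):
    """Flatten comparable settings into {(block type, setting name): value}."""
    out = {}
    for cmd, children in blocks.items():
        for prefix, pattern in KEYS.items():
            if cmd.startswith(prefix + " "):
                for m in filter(None, map(re.compile(pattern).match, children)):
                    out[(prefix, m.group(1))] = m.group(2)
    return out

def mismatches(hub_cfg, spoke_cfg):
    """Return [(block type, setting, hub value, spoke value)] where the peers disagree."""
    h, s = setting_values(parse_ios(hub_cfg)), setting_values(parse_ios(spoke_cfg))
    return sorted((b, k, h.get((b, k)), s.get((b, k)))
                  for b, k in set(h) | set(s) if h.get((b, k)) != s.get((b, k)))

# Constructed excerpts of the hub and spoke configs posted in the thread.
HUB_CFG = """\
crypto ikev2 profile IkeV2Profile
 lifetime 14600
!
crypto ipsec profile IpsecProfile
 set security-association lifetime seconds 14100
 set pfs group19
"""
SPOKE_CFG = HUB_CFG.replace("14100", "14000")
```

`mismatches(HUB_CFG, SPOKE_CFG)` returns the single disagreeing setting, the IPsec SA lifetime in seconds, with both values, and an empty list once the two sides are aligned.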