10-19-2018 07:43 AM
Hi,
I try to establish a VPN connection between an ASR 1001-x and a partner's Watchguard firewall.
First our environment (ASR 1001-x):
- "public" facing interface with vlan (behind another firewall, ports opened for IPSec): just a vlan with ip address and default route, no vrf
- private interface with vlan in separate vrf with ip address configured
- using IPSec static VTI with configuration (copied relevant information):

ip vrf v2
crypto ikev2 proposal v2-proposal
 encryption 3des
 integrity sha1
 group 14
crypto ikev2 policy 401
 proposal v2-proposal
crypto ikev2 keyring v2-keyring
 peer v2
  address "peers public ip"
  pre-shared-key xxx
crypto ikev2 profile ikev2-profile
 match identity remote address "peers public ip" 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local v2-keyring
crypto ipsec transform-set v2-set esp-3des esp-sha-hmac
 mode tunnel
crypto ipsec profile v2-ipsec-profile
 set security-association lifetime seconds 28800
 set transform-set v2-set
 set ikev2-profile ikev2-profile
interface Tunnel2
 ip vrf forwarding v2
 ip unnumbered "private vlan interface"
 tunnel source "public vlan interface"
 tunnel mode ipsec ipv4
 tunnel destination "peers public ip"
 tunnel protection ipsec profile v2-ipsec-profile
ip route vrf v2 "peers private network with subnetmask" Tunnel2

Here is the output of debug log (debug crypto ipsec and debug crypto ikev2):

Oct 19 14:33:26.289: IPSEC: still in use sa: 0x7F725EA79FB0
Oct 19 14:33:26.290: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:27.319: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet
Oct 19 14:33:27.319: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:33:27.445: %LINK-3-UPDOWN: Interface Tunnel401, changed state to up
Oct 19 14:33:29.448: IPSEC:(SESSION ID = 2333125) (RESP_ONLY mode) connection initiation rejected
Oct 19 14:33:29.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:30.280: IPSEC: still in use sa: 0x7F725EA7A868
Oct 19 14:33:30.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:31.111: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet
Oct 19 14:33:31.111: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:33:33.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:34.280: IPSEC: still in use sa: 0x7F725F24A1D0
Oct 19 14:33:34.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:37.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:38.279: IPSEC: still in use sa: 0x7F725EA7A960
Oct 19 14:33:38.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:38.990: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet
Oct 19 14:33:38.990: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:33:39.176: IPSEC:(SESSION ID = 2415894) (RESP_ONLY mode) connection initiation rejected
Oct 19 14:33:41.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:42.279: IPSEC: still in use sa: 0x7F725EA79EB8
Oct 19 14:33:42.279: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:45.604: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:46.280: IPSEC: still in use sa: 0x7F725F9DBEB8
Oct 19 14:33:46.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:49.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:50.279: IPSEC: still in use sa: 0x7F725EA7A868
Oct 19 14:33:50.279: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:53.417: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet
Oct 19 14:33:53.417: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:33:53.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:54.280: IPSEC: still in use sa: 0x7F725F9DBFB0
Oct 19 14:33:54.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:33:55.446: IPSEC:(SESSION ID = 2412964) (key_engine) request timer fired: count = 1, (identity) local= 172.16.20.49:0, remote= xxx:0, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0
Oct 19 14:33:55.447: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 172.16.20.49:500, remote= xxx:500, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0, protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel), lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 19 14:33:55.447: KMI: (Session ID: 2412964) IPSEC key engine sending message KEY_ENG_REQUEST_SAS to Crypto IKEv2.
Oct 19 14:33:55.447: KMI: (Session ID: 2412964) Crypto IKEv2 received message KEY_ENG_REQUEST_SAS from IPSEC key engine.
Oct 19 14:33:55.447: IKEv2:(SESSION ID = 2412964,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Oct 19 14:33:55.447: IKEv2:(SESSION ID = 2412964,SA ID = 2):Request queued for computation of DH key
Oct 19 14:33:55.450: IKEv2:(SESSION ID = 2412964,SA ID = 2):Generating IKE_SA_INIT message
Oct 19 14:33:55.450: IKEv2:(SESSION ID = 2412964,SA ID = 2):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 3DES SHA1 SHA96 DH_GROUP_2048_MODP/Group 14
Oct 19 14:33:55.450: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:500/From 172.16.20.49:500/VRF i0:f0] Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
Oct 19 14:33:55.450: IKEv2:(SESSION ID = 2412964,SA ID = 2):Insert SA
Oct 19 14:33:55.506: IKEv2:(SESSION ID = 2412964,SA ID = 2):Received Packet [From xxx:500/To 172.16.20.49:500/VRF i0:f0] Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID
Oct 19 14:33:55.506: IKEv2:(SESSION ID = 2412964,SA ID = 2):Processing IKE_SA_INIT message
Oct 19 14:33:55.506: IKEv2:(SESSION ID = 2412964,SA ID = 2):Verify SA init message
Oct 19 14:33:55.506: IKEv2:(SESSION ID = 2412964,SA ID = 2):Processing IKE_SA_INIT message
Oct 19 14:33:55.507: IKEv2:(SESSION ID = 2412964,SA ID = 2):Checking NAT discovery
Oct 19 14:33:55.507: IKEv2:(SESSION ID = 2412964,SA ID = 2):NAT INSIDE found
Oct 19 14:33:55.507: IKEv2:(SESSION ID = 2412964,SA ID = 2):NAT detected float to init port 4500, resp port 4500
Oct 19 14:33:55.508: IKEv2:(SESSION ID = 2412964,SA ID = 2):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Oct 19 14:33:55.508: IKEv2:(SESSION ID = 2412964,SA ID = 2):Request queued for computation of DH secret
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Completed SA init exchange
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Config-type: Config-request
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-dns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-dns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-nbns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-nbns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv4-subnet, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv6-dns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: ipv6-subnet, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: app-version, length: 250, data: Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.6(1)S3, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Mon 21-Nov-16 17:55 by mcpre
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: split-dns, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: banner, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: config-url, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: backup-gateway, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Attrib type: def-domain, length: 0
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Have config mode data to send
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Check for EAP exchange
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Generate my authentication data
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Use preshared key for id 172.16.20.49, key len 32
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):Get my authentication method
Oct 19 14:33:55.511: IKEv2:(SESSION ID = 2412964,SA ID = 2):My authentication method is 'PSK'
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Check for EAP exchange
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Generating IKE_AUTH message
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Constructing IDi payload: '172.16.20.49' of type 'IPv4 address'
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 3DES SHA96 Don't use ESN
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Building packet for encryption. Payload contents: VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Oct 19 14:33:55.512: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:33:57.400: IKEv2:(SESSION ID = 2412964,SA ID = 2):Retransmitting packet
Oct 19 14:33:57.400: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:33:57.604: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:33:58.280: IPSEC: still in use sa: 0x7F725EA7A960
Oct 19 14:33:58.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:01.278: IKEv2:(SESSION ID = 2412964,SA ID = 2):Retransmitting packet
Oct 19 14:34:01.278: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:34:01.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:02.280: IPSEC: still in use sa: 0x7F725EBF97A8
Oct 19 14:34:02.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:05.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:06.280: IPSEC: still in use sa: 0x7F725F9DBEB8
Oct 19 14:34:06.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:08.772: IKEv2:(SESSION ID = 2412964,SA ID = 2):Retransmitting packet
Oct 19 14:34:08.773: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:34:09.606: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:10.280: IPSEC: still in use sa: 0x7F725EEE3908
Oct 19 14:34:10.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:13.604: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:14.280: IPSEC: still in use sa: 0x7F725EBF96B0
Oct 19 14:34:14.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:17.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:18.279: IPSEC: still in use sa: 0x7F725F9DBFB0
Oct 19 14:34:18.279: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:19.261: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 149.221.199.15' to manually clear IPSec SA's covered by this IKE SA.
Oct 19 14:34:21.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:22.280: IPSEC: still in use sa: 0x7F725EBF97A8
Oct 19 14:34:22.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:24.501: IKEv2:(SESSION ID = 2412964,SA ID = 2):Retransmitting packet
Oct 19 14:34:24.501: IKEv2:(SESSION ID = 2412964,SA ID = 2):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : CBAF5FA18E9AC6B4 - Responder SPI : 587973C50CE72B09 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:34:25.329: IKEv2:(SESSION ID = 2412964,SA ID = 1):Retransmitting packet
Oct 19 14:34:25.329: IKEv2:(SESSION ID = 2412964,SA ID = 1):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : 51C6E4441A4299E3 - Responder SPI : 1417C372C05C0B2C Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:34:25.448: IPSEC:(SESSION ID = 2412964) (key_engine) request timer fired: count = 2, (identity) local= 172.16.20.49:0, remote= xxx:0, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0
Oct 19 14:34:25.448: IPSEC(sa_request): , (key eng. msg.) OUTBOUND local= 172.16.20.49:500, remote= xxx:500, local_proxy= 0.0.0.0/0.0.0.0/256/0, remote_proxy= 0.0.0.0/0.0.0.0/256/0, protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel), lifedur= 28800s and 4608000kb, spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 19 14:34:25.448: KMI: (Session ID: 2412964) IPSEC key engine sending message KEY_ENG_REQUEST_SAS to Crypto IKEv2.
Oct 19 14:34:25.448: KMI: (Session ID: 2412964) Crypto IKEv2 received message KEY_ENG_REQUEST_SAS from IPSEC key engine.
Oct 19 14:34:25.448: IKEv2:(SESSION ID = 2412964,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
Oct 19 14:34:25.449: IKEv2:(SESSION ID = 2412964,SA ID = 3):Request queued for computation of DH key
Oct 19 14:34:25.451: IKEv2:(SESSION ID = 2412964,SA ID = 3):Generating IKE_SA_INIT message
Oct 19 14:34:25.451: IKEv2:(SESSION ID = 2412964,SA ID = 3):IKE Proposal: 1, SPI size: 0 (initial negotiation), Num. transforms: 4 3DES SHA1 SHA96 DH_GROUP_2048_MODP/Group 14
Oct 19 14:34:25.451: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:500/From 172.16.20.49:500/VRF i0:f0] Initiator SPI : 76DE30EC45285D69 - Responder SPI : 0000000000000000 Message id: 0 IKEv2 IKE_SA_INIT Exchange REQUEST Payload contents: SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
Oct 19 14:34:25.451: IKEv2:(SESSION ID = 2412964,SA ID = 3):Insert SA
Oct 19 14:34:25.507: IKEv2:(SESSION ID = 2412964,SA ID = 3):Received Packet [From xxx:500/To 172.16.20.49:500/VRF i0:f0] Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 0 IKEv2 IKE_SA_INIT Exchange RESPONSE Payload contents: SA KE N NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID
Oct 19 14:34:25.507: IKEv2:(SESSION ID = 2412964,SA ID = 3):Processing IKE_SA_INIT message
Oct 19 14:34:25.507: IKEv2:(SESSION ID = 2412964,SA ID = 3):Verify SA init message
Oct 19 14:34:25.507: IKEv2:(SESSION ID = 2412964,SA ID = 3):Processing IKE_SA_INIT message
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):Checking NAT discovery
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):NAT INSIDE found
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):NAT detected float to init port 4500, resp port 4500
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
Oct 19 14:34:25.509: IKEv2:(SESSION ID = 2412964,SA ID = 3):Request queued for computation of DH secret
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Completed SA init exchange
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Config-type: Config-request
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-dns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-dns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-nbns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-nbns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv4-subnet, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv6-dns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: ipv6-subnet, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: app-version, length: 250, data: Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.6(1)S3, RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2016 by Cisco Systems, Inc. Compiled Mon 21-Nov-16 17:55 by mcpre
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: split-dns, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: banner, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: config-url, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: backup-gateway, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Attrib type: def-domain, length: 0
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Have config mode data to send
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Check for EAP exchange
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Generate my authentication data
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Use preshared key for id 172.16.20.49, key len 32
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Get my authentication method
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):My authentication method is 'PSK'
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Check for EAP exchange
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Generating IKE_AUTH message
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Constructing IDi payload: '172.16.20.49' of type 'IPv4 address'
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), Num. transforms: 3 3DES SHA96 Don't use ESN
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Building packet for encryption. Payload contents: VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
Oct 19 14:34:25.512: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:34:25.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:26.280: IPSEC: still in use sa: 0x7F725F9DBEB8
Oct 19 14:34:26.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:27.471: IKEv2:(SESSION ID = 2412964,SA ID = 3):Retransmitting packet
Oct 19 14:34:27.471: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:34:29.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:29.871: IPSEC:(SESSION ID = 2333125) (RESP_ONLY mode) connection initiation rejected
Oct 19 14:34:30.280: IPSEC: still in use sa: 0x7F725EA7A868
Oct 19 14:34:30.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:31.114: IKEv2:(SESSION ID = 2412964,SA ID = 3):Retransmitting packet
Oct 19 14:34:31.114: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:34:31.496:
Oct 19 14:34:33.604: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:34.279: IPSEC: still in use sa: 0x7F725EBF96B0
Oct 19 14:34:34.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:37.605: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
Oct 19 14:34:38.280: IPSEC: still in use sa: 0x7F725F9DBFB0
Oct 19 14:34:38.280: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Oct 19 14:34:38.567: IKEv2:(SESSION ID = 2412964,SA ID = 3):Retransmitting packet
Oct 19 14:34:38.567: IKEv2:(SESSION ID = 2412964,SA ID = 3):Sending Packet [To xxx:4500/From 172.16.20.49:4500/VRF i0:f0] Initiator SPI : 76DE30EC45285D69 - Responder SPI : 8357AA04D9BB0E11 Message id: 1 IKEv2 IKE_AUTH Exchange REQUEST Payload contents: ENCR
Oct 19 14:34:39.601: IPSEC:(SESSION ID = 2415902) (RESP_ONLY mode) connection initiation rejected

What could be the problem? Thanks in advance.
Regards,