Ikev2 Tunnel status " Ready "

Yahya
Level 1

Dear Experts!

I am a beginner with VPN configs. I am trying to bring the tunnel up and I've done all the configuration required from my side. After all that, it is showing many tunnels with status "ready". I don't know what the issue is!

My device is a Cisco ISR4321/K9; the peer side is a non-Cisco device.

Below is the result of # sh cry ikev2 sa (attached: Screenshot 2024-01-17 233417.png)


1 Accepted Solution

Friend, add "detail" to the command and share the result.
MHM


25 Replies

Is this a route-based VPN?

Can you share the crypto session details?

MHM


1- Is this a route-based VPN?

I did not get your question.

2- Can you share the crypto session details?

Sure


I don't see anything wrong except the lifetime: one side uses 300, the other uses a longer one.
Can you match them?
MHM

I have changed it many times, but still same status!

deb crypto ikev2 internal

deb crypto ikev2 packet

 

*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Process NAT discovery notify
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):No NAT found
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_INIT Event: EV_CHK_CONFIG_MODE
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_SET_POLICY
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Setting configured policies
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_CHK_AUTH4PKI
*Jan 17 22:33:03.406: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_PKI_SESH_OPEN
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Opening a PKI session
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GEN_DH_KEY
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_NO_EVENT
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Action: Action_Null
*Jan 17 22:33:03.407: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GEN_DH_SECRET
*Jan 17 22:33:03.484: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_NO_EVENT
*Jan 17 22:33:03.485: IKEv2-INTERNAL:(SESSION ID = 648,SA ID = 217):SM Trace-> SA: I_SPI=6CE6E3808F2D75AD R_SPI=4E54FC53C25AEFEF (I) MsgID = 1 CurState: INFO_I_WAIT Event: EV_RE_XMT
*Jan 17 22:33:03.485: IKEv2-INTERNAL:(SESSION ID = 648,SA ID = 217):SM Trace-> SA: I_SPI=6CE6E3808F2D75AD R_SPI=4E54FC53C25AEFEF (I) MsgID = 1 CurState: INFO_I_WAIT Event: unknown event
*Jan 17 22:33:03.485: IKEv2-PAK:(SESSION ID = 648,SA ID = 217):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 1, length: 72
Payload contents:
ENCR Next payload: DELETE, reserved: 0x0, length: 44

*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 648,SA ID = 217):SM Trace-> SA: I_SPI=6CE6E3808F2D75AD R_SPI=4E54FC53C25AEFEF (I) MsgID = 1 CurState: INFO_I_WAIT Event: EV_NO_EVENT
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_OK_RECD_DH_SECRET_RESP
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Action: Action_Null
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GEN_SKEYID
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):Generate skeyid
*Jan 17 22:33:03.486: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_GET_CONFIG_MODE
*Jan 17 22:33:03.487: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):No config data to send to toolkit:
*Jan 17 22:33:03.487: IKEv2-INTERNAL:(SESSION ID = 922,SA ID = 221):SM Trace-> SA: I_SPI=C3D15E494526DB9C R_SPI=22096482C48E801B (R) MsgID = 0 CurState: R_BLD_INIT Event: EV_BLD_MSG
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: DELETE-REASON
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: CISCOVPN-REV-02
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Sending DRU Handshake
*Jan 17 22:33:03.487: IKEv2-INTERNAL:(221): Sending custom vendor id : CISCO-DYNAMIC-ROUTE
*Jan 17 22:33:03.487: IKEv2-INTERNAL:Construct Vendor Specific Payload: (CUSTOM)
*Jan 17 22:33:03.487: IKEv2-IN
Gtel_test#TERNAL:Construct Vendor Specific Payload: (CUSTOM)
*Jan 17 22:33:03.968: IKEv2-PAK:(SESSION ID = 572,SA ID = 182):Next payload: ENCR, version: 2.0 Exchange type: INFORMATIONAL, flags: RESPONDER Message id: 1, length: 72
Payload contents:
ENCR Next payload: DELETE, reserved: 0x0, length: 44

*Jan 17 22:33:03.968: IKEv2-INTERNAL:(SESSION ID = 572,SA ID = 182):SM Trace-> SA: I_SPI=9FAAF7B9595D4F3E R_SPI=E0AFC2801BC02625 (I) MsgID = 1 CurState: INFO_I_WAIT Event: EV_NO_EVENT
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: READY Event: EV_CHK_IKE_REKEY
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: READY Event: EV_REKEY_IKESA
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):Action: Action_Null
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_INIT Event: EV_REKEY_IKESA
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_REKEY_IKESA
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_GET_IKE_POLICY
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.017: IKEv2-INTERNAL:Adding Proposal PROP2 to toolkit policy
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SA ID = 184):Using IKEv2 profile 'IKEv2PROF2'
*Jan 17 22:33:04.017: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_SET_POLICY
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):Setting configured policies
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_GEN_DH_KEY
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_NO_EVENT
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.018: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_OK_RECD_DH_PUBKEY_RESP
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):Action: Action_Null
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: CHILD_I_IKE Event: EV_BLD_MSG
*Jan 17 22:33:04.019: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.019: IKEv2-INTERNAL:Construct Notify Payload: SET_WINDOW_SIZE
Payload contents:
SA Next payload: N, reserved: 0x0, length: 52
last proposal: 0x0, reserved: 0x0, length: 48
Proposal: 1, Protocol id: IKE, SPI size: 8, #trans: 4 last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
N Next payload: KE, reserved: 0x0, length: 36
KE Next payload: NOTIFY, reserved: 0x0, length: 140
DH group: 21, Reserved: 0x0
NOTIFY(SET_WINDOW_SIZE) Next payload: NONE, reserved: 0x0, length: 12
Security protocol id: Unknown - 0, spi size: 0, type: SET_WINDOW_SIZE

*Jan 17 22:33:04.020: IKEv2-PAK:(SESSION ID = 689,SA ID = 184):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: RESPONDER Message id: 0, length: 304
Payload contents:
ENCR Next payload: SA, reserved: 0x0, length: 276

*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 0 CurState: CHILD_I_IKE Event: EV_INSERT_SA
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 0 CurState: CHILD_I_WAIT Event: EV_NO_EVENT
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 232): Child SA: I_SPI=3707C011A2A2117C R_SPI=0000000000000000
Gtel_test#und
Gtel_test#undebug a
Gtel_test#undebug all

device# debug ikev2 error

Can you share this?
Thanks


*Jan 17 23:14:14.712: IKEv2-ERROR:(SESSION ID = 2947,SA ID = 32):: Maximum number of retransmissions reached
*Jan 17 23:14:20.394: IKEv2-ERROR:(SESSION ID = 2952,SA ID = 37):: Maximum number of retransmissions reached

*Jan 17 23:14:25.845: IKEv2-ERROR:(SESSION ID = 2953,SA ID = 38):: Maximum number of retransmissions reached

*Jan 17 23:14:28.455: IKEv2-ERROR:(SESSION ID = 2958,SA ID = 44):: Maximum number of retransmissions reached

*Jan 17 23:14:32.425: IKEv2-ERROR:(SESSION ID = 2964,SA ID = 50):: Maximum number of retransmissions reached

#sh monitor event-trace crypto ikev2 error latest

*Jan 17 23:38:29.355: SA ID:120 SESSION ID:4080 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed

*Jan 17 23:38:36.896: SA ID:273 SESSION ID:4084 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed

*Jan 17 23:38:40.300: SA ID:316 SESSION ID:4087 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed
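As an added example (not from the thread and not Cisco's code), a Python triage helper for the two output shapes quoted above: it groups the "debug crypto ikev2" and event-trace lines by SESSION ID / SA ID, records the last state-machine state and any failure message per session, and parses the SA payload transform dump so that legacy algorithms such as 3DES stand out. The sample lines are copied from the thread; the transform-type names follow RFC 7296 and the "legacy" set is this example's own choice.

```python
import re
from collections import defaultdict

# Debug lines carry "(SESSION ID = n,SA ID = m)", event-trace lines "SA ID:m SESSION ID:n".
DEBUG_RE = re.compile(r"\(SESSION ID = (\d+),SA ID = (\d+)\)")
TRACE_RE = re.compile(r"SA ID:(\d+) SESSION ID:(\d+)")
STATE_RE = re.compile(r"CurState: (\S+) Event:")
TRANSFORM_RE = re.compile(r"type: (\d), reserved: 0x0, id: (.+)")
TRANSFORM_TYPES = {1: "ENCR", 2: "PRF", 3: "INTEG", 4: "DH"}  # RFC 7296 section 3.3.2
LEGACY_ALGORITHMS = {"DES", "3DES", "MD5"}  # example's own list of algorithms to phase out
FAILURES = ("Maximum number of retransmissions reached", "Create child exchange failed")

def session_key(line):
    """Return (session_id, sa_id) for a line in either shape, else None."""
    m = DEBUG_RE.search(line)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = TRACE_RE.search(line)
    return (int(m.group(2)), int(m.group(1))) if m else None

def triage(log_text):
    """Group lines by session: last state-machine state seen plus any failure messages."""
    sessions = defaultdict(lambda: {"last_state": None, "errors": []})
    for line in log_text.splitlines():
        key = session_key(line)
        if key is None:
            continue
        st = STATE_RE.search(line)
        if st:
            sessions[key]["last_state"] = st.group(1)
        sessions[key]["errors"] += [p for p in FAILURES if p in line]
    return dict(sessions)

def parse_proposal(payload_dump):
    """Map transform type names to algorithm ids from a packet-debug SA payload dump."""
    return {TRANSFORM_TYPES[int(t)]: a.strip() for t, a in TRANSFORM_RE.findall(payload_dump)}

def legacy_algorithms(proposal):
    """Algorithms in a parsed proposal that appear in LEGACY_ALGORITHMS."""
    return sorted(a for a in proposal.values() if a in LEGACY_ALGORITHMS)

# Constructed samples, copied from the output quoted in the thread.
SAMPLE_LOG = """\
*Jan 17 22:33:04.016: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 1 CurState: READY Event: EV_REKEY_IKESA
*Jan 17 22:33:04.021: IKEv2-INTERNAL:(SESSION ID = 689,SA ID = 184):SM Trace-> SA: I_SPI=5A88EADE3E38EA79 R_SPI=4D6C7C5BC46F6C8D (I) MsgID = 0 CurState: CHILD_I_WAIT Event: EV_NO_EVENT
*Jan 17 23:14:14.712: IKEv2-ERROR:(SESSION ID = 2947,SA ID = 32):: Maximum number of retransmissions reached
*Jan 17 23:38:29.355: SA ID:120 SESSION ID:4080 Remote: X.X.X.132/500 Local: X.X.X.219/500 Negotiation aborted due to ERROR: Create child exchange failed
"""
SAMPLE_PROPOSAL = ("type: 1, reserved: 0x0, id: 3DES\ntype: 2, reserved: 0x0, id: SHA256\n"
                   "type: 3, reserved: 0x0, id: SHA256\ntype: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21")
print(triage(SAMPLE_LOG), legacy_algorithms(parse_proposal(SAMPLE_PROPOSAL)))
```

Sessions whose last_state is CHILD_I_WAIT with no further progress, or whose errors list is non-empty, are the ones to compare against the peer's proposal and lifetimes.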


So have we solved this first error message?
If yes,
can you share the phase II config and transform set? I think there is a mismatch now.
MHM

#sh run | sec crypto

crypto ipsec transform-set XXX esp-3des esp-sha256-hmac
mode tunnel

# interested traffic #

1312 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
1313 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132

no crypto ipsec nat-transparency udp-encapsulation


crypto map CMAP 20 ipsec-isakmp
set peer X.X.1.132
set transform-set XXX
set pfs group21
set ikev2-profile IKEv2PROF2

interface g0/0/1
match address 102

set pfs group21 <<- mostly PFS is the issue here, can you change the group?

1312 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
1313 permit ip host X.X.X.219 host { peer server ip ] > behind X.X.1.132
I will assume that the peer server IP is different.
MHM

Let's say we need my server in my company to reach the two servers inside the ISP's company for some reason. However, the peer IP is the gateway and I can ping it, but the server IPs are inside their company, behind the peer X.X.1.132.

Sorry, I don't get your last reply.

Can you elaborate more?

Thanks 

MHM
