Failing to form IKEv2 IPSec Tunnel between FTD and IOS VPN Router

Hello,

I am currently having issues establishing an IPsec tunnel between an FTD and an IOS router. It looks as if they get past Phase 1 but then perhaps fail on establishing the IPsec tunnel. I have posted the IOS configuration as well as my debug messages when sending interesting traffic from the IOS router to the FTD. Thanks.


IOS Router Configuration:

--------------------------

crypto ikev2 proposal QTS-IKEv2-PROPOSAL
encryption des
integrity sha1
group 14
!
crypto ikev2 policy QTS-IKEv2-POLICY
proposal QTS-IKEv2-PROPOSAL
!
crypto ikev2 keyring QTS-IKEv2-KEYRING
peer QTS-FTD
address 200.200.1.2
pre-shared-key 45ijPH0jCMy6Xhv3D/SoMHdPHTwGWvSI
!
!
!
crypto ikev2 profile QTS-IKEv2-PROFILE
match identity remote address 200.200.1.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local QTS-IKEv2-KEYRING
!
!
!
crypto ipsec transform-set QTS-TSET esp-des esp-sha-hmac
mode tunnel
!
!
!
crypto map QTS-IKEv2-CRYPTO-MAP 10 ipsec-isakmp
set peer 200.200.1.2
set transform-set QTS-TSET
set pfs group14
set ikev2-profile QTS-IKEv2-PROFILE
match address QTS-IKEv2-CRYPTO-ACL
reverse-route static
!

ip access-list extended QTS-IKEv2-CRYPTO-ACL
permit ip 172.16.1.0 0.0.0.15 10.0.0.0 0.0.0.255
permit ip 172.16.92.0 0.0.3.255 10.0.0.0 0.0.0.255
permit ip 172.16.97.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 172.16.98.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 172.16.99.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 172.16.128.0 0.0.3.255 10.0.0.0 0.0.0.255
permit ip 172.16.188.0 0.0.3.255 10.0.0.0 0.0.0.255
permit ip 172.16.192.0 0.0.3.255 10.0.0.0 0.0.0.255
permit ip 172.16.250.0 0.0.1.254 10.0.0.0 0.0.0.255
permit ip 172.30.197.32 0.0.0.31 10.0.0.0 0.0.0.255
permit ip 192.168.194.32 0.0.0.31 10.0.0.0 0.0.0.255
permit ip 172.16.90.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.15 172.16.0.0 0.15.255.255
permit ip 172.16.92.0 0.0.3.255 172.16.0.0 0.15.255.255
permit ip 172.16.97.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 172.16.98.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 172.16.99.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 172.16.128.0 0.0.3.255 172.16.0.0 0.15.255.255
permit ip 172.16.188.0 0.0.3.255 172.16.0.0 0.15.255.255
permit ip 172.16.192.0 0.0.3.255 172.16.0.0 0.15.255.255
permit ip 172.16.250.0 0.0.1.254 172.16.0.0 0.15.255.255
permit ip 172.30.197.32 0.0.0.31 172.16.0.0 0.15.255.255
permit ip 192.168.194.32 0.0.0.31 172.16.0.0 0.15.255.255
permit ip 172.16.90.0 0.0.0.255 172.16.0.0 0.15.255.255
permit ip 10.86.0.0 0.0.31.255 172.16.0.0 0.15.255.255
permit ip 172.16.92.0 0.0.3.255 192.168.0.0 0.0.255.255
permit ip 172.16.97.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.16.98.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.16.99.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 172.16.128.0 0.0.3.255 192.168.0.0 0.0.255.255
permit ip 172.16.188.0 0.0.3.255 192.168.0.0 0.0.255.255
permit ip 172.16.192.0 0.0.3.255 192.168.0.0 0.0.255.255
permit ip 172.16.250.0 0.0.1.254 192.168.0.0 0.0.255.255
permit ip 172.30.197.32 0.0.0.31 192.168.0.0 0.0.255.255
permit ip 192.168.194.32 0.0.0.31 192.168.0.0 0.0.255.255
permit ip 172.16.90.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 10.86.0.0 0.0.31.255 192.168.0.0 0.0.255.255
permit ip 172.16.92.0 0.0.3.255 208.23.181.0 0.0.0.15
permit ip 172.16.97.0 0.0.0.255 208.23.181.0 0.0.0.15
permit ip 172.16.98.0 0.0.0.255 208.23.181.0 0.0.0.15
permit ip 172.16.99.0 0.0.0.255 208.23.181.0 0.0.0.15
permit ip 172.16.128.0 0.0.3.255 208.23.181.0 0.0.0.15
permit ip 172.16.188.0 0.0.3.255 208.23.181.0 0.0.0.15
permit ip 172.16.192.0 0.0.3.255 208.23.181.0 0.0.0.15
permit ip 172.16.250.0 0.0.1.254 208.23.181.0 0.0.0.15
permit ip 172.30.197.32 0.0.0.31 208.23.181.0 0.0.0.15
permit ip 192.168.194.32 0.0.0.31 208.23.181.0 0.0.0.15
permit ip 172.16.90.0 0.0.0.255 208.23.181.0 0.0.0.15
permit ip 10.86.0.0 0.0.31.255 208.23.181.0 0.0.0.15


DEBUG Messages captured from IOS Router:


Sending 5, 100-byte ICMP Echos to 172.16.100.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.92.1

*May 19 23:02:37.629: IKEv2:% Getting preshared key from profile keyring QTS-IKEv2-KEYRING
*May 19 23:02:37.630: IKEv2:% Matched peer block 'QTS-FTD'
*May 19 23:02:37.633: IKEv2:Searching Policy with fvrf 0, local address 100.100.1.2
*May 19 23:02:37.634: IKEv2:Found Policy 'QTS-IKEv2-POLICY'
*May 19 23:02:37.657: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*May 19 23:02:37.658: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 19 23:02:37.659: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*May 19 23:02:37.661: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*May 19 23:02:37.663: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*May 19 23:02:37.664: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
DES SHA1 SHA96 DH_GROUP_2048_MODP/Group 14

*May 19 23:02:37.671: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 200.200.1.2:500/From 100.100.1.2:500/VRF i0:f0]
Initiator SPI : 63C6ABCB7156EAEC - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*May 19 23:02:37.679: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*May 19 23:02:37.693: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 200.200.1.2:500/To 100.100.1.2:500/VRF i0:f0]
Initiator SPI : 63C6ABCB7156EAEC - Responder SPI : DE9FBA14F5A4384E Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED) VID

*May 19 23:02:37.706: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*May 19 23:02:37.706: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*May 19 23:02:37.707: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*May 19 23:02:37.712: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*May 19 23:02:37.712: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*May 19 23:02:37.713: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*May 19 23:02:37.741: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 19 23:02:37.743: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*May 19 23:02:37.745: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*May 19 23:02:37.747: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*May 19 23:02:37.749: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*May 19 23:02:37.751: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*May 19 23:02:37.752: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*May 19 23:02:37.753: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 100.100.1.2, key len 32
*May 19 23:02:37.753: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 19 23:02:37.755: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 19 23:02:37.756: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*May 19 23:02:37.757: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*May 19 23:02:37.757: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*May 19 23:02:37.758: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*May 19 23:02:37.760: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '100.100.1.2' of type 'IPv4 address'
*May 19 23:02:37.760: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
DES SHA96 Don't use ESN
*May 19 23:02:37.762: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*May 19 23:02:37.770: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 200.200.1.2:500/From 100.100.1.2:500/VRF i0:f0]
Initiator SPI : 63C6ABCB7156EAEC - Responder SPI : DE9FBA14F5A4384E Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*May 19 23:02:37.784: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 200.200.1.2:500/To 100.100.1.2:500/VRF i0:f0]
Initiator SPI : 63C6ABCB7156EAEC - Responder SPI : DE9FBA14F5A4384E Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

*May 19 23:02:37.792: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*May 19 23:02:37.794: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*May 19 23:02:37.795: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '200.200.1.2' of type 'IPv4 address'
*May 19 23:02:37.796: IKEv2:Searching Policy with fvrf 0, local address 100.100.1.2
*May 19 23:02:37.797: IKEv2:Found Policy 'QTS-IKEv2-POLICY'
*May 19 23:02:37.801: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
*May 19 23:02:37.805: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
*May 19 23:02:37.808: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
*May 19 23:02:37.808: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
*May 19 23:02:37.809: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 200.200.1.2
*May 19 23:02:37.811: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
*May 19 23:02:37.811: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 200.200.1.2, key len 32
*May 19 23:02:37.812: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 19 23:02:37.813: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 19 23:02:37.814: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
*May 19 23:02:37.815: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*May 19 23:02:37.818: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*May 19 23:02:37.819: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (200.200.1.2, 100.100.1.2) is UP
*May 19 23:02:37.822: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*May 19 23:02:37.824: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
*May 19 23:02:37.824: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
*May 19 23:02:37.825: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
*May 19 23:02:37.840: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x24D7FE94]
*May 19 23:02:37.840: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
Success rate is 0 percent (0/5)
Router#
*May 19 23:02:37.842: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window

*May 19 23:02:37.845: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 200.200.1.2:500/From 100.100.1.2:500/VRF i0:f0]
Initiator SPI : 63C6ABCB7156EAEC - Responder SPI : DE9FBA14F5A4384E Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*May 19 23:02:37.849: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*May 19 23:02:37.850: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*May 19 23:02:37.851: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x63C6ABCB7156EAEC RSPI: 0xDE9FBA14F5A4384E]
*May 19 23:02:37.852: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*May 19 23:02:37.854: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*May 19 23:02:37.855: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA

*May 19 23:02:37.870: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 200.200.1.2:500/To 100.100.1.2:500/VRF i0:f0]
Initiator SPI : 63C6ABCB7156EAEC - Responder SPI : DE9FBA14F5A4384E Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

*May 19 23:02:37.874: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*May 19 23:02:37.875: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*May 19 23:02:37.876: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs

*May 19 23:02:37.880: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 200.200.1.2:500/From 100.100.1.2:500/VRF i0:f0]
Initiator SPI : 63C6ABCB7156EAEC - Responder SPI : DE9FBA14F5A4384E Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*May 19 23:02:37.894: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 200.200.1.2:500/To 100.100.1.2:500/VRF i0:f0]
Initiator SPI : 63C6ABCB7156EAEC - Responder SPI : DE9FBA14F5A4384E Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
DELETE
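A triage helper for debug output like the one above, added here and not part of the original post or of any Cisco tool: it reads which payloads came back in each exchange, so a NO_PROPOSAL_CHOSEN that arrives in the IKE_AUTH response next to an AUTH payload (as here) is reported as a child-SA problem rather than a Phase 1 one, and it flags the DES transforms in the proposals. The excerpt and the WEAK list are constructed for this example.

```python
import re

# Constructed excerpt of the "debug crypto ikev2" output quoted in the post.
DEBUG = """\
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
Num. transforms: 3
DES SHA96 Don't use ESN
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)
"""
WEAK = {"DES", "3DES", "MD5", "MD596"}  # transforms a reviewer should flag (assumed list)

def exchange_payloads(text):
    """Map (exchange, direction) -> payload names under 'Payload contents:'."""
    lines, found = text.splitlines(), {}
    for i, line in enumerate(lines):
        m = re.match(r"IKEv2 (\w+) Exchange (REQUEST|RESPONSE)", line)
        if m and i + 2 < len(lines) and lines[i + 1] == "Payload contents:":
            found.setdefault((m.group(1), m.group(2)), lines[i + 2].split())
    return found

def proposal_transforms(text):
    """Transform names on the line after each 'Num. transforms:' header."""
    lines = text.splitlines()
    return {t for i, l in enumerate(lines) if l.startswith("Num. transforms:")
            for nxt in lines[i + 1:i + 2] for t in nxt.split()}

def triage(text):
    """Locate the failing IKEv2 stage and say which settings to compare."""
    p = exchange_payloads(text)
    init = p.get(("IKE_SA_INIT", "RESPONSE"), [])
    auth = p.get(("IKE_AUTH", "RESPONSE"), [])
    notifies = {x[7:-1] for x in auth if x.startswith("NOTIFY(")}
    r = {"ike_sa_init_ok": "SA" in init and "KE" in init,
         "peer_authenticated": "AUTH" in auth,
         "child_sa_rejected": bool(notifies & {"NO_PROPOSAL_CHOSEN", "TS_UNACCEPTABLE"}),
         "weak_transforms": sorted(proposal_transforms(text) & WEAK)}
    if not r["ike_sa_init_ok"]:
        r["verdict"] = "IKE_SA_INIT failed: compare IKEv2 proposal (encryption/integrity/DH)"
    elif not r["peer_authenticated"]:
        r["verdict"] = "IKE_AUTH failed: compare pre-shared key and identities"
    elif r["child_sa_rejected"]:
        r["verdict"] = "IKE SA up, child SA rejected: compare transform set, PFS and crypto ACL"
    else:
        r["verdict"] = "no negotiation error in this excerpt"
    return r
```

Run `triage(open("debug.txt").read())` on a saved debug capture; the ESP proposal line is where the DES transform set shows up as a weak transform.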


Config pfs and pfs dh group.

I have DH Group 14 and PFS Group 14 on the other end (FTD)

UPDATE:

After deep investigation, it was found that I had a subnet-mask mismatch in my crypto ACL on the FTD side. However, thank you for your effort and response, sir.
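A check for the mirror-image requirement the accepted answer points at, written for this thread and not taken from Cisco or the original post: it converts IOS wildcard entries (three taken from the ACL above) to prefixes, rejects a discontiguous wildcard, and lists every local selector whose exact mirror is missing from a constructed FTD-side list in which one mask is deliberately off by one bit.

```python
import ipaddress

# Constructed sample: three entries from the router's QTS-IKEv2-CRYPTO-ACL, plus the
# FTD side written as (local, remote) CIDR pairs with one mask deliberately wrong.
IOS_ACL = """\
permit ip 172.16.1.0 0.0.0.15 10.0.0.0 0.0.0.255
permit ip 172.16.92.0 0.0.3.255 10.0.0.0 0.0.0.255
permit ip 172.16.250.0 0.0.1.254 10.0.0.0 0.0.0.255
"""
FTD_PAIRS = [("10.0.0.0/24", "172.16.1.0/28"),
             ("10.0.0.0/24", "172.16.92.0/23")]  # /23 here vs /22 on the router

def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask -> network; raise if the wildcard bits are not contiguous."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # low-order ones are contiguous iff w+1 is a power of two
        raise ValueError(f"discontiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)

def parse_ios_acl(text):
    """Return ([(src_net, dst_net), ...], [problem lines]) for 'permit ip' entries."""
    selectors, problems = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            continue  # host/any keywords and other protocols are out of scope here
        try:
            selectors.append((wildcard_to_network(parts[2], parts[3]),
                              wildcard_to_network(parts[4], parts[5])))
        except ValueError as exc:
            problems.append(f"{line}: {exc}")
    return selectors, problems

def unmirrored(local_selectors, peer_pairs):
    """Local (src, dst) pairs whose exact mirror (peer remote, peer local) is absent."""
    mirror = {(ipaddress.ip_network(remote), ipaddress.ip_network(local))
              for local, remote in peer_pairs}
    return [(str(s), str(d)) for s, d in local_selectors if (s, d) not in mirror]
```

The 0.0.1.254 wildcard on the 172.16.250.0 entries of the posted ACL is discontiguous, so the parser reports it instead of guessing a prefix; the router and FTD lists would normally be pulled from the running configurations.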

Good job, friend.
