L2L-VPN - ikev2 - troubleshooting

I would like to review the common mistakes in L2L VPN (IKEv2) configuration on IOS routers and Cisco ASAs.

1) ikev2 pre-shared-key mismatch:

asa1# debug crypto ikev2 protocol 127

IKEv2-PROTO-4: Next payload: ENCR, version: 2.0 
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE 
IKEv2-PROTO-4: Message id: 0x1, length: 68

REAL Decrypted packet:Data: 8 bytes
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

Decrypted packet:Data: 68 bytes
IKEv2-PROTO-5: (29): SM Trace-> SA: I_SPI=84F7CA31A3A18FA7 R_SPI=C6233B5952724D83 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (29): Action: Action_Null

R1#debug crypto ikev2 event 

May  4 17:45:46.382: IKEv2:(1): Stopping timer to wait for auth message
May  4 17:45:46.386: IKEv2:(1): Check NAT discovery
May  4 17:45:46.386: IKEv2:(1): Recieved valid parameteres in process id
May  4 17:45:46.386: IKEv2:(1): Getting configured policies
May  4 17:45:46.386: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
May  4 17:45:46.386: IKEv2:% Getting preshared key from profile keyring KEYRING
May  4 17:45:46.386: IKEv2:% Matched peer block '10.0.0.2'
May  4 17:45:46.386: IKEv2:Found Policy IKEV2-POLICY
May  4 17:45:46.386: IKEv2:(1): Setting configured policies
May  4 17:45:46.386: IKEv2:(1): Verify peer's policy
May  4 17:45:46.386: IKEv2:(1): Get peer authentication method
May  4 17:45:46.386: IKEv2:(1): Get peer's preshared key for 10.0.0.2
May  4 17:45:46.386: IKEv2:(1): Verify authentication data
May  4 17:45:46.386: IKEv2:(1): Use preshared key for id 10.0.0.2, key len 8
May  4 17:45:46.386: IKEv2:(1): Failed to authenticate the IKE SA

May  4 17:45:46.386: IKEv2:(1): 
May  4 17:45:46.386: IKEv2:(1): Verify auth failed
May  4 17:45:46.386: IKEv2:(1): Sending authentication failure notify
May  4 17:45:46.386: IKEv2:(1): Building packet for encryption; contents are:  NOTIFY(AUTHENTICATION_FAILED)
May  4 17:45:46.386: 
May  4 17:45:46.386: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x1

May  4 17:45:46.386: IKEv2:HDR[i:C99CBB7C0E0C37AF - r: 99E4D277C5A04B8D]
 ENCR
May  4 17:45:46.386: 
May  4 17:45:46.386: IKEv2:(1): Auth exchange failed
May  4 17:45:46.386: IKEv2:(1): Auth exchange failed

May  4 17:45:46.386: IKEv2:(1): Auth exchange failed
May  4 17:45:46.386: IKEv2:(1): Abort exchange
May  4 17:45:46.386: IKEv2:(1): Deleting SA

2) ikev2 policy mismatch:

asa1# debug crypto ikev2 protocol 127

IKEv2-PROTO-2: (34): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   MD5   MD596   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (34): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:5622DD3D886657CC - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5622DD3D886657CC - rspi: 0000000000000000 
IKEv2-PROTO-4: Next payload: SA, version: 2.0 
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR 
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: MD5
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: MD596
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     e1 82 70 df fc d8 67 2a 24 bb e8 e3 9f c8 e5 54
     a9 be 00 ef e5 69 26 08 a8 8c 7f 5a 1d 1a dc c3
     d1 c8 45 5b fe 8b 69 6e 02 1f db 5a 8c 11 aa 0f
     f7 c4 63 8d d9 01 1e 07 55 62 79 f0 ab 9f 3e 2e
     57 04 9a 59 6d 5f b5 fc 4b a5 f3 e5 68 ed 04 4f
     ee 4e 8f 0c 84 b0 26 65 f6 bf fd 20 3e 51 8c 4e
     64 9d cf 14 27 fc e5 8f 7c c5 20 3e 1b 0f 75 0d
     f0 39 3b 37 67 63 22 b1 37 e2 36 60 ae 86 a7 70
     9d 37 6f e6 5c 52 bb ed a6 6f 20 78 8e a3 bf 1c
     c1 06 cc 8f 2b f4 b7 0c f2 f8 ed ba 73 0d 78 89
     b0 4d e1 07 19 6b 27 7f 05 11 7d 2d 3b 85 0c a5
     3a 3f a9 ab 5a b2 a0 20 54 f9 39 1f 94 88 de 05
 N  Next payload: VID, reserved: 0x0, length: 24

     6a b5 69 51 73 82 f6 76 1c 87 30 06 7a d2 19 49
     6c 09 2f 8c
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     b2 c8 10 b5 a9 76 bc 80 af dc 77 2c 0a b0 12 b1
     9b c8 3d 1b
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     30 62 12 8b 47 21 d8 10 8b cf bc 10 45 d6 7f bb
     ef 11 2a 9b
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (34): SM Trace-> SA: I_SPI=5622DD3D886657CC R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (34): Insert SA
IKEv2-PROTO-5: (34): SM Trace-> SA: I_SPI=5622DD3D886657CC R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:5622DD3D886657CC - r: 4EAF005D824114C8]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5622DD3D886657CC - rspi: 4EAF005D824114C8 
IKEv2-PROTO-4: Next payload: NOTIFY, version: 2.0 
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE 
IKEv2-PROTO-4: Message id: 0x0, length: 36

IKEv2-PROTO-5: Parse Notify Payload: NO_PROPOSAL_CHOSEN NOTIFY(NO_PROPOSAL_CHOSEN)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN

Decrypted packet:Data: 36 bytes

R1#debug crypto ikev2 event 

May  4 18:02:56.434: IKEv2:(1): Verify SA init message
May  4 18:02:56.434: IKEv2:(1): Insert SA
May  4 18:02:56.434: IKEv2:(1): Getting configured policies
May  4 18:02:56.438: IKEv2:Found Policy IKEV2-POLICY
May  4 18:02:56.438: IKEv2:(1): Processing initial message
May  4 18:02:56.438: IKEv2:(1): Failed to find a matching policy

May  4 18:02:56.438: IKEv2:(1): Received Policies: Proposal 1:  AES-CBC-192 MD5 MD596 DH_GROUP_1536_MODP/Group 5
May  4 18:02:56.438: 
May  4 18:02:56.438: 
May  4 18:02:56.438: IKEv2:(1): Failed to find a matching policy

May  4 18:02:56.438: IKEv2:(1): Expected Policies: Proposal 1:  3DES MD5 MD596 DH_GROUP_1536_MODP/Group 5
May  4 18:02:56.438: 
May  4 18:02:56.438: 
May  4 18:02:56.438: IKEv2:(1): Failed to find a matching policy

May  4 18:02:56.438: IKEv2:(1): 
May  4 18:02:56.438: IKEv2:(1): Sending no proposal chosen notify
May  4 18:02:56.438: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:02:56.438: IKEv2:HDR[i:CF756588713E6EC9 - r: 2CC24E375D5235B9]
 NOTIFY(NO_PROPOSAL_CHOSEN)
May  4 18:02:56.438: 
May  4 18:02:56.438: IKEv2:(1): Failed SA init exchange
May  4 18:02:56.438: IKEv2:(1): Initial exchange failed

May  4 18:02:56.438: IKEv2:(1): Initial exchange failed
May  4 18:02:56.438: IKEv2:(1): Abort exchange
May  4 18:02:56.438: IKEv2:(1): Deleting SA

3) No ikev2 enabled on one of the peers:

R1#ping 20.0.0.1 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11 

May  4 18:13:13.858: IKEv2:% Getting preshared key from profile keyring KEYRING
May  4 18:13:13.858: IKEv2:% Matched peer block '10.0.0.2'
May  4 18:13:13.858: IKEv2:Found Policy IKEV2-POLICY
May  4 18:13:13.858: IKEv2:(1): Getting configured policies
May  4 18:13:13.858: IKEv2:(1): Setting configured policies
May  4 18:13:13.858: IKEv2:(1): Computing DH public key
May  4 18:13:13.858: IKEv2:(1): 
May  4 18:13:13.858: IKEv2:(1): Sending initial message
May  4 18:13:13.858: IKEv2:  IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   3DES   MD5   MD596   DH_GROUP_1536_MODP/Group 5
May  4 18:13:13.858: 
May  4 18:13:13.858: IKEv2:(1): Checking if request will fit in peer window
May  4 18:13:13.858: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:13:13.858: IKEv2:HDR[i:3340E1ED6BAF09D6 - r: 0000000000000000]
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May  4 18:13:13.858: 
May  4 18:13:13.858: IKEv2:(1):. Insert SA
May  4 18:13:15.770: IKEv2:(1): Retransmitting packet
May  4 18:13:15.770: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:13:15.770: IKEv2:HDR[i:3340E1ED6BAF09D6 - r: 0000000000000000]
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May  4 18:13:15.770: ..
May  4 18:13:19.470: IKEv2:(1): Retransmitting packet
May  4 18:13:19.470: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:13:19.470: IKEv2:HDR[i:3340E1ED6BAF09D6 - r: 0000000000000000]
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May  4 18:13:19.470: ..
Success rate is 0 percent (0/5)
May  4 18:13:27.218: IKEv2:(1): Retransmitting packet
May  4 18:13:27.218: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:13:27.218: IKEv2:HDR[i:3340E1ED6BAF09D6 - r: 0000000000000000]
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May  4 18:13:27.218:     
R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         10.0.0.1/500          10.0.0.2/500          none/none            IN-NEG 
      Encr: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

 IPv6 Crypto IKEv2  SA 

R1#

4) ipsec proposal mismatch:

R1#debug crypto ikev2 event 

May  4 18:53:01.802: IKEv2:(1): Received Policies: ESP: Proposal 1:  AES-CBC-192 MD596 Don't use ESN
May  4 18:53:01.802: 
May  4 18:53:01.802: 
May  4 18:53:01.802: IKEv2:(1): Failed to find a matching policy

May  4 18:53:01.802: IKEv2:(1): Expected Policies: 
May  4 18:53:01.802: IKEv2:(1): Failed to find a matching policy

May  4 18:53:01.802: IKEv2:(1): 
May  4 18:53:01.802: IKEv2:(1): Sending no proposal chosen notify
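As an added example (not part of the original post), a small Python classifier that maps the four debug signatures shown in cases 1 to 4 to a diagnosis and pulls out the received and expected proposals so the differing transform can be spotted at a glance. The sample excerpts are constructed from the debug lines above, and the diagnosis strings are my own wording.

```python
import re

# Constructed samples: condensed excerpts in the style of the IOS
# "debug crypto ikev2 event" output above, one per failure mode.
SAMPLES = {
    "psk": "IKEv2:(1): Use preshared key for id 10.0.0.2, key len 8\n"
           "IKEv2:(1): Failed to authenticate the IKE SA\n"
           "IKEv2:(1): Sending authentication failure notify\n",
    "policy": "IKEv2:(1): Received Policies: Proposal 1:  "
              "AES-CBC-192 MD5 MD596 DH_GROUP_1536_MODP/Group 5\n"
              "IKEv2:(1): Expected Policies: Proposal 1:  "
              "3DES MD5 MD596 DH_GROUP_1536_MODP/Group 5\n"
              "IKEv2:(1): Sending no proposal chosen notify\n",
    "no_peer": "IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0\n"
               + "IKEv2:(1): Retransmitting packet\n" * 3,
    "esp": "IKEv2:(1): Received Policies: ESP: Proposal 1:  AES-CBC-192 MD596 Don't use ESN\n"
           "IKEv2:(1): Expected Policies: \n"
           "IKEv2:(1): Sending no proposal chosen notify\n",
}

def classify_ikev2_debug(text):
    """Map an IKEv2 debug excerpt to one of the four failure modes above.

    Returns (diagnosis, received_proposal, expected_proposal); the proposal
    strings are empty when the excerpt carries none.
    """
    recv = re.search(r"Received Policies: (ESP: )?Proposal \d+:[ \t]+(.+)", text)
    exp = re.search(r"Expected Policies:[ \t]*(?:Proposal \d+:[ \t]+)?(.*)", text)
    received = recv.group(2).strip() if recv else ""
    expected = exp.group(1).strip() if exp else ""
    if "Failed to authenticate the IKE SA" in text or "AUTHENTICATION_FAILED" in text:
        return "ikev2 pre-shared key mismatch (IKE_AUTH failed)", received, expected
    if "no proposal chosen" in text or "NO_PROPOSAL_CHOSEN" in text:
        if recv and recv.group(1):  # "ESP:" prefix: child (IPsec) SA, not the IKE SA
            return "ipsec proposal mismatch (ESP transform set)", received, expected
        return "ikev2 policy mismatch (IKE_SA_INIT proposal)", received, expected
    if text.count("Retransmitting packet") >= 2 and "Rx [" not in text:
        return "no reply from peer (ikev2 not enabled, filtered or unreachable)", received, expected
    return "no known failure signature", received, expected

def proposal_diff(received, expected):
    """Transforms present on only one side: (only_received, only_expected)."""
    r, e = set(received.split()), set(expected.split())
    return sorted(r - e), sorted(e - r)

if __name__ == "__main__":
    for name, excerpt in SAMPLES.items():
        print(name, "->", classify_ikev2_debug(excerpt))
```

Paste a real `debug crypto ikev2 event` capture into `classify_ikev2_debug` and feed the returned proposal strings to `proposal_diff` to see which transform (here AES-CBC-192 versus 3DES) the two peers disagree on.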