Skip to main content

L2L-VPN - ikev2 - troubleshooting

I would like to review the commons mistakes in the L2L VPN (ikev2) configurations on IOS routers ans Cisco ASAs:

1) ikev2 pre-share-key mismatch :

asa1# debug crypto ikev2 protocol 127

IKEv2-PROTO-4: Next payload: ENCR, version: 2.0 
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE 
IKEv2-PROTO-4: Message id: 0x1, length: 68

REAL Decrypted packet:Data: 8 bytes
IKEv2-PROTO-5: Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED

Decrypted packet:Data: 68 bytes
IKEv2-PROTO-5: (29): SM Trace-> SA: I_SPI=84F7CA31A3A18FA7 R_SPI=C6233B5952724D83 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
IKEv2-PROTO-5: (29): Action: Action_Null
 
 
R1#debug crypto ikev2 event 

May  4 17:45:46.382: IKEv2:(1): Stopping timer to wait for auth message
May  4 17:45:46.386: IKEv2:(1): Check NAT discovery
May  4 17:45:46.386: IKEv2:(1): Recieved valid parameteres in process id
May  4 17:45:46.386: IKEv2:(1): Getting configured policies
May  4 17:45:46.386: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
May  4 17:45:46.386: IKEv2:% Getting preshared key from profile keyring KEYRING
May  4 17:45:46.386: IKEv2:% Matched peer block '10.0.0.2'
May  4 17:45:46.386: IKEv2:Found Policy IKEV2-POLICY
May  4 17:45:46.386: IKEv2:(1): Setting configured policies
May  4 17:45:46.386: IKEv2:(1): Verify peer's policy
May  4 17:45:46.386: IKEv2:(1): Get peer authentication method
May  4 17:45:46.386: IKEv2:(1): Get peer's preshared key for 10.0.0.2
May  4 17:45:46.386: IKEv2:(1): Verify authentication data
May  4 17:45:46.386: IKEv2:(1): Use preshared key for id 10.0.0.2, key len 8
May  4 17:45:46.386: IKEv2:(1): Failed to authenticate the IKE SA

May  4 17:45:46.386: IKEv2:(1): 
May  4 17:45:46.386: IKEv2:(1): Verify auth failed
May  4 17:45:46.386: IKEv2:(1): Sending authentication failure notify
May  4 17:45:46.386: IKEv2:(1): Building packet for encryption; contents are:  NOTIFY(AUTHENTICATION_FAILED)
May  4 17:45:46.386: 
May  4 17:45:46.386: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x1

May  4 17:45:46.386: IKEv2:HDR[i:C99CBB7C0E0C37AF - r: 99E4D277C5A04B8D]
 ENCR
May  4 17:45:46.386: 
May  4 17:45:46.386: IKEv2:(1): Auth exchange failed
May  4 17:45:46.386: IKEv2:(1): Auth exchange failed

May  4 17:45:46.386: IKEv2:(1): Auth exchange failed
May  4 17:45:46.386: IKEv2:(1): Abort exchange
May  4 17:45:46.386: IKEv2:(1): Deleting SA

2) ikev2 policy mismatch:

asa1# debug crypto ikev2 protocol 127

IKEv2-PROTO-2: (34): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   MD5   MD596   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (34): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:5622DD3D886657CC - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5622DD3D886657CC - rspi: 0000000000000000 
IKEv2-PROTO-4: Next payload: SA, version: 2.0 
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR 
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: MD5
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: MD596
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     e1 82 70 df fc d8 67 2a 24 bb e8 e3 9f c8 e5 54
     a9 be 00 ef e5 69 26 08 a8 8c 7f 5a 1d 1a dc c3
     d1 c8 45 5b fe 8b 69 6e 02 1f db 5a 8c 11 aa 0f
     f7 c4 63 8d d9 01 1e 07 55 62 79 f0 ab 9f 3e 2e
     57 04 9a 59 6d 5f b5 fc 4b a5 f3 e5 68 ed 04 4f
     ee 4e 8f 0c 84 b0 26 65 f6 bf fd 20 3e 51 8c 4e
     64 9d cf 14 27 fc e5 8f 7c c5 20 3e 1b 0f 75 0d
     f0 39 3b 37 67 63 22 b1 37 e2 36 60 ae 86 a7 70
     9d 37 6f e6 5c 52 bb ed a6 6f 20 78 8e a3 bf 1c
     c1 06 cc 8f 2b f4 b7 0c f2 f8 ed ba 73 0d 78 89
     b0 4d e1 07 19 6b 27 7f 05 11 7d 2d 3b 85 0c a5
     3a 3f a9 ab 5a b2 a0 20 54 f9 39 1f 94 88 de 05
 N  Next payload: VID, reserved: 0x0, length: 24

     6a b5 69 51 73 82 f6 76 1c 87 30 06 7a d2 19 49
     6c 09 2f 8c
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     b2 c8 10 b5 a9 76 bc 80 af dc 77 2c 0a b0 12 b1
     9b c8 3d 1b
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     30 62 12 8b 47 21 d8 10 8b cf bc 10 45 d6 7f bb
     ef 11 2a 9b
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (34): SM Trace-> SA: I_SPI=5622DD3D886657CC R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (34): Insert SA
IKEv2-PROTO-5: (34): SM Trace-> SA: I_SPI=5622DD3D886657CC R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 10.0.0.2:500/R 10.0.0.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:5622DD3D886657CC - r: 4EAF005D824114C8]
IKEv2-PROTO-4: IKEV2 HDR ispi: 5622DD3D886657CC - rspi: 4EAF005D824114C8 
IKEv2-PROTO-4: Next payload: NOTIFY, version: 2.0 
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE 
IKEv2-PROTO-4: Message id: 0x0, length: 36

IKEv2-PROTO-5: Parse Notify Payload: NO_PROPOSAL_CHOSEN NOTIFY(NO_PROPOSAL_CHOSEN)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN

Decrypted packet:Data: 36 bytes

 
 
R1#debug crypto ikev2 event 

May  4 18:02:56.434: IKEv2:(1): Verify SA init message
May  4 18:02:56.434: IKEv2:(1): Insert SA
May  4 18:02:56.434: IKEv2:(1): Getting configured policies
May  4 18:02:56.438: IKEv2:Found Policy IKEV2-POLICY
May  4 18:02:56.438: IKEv2:(1): Processing initial message
May  4 18:02:56.438: IKEv2:(1): Failed to find a matching policy

May  4 18:02:56.438: IKEv2:(1): Received Policies: Proposal 1:  AES-CBC-192 MD5 MD596 DH_GROUP_1536_MODP/Group 5
May  4 18:02:56.438: 
May  4 18:02:56.438: 
May  4 18:02:56.438: IKEv2:(1): Failed to find a matching policy

May  4 18:02:56.438: IKEv2:(1): Expected Policies: Proposal 1:  3DES MD5 MD596 DH_GROUP_1536_MODP/Group 5
May  4 18:02:56.438: 
May  4 18:02:56.438: 
May  4 18:02:56.438: IKEv2:(1): Failed to find a matching policy

May  4 18:02:56.438: IKEv2:(1): 
May  4 18:02:56.438: IKEv2:(1): Sending no proposal chosen notify
May  4 18:02:56.438: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:02:56.438: IKEv2:HDR[i:CF756588713E6EC9 - r: 2CC24E375D5235B9]
 NOTIFY(NO_PROPOSAL_CHOSEN)
May  4 18:02:56.438: 
May  4 18:02:56.438: IKEv2:(1): Failed SA init exchange
May  4 18:02:56.438: IKEv2:(1): Initial exchange failed

May  4 18:02:56.438: IKEv2:(1): Initial exchange failed
May  4 18:02:56.438: IKEv2:(1): Abort exchange
May  4 18:02:56.438: IKEv2:(1): Deleting SA

3) No ikev2 enabled on one of the peer:

R1#ping 20.0.0.1 source loo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.0.0.1, timeout is 2 seconds:
Packet sent with a source address of 11.11.11.11 

May  4 18:13:13.858: IKEv2:% Getting preshared key from profile keyring KEYRING
May  4 18:13:13.858: IKEv2:% Matched peer block '10.0.0.2'
May  4 18:13:13.858: IKEv2:Found Policy IKEV2-POLICY
May  4 18:13:13.858: IKEv2:(1): Getting configured policies
May  4 18:13:13.858: IKEv2:(1): Setting configured policies
May  4 18:13:13.858: IKEv2:(1): Computing DH public key
May  4 18:13:13.858: IKEv2:(1): 
May  4 18:13:13.858: IKEv2:(1): Sending initial message
May  4 18:13:13.858: IKEv2:  IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   3DES   MD5   MD596   DH_GROUP_1536_MODP/Group 5
May  4 18:13:13.858: 
May  4 18:13:13.858: IKEv2:(1): Checking if request will fit in peer window
May  4 18:13:13.858: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:13:13.858: IKEv2:HDR[i:3340E1ED6BAF09D6 - r: 0000000000000000]
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May  4 18:13:13.858: 
May  4 18:13:13.858: IKEv2:(1):. Insert SA
May  4 18:13:15.770: IKEv2:(1): Retransmitting packet
May  4 18:13:15.770: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:13:15.770: IKEv2:HDR[i:3340E1ED6BAF09D6 - r: 0000000000000000]
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May  4 18:13:15.770: ..
May  4 18:13:19.470: IKEv2:(1): Retransmitting packet
May  4 18:13:19.470: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:13:19.470: IKEv2:HDR[i:3340E1ED6BAF09D6 - r: 0000000000000000]
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May  4 18:13:19.470: ..
Success rate is 0 percent (0/5)
May  4 18:13:27.218: IKEv2:(1): Retransmitting packet
May  4 18:13:27.218: IKEv2:Tx [L 10.0.0.1:500/R 10.0.0.2:500/VRF i0:f0] m_id: 0x0

May  4 18:13:27.218: IKEv2:HDR[i:3340E1ED6BAF09D6 - r: 0000000000000000]
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
May  4 18:13:27.218:     

 
 
R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         10.0.0.1/500          10.0.0.2/500          none/none            IN-NEG 
      Encr: Unknown - 0, Hash: None, DH Grp:0, Auth sign: Unknown - 0, Auth verify: Unknown - 0
      Life/Active Time: 86400/0 sec

 IPv6 Crypto IKEv2  SA 

R1#

4) mismatch ipsec proposal

R1#debug crypto ikev2 event 

May  4 18:53:01.802: IKEv2:(1): Received Policies: ESP: Proposal 1:  AES-CBC-192 MD596 Don't use ESN
May  4 18:53:01.802: 
May  4 18:53:01.802: 
May  4 18:53:01.802: IKEv2:(1): Failed to find a matching policy

May  4 18:53:01.802: IKEv2:(1): Expected Policies: 
May  4 18:53:01.802: IKEv2:(1): Failed to find a matching policy

May  4 18:53:01.802: IKEv2:(1): 
May  4 18:53:01.802: IKEv2:(1): Sending no proposal chosen notify

Comments

  1. Definitely believe that which you said. Your favorite justification appeared to be on the internet the simplest thing to be aware of. I say to you, I definitely get irked while people consider worries that they just don’t know about. You managed to hit the nail upon the top as well as defined out the whole thing without having side-effects , people could take a signal. Will probably be back to get more. Thanks
    CrazyAsk

    ReplyDelete
  2. Hi, I do believe this is a great web site. I stumbledupon it ;) I’m going to revisit yet again since i have bookmarked it. Money and freedom is the best way to change, may you be rich and continue to help other people.
    Harold Burton

    ReplyDelete

Post a Comment

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an

MAC Authentication Bypass

One of the method to control your network is using MAB feature. It is helpful in case you have devices without dot1x functionality. Today I will try to implement basic configuration and analyze log messages. There is only one switch SW1 and one device attached to port Fa1/0/2.   ! aaa new - model aaa authentication dot1x default group radius ! ! int Fas1 / 0 / 2 authentication host - mode single - host authentication port - control auto mab ! I haven’t configured ACS yet but let’s see what error message I receive:   SW1 ( config - if ) # mab - ev ( Fa1 / 0 / 2 ): Received MAB context create from AuthMgr mab - ev ( Fa1 / 0 / 2 ): Created MAB client context 0x1100000F mab : initial state mab_initialize has enter mab - ev ( Fa1 / 0 / 2 ): Sending create new context event to EAP from MAB for 0x1100000F ( 0000.0000 . 0000 ) mab - sm ( Fa1 / 0 / 2 ): Received event 'MAB_START' on handle 0x1100000F mab : during state mab_initia

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze the packet flo