Skip to main content

ikev2 - ASA & IOS - part two

In this post I would like to analyze most common mistakes and check how we can troubleshoot them. Please check my previous post to learn more about scenario and the configuration.

http://myitmicroblog.blogspot.com/2014/12/ikev2-asa-ios-part-one.html

1. problem #1

The configuration has been changed and now I try to establish the secure connection.
 
R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R18#

on the ASA and the router I enabled debug command:
 
asa2# debug crypto ikev2 protocol 127
asa2# IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-3: (6): Getting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-3: (6): Setting configured policies
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-3: (6): Computing DH public key
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-2: (6): Sending initial message
IKEv2-PROTO-3:   IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
IKEv2-PROTO-5: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-5: Construct Vendor Specific Payload: (CUSTOM)IKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_SOURCE_IPIKEv2-PROTO-5: Construct Notify Payload: NAT_DETECTION_DESTINATION_IPIKEv2-PROTO-5: Construct Vendor Specific Payload: FRAGMENTATIONIKEv2-PROTO-3: (6): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:73A24D9F3EE52375 - r: 0000000000000000]
IKEv2-PROTO-4: IKEV2 HDR ispi: 73A24D9F3EE52375 - rspi: 0000000000000000
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x0, length: 458
 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     da 9a 09 1c 89 68 ed e3 93 49 3c 3f 61 52 2d 78
     cc 9f 94 6a 09 1b d5 06 e3 5f ce c8 e0 b9 24 aa
     b4 9c dd 5c 1f 11 38 67 e9 50 36 66 c9 9f 3b c3
     cf 1d 66 c8 81 7c db 09 18 23 a2 51 01 ed cf b7
     a0 99 22 63 9c ba cb 95 23 9e 90 8c e2 bd 54 7d
     46 fb cc 18 32 12 96 a1 20 08 b0 83 8a 51 cb b8
     b8 3d c0 ea 2d e1 4c 0e fe c2 ea 1a 43 96 2a 11
     82 27 c8 1a 4e 35 d4 ad b1 9e 5f de 78 bf 35 bc
     f5 9c b8 1c 7b 5e 6f bd de 92 98 d3 a4 1a c9 23
     51 c0 f7 dc df 4a 5b 04 d7 9f 9e 56 78 ee 17 1b
     6b ed ee f0 d6 22 68 64 1b 3d 05 ec 52 05 3d 71
     6e b4 f6 b0 44 3f 33 08 f1 d2 c1 b1 97 65 38 0f
 N  Next payload: VID, reserved: 0x0, length: 24

     aa 82 7f f6 7f 67 7c f4 90 4a af 59 26 7b 65 54
     2a e1 a6 77
 VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
 VID  Next payload: NOTIFY, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     89 f1 c8 72 bd 5b 57 1e f7 21 d0 81 16 8f 75 25
     5e f6 19 84
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: VID, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     98 9a 8e 2d 5d 13 97 79 4a ac 1d a2 91 f9 72 80
     11 5d a9 c4
 VID  Next payload: NONE, reserved: 0x0, length: 20

     40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3

IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
IKEv2-PROTO-3: (6): Insert SA
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x0
IKEv2-PROTO-3: HDR[i:73A24D9F3EE52375 - r: 02AD478BFCD634F5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 73A24D9F3EE52375 - rspi: 02AD478BFCD634F5
IKEv2-PROTO-4: Next payload: SA, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x0, length: 572

 SA  Next payload: KE, reserved: 0x0, length: 48
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5

 KE  Next payload: N, reserved: 0x0, length: 200
    DH group: 5, Reserved: 0x0

     30 25 63 99 a9 3d de b3 df 3a 7c 88 e8 b0 dd 23
     2c 14 fe 37 da a2 2e 00 c5 e3 bb 64 e4 82 47 6c
     b1 7c 33 cc 3b 8b 46 05 df 58 e3 6d a0 99 f3 29
     f5 6e ef ff 3a ec 2e eb e9 75 18 52 dd 79 51 ff
     9a ba 0c a4 47 a5 36 44 36 8f 70 8d 94 91 d2 eb
     dc a3 de 6f 5e df e1 a4 a0 48 ba d3 5d 90 85 db
     ab 88 ab 96 0a 2c 99 b9 43 a1 1d 66 a5 73 5b 3c
     7e 8c 74 4a cc f3 d4 59 83 25 41 e9 dd a0 48 ba
     55 32 1e 12 66 22 af 63 b2 3c f9 63 f2 cf c2 8a
     33 e3 71 e1 39 aa b1 1c b7 3b 06 27 52 87 00 34
     29 47 a0 19 49 4e 09 59 fa 51 ae 75 e3 15 b2 22
     94 b4 97 09 15 36 2c b2 00 85 6e 61 c1 30 5c fc
 N  Next payload: VID, reserved: 0x0, length: 24

     02 6b 5c bd c3 d3 04 4f d8 59 57 89 25 f5 3f b9
     33 b1 ce da
IKEv2-PROTO-5: Parse Vendor Specific Payload: CISCO-DELETE-REASON VID  Next payload: VID, reserved: 0x0, length: 23

     43 49 53 43 4f 2d 44 45 4c 45 54 45 2d 52 45 41
     53 4f 4e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: VID, reserved: 0x0, length: 59

     43 49 53 43 4f 28 43 4f 50 59 52 49 47 48 54 29
     26 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32
     30 30 39 20 43 69 73 63 6f 20 53 79 73 74 65 6d
     73 2c 20 49 6e 63 2e
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: NOTIFY, reserved: 0x0, length: 21

     46 4c 45 58 56 50 4e 2d 53 55 50 50 4f 52 54 45
     44
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP

     6d 8c ef c5 ff 11 6e fb 8b 5b da 12 5e 2f 51 e4
     ef 60 2d 18
IKEv2-PROTO-5: Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
    Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP

     dc 48 fd 54 b3 53 4a 78 91 32 0b e5 db c8 fb 22
     04 8b 1a 27
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 105
    Cert encoding Hash and URL of PKIX
CertReq data: 100 bytes
IKEv2-PROTO-5: Parse Notify Payload: HTTP_CERT_LOOKUP_SUPPORTED NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED

Decrypted packet:Data: 572 bytes
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
IKEv2-PROTO-5: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
IKEv2-PROTO-2: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
IKEv2-PROTO-3: (6): Verify SA init message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
IKEv2-PROTO-2: (6): Processing initial message
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
IKEv2-PROTO-3: (6): Process NAT discovery notify
IKEv2-PROTO-5: (6): Processing nat detect src notify
IKEv2-PROTO-5: (6): Remote address matched
IKEv2-PROTO-5: (6): Processing nat detect dst notify
IKEv2-PROTO-5: (6): Local address matched
IKEv2-PROTO-5: (6): No NAT found
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
IKEv2-PROTO-3: (6): Check NAT discovery
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
IKEv2-PROTO-3: (6): Computing DH secret key
IKEv2-PROTO-3: (6):
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
IKEv2-PROTO-5: (6): Action: Action_Null
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
IKEv2-PROTO-3: (6): Generate skeyid
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
IKEv2-PROTO-3: (6): Cisco DeleteReason Notify is enabled
IKEv2-PROTO-3: (6): Complete SA init exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
IKEv2-PROTO-3: (6): Generate my authentication data
IKEv2-PROTO-3: (6): Use preshared key for id 8.8.8.2, key len 5
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
IKEv2-PROTO-3: (6): Get my authentication method
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
IKEv2-PROTO-3: (6): Check for EAP exchange
IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
IKEv2-PROTO-2: (6): Sending auth message
IKEv2-PROTO-5: Construct Vendor Specific Payload: CISCO-GRANITEIKEv2-PROTO-3:   ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96
IKEv2-PROTO-5: Construct Notify Payload: INITIAL_CONTACTIKEv2-PROTO-5: Construct Notify Payload: ESP_TFC_NO_SUPPORTIKEv2-PROTO-5: Construct Notify Payload: NON_FIRST_FRAGSIKEv2-PROTO-3: (6): Building packet for encryption; contents are:
 VID  Next payload: IDi, reserved: 0x0, length: 20

     71 a2 4c 9f 2d d2 d0 32 76 e7 08 35 2b 14 f2 8f
 IDi  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 02
 AUTH  Next payload: SA, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
 SA  Next payload: TSi, reserved: 0x0, length: 44
IKEv2-PROTO-4:   last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
IKEv2-PROTO-4:     last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96
IKEv2-PROTO-4:     last transform: 0x0, reserved: 0x0: length: 8
    type: 5, reserved: 0x0, id:

 TSi  Next payload: TSr, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 7.7.7.1, end addr: 7.7.7.1
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
    Num of TSs: 1, reserved 0x0, reserved 0x0
    TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
    start port: 0, end port: 65535
    start addr: 9.9.9.9, end addr: 9.9.9.9
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS

IKEv2-PROTO-3: (6): Checking if request will fit in peer window
IKEv2-PROTO-3: Tx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:73A24D9F3EE52375 - r: 02AD478BFCD634F5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 73A24D9F3EE52375 - rspi: 02AD478BFCD634F5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: INITIATOR
IKEv2-PROTO-4: Message id: 0x1, length: 256
 ENCR  Next payload: VID, reserved: 0x0, length: 228
Encrypted data: 224 bytes

IKEv2-PROTO-5: (6): SM Trace-> SA: I_SPI=73A24D9F3EE52375 R_SPI=02AD478BFCD634F5 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
IKEv2-PROTO-3: Rx [L 8.8.8.2:500/R 8.8.8.1:500/VRF i0:f0] m_id: 0x1
IKEv2-PROTO-3: HDR[i:73A24D9F3EE52375 - r: 02AD478BFCD634F5]
IKEv2-PROTO-4: IKEV2 HDR ispi: 73A24D9F3EE52375 - rspi: 02AD478BFCD634F5
IKEv2-PROTO-4: Next payload: ENCR, version: 2.0
IKEv2-PROTO-4: Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE
IKEv2-PROTO-4: Message id: 0x1, length: 160

REAL Decrypted packet:Data: 80 bytes
IKEv2-PROTO-5: Parse Vendor Specific Payload: (CUSTOM) VID  Next payload: IDr, reserved: 0x0, length: 20

     03 ad 46 8b ef e1 c7 b2 76 e7 08 35 2b 14 f2 8f
 IDr  Next payload: AUTH, reserved: 0x0, length: 12
    Id type: IPv4 address, Reserved: 0x0 0x0

     08 08 08 01
 AUTH  Next payload: NOTIFY, reserved: 0x0, length: 40
    Auth method PSK, reserved: 0x0, reserved 0x0
Auth data: 32 bytes
IKEv2-PROTO-5: Parse Notify Payload: NO_PROPOSAL_CHOSEN NOTIFY(NO_PROPOSAL_CHOSEN)  Next payload: NONE, reserved: 0x0, length: 8
    Security protocol id: IKE, spi size: 0, type: NO_PROPOSAL_CHOSEN

the above message (NO_PROPOSAL_CHOSEN) can lead us to the configuration error.

Now I check the syslog messages on the router:
 
R17#debug crypto ikev2
IKEv2 default debugging is on
R17#

*Dec 13 18:33:18.843: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Dec 13 18:33:18.863: IKEv2:(SA ID = 1):Verify SA init message
*Dec 13 18:33:18.867: IKEv2:(SA ID = 1):Insert SA
*Dec 13 18:33:18.871: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 18:33:18.875: IKEv2:Found Policy '10'
*Dec 13 18:33:18.879: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 13 18:33:18.883: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 18:33:18.887: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 18:33:18.895: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 18:33:18.899: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 13 18:33:18.899: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 13 18:33:18.903: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 13 18:33:18.995: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 18:33:18.9
R17#95: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 13 18:33:18.999: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 13 18:33:19.003: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 13 18:33:19.003: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 13 18:33:19.003: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Dec 13 18:33:19.003: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
*Dec 13 18:33:19.003: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 18:33:19.007: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 18:33:19.007: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 18:33:19.0
R17#07: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Dec 13 18:33:19.007: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Dec 13 18:33:19.015: IKEv2:(SA ID = 1):Completed SA init exchange
*Dec 13 18:33:19.019: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

*Dec 13 18:33:19.119: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Dec 13 18:33:19.143: IK
R17#Ev2:(SA ID = 1):Stopping timer to wait for auth message
*Dec 13 18:33:19.143: IKEv2:(SA ID = 1):Checking NAT discovery
*Dec 13 18:33:19.147: IKEv2:(SA ID = 1):NAT not found
*Dec 13 18:33:19.151: IKEv2:(SA ID = 1):Searching policy based on peer's identity '8.8.8.2' of type 'IPv4 address'
*Dec 13 18:33:19.155: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
*Dec 13 18:33:19.155: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 13 18:33:19.159: IKEv2:% Matched peer block 'ASA2'
*Dec 13 18:33:19.163: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 18:33:19.163: IKEv2:Found Policy '10'
*Dec 13 18:33:19.171: IKEv2:(SA ID = 1):Verify peer's policy
*Dec 13 18:33:19.171: IKEv2:(SA ID = 1):Peer's policy verified
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Get peer's authentication method
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK'
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 1
R17#8:33:19.175: IKEv2:(SA ID = 1):Verify peer's authentication data
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.2, key len 5
*Dec 13 18:33:19.175: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 18:33:19.175: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 13 18:33:19.175: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 13 18:33:19.179: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Dec 13 18:33:19.191: IKEv2:(SA ID = 1):Failed to find a matching policy

*Dec 13 18:33:19.191: IKEv2:(SA ID = 1):Received Policies: ESP: Proposal 1:  AES-CBC-256 SHA96 Don't use ESN
*Dec 13 18:33:19.195:
*Dec 13 18:33:19.195:
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Failed to find a matching policy

R17#
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Expected Policies:
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Failed to find a matching policy

*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Sending no proposal chosen notify
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 18:33:19.195: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):Generate my authentication data
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.1, key len 5
*Dec 13 18:33:19.199: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 18:33:19.199: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):Get my authentication method
*Dec 13 18:33:19.199: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*Dec 13 18:33:19.203: IKEv2:(S
R17#A ID = 1):Generating IKE_AUTH message
*Dec 13 18:33:19.203: IKEv2:(SA ID = 1):Constructing IDr payload: '8.8.8.1' of type 'IPv4 address'
*Dec 13 18:33:19.203: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

as you see above, there is the same message above.

*Dec 13 18:33:19.207: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR

*Dec 13 18:33:19.211: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Dec 13 18:33:19.211: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Dec 13 18:33:19.215: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Dec 13 18:33:19.219: IKEv2:(SA ID = 1):Session with IKE ID PAIR (8.8.8.2, 8.8.8.1) is UP
*Dec 13 18:33:19.223: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Dec 13 18:33:19.231: IKE
R17#v2:(SA ID = 1):Checking for duplicate IKEv2 SA
*Dec 13 18:33:19.231: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
*Dec 13 18:33:19.235: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context

*Dec 13 18:33:19.255: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 DELETE

*Dec 13 18:33:19.267: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 DELETE

*Dec 13 18:33:19.275: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 73A24D9F3EE52375 - Responder SPI : 02AD478BFCD634F5 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
 ENCR

*Dec 13 18:33:19.283: IKEv2:(SA ID = 1):Process delete request from peer
*Dec 13 18:33:19.287: IKEv2:(SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x7
R17#3A24D9F3EE52375 RSPI: 0x02AD478BFCD634F5]
*Dec 13 18:33:19.291: IKEv2:(SA ID = 1):Check for existing active SA
*Dec 13 18:33:19.311: IKEv2:(SA ID = 1):Accounting not started for this session

*Dec 13 18:33:19.311: IKEv2:(SA ID = 1):
*Dec 13 18:33:19.311: IKEv2:(SA ID = 1):Delete all IKE SAs
*Dec 13 18:33:19.315: IKEv2:(SA ID = 1):Deleting SA

*Dec 13 18:33:20.823: IKEv2:Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 6C2475277EC2B02B - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) VID

*Dec 13 18:33:20.843: IKEv2:(SA ID = 1):Verify SA init message
*Dec 13 18:33:20.847: IKEv2:(SA ID = 1):Insert SA
*Dec 13 18:33:20.851: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 18:33:20.851: IKEv2:Found Policy '10'
*Dec 13 18:33:20.855: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Dec 1
R17#3 18:33:20.863: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 18:33:20.867: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 18:33:20.871: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 18:33:20.875: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Dec 13 18:33:20.879: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Dec 13 18:33:20.883: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Dec 13 18:33:20.887: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Dec 13 18:33:20.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 18:33:20.895: IKEv2:(SA ID = 1):Request queued for computation of DH key
*Dec 13 18:33:20.899: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Dec 13 18:33:21.019
R17#: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Dec 13 18:33:21.023: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*Dec 13 18:33:21.023: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Dec 13 18:33:21.027: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Dec 13 18:33:21.027: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Dec 13 18:33:21.027: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*Dec 13 18:33:21.027: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA256   SHA256   DH_GROUP_1536_MODP/Group 5
*Dec 13 18:33:21.031: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Dec 13 18:33:21.035: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4'   'Trustpool3'   'Trustpool2'   'Trustpool1'   'Trustpool'
*Dec 13 18:33:21.035:
R17# IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Dec 13 18:33:21.035: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Dec 13 18:33:21.039: IKEv2:(SA ID = 1):Sending Packet [To 8.8.8.2:500/From 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 6C2475277EC2B02B - Responder SPI : D87E933BD02ADFA0 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Dec 13 18:33:21.039: IKEv2:(SA ID = 1):Completed SA init exchange
*Dec 13 18:33:21.043: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message

*Dec 13 18:33:21.143: IKEv2:(SA ID = 1):Received Packet [From 8.8.8.2:500/To 8.8.8.1:500/VRF i0:f0]
Initiator SPI : 6C2475277EC2B02B - Responder SPI : D87E933BD02ADFA0 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH SA TSi TSr NOTIFY(INITIA
R17#L_CONTACT) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Dec 13 18:33:21.163: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
*Dec 13 18:33:21.167: IKEv2:(SA ID = 1):Checking NAT discovery
*Dec 13 18:33:21.171: IKEv2:(SA ID = 1):NAT not found
*Dec 13 18:33:21.171: IKEv2:(SA ID = 1):Searching policy based on peer's identity '8.8.8.2' of type 'IPv4 address'
*Dec 13 18:33:21.171: IKEv2:found matching IKEv2 profile 'IKEV2-PROFILE'
*Dec 13 18:33:21.171: IKEv2:% Getting preshared key from profile keyring KEYRING
*Dec 13 18:33:21.175: IKEv2:% Matched peer block 'ASA2'
*Dec 13 18:33:21.175: IKEv2:Searching Policy with fvrf 0, local address 8.8.8.1
*Dec 13 18:33:21.175: IKEv2:Found Policy '10'
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Verify peer's policy
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Peer's policy verified
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Get peer's authentication method
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Peer's authentication method is 'PSK
R17#'
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Get peer's preshared key for 8.8.8.2
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Verify peer's authentication data
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Use preshared key for id 8.8.8.2, key len 5
*Dec 13 18:33:21.175: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Dec 13 18:33:21.175: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Verification of peer's authenctication data PASSED
*Dec 13 18:33:21.175: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
*Dec 13 18:33:21.179: IKEv2:(SA ID = 1):Processing IKE_AUTH message
*Dec 13 18:33:21.179: IKEv2:KMI/verify policy/sending to IPSec:
         prot: 3 txfm: 12 hmac 2 flags 8177 keysize 256 IDB 0x0
*Dec 13 18:33:21.191: IKEv2:(SA ID = 1):Failed to find a matching policy

*Dec 13 18:33:21.195: IKEv2:(SA ID = 1):Received Policies: ESP: Proposal 1:  AES-CBC-256 SHA96 Don't use ESN
*Dec 13 18:33:21.195:
*Dec 13
R17#18:33:21.195:
*Dec 13 18:33:21.195: IKEv2:(SA ID = 1):Failed to find a matching policy

*Dec 13 18:33:21.195: IKEv2:(SA ID = 1):Expected Policies:
*Dec 13 18:33:21.195: IKEv2:(SA ID = 1):Failed to find a matching policy

as we can see in the above messages, there are not the same ipsec policies on these devices.
 
R17#sh run | i crypto ipsec transform-set
crypto ipsec transform-set TS esp-aes esp-sha256-hmac
R17#

and on the ASA we have:
 
asa2# sh run crypto
crypto ipsec ikev2 ipsec-proposal IPSEC-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1

Let’s fix it on the router:
 
R17(config)#crypto ipsec transform-set TS esp-sha-hmac esp-aes 256

and test it once again:
 
R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/86/112 ms
R18#

2.problem #2

In the second case there is another problem which I tried to identify from debug outputs.

R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R18#

As you see above the ping is unsuccessful. Let’s look on these outputs.

I ommited the output from the phase 1 as there wasn't any useful information. I start here from ipsec (phase 2):

asa2:

asa2# IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d6d0,
    SCB: 0xBB9BA1B8,
    Direction: inbound
    SPI      : 0xC3021D7D
    Session ID: 0x0001B000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d6d0,
    SCB: 0xBB9BA1B8,
    Direction: inbound
    SPI      : 0x725630C6
    Session ID: 0x0001C000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d708,
    SCB: 0xBB9BA1B8,
    Direction: inbound
    SPI      : 0xBB6B8641
    Session ID: 0x0001D000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d708,
    SCB: 0xBB9C0D18,
    Direction: inbound
    SPI      : 0xBE0D887B
    Session ID: 0x0001E000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC(crypto_map_check)-3: Looking for crypto map matching 5-tuple: Prot=1, saddr=7.7.7.1, sport=2304, daddr=9.9.9.9, dport=2304
IPSEC(crypto_map_check)-3: Checking crypto map MAPA 10: matched.
IPSEC: New embryonic SA created @ 0xbc40d708,
    SCB: 0xBB9C4370,
    Direction: inbound
    SPI      : 0x103D3833
    Session ID: 0x0001F000
    VPIF num  : 0x00000002
    Tunnel type: l2l
    Protocol   : esp
    Lifetime   : 240 seconds
no deb
asa2# no debug all

there is not too much information in the above output. Let’s check the output from the router:

R17#
*Dec 13 19:57:40.187: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:40.187: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:40.187: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:40.187: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:40.187: map_db_find_best did not find matching map
*Dec 13 19:57:40.187: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:42.171: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:42.171: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:42.179: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:42.179: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:42.183: map_db_find_best did not find matching map
*Dec 13 19:57:42.183: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:44.219: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:44.219: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:44.223: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:44.223: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:44.223: map_db_find_best did not find matching map
*Dec 13 19:57:44.223: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:46.243: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:46.243: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:46.251: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:46.251: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:46.255: map_db_find_best did not find matching map
*Dec 13 19:57:46.255: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:48.207: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:48.207: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:48.211: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
R17#
*Dec 13 19:57:48.211: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:48.211: map_db_find_best did not find matching map
*Dec 13 19:57:48.211: IPSEC(ipsec_process_proposal): R17#
*Dec 13 19:57:40.187: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:40.187: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:40.187: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:40.187: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:40.187: map_db_find_best did not find matching map
*Dec 13 19:57:40.187: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:42.171: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:42.171: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:42.179: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:42.179: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:42.183: map_db_find_best did not find matching map
*Dec 13 19:57:42.183: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:44.219: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:44.219: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:44.223: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:44.223: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:44.223: map_db_find_best did not find matching map
*Dec 13 19:57:44.223: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:46.243: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:46.243: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:46.251: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:46.251: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:46.255: map_db_find_best did not find matching map
*Dec 13 19:57:46.255: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
*Dec 13 19:57:48.207: IPSEC(validate_proposal_request): proposal part #1
*Dec 13 19:57:48.207: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 8.8.8.1:0, remote= 8.8.8.2:0,
    local_proxy= 9.9.9.9/255.255.255.255/256/0,
    remote_proxy= 7.7.7.1/255.255.255.255/256/0,
    protocol= ESP, transform= NONE  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Dec 13 19:57:48.211: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
R17#
*Dec 13 19:57:48.211: Crypto mapdb : proxy_match
        src addr     : 9.9.9.9
        dst addr     : 7.7.7.1
        protocol     : 0
        src port     : 0
        dst port     : 0
*Dec 13 19:57:48.211: map_db_find_best did not find matching map
*Dec 13 19:57:48.211: IPSEC(ipsec_process_proposal): proxy identities not supported
R17#
R17#no de
R17#no debug all
All possible debugging has been turned off
R17#
 
As you see above there is a problem with an access list: “proxy identities not supported”. Let’s check access lists on both peers:
 
asa2# sh run | i access-list
access-list VPN extended permit ip host 7.7.7.1 host 9.9.9.9

R17#sh run | i access
access-list 101 permit ip host 9.9.9.9 host 7.7.7.7
R17#

As you see there is a problem with the access list on R17. It should be:

access-list 101 permit ip host 9.9.9.9 host 7.7.7.7

Let’s fix it and test it once again:
 
R18#ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 68/75/84 ms
R18#

As you see to investigate the problem you need to check debug outputs from two peers becuase in most cases one side can’t help you in your troubleshooting.

Comments

Popular posts from this blog

What should you know about HA 'override enabled' setting on Fortigate?

High availability is mandatory in most of today's network designs. Only very small companies or branches can run their business without redundancy. When you have Fortigate firewall in your network you have many options to increase network availability. You can use Fortigate Clustering Protocol ( FGCP ) or Virtual Router Redundancy Protocol ( VRRP ). FGCP has two modes: 'override' disabled (default) and 'override' enabled . I'm not going to explain how to set up HA as you can find many resources on Fortinet websites: https://cookbook.fortinet.com/high-availability-two-fortigates-56/ https://cookbook.fortinet.com/high-availability-with-fgcp-56/ Let's recap what is the main difference between them. The default HA setting is 'override' disabled and this is an order of selection an active unit: 1) number of monitored interfaces - when both units have the same number of working (up) interfaces check next parameter 2) HA uptime - an

FortiGate and GRE tunnel

Recently I worked on one project where a client requested to re-route web traffic to the GRE tunnel to perform traffic inspection. I would like to share with you what is required if you configure it on FortiGate. We need a new GRE interface and policy base routing (PBR) to change the route for specific source IPs. Of course you need firewall policies to permit the traffic. Let's start with GRE interface. Unfortunately you can't configure it using the GUI, only CLI is the option: config system gre-tunnel edit "gre1" set interface "port1" set local-gw 55.55.55.55 set remote-gw 44.44.44.44 next end When the end peer is Cisco router, you need to set the IP for the GRE interface: config system interface edit gre1 set ip 192.168.10.10 255.255.255.255 set remote-ip192.168.10.20 end In next step we need to fix routing. We need the alternate path via GRE but to keep the route in the active routing table you need to set the same AD (adminis

Inpection of asymmetric sessions on FortiGate

There is one feature available on FortiGate, and I think you should know it, as it modifies a bit what we know about stateful firewalls. In past every packet was treated individually and you had to create policies in both directions. With stateful firewalls we can track connections, and by checking couple of attributes, we can treat them as part of the same session. For example when you initiate connection from a host1 to host2, the returning connection from host2 to host1 will be treated as part of the same connection (session). They have to have the same source/destination and destination/source IPs, port numbers and interfaces.There is an exception from this rule and FortiGate in some specific cases can accept connections on port which was not used in the initial connection. Let me explain how it works on the below example:      The host1 has a default gateway on R1 (10.0.1.2), but you may notice that it is not the optimal path to host2 subnet. When we analyze the packet flo