IKEv2 with NAT-T Auth exchange failed

May 3rd, 2017

Topology

【R1】12.1.1.1——12.1.1.2【R2】23.1.1.2——23.1.1.3【R3】34.1.1.3——34.1.1.4【R4】45.1.1.4——45.1.1.5【R5】

R1 and R5: PC clients
R2 and R4: VPN gateways
R3: NAT device


Trouble

R2 cannot create a crypto IKEv2 SA.

debug 

————————————————————————————————————————————————————————

debug crypto ikev2
IKEv2 default debugging is on

*May 3 14:24:35.443: IKEv2:% Getting preshared key from profile keyring ikev2-keyring
*May 3 14:24:35.447: IKEv2:% Matched peer block 'ccie43413'
*May 3 14:24:35.447: IKEv2:Searching Policy with fvrf 0, local address 23.1.1.2
*May 3 14:24:35.451: IKEv2:Found Policy 'ikev2-policy'
*May 3 14:24:35.471: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 16
*May 3 14:24:35.475: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 3 14:24:35.479: IKEv2:(SA ID = 1):Request queued for computation of DH key
*May 3 14:24:35.483: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*May 3 14:24:35.487: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*May 3 14:24:35.491: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_4096_MODP/Group 16
*May 3 14:24:35.503: IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:500/From 23.1.1.2:500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*May 3 14:24:35.519: IKEv2:(SA ID = 1):Insert SA
*May 3 14:24:36.511: IKEv2:(SA ID = 1):Received Packet [From 23.1.1.3:500/To 23.1.1.2:500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 372F4B4B8420F745 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*May 3 14:24:36.535: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*May 3 14:24:36.539: IKEv2:(SA ID = 1):Verify SA init message
*May 3 14:24:36.543: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*May 3 14:24:36.571: IKEv2:(SA ID = 1):Checking NAT discovery
*May 3 14:24:36.575: IKEv2:(SA ID = 1):NAT OUTSIDE found
*May 3 14:24:36.579: IKEv2:(SA ID = 1):NAT detected float to init port 4500, resp port 4500
*May 3 14:24:36.583: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 16
*May 3 14:24:37.871: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 3 14:24:37.875: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*May 3 14:24:37.879: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*May 3 14:24:37.887: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*May 3 14:24:37.891: IKEv2:(SA ID = 1):Completed SA init exchange
*May 3 14:24:37.895: IKEv2:(SA ID = 1):Check for EAP exchange
*May 3 14:24:37.899: IKEv2:(SA ID = 1):Generate my authentication data
*May 3 14:24:37.903: IKEv2:(SA ID = 1):Use preshared key for id 23.1.1.2, key len 9
*May 3 14:24:37.903: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 3 14:24:37.907: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 3 14:24:37.911: IKEv2:(SA ID = 1):Get my authentication method
*May 3 14:24:37.911: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*May 3 14:24:37.915: IKEv2:(SA ID = 1):Check for EAP exchange
*May 3 14:24:37.919: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*May 3 14:24:37.923: IKEv2:(SA ID = 1):Constructing IDi payload: '23.1.1.2' of type 'IPv4 address'
*May 3 14:24:37.923: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*May 3 14:24:37.931: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*May 3 14:24:37.951: IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:4500/From 23.1.1.2:4500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 372F4B4B8420F745 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
*May 3 14:24:38.115: IKEv2:(SA ID = 1):Received Packet [From 23.1.1.3:4500/To 23.1.1.2:4500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 372F4B4B8420F745 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*May 3 14:24:38.139: IKEv2:(SA ID = 1):Process auth response notify
*May 3 14:24:38.143: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 3 14:24:38.203: IKEv2:(SA ID = 1):Failed to locate an item in the database
*May 3 14:24:38.203: IKEv2:(SA ID = 1):
*May 3 14:24:38.207: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*May 3 14:24:38.211: IKEv2:(SA ID = 1):Auth exchange failed
*May 3 14:24:38.211: IKEv2:(SA ID = 1):Auth exchange failed
*May 3 14:24:38.215: IKEv2:(SA ID = 1):Auth exchange failed
*May 3 14:24:38.219: IKEv2:(SA ID = 1):Abort exchange
*May 3 14:24:38.247: IKEv2:(SA ID = 1):Deleting SA
un all
All possible debugging has been turned off

————————————————————————————————————————————————————————



configuration:

see attached



I do not know where it goes wrong; please tell me.

Thank you.


Lv Pin


a.alekseev Wed, 05/03/2017 - 02:27

*May 3 14:24:38.143: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 3 14:24:38.203: IKEv2:(SA ID = 1):Failed to locate an item in the database


You can try this on R2:


crypto ikev2 keyring ikev2-keyring
peer ccie43413
address 0.0.0.0 0.0.0.0
pre-shared-key local ccie43413
pre-shared-key remote ccie43413
!
!

lvpin Lv Thu, 05/04/2017 - 00:11

Hi, a.alekseev

Thank you for your answer.


The problem is still there:

——————————————————————————————————————
*May 4 07:05:46.655: IKEv2:(SA ID = 1):Process auth response notify
*May 4 07:05:46.659: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 4 07:05:46.719: IKEv2:(SA ID = 1):Failed to locate an item in the database
*May 4 07:05:46.719: IKEv2:(SA ID = 1):
*May 4 07:05:46.723: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*May 4 07:05:46.727: IKEv2:(SA ID = 1):Auth exchange failed
*May 4 07:05:46.727: IKEv2:(SA ID = 1):Auth exchange failed
*May 4 07:05:46.731: IKEv2:(SA ID = 1):Auth exchange failed
*May 4 07:05:46.735: IKEv2:(SA ID = 1):Abort exchange
*May 4 07:05:46.763: IKEv2:(SA ID = 1):Deleting SA
R2#
R2#un all
All possible debugging has been turned off
R2#
R2#show run | s ikev2-keyring
crypto ikev2 keyring ikev2-keyring
peer ccie43413
address 0.0.0.0 0.0.0.0
pre-shared-key local ccie43413
pre-shared-key remote ccie43413
!
keyring local ikev2-keyring
R2#

——————————————————————————————————————————
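As an added triage aid (not code from either poster), the script below parses a few constructed lines shaped like the R2 debug output in this thread and checks the one thing the log already shows: the profile lookup is keyed on the identity the peer asserts in its ID payload (34.1.1.4), while packets arrive from the NAT device's address (23.1.1.3). It assumes the R2 IKEv2 profile selects on an IOS 'match identity remote address' clause; that configuration is in the unseen attachment, so the verdict is something to verify, not a confirmed fix.

```python
import re

# Constructed sample: five lines shaped like the R2 'debug crypto ikev2' output in this thread.
SAMPLE_DEBUG = """\
*May 3 14:24:36.511: IKEv2:(SA ID = 1):Received Packet [From 23.1.1.3:500/To 23.1.1.2:500/VRF i0:f0]
*May 3 14:24:36.579: IKEv2:(SA ID = 1):NAT detected float to init port 4500, resp port 4500
*May 3 14:24:38.143: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 3 14:24:38.203: IKEv2:(SA ID = 1):Failed to locate an item in the database
*May 3 14:24:38.207: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
"""

RECV_RE = re.compile(r"Received Packet \[From (?P<src>[\d.]+):\d+/To")
IDENT_RE = re.compile(r"peer's identity '(?P<id>[^']+)' of type '(?P<type>[^']+)'")


def triage_ikev2_debug(text):
    """Summarise what a 'debug crypto ikev2' capture says about a failed IKE_AUTH."""
    r = {"nat_detected": False, "packet_src": None, "peer_id": None,
         "peer_id_type": None, "policy_lookup_failed": False, "auth_failed": False}
    for line in text.splitlines():
        if "NAT detected" in line:
            r["nat_detected"] = True
        m = RECV_RE.search(line)
        if m:  # outer IP source as R2 sees it, i.e. after any NAT rewrite
            r["packet_src"] = m.group("src")
        m = IDENT_RE.search(line)
        if m:  # the ID payload the peer asserted; NAT does not rewrite this
            r["peer_id"], r["peer_id_type"] = m.group("id"), m.group("type")
        if "Failed to locate an item in the database" in line:
            r["policy_lookup_failed"] = True
        if "Verification of peer's authentication data FAILED" in line:
            r["auth_failed"] = True
    # The profile is searched by asserted identity, not by packet source, so behind
    # NAT the two legitimately differ; a profile keyed on the NAT address will miss.
    r["id_differs_from_src"] = (r["peer_id_type"] == "IPv4 address"
                                and r["peer_id"] is not None
                                and r["peer_id"] != r["packet_src"])
    return r


def explain(r):
    """One-line triage verdict for the summary returned by triage_ikev2_debug()."""
    if r["policy_lookup_failed"] and r["id_differs_from_src"]:
        return ("profile lookup used peer identity %s while packets arrive from %s "
                "(NAT %s); check that 'match identity remote address' covers %s"
                % (r["peer_id"], r["packet_src"],
                   "detected" if r["nat_detected"] else "not flagged", r["peer_id"]))
    if r["policy_lookup_failed"]:
        return "profile lookup failed for identity %s; review the match identity clauses" % r["peer_id"]
    return "no profile-lookup failure in this capture"
```

Run `explain(triage_ikev2_debug(open("r2-debug.txt").read()))` against a saved capture; the keyring in the thread already matched peer 'ccie43413', so the verdict points at the profile rather than the PSK.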
