Cisco Support Community

IKEv2 with NAT-T Auth exchange failed

Topology

【R1】12.1.1.1——12.1.1.2【R2】23.1.1.2——23.1.1.3【R3】34.1.1.3——34.1.1.4【R4】45.1.1.4——45.1.1.5【R5】

R1 and R5: PC client

R2 and R4: VPN gateway

R3: NAT device

Trouble

R2 cannot create a crypto IKEv2 SA

debug

————————————————————————————————————————————————————————

debug crypto ikev2
IKEv2 default debugging is on

*May 3 14:24:35.443: IKEv2:% Getting preshared key from profile keyring ikev2-keyring
*May 3 14:24:35.447: IKEv2:% Matched peer block 'ccie43413'
*May 3 14:24:35.447: IKEv2:Searching Policy with fvrf 0, local address 23.1.1.2
*May 3 14:24:35.451: IKEv2:Found Policy 'ikev2-policy'
*May 3 14:24:35.471: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 16
*May 3 14:24:35.475: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 3 14:24:35.479: IKEv2:(SA ID = 1):Request queued for computation of DH key
*May 3 14:24:35.483: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*May 3 14:24:35.487: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
*May 3 14:24:35.491: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_4096_MODP/Group 16
*May 3 14:24:35.503: IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:500/From 23.1.1.2:500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*May 3 14:24:35.519: IKEv2:(SA ID = 1):Insert SA
*May 3 14:24:36.511: IKEv2:(SA ID = 1):Received Packet [From 23.1.1.3:500/To 23.1.1.2:500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 372F4B4B8420F745 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)
*May 3 14:24:36.535: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*May 3 14:24:36.539: IKEv2:(SA ID = 1):Verify SA init message
*May 3 14:24:36.543: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*May 3 14:24:36.571: IKEv2:(SA ID = 1):Checking NAT discovery
*May 3 14:24:36.575: IKEv2:(SA ID = 1):NAT OUTSIDE found
*May 3 14:24:36.579: IKEv2:(SA ID = 1):NAT detected float to init port 4500, resp port 4500
*May 3 14:24:36.583: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 16
*May 3 14:24:37.871: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 3 14:24:37.875: IKEv2:(SA ID = 1):Request queued for computation of DH secret
*May 3 14:24:37.879: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*May 3 14:24:37.887: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*May 3 14:24:37.891: IKEv2:(SA ID = 1):Completed SA init exchange
*May 3 14:24:37.895: IKEv2:(SA ID = 1):Check for EAP exchange
*May 3 14:24:37.899: IKEv2:(SA ID = 1):Generate my authentication data
*May 3 14:24:37.903: IKEv2:(SA ID = 1):Use preshared key for id 23.1.1.2, key len 9
*May 3 14:24:37.903: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 3 14:24:37.907: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 3 14:24:37.911: IKEv2:(SA ID = 1):Get my authentication method
*May 3 14:24:37.911: IKEv2:(SA ID = 1):My authentication method is 'PSK'
*May 3 14:24:37.915: IKEv2:(SA ID = 1):Check for EAP exchange
*May 3 14:24:37.919: IKEv2:(SA ID = 1):Generating IKE_AUTH message
*May 3 14:24:37.923: IKEv2:(SA ID = 1):Constructing IDi payload: '23.1.1.2' of type 'IPv4 address'
*May 3 14:24:37.923: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*May 3 14:24:37.931: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*May 3 14:24:37.951: IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:4500/From 23.1.1.2:4500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 372F4B4B8420F745 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
*May 3 14:24:38.115: IKEv2:(SA ID = 1):Received Packet [From 23.1.1.3:4500/To 23.1.1.2:4500/VRF i0:f0]
Initiator SPI : 3D15D683BF8E7C4D - Responder SPI : 372F4B4B8420F745 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*May 3 14:24:38.139: IKEv2:(SA ID = 1):Process auth response notify
*May 3 14:24:38.143: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 3 14:24:38.203: IKEv2:(SA ID = 1):Failed to locate an item in the database
*May 3 14:24:38.203: IKEv2:(SA ID = 1):
*May 3 14:24:38.207: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*May 3 14:24:38.211: IKEv2:(SA ID = 1):Auth exchange failed
*May 3 14:24:38.211: IKEv2:(SA ID = 1):Auth exchange failed
*May 3 14:24:38.215: IKEv2:(SA ID = 1):Auth exchange failed
*May 3 14:24:38.219: IKEv2:(SA ID = 1):Abort exchange
*May 3 14:24:38.247: IKEv2:(SA ID = 1):Deleting SA
un all
All possible debugging has been turned off

————————————————————————————————————————————————————————

configuration:

see attached

I do not know where something goes wrong; please tell me.

At this point
Thank you

Lv Pin

2 REPLIES

*May 3 14:24:38.143: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 3 14:24:38.203: IKEv2:(SA ID = 1):Failed to locate an item in the database

You can try this on R2

crypto ikev2 keyring ikev2-keyring
peer ccie43413
address 0.0.0.0 0.0.0.0
pre-shared-key local ccie43413
pre-shared-key remote ccie43413
!
!
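As an added triage example (not from this thread and not Cisco code), the script below reduces the "debug crypto ikev2" output quoted above to the facts that decide the outcome: the address the IKE packets are sent to, whether NAT was detected, and the identity (IDr) the peer asserts in IKE_AUTH. The sample lines are copied from the post; the verdict wording and the diagnose() logic are mine.

```python
import re

# Constructed sample: a trimmed copy of the "debug crypto ikev2" output R2 printed above.
SAMPLE_DEBUG = """\
*May 3 14:24:35.447: IKEv2:% Matched peer block 'ccie43413'
*May 3 14:24:35.503: IKEv2:(SA ID = 1):Sending Packet [To 23.1.1.3:500/From 23.1.1.2:500/VRF i0:f0]
*May 3 14:24:36.579: IKEv2:(SA ID = 1):NAT detected float to init port 4500, resp port 4500
*May 3 14:24:38.143: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 3 14:24:38.203: IKEv2:(SA ID = 1):Failed to locate an item in the database
*May 3 14:24:38.207: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
"""

SEND_TO = re.compile(r"Sending Packet \[To (\d{1,3}(?:\.\d{1,3}){3}):\d+/")
PEER_ID = re.compile(r"Searching policy based on peer's identity '([^']+)' of type '([^']+)'")
PEER_BLOCK = re.compile(r"Matched peer block '([^']+)'")

def triage(debug_text):
    """Reduce one IKE_SA_INIT/IKE_AUTH attempt to the facts that decide its outcome."""
    facts = {"peer_addr": None, "peer_block": None, "peer_id": None,
             "peer_id_type": None, "nat": False, "lookup_failed": False, "auth_failed": False}
    for line in debug_text.splitlines():
        m = SEND_TO.search(line)
        if m and facts["peer_addr"] is None:
            facts["peer_addr"] = m.group(1)        # address the IKE packets actually go to
        m = PEER_BLOCK.search(line)
        if m:
            facts["peer_block"] = m.group(1)       # keyring block picked by peer address
        m = PEER_ID.search(line)
        if m:
            facts["peer_id"], facts["peer_id_type"] = m.groups()  # IDr asserted in IKE_AUTH
        facts["nat"] |= "NAT detected float" in line
        facts["lookup_failed"] |= "Failed to locate an item in the database" in line
        facts["auth_failed"] |= "authentication data FAILED" in line
    return facts

def diagnose(facts):
    """One-line verdict; comparing IDr with the transport address is the key check."""
    if not (facts["lookup_failed"] and facts["auth_failed"]):
        return "no IKE_AUTH identity lookup failure in this capture"
    mismatch = (facts["peer_id_type"] == "IPv4 address"
                and facts["peer_id"] != facts["peer_addr"])
    if facts["nat"] and mismatch:
        return ("peer asserts IDr %s but packets are exchanged with %s (NAT in path): the local "
                "IKEv2 profile must match the asserted identity %s, not the translated address"
                % (facts["peer_id"], facts["peer_addr"], facts["peer_id"]))
    return "identity %r not matched by any IKEv2 profile entry" % facts["peer_id"]

if __name__ == "__main__":
    print(diagnose(triage(SAMPLE_DEBUG)))
```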

Hi a.alekseev,

Thank you for your answer.

The problem is still there.

——————————————————————————————————————
*May 4 07:05:46.655: IKEv2:(SA ID = 1):Process auth response notify
*May 4 07:05:46.659: IKEv2:(SA ID = 1):Searching policy based on peer's identity '34.1.1.4' of type 'IPv4 address'
*May 4 07:05:46.719: IKEv2:(SA ID = 1):Failed to locate an item in the database

*May 4 07:05:46.719: IKEv2:(SA ID = 1):
*May 4 07:05:46.723: IKEv2:(SA ID = 1):Verification of peer's authentication data FAILED
*May 4 07:05:46.727: IKEv2:(SA ID = 1):Auth exchange failed
*May 4 07:05:46.727: IKEv2:(SA ID = 1):Auth exchange failed

*May 4 07:05:46.731: IKEv2:(SA ID = 1):Auth exchange failed
*May 4 07:05:46.735: IKEv2:(SA ID = 1):Abort exchange
*May 4 07:05:46.763: IKEv2:(SA ID = 1):Deleting SA
R2#
R2#un all
All possible debugging has been turned off
R2#
R2#show run | s ikev2-keyring
crypto ikev2 keyring ikev2-keyring
peer ccie43413
address 0.0.0.0 0.0.0.0
pre-shared-key local ccie43413
pre-shared-key remote ccie43413
!
keyring local ikev2-keyring
R2#

——————————————————————————————————————————
