Trouble with FlexVPN IKEV2 FVRF configuration

Wes Smith
Level 1

I'm having some problems getting a basic IKEv2 hub/spoke lab working with the WAN interfaces in an FVRF.
The tunnel comes up but then quickly comes down. On the spoke there is an invalid SPI message:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=32.153.1.2, prot=50, spi=0x5BFAB28A(1543156362), srcaddr=32.65.1.2, input interface=Serial2/0

At this point, the hub drops the tunnel... The process cycles through this every minute or so.

DPD is enabled on the spoke, not the hub.   

I've attached the configs and a diagram. Very basic setup.

Would appreciate a 2nd set of eyes reviewing it. 


Hub Config

aaa new-model
!
ip vrf INET1
 rd 65011:3
!
ip vrf INET2
 rd 65011:4
!
ip vrf MPLS1
 rd 65011:1
!
ip vrf MPLS2
 rd 65011:2
!
crypto ikev2 authorization policy default
 route set interface
 route set remote ipv4 10.0.0.0 255.0.0.0
 route set remote ipv4 159.208.0.0 255.255.0.0
!
!
!
crypto ikev2 keyring KEY1
 peer PEER
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
 peer HK
  address 32.153.1.2
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
!
crypto ikev2 profile default
 match fvrf MPLS1
 match identity remote any
 identity local fqdn wka00ar1.aa.com
 authentication remote pre-share
 authentication local pre-share
 keyring local KEY1
 virtual-template 2
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.255.65.20 255.255.255.255
 ip pim sparse-mode
!
interface Tunnel100
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel source Ethernet0/0
 tunnel destination 10.0.61.10
!
interface Ethernet0/0
 ip address 10.0.65.10 255.255.255.248
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf dead-interval 8
 ip ospf hello-interval 1
 load-interval 30
!
!
interface Serial2/0
 ip vrf forwarding MPLS1
 ip address 32.65.1.2 255.255.255.0
 no ip proxy-arp
 ip ospf dead-interval 8
 ip ospf hello-interval 1
 load-interval 30
 serial restart-delay 0
!
!
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 ip pim nbma-mode
 ip pim sparse-mode
 ip nhrp network-id 1
 ip nhrp redirect
 tunnel vrf MPLS1
 tunnel protection ipsec profile default
!

SPOKE Config 


aaa new-model
!
!
!
!


!
ip vrf INET1
 rd 65011:3
!
ip vrf INET2
 rd 65011:4
!
ip vrf MPLS1
 rd 65011:1
!
ip vrf MPLS2
 rd 65011:2
!
!

crypto ikev2 authorization policy default
 route set interface Ethernet0/0
 route set interface Loopback0
 route set interface
!
!
!
crypto ikev2 keyring KEY1
 peer PEER
  address 0.0.0.0 0.0.0.0
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
 peer WK
  address 32.65.1.2
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
!
!
crypto ikev2 profile default
 match fvrf MPLS1
 match identity remote any
 identity local fqdn hkar1.aa.com
 authentication remote pre-share
 authentication local pre-share
 keyring local KEY1
 dpd 10 2 on-demand
 virtual-template 2
!
!
!
interface Loopback0
 ip address 10.255.153.20 255.255.255.255
 ip pim sparse-mode
!
interface Tunnel0
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 shutdown
 tunnel source Serial2/0
 tunnel destination 32.65.1.2
 tunnel vrf MPLS1
 tunnel protection ipsec profile default
!
interface Tunnel1
 no ip address
!
interface Ethernet0/0
 ip address 10.153.240.2 255.255.255.248
 no ip proxy-arp
 ip pim sparse-mode
 ip ospf dead-interval 8
 ip ospf hello-interval 1
 load-interval 30
!
interface Serial2/0
 ip vrf forwarding MPLS1
 ip address 32.153.1.2 255.255.255.0
 no ip proxy-arp
 ip ospf dead-interval 8
 ip ospf hello-interval 1
 load-interval 30
 serial restart-delay 0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 1
 ip nhrp shortcut virtual-template 1
 tunnel protection ipsec profile default

DEBUG from the HUB


*Sep 11 01:52:23.679: IKEv2:Received Packet [From 32.153.1.2:500/To 32.65.1.2:500/VRF i0:f3] 
Initiator SPI : 7DA7A7092A773A3A - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

*Sep 11 01:52:23.679: IKEv2:(SESSION ID = 29,SA ID = 1):Verify SA init message
*Sep 11 01:52:23.679: IKEv2:(SESSION ID = 29,SA ID = 1):Insert SA
*Sep 11 01:52:23.679: IKEv2:Searching Policy with fvrf 3, local address 32.65.1.2
*Sep 11 01:52:23.679: IKEv2:Using the Default Policy for Proposal
*Sep 11 01:52:23.679: IKEv2:Found Policy 'default'
*Sep 11 01:52:23.679: IKEv2:(SESSION ID = 29,SA ID = 1):Processing IKE_SA_INIT message
*Sep 11 01:52:23.679: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Sep 11 01:52:23.679: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Sep 11 01:52:23.679: IKEv2:Failed to retrieve Certificate Issuer list
*Sep 11 01:52:23.679: IKEv2:(SESSION ID = 29,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Sep 11 01:52:23.679: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Sep 11 01:52:23.679: IKEv2:(SESSION ID = 29,SA ID = 1):Request queued for computation of DH key
*Sep 11 01:52:23.679: IKEv2:(SESSION ID = 29,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Sep 11 01:52:23.687: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Sep 11 01:52:23.687: IKEv2:(SESSION ID = 29,SA ID = 1):Request queued for computation of DH secret
*Sep 11 01:52:23.687: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Sep 11 01:52:23.687: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Sep 11 01:52:23.687: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Sep 11 01:52:23.687: IKEv2:(SESSION ID = 29,SA ID = 1):Generating IKE_SA_INIT message
*Sep 11 01:52:23.687: IKEv2:(SESSION ID = 29,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA512   SHA512   DH_GROUP_1536_MODP/Group 5
*Sep 11 01:52:23.687: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Sep 11 01:52:23.687: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Sep 11 01:52:23.687: IKEv2:Failed to retrieve Certificate Issuer list 

*Sep 11 01:52:23.687: IKEv2:(SESSION ID = 29,SA ID = 1):Sending Packet [To 32.153.1.2:500/From 32.65.1.2:500/VRF i0:f3] 
Initiator SPI : 7DA7A7092A773A3A - Responder SPI : F54F6345509E7401 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

*Sep 11 01:52:23.687: IKEv2:(SESSION ID = 29,SA ID = 1):Completed SA init exchange
*Sep 11 01:52:23.687: IKEv2:(SESSION ID = 29,SA ID = 1):Starting timer (30 sec) to wait for auth message 

*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Received Packet [From 32.153.1.2:500/To 32.65.1.2:500/VRF i0:f3] 
Initiator SPI : 7DA7A7092A773A3A - Responder SPI : F54F6345509E7401 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Stopping timer to wait for auth message
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Checking NAT discovery
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):NAT not found
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Searching policy based on peer's identity 'hkar1.aa.com' of type 'FQDN'
*Sep 11 01:52:23.713: IKEv2:found matching IKEv2 profile 'default'
*Sep 11 01:52:23.713: IKEv2:% Getting preshared key from profile keyring KEY1
*Sep 11 01:52:23.713: IKEv2:% Matched peer block 'HK'
*Sep 11 01:52:23.713: IKEv2:Searching Policy with fvrf 3, local address 32.65.1.2
*Sep 11 01:52:23.713: IKEv2:Using the Default Policy for Proposal
*Sep 11 01:52:23.713: IKEv2:Found Policy 'default'
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Verify peer's policy
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Peer's policy verified
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Get peer's authentication method
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Peer's authentication method is 'PSK'
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Get peer's preshared key for hkar1.aa.com
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Verify peer's authentication data
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Use preshared key for id hkar1.aa.com, key len 5
*Sep 11 01:52:23.713: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Sep 11 01:52:23.713: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Verification of peer's authenctication data PASSED
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Processing INITIAL_CONTACT
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Received valid config mode data
*Sep 11 01:52:23.713: IKEv2:Config data recieved:
*Sep 11 01:52:23.713: Config-type: Config-request
*Sep 11 01:52:23.713: Attrib type: ipv4-dns, length: 0
*Sep 11 01:52:23.713: Attrib type: ipv4-dns, length: 0
*Sep 11 01:52:23.713: Attrib type: ipv4-nbns, length: 0
*Sep 11 01:52:23.713: Attrib type: ipv4-nbns, length: 0
*Sep 11 01:52:23.713: Attrib type: ipv4-subnet, length: 0
*Sep 11 01:52:23.713: Attrib type: ipv6-dns, length: 0
*Sep 11 01:52:23.713: Attrib type: ipv6-subnet, length: 0
*Sep 11 01:52:23.713: Attrib type: app-version, length: 256, data: Cisco IOS Software, 
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Sat 23-Nov-13 03:28 by prod_rel_team
*Sep 11 01:52:23.713: Attrib type: split-dns, length: 0
*Sep 11 01:52:23.713: Attrib type: banner, length: 0
*Sep 11 01:52:23.713: Attrib type: config-url, length: 0
*Sep 11 01:52:23.713: Attrib type: backup-gateway, length: 0
*Sep 11 01:52:23.713: Attrib type: def-domain, length: 0
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Set received config mode data
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):Processing IKE_AUTH message
*Sep 11 01:52:23.713: IKEv2:% DVTI create request sent for profile default with PSH index 1.

*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 29,SA ID = 1):
*Sep 11 01:52:23.713: IKEv2:(SESSION ID = 28,SA ID = 2):Deleting SA
*Sep 11 01:52:23.713: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Sep 11 01:52:23.713: IPSEC: sa null
*Sep 11 01:52:23.714: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
*Sep 11 01:52:23.714: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Sep 11 01:52:23.714: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down

DEBUG from the SPOKE

hkar1(config)#int t0
hkar1(config-if)#no shut
hkar1(config-if)#
*Sep 11 01:52:23.670: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
*Sep 11 01:52:23.670: IKEv2:% Getting preshared key from profile keyring KEY1
*Sep 11 01:52:23.670: IKEv2:% Matched peer block 'WK'
*Sep 11 01:52:23.670: IKEv2:Searching Policy with fvrf 3, local address 32.153.1.2
*Sep 11 01:52:23.670: IKEv2:Using the Default Policy for Proposal
*Sep 11 01:52:23.670: IKEv2:Found Policy 'default'
*Sep 11 01:52:23.670: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Sep 11 01:52:23.670: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Sep 11 01:52:23.670: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Sep 11 01:52:23.670: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Sep 11 01:52:23.670: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Sep 11 01:52:23.670: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 15
   AES-CBC   AES-CBC   AES-CBC   SHA512   SHA384   SHA256   SHA1   MD5   SHA512   SHA384   SHA256   SHA96   MD596   DH_GROUP_1536_MODP/Group 5   DH_GROUP_1024_MODP/Group 2 

*Sep 11 01:52:23.671: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 32.65.1.2:500/From 32.153.1.2:500/VRF i3:f3] 
Initiator SPI : 7DA7A7092A773A3A - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

*Sep 11 01:52:23.671: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA 

*Sep 11 01:52:23.696: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 32.65.1.2:500/To 32.153.1.2:500/VRF i3:f3] 
Initiator SPI : 7DA7A7092A773A3A - Responder SPI : F54F6345509E7401 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

*Sep 11 01:52:23.696: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Sep 11 01:52:23.696: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Sep 11 01:52:23.696: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Sep 11 01:52:23.696: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Sep 11 01:52:23.696: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Sep 11 01:52:23.696: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*Sep 11 01:52:23.704: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Sep 11 01:52:23.704: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Sep 11 01:52:23.704: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Sep 11 01:52:23.704: IKEv2:Config data to send:
*Sep 11 01:52:23.704: Config-type: Config-request
*Sep 11 01:52:23.704: Attrib type: ipv4-dns, length: 0
*Sep 11 01:52:23.704: Attrib type: ipv4-dns, length: 0
*Sep 11 01:52:23.704: Attrib type: ipv4-nbns, length: 0
*Sep 11 01:52:23.704: Attrib type: ipv4-nbns, length: 0
*Sep 11 01:52:23.704: Attrib type: ipv4-subnet, length: 0
*Sep 11 01:52:23.704: Attrib type: ipv6-dns, length: 0
*Sep 11 01:52:23.704: Attrib type: ipv6-subnet, length: 0
*Sep 11 01:52:23.704: Attrib type: app-version, length: 256, data: Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.4(1)T, DEVELOPMENT TEST SOFTWARE
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Sat 23-Nov-13 03:28 by prod_rel_team
*Sep 11 01:52:23.704: Attrib type: split-dns, length: 0
*Sep 11 01:52:23.704: Attrib type: banner, length: 0
*Sep 11 01:52:23.704: Attrib type: config-url, length: 0
*Sep 11 01:52:23.704: Attrib type: backup-gateway, length: 0
*Sep 11 01:52:23.704: Attrib type: def-domain, length: 0
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Have config mode data to send
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id hkar1.aa.com, key len 5
*Sep 11 01:52:23.704: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Sep 11 01:52:23.704: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: 'hkar1.aa.com' of type 'FQDN'
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 3
   AES-CBC   SHA96   Don't use ESN
*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Sep 11 01:52:23.704: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 32.65.1.2:500/From 32.153.1.2:500/VRF i3:f3] 
Initiator SPI : 7DA7A7092A773A3A - Responder SPI : F54F6345509E7401 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 ENCR 

*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 32.65.1.2:500/To 32.153.1.2:500/VRF i3:f3] 
Initiator SPI : 7DA7A7092A773A3A - Responder SPI : F54F6345509E7401 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 VID IDr AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity 'wka00ar1.aa.com' of type 'FQDN'
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):: Failed to locate an item in the database
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):
hkar1(config-if)#Verification of peer's authentication data FAILED
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
hkar1(config-if)#
*Sep 11 01:52:25.668: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
hkar1(config-if)#
*Sep 11 01:52:25.669: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
hkar1(config-if)#
*Sep 11 01:52:26.654: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=32.153.1.2, prot=50, spi=0x6C2951F6(1814647286), srcaddr=32.65.1.2, input interface=Serial2/0
hkar1(config-if)#
hkar1(config-if)#
hkar1(config-if)#
hkar1(config-if)#
hkar1(config-if)#end
hkar1#
*Sep 11 01:52:47.325: %SYS-5-CONFIG_I: Configured from console by console
hkar1#sh cry sess
Crypto session current status

Interface: Tunnel0
Session status: DOWN
Peer: 32.65.1.2 port 500 
  IPSEC FLOW: permit 47 host 32.153.1.2 host 32.65.1.2 
        Active SAs: 0, origin: crypto map

hkar1#
hkar1#
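A small triage script for captures like the two debugs above, added here as an example (not code from the thread or from Cisco): it parses the "Received/Sending Packet", "Initiator SPI", "Exchange", "Payload contents", auth-verdict and %CRYPTO-4-RECVD_PKT_INV_SPI line shapes and reports, per initiator SPI, how far the negotiation got and whether ESP arrived with an SPI this side does not hold. The sample capture, its addresses and SPIs are constructed.

```python
import re
from dataclasses import dataclass, field

# Line shapes from the debugs above; the first address in a packet header is the peer.
PKT_RE = re.compile(r"(?P<dir>Received|Sending) Packet \[(?:From|To) (?P<peer>[\d.]+):\d+/")
SPI_RE = re.compile(r"Initiator SPI : (?P<ispi>[0-9A-F]+) - Responder SPI : [0-9A-F]+")
EXCH_RE = re.compile(r"IKEv2 (?P<exch>\w+) Exchange (?P<kind>REQUEST|RESPONSE)")
SESS_RE = re.compile(r"\(SESSION ID = (?P<sess>\d+),")
# One hub line spells it "authenctication", so accept both spellings.
AUTH_RE = re.compile(r"Verification of peer's authenc?tication data (?P<res>PASSED|FAILED)")
INV_SPI_RE = re.compile(r"RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[\d.]+), prot=(?P<prot>\d+), spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>[\d.]+)")

@dataclass
class IkeSa:
    ispi: str
    peer: str = ""
    session: str = ""                            # SESSION ID seen on its packet headers
    packets: list = field(default_factory=list)  # e.g. "Received IKE_AUTH RESPONSE"
    auth: str = ""                               # PASSED / FAILED (...) / "" if never reached
    deleted: bool = False

def parse_ikev2_debug(text):
    """Return ({initiator SPI: IkeSa}, [RECVD_PKT_INV_SPI events as dicts])."""
    sas, inv_spi = {}, []
    cur, pkt, label, want_payload = None, None, "", False
    for line in filter(None, map(str.strip, text.splitlines())):  # blanks dropped
        sess = (m := SESS_RE.search(line)) and m["sess"]
        if (m := INV_SPI_RE.search(line)):
            inv_spi.append(m.groupdict())
        elif (m := PKT_RE.search(line)):
            pkt = (m["dir"], m["peer"], sess)             # header; the SPI line comes next
        elif pkt and (m := SPI_RE.search(line)):
            cur = sas.setdefault(m["ispi"], IkeSa(m["ispi"], pkt[1]))
            cur.session = cur.session or pkt[2] or ""
        elif pkt and cur and (m := EXCH_RE.search(line)):
            label = f"{m['exch']} {m['kind']}"
            cur.packets.append(f"{pkt[0]} {label}")
            pkt = None
        elif line == "Payload contents:":
            want_payload = bool(label)      # skips the "Building packet for encryption" preview
        elif want_payload and cur:
            if "NOTIFY(AUTHENTICATION_FAILED)" in line.split():
                cur.auth = "FAILED (peer sent AUTHENTICATION_FAILED)"
            label, want_payload = "", False
        elif cur and (not sess or cur.session in ("", sess)):
            # Verdict lines carry a SESSION ID; skip those of other sessions (hub debug: 28 vs 29).
            if (m := AUTH_RE.search(line)):
                cur.auth = "PASSED" if m["res"] == "PASSED" else "FAILED (peer's AUTH not verified locally)"
            elif line.endswith("Deleting SA"):
                cur.deleted = True
    return sas, inv_spi

def diagnose(sa, inv_spi=()):
    """One-line verdict: how far IKE got, plus ESP from the peer this side cannot map to an SA."""
    checks = [
        (sa.auth.startswith("FAILED"), f"IKE_AUTH {sa.auth}"),
        (sa.auth == "PASSED", "IKE_AUTH PASSED: peer authenticated"),
        (any("IKE_AUTH" in p for p in sa.packets), "IKE_AUTH seen, no authentication verdict logged"),
        (any("IKE_SA_INIT RESPONSE" in p for p in sa.packets), "IKE_SA_INIT done; IKE_AUTH never seen"),
    ]
    why = next((msg for ok, msg in checks if ok), "IKE_SA_INIT request only; no reply from peer")
    stale = [e for e in inv_spi if e["src"] == sa.peer and e["prot"] == "50"]
    if stale:
        why += f"; {len(stale)} ESP packet(s) from {sa.peer} with SPI not in local SADB"
    return why

def summarize(text):
    """Map each initiator SPI in a debug capture to its triage verdict."""
    sas, inv_spi = parse_ikev2_debug(text)
    return {ispi: diagnose(sa, inv_spi) for ispi, sa in sas.items()}

# Constructed sample shaped like the spoke debug above (SPIs and addresses made up;
# the console prompt glued to the FAILED line mirrors the real capture).
SAMPLE = """\
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 192.0.2.1:500/To 198.51.100.2:500/VRF i3:f3]
Initiator SPI : 0123456789ABCDEF - Responder SPI : FEDCBA9876543210 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 VID IDr AUTH SA TSi TSr NOTIFY(USE_TRANSPORT_MODE)
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 2,SA ID = 2):Deleting SA
spoke(config-if)#Verification of peer's authentication data FAILED
*Sep 11 01:52:23.849: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
*Sep 11 01:52:26.654: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=198.51.100.2, prot=50, spi=0x0000ABCD(43981), srcaddr=192.0.2.1, input interface=Serial2/0
"""
```

Running `summarize(SAMPLE)` on the constructed capture yields the same picture the spoke shows above: IKE_AUTH failed locally, then ESP from the hub arrived for an SA the spoke no longer has.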

3 Replies

inam.ullah78
Level 1

Hi,

Did you get a solution to this issue?

Regards,

I am also facing a similar issue, tunnel status down...

Captures are below:


Enter configuration commands, one per line. End with CNTL/Z.
19xx006(config)#int tun
19xx006(config)#int tunnel 0
19xx006(config-if)#no shu
19xx006(config-if)#no shutdown
19xx006(config-if)#
*Sep 21 16:22:57.829: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
*Sep 21 16:22:57.833: IKEv2:% Getting preshared key from profile keyring HVPN
*Sep 21 16:22:57.833: IKEv2:% Matched peer block 'SSNG1'
*Sep 21 16:22:57.833: IKEv2:Searching Policy with fvrf 1, local address 10.11.90.2
*Sep 21 16:22:57.833: IKEv2:Using the Default Policy for Proposal
*Sep 21 16:22:57.833: IKEv2:Found Policy 'default'
*Sep 21 16:22:57.837: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH
19xx006#Group 20
*Sep 21 16:22:57.837: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Sep 21 16:22:57.837: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Sep 21 16:22:57.837: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Sep 21 16:22:57.837: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Sep 21 16:22:57.837: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 17
AES-CBC AES-CBC AES-CBC SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_384_ECP/Group 20 DH_GROUP_256_ECP/Group 19 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

*Sep 21 16:22:57.837: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.12.66:500/From 10.11.90.2:500/VRF i1:f1]
Initiator SPI : 8043E2A8477F206B - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Sep 21 16:22:57.837: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Sep 21 16:22:57.849: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.10.12.66:500/To 10.11.90.2:500/VRF i1:f1]
Initiator SPI : 8043E2A8477F206B - Responder SPI : 1B1073A2B00CA757 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Sep 21 16:22:57.849: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Sep 21 16:22:57.849: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Sep 21 16:22:57.849: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Sep 21 16:22:57.849: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Sep 21 16:22:57.849: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Sep 21 16:22:57.849: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 20
*Sep 21 16:22:57.913: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Sep 21 16:22:57.913: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Sep 21 16:22:57.913: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Sep 21 16:22:57.913: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Sep 21 16:22:57.913: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Sep 21 16:22:57.913: IKEv2:Config data to send:
*Sep 21 16:22:57.913: Config-type: Config-request
*Sep 21 16:22:57.913: Attrib type: ipv4-dns, length: 0
*Sep 21 16:22:57.913: Attrib type: ipv4-dns, length: 0
*Sep 21 16:22:57.913: Attrib type: ipv4-nbns, length: 0
*Sep 21 16:22:57.913: Attrib type: ipv4-nbns, length: 0
*Sep 21 16:22:57.913: Attrib type: ipv4-subnet, length: 0
*Sep 21 16:22:57.913: Attrib type: ipv6-dns, length: 0
*Sep 21 16:22:57.913: Attrib type: ipv6-subnet, length: 0
*Sep 21 16:22:57.917: Attrib type: app-version, length: 244, data: Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.3(3)M3, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Wed 28-May-14 05:26 by prod_rel_team
*Sep 21 16:22:57.917: Attrib type: split-dns, length: 0
*Sep 21 16:22:57.917: Attrib type: banner, length: 0
*Sep 21 16:22:57.917: Attrib type: config-url, length: 0
*Sep 21 16:22:57.917: Attrib type: backup-gateway, length: 0
*Sep 21 16:22:57.917: Attrib type: def-domain, length: 0
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Have config mode data to send
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id site2.cust1@ssng.bt.com, key len 5
*Sep 21 16:22:57.917: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Sep 21 16:22:57.917: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: 'site2.cust1@ssng.bt.com' of type 'RFC822 address'
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 2
AES-GCM Don't use ESN
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 2, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 3, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
3DES SHA96 Don't use ESN
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 4, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
DES SHA96 Don't use ESN
*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(USE_TRANSPORT_MODE) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Sep 21 16:22:57.917: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.10.12.66:500/From 10.11.90.2:500/VRF i1:f1]
Initiator SPI : 8043E2A8477F206B - Responder SPI : 1B1073A2B00CA757 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*Sep 21 16:22:57.921: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.10.12.66:500/To 10.11.90.2:500/VRF i1:f1]
Initiator SPI : 8043E2A8477F206B - Responder SPI : 1B1073A2B00CA757 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Sep 21 16:22:57.921: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Sep 21 16:22:57.921: IKEv2:(SESSION ID = 1,SA ID = 1):
*Sep 21 16:22:57.921: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Sep 21 16:22:57.925: IKEv2:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
*Sep 21 16:22:57.925: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
*Sep 21 16:22:57.925: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
*Sep 21 16:22:59.101: %SYS-5-CONFIG_I: Configured from console by console
*Sep 21 16:22:59.829: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
*Sep 21 16:22:59.829: %LINK-3-UPDOWN: Interface Tunnel0, changed state to up
19xx006#
19xx006#
19xx006#undebug all
All possible debugging has been turned off
19xx006#sh cryp
19xx006#sh crypto sess
19xx006#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: DOWN
Peer: 10.10.12.66 port 500
IPSEC FLOW: permit 47 host 10.11.90.2 host 10.10.12.66
Active SAs: 0, origin: crypto map

19xx006#

Looks to me like your authentication has failed.


*Sep 21 16:22:57.921: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.10.12.66:500/To 10.11.90.2:500/VRF i1:f1]
Initiator SPI : 8043E2A8477F206B - Responder SPI : 1B1073A2B00CA757 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
