cisco:books:ccnp_300-730:ch3:001
cisco:books:ccnp_300-730:ch3:001 [2025/08/31 14:52] Namecisco:books:ccnp_300-730:ch3:001 [2025/08/31 17:54] (current) Name
Line 16: Line 16:
 <code>en <code>en
 conf t conf t
 +no ip domain lookup
 hostname r1-hub hostname r1-hub
 line con 0 line con 0
 +history size 256
 logg syn logg syn
 exec-timeout 0 0 exec-timeout 0 0
Line 26: Line 28:
  ip address 1.1.1.1 255.255.255.255  ip address 1.1.1.1 255.255.255.255
 ! !
-interface Ethernet0/0+interface GigabitEthernet1
  shutdown  shutdown
  ip address 12.1.1.1 255.255.255.0  ip address 12.1.1.1 255.255.255.0
Line 63: Line 65:
  match address castle-acl  match address castle-acl
 ! !
-interface Ethernet0/0+interface GigabitEthernet1
  crypto map svpn-map  crypto map svpn-map
  no shutdown  no shutdown
Line 73: Line 75:
 <code>en <code>en
 conf t conf t
 +no ip domain lookup
 hostname r2-spoke hostname r2-spoke
 line con 0 line con 0
 +history size 256
 logg syn logg syn
 exec-timeout 0 0 exec-timeout 0 0
Line 83: Line 87:
  ip address 2.2.2.2 255.255.255.255  ip address 2.2.2.2 255.255.255.255
 ! !
-interface Ethernet0/0+interface GigabitEthernet1
  shutdown  shutdown
  ip address 12.1.1.2 255.255.255.0  ip address 12.1.1.2 255.255.255.0
Line 120: Line 124:
  match address castle-acl  match address castle-acl
 ! !
-interface Ethernet0/0+interface GigabitEthernet1
  crypto map svpn-map  crypto map svpn-map
  no shutdown  no shutdown
Line 131: Line 135:
 Type escape sequence to abort. Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds: Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
-.!!!! +..... 
-Success rate is 80 percent (4/5), round-trip min/avg/max = 5/5/ms</code> +Success rate is 0 percent (0/5)</code> 
-  * Packet Capture on r1-hub e0/0 interface+  * The ping should fail for this initial configuration. Now the steps will be detailed to isolate the root cause. 
-{{ :cisco:books:ccnp_300-730:ch3:000:Lab-000-IKEv2-Overview.png?900 |Lab-001-Overview}}\\ + 
 +<code>r1-hub#show crypto ikev2 sa 
 +r1-hub#</code> 
 +  * Nothing returned. The neighbor is missing. The next step is to check the CEF table on the hub. 
 +<code>r1-hub#show ip cef 12.1.1.2 
 +12.1.1.2/32 
 +  attached to GigabitEthernet1</code> 
 +  * The hub's CEF table has the correct entry. This tells us that layers 1-3 are correct. If you want, you can view the ARP table to confirm. 
 +<code>r1-hub#show ip arp 12.1.1.2 
 +Protocol  Address          Age (min)  Hardware Addr   Type   Interface 
 +Internet  12.1.1.2                9   5000.0004.0000  ARPA   GigabitEthernet1</code> 
 +  * A packet capture on the hub's interface (or spoke) will reveal that their are no ESP packets being exchanged. 
 +  * The following packet capture is taken when trying to ping the spoke from the hub. 
 +{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture.png?900 |Lab-001-IKEv2-Capture}} 
 +  * Notice the absent of the ESP packets from [[:cisco:books:ccnp_300-730:ch3:000|Lab 000]]. 
 +  * Turn on debugging to examine the packet flows. 
 +<code>r1-hub#debug crypto ikev2 
 +IKEv2 default debugging is on</code> 
 +  * Now ping the spoke again. 
 +<code>r1-hub#ping 12.1.1.2 
 +Type escape sequence to abort. 
 +Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds: 
 + 
 +*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key 
 +*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote' 
 +*Aug 31 15:17:56.833: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1 
 +*Aug 31 15:17:56.833: IKEv2:Found Policy 'svpn-policy' 
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 
 +*Aug 31 15:17:56.833: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED 
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key 
 +*Aug 31 15:17:56.833: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch 
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message 
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),  
 +Num. transforms: 4 
 +   AES-CBC   SHA512   SHA512   DH_GROUP_2048_MODP/Group 14  
 + 
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 0000000000000000 Message id: 0 
 +IKEv2 IKE_SA_INIT Exchange REQUEST  
 +Payload contents:  
 + SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)  
 + 
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA  
 + 
 +*Aug 31 15:17:56.859: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 0 
 +IKEv2 IKE_SA_INIT Exchange RESPONSE  
 +Payload contents:  
 + SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)  
 + 
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message 
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message 
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message 
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery 
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found 
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 
 +*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED 
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret 
 +*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA 
 +*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED 
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange 
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange 
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data 
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5 
 +*Aug 31 15:17:56.884: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data 
 +*Aug 31 15:17:56.884: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED 
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method 
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK' 
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange 
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message 
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address' 
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),  
 +Num. transforms: 3 
 +   AES-CBC   SHA512   Don't use ESN 
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.   
 +Payload contents:  
 + VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)  
 + 
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1 
 +IKEv2 IKE_AUTH Exchange REQUEST  
 +Payload contents:  
 + ENCR  
 +  
 + 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1 
 +IKEv2 IKE_AUTH Exchange RESPONSE  
 +Payload contents:  
 + VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)  
 + 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify 
 +*Aug 31 15:17:56.891: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1): 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address' 
 +*Aug 31 15:17:56.891: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1 
 +*Aug 31 15:17:56.891: IKEv2:Found Policy 'svpn-policy' 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK' 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5 
 +*Aug 31 15:17:56.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data 
 +*Aug 31 15:17:56.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP 
 +*Aug 31 15:17:56.891: IKEv2:IKEv2 MIB tunnel started, tunnel index 1 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x45BE1F9C] 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.   
 +Payload contents:  
 + DELETE 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window  
 + 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2 
 +IKEv2 INFORMATIONAL Exchange REQUEST  
 +Payload contents:  
 + ENCR  
 + 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x6DE15BF054EB9486 RSPI: 0x281E8E3CD1936670] 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.   
 +Payload contents:  
 + DELETE 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA 
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs  
 + 
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2 
 +IKEv2 INFORMATIONAL Exchange RESPONSE  
 +Payload contents:  
 +  
 + 
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange 
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA 
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs  
 + 
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3 
 +IKEv2 INFORMATIONAL Exchange REQUEST  
 +Payload contents:  
 + ENCR  
 +  
 + 
 +*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3 
 +IKEv2 INFORMATIONAL Exchange RESPONSE  
 +Payload contents:  
 +  
 + 
 +*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange 
 +*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA..... 
 +Success rate is 0 percent (0/5) 
 +r1-hub# 
 +*Aug 31 15:18:26.837: IKEv2:% Getting preshared key from profile keyring lion-key 
 +*Aug 31 15:18:26.838: IKEv2:% Matched peer block 'peer-remote' 
 +*Aug 31 15:18:26.838: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1 
 +*Aug 31 15:18:26.838: IKEv2:Found Policy 'svpn-policy' 
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14 
 +*Aug 31 15:18:26.838: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED 
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key 
 +*Aug 31 15:18:26.838: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch 
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message 
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),  
 +Num. transforms: 4 
 +   AES-CBC   SHA512   SHA512   DH_GROUP_2048_MODP/Group 14  
 + 
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : C93696F08692939D - Responder SPI : 0000000000000000 Message id: 0 
 +IKEv2 IKE_SA_INIT Exchange REQUEST  
 +Payload contents:  
 + SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)  
 + 
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA  
 + 
 +*Aug 31 15:18:26.865: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 0 
 +IKEv2 IKE_SA_INIT Exchange RESPONSE  
 +Payload contents:  
 + SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)  
 + 
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message 
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message 
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message 
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery 
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found 
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14 
 +*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret 
 +*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA 
 +*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5 
 +*Aug 31 15:18:26.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data 
 +*Aug 31 15:18:26.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK' 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address' 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),  
 +Num. transforms: 3 
 +   AES-CBC   SHA512   Don't use ESN 
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.   
 +Payload contents:  
 + VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)  
 + 
 +*Aug 31 15:18:26.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1 
 +IKEv2 IKE_AUTH Exchange REQUEST  
 +Payload contents:  
 + ENCR  
 +  
 + 
 +*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1 
 +IKEv2 IKE_AUTH Exchange RESPONSE  
 +Payload contents:  
 + VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)  
 + 
 +*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify 
 +*Aug 31 15:18:26.898: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1): 
 +*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address' 
 +*Aug 31 15:18:26.899: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1 
 +*Aug 31 15:18:26.899: IKEv2:Found Policy 'svpn-policy' 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK' 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5 
 +*Aug 31 15:18:26.899: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data 
 +*Aug 31 15:18:26.899: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP 
 +*Aug 31 15:18:26.899: IKEv2:IKEv2 MIB tunnel started, tunnel index 1 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x99324D76] 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.   
 +Payload contents:  
 + DELETE 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window  
 + 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2 
 +IKEv2 INFORMATIONAL Exchange REQUEST  
 +Payload contents:  
 + ENCR  
 + 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xC93696F08692939D RSPI: 0x417A337996780CD8] 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.   
 +Payload contents:  
 + DELETE 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA 
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs  
 + 
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2 
 +IKEv2 INFORMATIONAL Exchange RESPONSE  
 +Payload contents:  
 +  
 + 
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange 
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA 
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs  
 + 
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3 
 +IKEv2 INFORMATIONAL Exchange REQUEST  
 +Payload contents:  
 + ENCR  
 +  
 + 
 +r1-hub# 
 +*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]  
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3 
 +IKEv2 INFORMATIONAL Exchange RESPONSE  
 +Payload contents:  
 +  
 + 
 +*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange 
 +*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA</code> 
 +  * Scroll the top where the IKEv2 is retrieving its configuration. 
 +<code>*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key 
 +*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote' 
 +{Output omitted.}</code> 
 +  * Notice how the output keeps deleting the SA, then rebuilding the SA to send again. Turn on debugging on the spoke and try to ping the hub. 
 +<code>r2-spoke#debug crypto ikev2    
 +IKEv2 default debugging is on 
 +r2-spoke#ping 12.1.1.1</code> 
 +  * The spoke is not generating the same style output as the hub. Lets verify the crypto configuration on the interface first. 
 +<code>r2-spoke#show run int g1 
 +Building configuration... 
 + 
 +Current configuration : 138 bytes 
 +
 +interface GigabitEthernet1 
 + ip address 12.1.1.2 255.255.255.0 
 + negotiation auto 
 + no mop enabled 
 + no mop sysid 
 + crypto map svpn-map 
 +end</code> 
 +  * The interface configuration looks correct. Next is to verify the crypto configuration and double-check the mapping. 
 +<code>r2-spoke#show run | s crypto 
 +! Ignore the PKI cert info at the top. 
 +crypto ikev2 proposal rook-proposal  
 + encryption aes-cbc-256 
 + integrity sha512 
 + group 14 
 +crypto ikev2 policy svpn-policy  
 + proposal rook-proposal 
 +crypto ikev2 keyring lion-key 
 + peer peer-remote 
 +  address 12.1.1.1 
 +  pre-shared-key cisco 
 + ! 
 +crypto ikev2 profile side-profile 
 + match identity remote address 12.1.1.1 255.255.255.255  
 + authentication remote pre-share 
 + authentication local pre-share 
 + keyring local lion-key 
 +crypto ipsec transform-set tset esp-aes esp-sha512-hmac  
 + mode tunnel 
 +crypto map svpn-map 10 ipsec-isakmp  
 + set peer 12.1.1.1 
 + set transform-set tset  
 + set pfs group14 
 + set ikev2-profile side-profile 
 + match address castle-acl</code> 
 +  * The **crypto map svpn-map** does match. Reading through Chapter 3, as referenced above, concludes that the crypto configuration is correct. Lets look at the access-list the crypto map is referencing. 
 +<code>r2-spoke#show run | s access-list extended castle-acl 
 +ip access-list extended castle-acl 
 + permit ip host 12.1.1.1 host 12.1.1.2<code> 
 +  * At first glance, it seems the ACL is correct, but the permit line is subtly backwards. Flip the hosts around and test again. 
 +  * The next step is for demonstration purposes to show what happens when the access-list in-use is attempted to be edited. 
 +<code>2-spoke#conf t 
 +Enter configuration commands, one per line.  End with CNTL/Z. 
 +r2-spoke(config)#ip access-list extended castle-acl 
 +r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2 
 +%ACL castle-acl can not be modified/deleted, as it is used in crypto-map svpn-map 
 +%Please first remove the ACL from crypto map or remove the crypto map from the interface</code> 
 +  * This is the correct procedure to migrate the ACL entry to the end. 
 +<code>r2-spoke#conf t 
 +Enter configuration commands, one per line.  End with CNTL/Z. 
 +r2-spoke(config)#int g1  
 +r2-spoke(config-if)#no crypto map 
 +r2-spoke(config-if)# 
 +*Aug 31 17:23:37.223: (ipsec_license_release) IPSEC License handle release failed (55) 
 +r2-spoke(config-if)# 
 +*Aug 31 17:23:37.323: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF 
 +r2-spoke(config-if)#ip access-list extended castle-acl 
 +r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2 
 +r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1</code> 
 +  * Verify the ACL is correct. 
 +<code>r2-spoke(config-if)#do show run | s access-list extended castle-acl 
 +ip access-list extended castle-acl 
 + 10 permit ip host 12.1.1.2 host 12.1.1.1</code>  
 +  * The ACL is now correct. Next, add the crypto map back on the interface. 
 +<code>r2-spoke(config-ext-nacl)#int g1 
 +r2-spoke(config-if)# crypto map svpn-map</code> 
 +  * Turn debugging off on the hub and spoke. 
 +<code>r1-hub#u all 
 +All possible debugging has been turned off</code> 
 +<code>r2-spoke#u all 
 +All possible debugging has been turned off</code> 
 +  * Test with a ping again from either the hub or spoke. 
 +<code>r1-hub#ping 12.1.1.2 
 +Type escape sequence to abort. 
 +Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds: 
 +!!!!! 
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms</code> 
 +<code>r2-spoke#ping 12.1.1.1 
 +Type escape sequence to abort. 
 +Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds: 
 +!!!!! 
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms</code> 
 +  * Success. Verify the crypto sa. 
 +<code>r1-hub#show crypto ikev2 sa  
 + IPv4 Crypto IKEv2  SA  
 + 
 +Tunnel-id Local                 Remote                fvrf/ivrf            Status  
 +1         12.1.1.1/500          12.1.1.2/500          none/none            READY   
 +      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK 
 +      Life/Active Time: 86400/276 sec</code> 
 +<code>r2-spoke#show crypto ikev2 sa 
 + IPv4 Crypto IKEv2  SA  
 + 
 +Tunnel-id Local                 Remote                fvrf/ivrf            Status  
 +1         12.1.1.2/500          12.1.1.1/500          none/none            READY   
 +      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK 
 +      Life/Active Time: 86400/313 sec</code> 
 +  * One last check with Wireshark while pinging
 +{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture2.png?900 |Lab-001-IKEv2-Capture2}}\\ 
  
  
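Review bot: the code block that shows the crypto ACL is closed with an opening tag instead of a closing one, so everything after it renders inside that block; at "ip access-list extended castle-acl / permit ip host 12.1.1.1 host 12.1.1.2<code>" the trailing `<code>` should be `</code>`. On the diagnosis itself, the bullet "Notice how the output keeps deleting the SA, then rebuilding the SA" leaves the reader to infer the cause, while the debug already states it: the IKE_AUTH RESPONSE carries "VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)" and the "IKEv2-ERROR" line that follows it is empty. TS_UNACCEPTABLE means the responder rejected the initiator's traffic selectors, which is exactly a crypto-ACL mismatch, and since the same debug shows "Verification of peer's authenctication data PASSED" and "Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP", the proposal, policy and pre-shared key can be ruled out before any configuration is dumped; a bullet saying so right after the debug output would make the later jump to the ACL look deliberate rather than lucky. The bullet "This is the correct procedure to migrate the ACL entry to the end" is misleading, as the commands replace sequence 10 in place rather than moving it; "to correct the ACL entry while it is referenced by a crypto map" describes what the block shows. Smaller items: the prompt "2-spoke#conf t" is missing its leading "r"; the prompt on "do show run | s access-list extended castle-acl" reads config-if although the preceding mode is config-ext-nacl; "their are no ESP packets" should be "there are", "the absent of the ESP packets" should be "the absence of", "Scroll the top" should be "Scroll to the top", and "Lets" should be "Let's" in both places.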
cisco/books/ccnp_300-730/ch3/001.1756651967.txt.gz · Last modified: by Name