Differences

This shows you the differences between two versions of the page.

--- cisco:books:ccnp_300-730:ch3:002 [2025/08/31 22:45] – Name
+++ cisco:books:ccnp_300-730:ch3:002 [2025/08/31 23:36] (current) – Name
@@ Line 7: / Line 7: @@
   * Chapter 3, Router Configuration with IKEv2, page 78.
-  * This lab explains how to troubleshoot an incorrect access-list (ACL) entry on the spoke.
+  * This lab explains how to troubleshoot an incorrect pre-shared key on the spoke.
   * This lab has two directly connected routers that share IKEv2's ESP-encrypted messages.
@@ Line 93: / Line 93: @@
 ip access-list extended castle-acl
  remark Permit statements equal traffic that shall be encrypted.
- permit ip host 12.1.1.1 host 12.1.1.2
+ permit ip host 12.1.1.2 host 12.1.1.1
 !
 crypto ikev2 proposal rook-proposal
@@ Line 106: / Line 106: @@
  peer peer-remote
   address 12.1.1.1
-  pre-shared-key cisco
+  pre-shared-key cisc0
 !
 crypto ikev2 profile side-profile
@@ Line 160: / Line 160: @@
 Type escape sequence to abort.
 Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
+</code>
-*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key
+  * Scrolling through the IKEv2 debug output, there is this authentication failed message.
-*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote'
+<code>*Aug 31 22:58:49.851: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
-*Aug 31 15:17:56.833: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
+Initiator SPI : 432A641B18EE740F - Responder SPI : F29097FD882FDC3D Message id: 1
-*Aug 31 15:17:56.833: IKEv2:Found Policy 'svpn-policy'
-*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
-*Aug 31 15:17:56.833: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
-*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
-*Aug 31 15:17:56.833: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
-*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
-*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
-Num. transforms: 4
-   AES-CBC   SHA512   SHA512   DH_GROUP_2048_MODP/Group 14
-*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 0000000000000000 Message id: 0
-IKEv2 IKE_SA_INIT Exchange REQUEST
-Payload contents:
- SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
-*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
-*Aug 31 15:17:56.859: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 0
-IKEv2 IKE_SA_INIT Exchange RESPONSE
-Payload contents:
- SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
-*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
-*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
-*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
-*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
-*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
-*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
-*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
-*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
-*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
-*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
-*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
-*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
-*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
-*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5
-*Aug 31 15:17:56.884: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
-*Aug 31 15:17:56.884: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
-*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
-*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
-*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
-*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
-*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address'
-*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
-Num. transforms: 3
-   AES-CBC   SHA512   Don't use ESN
-*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
-Payload contents:
- VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
-*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1
-IKEv2 IKE_AUTH Exchange REQUEST
-Payload contents:
- ENCR
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1
 IKEv2 IKE_AUTH Exchange RESPONSE
 Payload contents:
- VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)
+ NOTIFY(AUTHENTICATION_FAILED)</code>
+  * Verify the authentication parameters on hub.
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
+<code>r1-hub#show run | s crypto ikev2 keyring
-*Aug 31 15:17:56.891: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
+crypto ikev2 keyring lion-key
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address'
+ peer peer-remote
-*Aug 31 15:17:56.891: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
+  address 12.1.1.2
-*Aug 31 15:17:56.891: IKEv2:Found Policy 'svpn-policy'
+  pre-shared-key cisco</code>
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
+  * Now compare that with the spoke's configuration.
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
+<code>r2-spoke#show run | s crypto ikev2 keyring
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5
-*Aug 31 15:17:56.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
-*Aug 31 15:17:56.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
-*Aug 31 15:17:56.891: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x45BE1F9C]
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
-Payload contents:
- DELETE
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2
-IKEv2 INFORMATIONAL Exchange REQUEST
-Payload contents:
- ENCR
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x6DE15BF054EB9486 RSPI: 0x281E8E3CD1936670]
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
-Payload contents:
- DELETE
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
-*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
-*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2
-IKEv2 INFORMATIONAL Exchange RESPONSE
-Payload contents:
-*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
-*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
-*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
-*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3
-IKEv2 INFORMATIONAL Exchange REQUEST
-Payload contents:
- ENCR
-*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3
-IKEv2 INFORMATIONAL Exchange RESPONSE
-Payload contents:
-*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
-*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA.....
-Success rate is 0 percent (0/5)
-r1-hub#
-*Aug 31 15:18:26.837: IKEv2:% Getting preshared key from profile keyring lion-key
-*Aug 31 15:18:26.838: IKEv2:% Matched peer block 'peer-remote'
-*Aug 31 15:18:26.838: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
-*Aug 31 15:18:26.838: IKEv2:Found Policy 'svpn-policy'
-*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
-*Aug 31 15:18:26.838: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
-*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
-*Aug 31 15:18:26.838: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
-*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
-*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
-Num. transforms: 4
-   AES-CBC   SHA512   SHA512   DH_GROUP_2048_MODP/Group 14
-*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : C93696F08692939D - Responder SPI : 0000000000000000 Message id: 0
-IKEv2 IKE_SA_INIT Exchange REQUEST
-Payload contents:
- SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
-*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
-*Aug 31 15:18:26.865: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 0
-IKEv2 IKE_SA_INIT Exchange RESPONSE
-Payload contents:
- SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
-*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
-*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
-*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
-*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
-*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
-*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
-*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
-*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
-*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5
-*Aug 31 15:18:26.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
-*Aug 31 15:18:26.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address'
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
-Num. transforms: 3
-   AES-CBC   SHA512   Don't use ESN
-*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
-Payload contents:
- VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
-*Aug 31 15:18:26.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1
-IKEv2 IKE_AUTH Exchange REQUEST
-Payload contents:
- ENCR
-*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1
-IKEv2 IKE_AUTH Exchange RESPONSE
-Payload contents:
- VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)
-*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
-*Aug 31 15:18:26.898: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
-*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address'
-*Aug 31 15:18:26.899: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
-*Aug 31 15:18:26.899: IKEv2:Found Policy 'svpn-policy'
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5
-*Aug 31 15:18:26.899: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
-*Aug 31 15:18:26.899: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
-*Aug 31 15:18:26.899: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x99324D76]
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
-Payload contents:
- DELETE
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2
-IKEv2 INFORMATIONAL Exchange REQUEST
-Payload contents:
- ENCR
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xC93696F08692939D RSPI: 0x417A337996780CD8]
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
-Payload contents:
- DELETE
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
-*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
-*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2
-IKEv2 INFORMATIONAL Exchange RESPONSE
-Payload contents:
-*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
-*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
-*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
-*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3
-IKEv2 INFORMATIONAL Exchange REQUEST
-Payload contents:
- ENCR
-r1-hub#
-*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
-Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3
-IKEv2 INFORMATIONAL Exchange RESPONSE
-Payload contents:
-*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
-*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA</code>
-  * Scroll the top where the IKEv2 is retrieving its configuration.
-<code>*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key
-*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote'
-{Output omitted.}</code>
-  * Notice how the output keeps deleting the SA, then rebuilding the SA to send again. Turn on debugging on the spoke and try to ping the hub.
-<code>r2-spoke#debug crypto ikev2
-IKEv2 default debugging is on
-r2-spoke#ping 12.1.1.1</code>
-  * The spoke is not generating the same style output as the hub. Lets verify the crypto configuration on the interface first.
-<code>r2-spoke#show run int g1
-Building configuration...
-Current configuration : 138 bytes
-!
-interface GigabitEthernet1
- ip address 12.1.1.2 255.255.255.0
- negotiation auto
- no mop enabled
- no mop sysid
- crypto map svpn-map
-end</code>
-  * The interface configuration looks correct. Next is to verify the crypto configuration and double-check the mapping.
-<code>r2-spoke#show run | s crypto
-! Ignore the PKI cert info at the top.
-crypto ikev2 proposal rook-proposal
- encryption aes-cbc-256
- integrity sha512
- group 14
-crypto ikev2 policy svpn-policy
- proposal rook-proposal
 crypto ikev2 keyring lion-key
  peer peer-remote
   address 12.1.1.1
-  pre-shared-key cisco
+  pre-shared-key cisc0</code>
- !
+  * The pre-shared keys have different values. The value must match.
-crypto ikev2 profile side-profile
+  * Note: If there was a space at the end of the key, there would be a warning message like this.
- match identity remote address 12.1.1.1 255.255.255.255
+<code>crypto ikev2 keyring lion-key
- authentication remote pre-share
+ peer peer-remote
- authentication local pre-share
+  address 12.1.1.1
- keyring local lion-key
+  pre-shared-key cisco
-crypto ipsec transform-set tset esp-aes esp-sha512-hmac
+  ! Trailing white space(s) in above preshared key</code>
- mode tunnel
+  * The next step is to overwrite the pre-shared key with the correct one and double-check the configuration.
-crypto map svpn-map 10 ipsec-isakmp
+<code>r2-spoke#conf t
- set peer 12.1.1.1
- set transform-set tset
- set pfs group14
- set ikev2-profile side-profile
- match address castle-acl</code>
-  * The **crypto map svpn-map** does match. Reading through Chapter 3, as referenced above, concludes that the crypto configuration is correct. Lets look at the access-list the crypto map is referencing.
-<code>r2-spoke#show run | s access-list extended castle-acl
-ip access-list extended castle-acl
- permit ip host 12.1.1.1 host 12.1.1.2<code>
-  * At first glance, it seems the ACL is correct, but the permit line is subtly backwards. Flip the hosts around and test again.
-  * The next step is for demonstration purposes to show what happens when the access-list in-use is attempted to be edited.
-<code>2-spoke#conf t
 Enter configuration commands, one per line.  End with CNTL/Z.
-r2-spoke(config)#ip access-list extended castle-acl
+r2-spoke(config)#crypto ikev2 keyring lion-key
-r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
+r2-spoke(config-ikev2-keyring)#peer peer-remote
-%ACL castle-acl can not be modified/deleted, as it is used in crypto-map svpn-map
+r2-spoke(config-ikev2-keyring-peer)#pre-shared-key cisco
-%Please first remove the ACL from crypto map or remove the crypto map from the interface</code>
+r2-spoke(config-ikev2-keyring-peer)#do show run | s crypto ikev2 keyring
-  * This is the correct procedure to migrate the ACL entry to the end.
+crypto ikev2 keyring lion-key
-<code>r2-spoke#conf t
+ peer peer-remote
-Enter configuration commands, one per line.  End with CNTL/Z.
+  address 12.1.1.1
-r2-spoke(config)#int g1
+  pre-shared-key cisco</code>
-r2-spoke(config-if)#no crypto map
+  * Turn debugging off on the hub and spoke (if turned on).
-r2-spoke(config-if)#
-*Aug 31 17:23:37.223: (ipsec_license_release) IPSEC License handle release failed (55)
-r2-spoke(config-if)#
-*Aug 31 17:23:37.323: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
-r2-spoke(config-if)#ip access-list extended castle-acl
-r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
-r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1</code>
-  * Verify the ACL is correct.
-<code>r2-spoke(config-if)#do show run | s access-list extended castle-acl
-ip access-list extended castle-acl
-permit ip host 12.1.1.2 host 12.1.1.1</code>
-  * The ACL is now correct. Next, add the crypto map back on the interface.
-<code>r2-spoke(config-ext-nacl)#int g1
-r2-spoke(config-if)# crypto map svpn-map</code>
-  * Turn debugging off on the hub and spoke.
 <code>r1-hub#u all
 All possible debugging has been turned off</code>

Tim's Technology Journey Wiki

User Tools

Site Tools

Differences

Page Tools