=====Lab 001 - Incorrect ACL Entry on Spoke=====
References:\\
[[https://youtu.be/fPb8urnJ9PY?si=J8Bga_o61qWJ1vWf|Rob Riker Teaching VPN Concepts on YouTube]]\\
[[https://www.ciscopress.com/store/ccnp-security-virtual-private-networks-svpn-300-730-9780136660606|CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide]]\\
* ISBN: 9780136660606
* Chapter 3, Router Configuration with IKEv2, page 78.
* This lab explains how to troubleshoot an incorrect access-list (ACL) entry on the spoke.
* This lab has two directly connected routers that share IKEv2's ESP-encrypted messages.
{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-Overview.png?300 |Lab-001-Overview }}
__r1-hub's initial configuration__
en
conf t
no ip domain lookup
hostname r1-hub
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
no shutdown
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1
shutdown
ip address 12.1.1.1 255.255.255.0
!
ip access-list extended castle-acl
remark Permit statements equal traffic that shall be encrypted.
permit ip host 12.1.1.1 host 12.1.1.2
!
crypto ikev2 proposal rook-proposal
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy svpn-policy
proposal rook-proposal
!
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.2
pre-shared-key cisco
!
crypto ikev2 profile side-profile
match identity remote address 12.1.1.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp
set peer 12.1.1.2
set transform-set tset
set pfs group14
set ikev2-profile side-profile
match address castle-acl
!
interface GigabitEthernet1
crypto map svpn-map
no shutdown
!
end
wr
__r2-spoke's initial configuration__
en
conf t
no ip domain lookup
hostname r2-spoke
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
no shutdown
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1
shutdown
ip address 12.1.1.2 255.255.255.0
!
ip access-list extended castle-acl
remark Permit statements equal traffic that shall be encrypted.
permit ip host 12.1.1.1 host 12.1.1.2
!
crypto ikev2 proposal rook-proposal
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy svpn-policy
proposal rook-proposal
!
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.1
pre-shared-key cisco
!
crypto ikev2 profile side-profile
match identity remote address 12.1.1.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set tset
set pfs group14
set ikev2-profile side-profile
match address castle-acl
!
interface GigabitEthernet1
crypto map svpn-map
no shutdown
!
end
wr
__Verification__
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
* The ping should fail for this initial configuration. Now the steps will be detailed to isolate the root cause.
r1-hub#show crypto ikev2 sa
r1-hub#
* Nothing returned. The neighbor is missing. The next step is to check the CEF table on the hub.
r1-hub#show ip cef 12.1.1.2
12.1.1.2/32
attached to GigabitEthernet1
* The hub's CEF table has the correct entry. This tells us that layers 1-3 are correct. If you want, you can view the ARP table to confirm.
r1-hub#show ip arp 12.1.1.2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 12.1.1.2 9 5000.0004.0000 ARPA GigabitEthernet1
* A packet capture on the hub's interface (or spoke) will reveal that their are no ESP packets being exchanged.
* The following packet capture is taken when trying to ping the spoke from the hub.
{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture.png?900 |Lab-001-IKEv2-Capture}}
* Notice the absent of the ESP packets from [[:cisco:books:ccnp_300-730:ch3:000|Lab 000]].
* Turn on debugging to examine the packet flows.
r1-hub#debug crypto ikev2
IKEv2 default debugging is on
* Now ping the spoke again.
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key
*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote'
*Aug 31 15:17:56.833: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
*Aug 31 15:17:56.833: IKEv2:Found Policy 'svpn-policy'
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Aug 31 15:17:56.833: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Aug 31 15:17:56.833: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_2048_MODP/Group 14
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
*Aug 31 15:17:56.859: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5
*Aug 31 15:17:56.884: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Aug 31 15:17:56.884: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address'
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA512 Don't use ESN
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Aug 31 15:17:56.891: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address'
*Aug 31 15:17:56.891: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
*Aug 31 15:17:56.891: IKEv2:Found Policy 'svpn-policy'
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5
*Aug 31 15:17:56.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Aug 31 15:17:56.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
*Aug 31 15:17:56.891: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x45BE1F9C]
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x6DE15BF054EB9486 RSPI: 0x281E8E3CD1936670]
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA.....
Success rate is 0 percent (0/5)
r1-hub#
*Aug 31 15:18:26.837: IKEv2:% Getting preshared key from profile keyring lion-key
*Aug 31 15:18:26.838: IKEv2:% Matched peer block 'peer-remote'
*Aug 31 15:18:26.838: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
*Aug 31 15:18:26.838: IKEv2:Found Policy 'svpn-policy'
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Aug 31 15:18:26.838: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Aug 31 15:18:26.838: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_2048_MODP/Group 14
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
*Aug 31 15:18:26.865: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5
*Aug 31 15:18:26.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Aug 31 15:18:26.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address'
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA512 Don't use ESN
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Aug 31 15:18:26.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)
*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Aug 31 15:18:26.898: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address'
*Aug 31 15:18:26.899: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
*Aug 31 15:18:26.899: IKEv2:Found Policy 'svpn-policy'
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5
*Aug 31 15:18:26.899: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Aug 31 15:18:26.899: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
*Aug 31 15:18:26.899: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x99324D76]
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xC93696F08692939D RSPI: 0x417A337996780CD8]
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR
r1-hub#
*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
* Scroll the top where the IKEv2 is retrieving its configuration.
*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key
*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote'
{Output omitted.}
* Notice how the output keeps deleting the SA, then rebuilding the SA to send again. Turn on debugging on the spoke and try to ping the hub.
r2-spoke#debug crypto ikev2
IKEv2 default debugging is on
r2-spoke#ping 12.1.1.1
* The spoke is not generating the same style output as the hub. Lets verify the crypto configuration on the interface first.
r2-spoke#show run int g1
Building configuration...
Current configuration : 138 bytes
!
interface GigabitEthernet1
ip address 12.1.1.2 255.255.255.0
negotiation auto
no mop enabled
no mop sysid
crypto map svpn-map
end
* The interface configuration looks correct. Next is to verify the crypto configuration and double-check the mapping.
r2-spoke#show run | s crypto
! Ignore the PKI cert info at the top.
crypto ikev2 proposal rook-proposal
encryption aes-cbc-256
integrity sha512
group 14
crypto ikev2 policy svpn-policy
proposal rook-proposal
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.1
pre-shared-key cisco
!
crypto ikev2 profile side-profile
match identity remote address 12.1.1.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local lion-key
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
mode tunnel
crypto map svpn-map 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set tset
set pfs group14
set ikev2-profile side-profile
match address castle-acl
* The **crypto map svpn-map** does match. Reading through Chapter 3, as referenced above, concludes that the crypto configuration is correct. Lets look at the access-list the crypto map is referencing.
r2-spoke#show run | s access-list extended castle-acl
ip access-list extended castle-acl
permit ip host 12.1.1.1 host 12.1.1.2
* At first glance, it seems the ACL is correct, but the permit line is subtly backwards. Flip the hosts around and test again.
* The next step is for demonstration purposes to show what happens when the access-list in-use is attempted to be edited.
2-spoke#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r2-spoke(config)#ip access-list extended castle-acl
r2-spoke(config-ext-nacl)#no 10 permit ip host 12.1.1.1 host 12.1.1.2
%ACL castle-acl can not be modified/deleted, as it is used in crypto-map svpn-map
%Please first remove the ACL from crypto map or remove the crypto map from the interface
* This is the correct procedure to migrate the ACL entry to the end.
r2-spoke#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r2-spoke(config)#int g1
r2-spoke(config-if)#no crypto map
r2-spoke(config-if)#
*Aug 31 17:23:37.223: (ipsec_license_release) IPSEC License handle release failed (55)
r2-spoke(config-if)#
*Aug 31 17:23:37.323: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
r2-spoke(config-if)#ip access-list extended castle-acl
r2-spoke(config-ext-nacl)#no 10 permit ip host 12.1.1.1 host 12.1.1.2
r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1
* Verify the ACL is correct.
r2-spoke(config-if)#do show run | s access-list extended castle-acl
ip access-list extended castle-acl
10 permit ip host 12.1.1.2 host 12.1.1.1
* The ACL is now correct. Next, add the crypto map back on the interface.
r2-spoke(config-ext-nacl)#int g1
r2-spoke(config-if)# crypto map svpn-map
* Turn debugging off on the hub and spoke.
r1-hub#u all
All possible debugging has been turned off
r2-spoke#u all
All possible debugging has been turned off
* Test with a ping again from either the hub or spoke.
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
r2-spoke#ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
* Success. Verify the crypto sa.
r1-hub#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 12.1.1.1/500 12.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/276 sec
r2-spoke#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 12.1.1.2/500 12.1.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/313 sec
* One last check with Wireshark while pinging.
{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture2.png?900 |Lab-001-IKEv2-Capture2}}\\
=====Backlinks=====
[[:cisco|Cisco]]\\
[[:cisco:books|Cisco Books]]\\
[[:cisco:books:ccnp_300-730|CCNP Security Virtual Private Networks SVPN 300-730]]\\
[[:cisco:books:ccnp_300-730:ch3|CCNP SVPN 300-730 - Chapter 3]]\\