=====Lab 002 - Key Mismatch=====
References:\\
[[https://youtu.be/fPb8urnJ9PY?si=J8Bga_o61qWJ1vWf|Rob Riker Teaching VPN Concepts on YouTube]]\\
[[https://www.ciscopress.com/store/ccnp-security-virtual-private-networks-svpn-300-730-9780136660606|CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide]]\\
* ISBN: 9780136660606
* Chapter 3, Router Configuration with IKEv2, page 78.
* This lab explains how to troubleshoot an incorrect pre-shared key on the spoke.
* This lab has two directly connected routers that exchange ESP-encrypted traffic over an IPsec tunnel negotiated with IKEv2.
{{ :cisco:books:ccnp_300-730:ch3:002:Lab-002-IKEv2-Overview.png?300 |Lab-002-Overview }}
__r1-hub's initial configuration__
en
conf t
no ip domain lookup
hostname r1-hub
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
no shutdown
ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1
shutdown
ip address 12.1.1.1 255.255.255.0
!
ip access-list extended castle-acl
remark Permit statements equal traffic that shall be encrypted.
permit ip host 12.1.1.1 host 12.1.1.2
!
crypto ikev2 proposal rook-proposal
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy svpn-policy
proposal rook-proposal
!
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.2
pre-shared-key cisco
!
crypto ikev2 profile side-profile
match identity remote address 12.1.1.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp
set peer 12.1.1.2
set transform-set tset
set pfs group14
set ikev2-profile side-profile
match address castle-acl
!
interface GigabitEthernet1
crypto map svpn-map
no shutdown
!
end
wr
__r2-spoke's initial configuration__
en
conf t
no ip domain lookup
hostname r2-spoke
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
no shutdown
ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1
shutdown
ip address 12.1.1.2 255.255.255.0
!
ip access-list extended castle-acl
remark Permit statements equal traffic that shall be encrypted.
permit ip host 12.1.1.2 host 12.1.1.1
!
crypto ikev2 proposal rook-proposal
encryption aes-cbc-256
integrity sha512
group 14
!
crypto ikev2 policy svpn-policy
proposal rook-proposal
!
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.1
pre-shared-key cisc0
!
crypto ikev2 profile side-profile
match identity remote address 12.1.1.1 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac
mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp
set peer 12.1.1.1
set transform-set tset
set pfs group14
set ikev2-profile side-profile
match address castle-acl
!
interface GigabitEthernet1
crypto map svpn-map
no shutdown
!
end
wr
__Verification__
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
* The ping is expected to fail with this initial configuration. The following steps isolate the root cause.
r1-hub#show crypto ikev2 sa
r1-hub#
* Nothing is returned: no IKEv2 SA exists with the neighbor. The next step is to check the CEF table on the hub.
r1-hub#show ip cef 12.1.1.2
12.1.1.2/32
attached to GigabitEthernet1
* The hub's CEF table has the correct entry, which tells us that layers 1-3 are working. Optionally, view the ARP table to confirm.
r1-hub#show ip arp 12.1.1.2
Protocol Address Age (min) Hardware Addr Type Interface
Internet 12.1.1.2 9 5000.0004.0000 ARPA GigabitEthernet1
* A packet capture on the hub's interface (or the spoke's) reveals that there are no ESP packets being exchanged.
* The following packet capture was taken while pinging the spoke from the hub.
{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture.png?900 |Lab-001-IKEv2-Capture}}
* Notice the absence of the ESP packets that were seen in [[:cisco:books:ccnp_300-730:ch3:000|Lab 000]].
* Turn on debugging to examine the packet flows.
r1-hub#debug crypto ikev2
IKEv2 default debugging is on
* Now ping the spoke again.
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
* Scrolling through the IKEv2 debug output reveals this authentication-failed message in the IKE_AUTH response from the spoke.
*Aug 31 22:58:49.851: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 432A641B18EE740F - Responder SPI : F29097FD882FDC3D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
* Verify the authentication parameters on the hub.
r1-hub#show run | s crypto ikev2 keyring
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.2
pre-shared-key cisco
* Now compare that with the spoke's configuration.
r2-spoke#show run | s crypto ikev2 keyring
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.1
pre-shared-key cisc0
* The pre-shared keys have different values (cisco on the hub, cisc0 on the spoke). They must match on both peers.
* Note: If there were trailing whitespace at the end of the key, the running configuration would show a warning like this.
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.1
pre-shared-key cisco
! Trailing white space(s) in above preshared key
* The next step is to overwrite the pre-shared key with the correct one and double-check the configuration.
r2-spoke#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r2-spoke(config)#crypto ikev2 keyring lion-key
r2-spoke(config-ikev2-keyring)#peer peer-remote
r2-spoke(config-ikev2-keyring-peer)#pre-shared-key cisco
r2-spoke(config-ikev2-keyring-peer)#do show run | s crypto ikev2 keyring
crypto ikev2 keyring lion-key
peer peer-remote
address 12.1.1.1
pre-shared-key cisco
* Turn debugging off on the hub and spoke (if turned on).
r1-hub#u all
All possible debugging has been turned off
r2-spoke#u all
All possible debugging has been turned off
* Test with a ping again from either the hub or spoke.
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
r2-spoke#ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
* Success. Verify the IKEv2 SA on both routers.
r1-hub#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 12.1.1.1/500 12.1.1.2/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/276 sec
r2-spoke#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 12.1.1.2/500 12.1.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/313 sec
* One last check with Wireshark while pinging.
{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture2.png?900 |Lab-001-IKEv2-Capture2}}\\
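* Added example (not part of this lab or the book): a small Python checker that parses the ''show run | s crypto ikev2 keyring'' output from both routers, compares the pre-shared key each side holds for the other, flags trailing whitespace in a key, and spots NOTIFY(AUTHENTICATION_FAILED) in ''debug crypto ikev2'' output. The keyring and debug samples are constructed from this lab's values; only the plaintext ''pre-shared-key'' form shown here is handled.

```python
import re
# Constructed sample output of `show run | s crypto ikev2 keyring` from each
# router, mirroring this lab's initial (mismatched) configuration.
HUB_KEYRING = """\
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.2
  pre-shared-key cisco
"""
SPOKE_KEYRING = """\
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.1
  pre-shared-key cisc0
"""
# Constructed excerpt of `debug crypto ikev2` output, in the shape seen in this lab.
DEBUG_EXCERPT = "IKEv2 IKE_AUTH Exchange RESPONSE\nPayload contents:\n NOTIFY(AUTHENTICATION_FAILED)\n"

def parse_keyring(text):
    """Map each peer address to its pre-shared key; trailing whitespace is kept on purpose."""
    peers, address = {}, None
    for line in text.splitlines():
        stripped = line.lstrip()
        if stripped.startswith("address "):
            address = stripped.split(None, 1)[1].strip()
        elif stripped.startswith("pre-shared-key ") and address is not None:
            peers[address] = stripped[len("pre-shared-key "):]  # keep any trailing space
            address = None
    return peers

def check_psk(hub_text, hub_addr, spoke_text, spoke_addr):
    """Compare the key the hub holds for the spoke with the key the spoke holds for the hub."""
    hub_key = parse_keyring(hub_text).get(spoke_addr)
    spoke_key = parse_keyring(spoke_text).get(hub_addr)
    findings = []
    for side, key, peer in (("hub", hub_key, spoke_addr), ("spoke", spoke_key, hub_addr)):
        if key is None:
            findings.append(f"{side}: no keyring peer entry for {peer}")
        elif key != key.rstrip():
            findings.append(f"{side}: pre-shared key has trailing whitespace")
    if hub_key is not None and spoke_key is not None and hub_key != spoke_key:
        findings.append("pre-shared keys differ between hub and spoke")
    return findings  # an empty list means the keys agree

def ikev2_auth_failed(debug_text):
    """True if an IKE_AUTH response in the debug output carries NOTIFY(AUTHENTICATION_FAILED)."""
    return re.search(r"IKE_AUTH Exchange RESPONSE.*?NOTIFY\(AUTHENTICATION_FAILED\)",
                     debug_text, re.S) is not None

FINDINGS = check_psk(HUB_KEYRING, "12.1.1.1", SPOKE_KEYRING, "12.1.1.2")  # mismatch in this lab
```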
=====Backlinks=====
[[:cisco|Cisco]]\\
[[:cisco:books|Cisco Books]]\\
[[:cisco:books:ccnp_300-730|CCNP Security Virtual Private Networks SVPN 300-730]]\\
[[:cisco:books:ccnp_300-730:ch3|CCNP SVPN 300-730 - Chapter 3]]\\