Lab 001 - Incorrect ACL Entry on Spoke

References:
Rob Riker Teaching VPN Concepts on YouTube
CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide

  • ISBN: 9780136660606
  • Chapter 3, Router Configuration with IKEv2, page 78.
  • This lab explains how to troubleshoot an incorrect access-list (ACL) entry on the spoke.
  • This lab uses two directly connected routers that exchange ESP-encrypted traffic negotiated with IKEv2.

Lab-001-Overview

r1-hub's initial configuration

en
conf t
no ip domain lookup
hostname r1-hub
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
 no shutdown
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1
 shutdown
 ip address 12.1.1.1 255.255.255.0
!
ip access-list extended castle-acl
 remark Permit statements equal traffic that shall be encrypted.
 permit ip host 12.1.1.1 host 12.1.1.2
!
crypto ikev2 proposal rook-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy svpn-policy 
 proposal rook-proposal
!
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.2
  pre-shared-key cisco
!
crypto ikev2 profile side-profile
 match identity remote address 12.1.1.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp 
 set peer 12.1.1.2
 set transform-set tset 
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
!
interface GigabitEthernet1
 crypto map svpn-map
 no shutdown
!
end
wr

r2-spoke's initial configuration

en
conf t
no ip domain lookup
hostname r2-spoke
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
 no shutdown
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1
 shutdown
 ip address 12.1.1.2 255.255.255.0
!
ip access-list extended castle-acl
 remark Permit statements equal traffic that shall be encrypted.
 permit ip host 12.1.1.1 host 12.1.1.2
!
crypto ikev2 proposal rook-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy svpn-policy 
 proposal rook-proposal
!
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.1
  pre-shared-key cisco
!
crypto ikev2 profile side-profile
 match identity remote address 12.1.1.1 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp 
 set peer 12.1.1.1
 set transform-set tset 
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
!
interface GigabitEthernet1
 crypto map svpn-map
 no shutdown
!
end
wr

Verification

r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
  • The ping should fail with this initial configuration. The following steps isolate the root cause.
r1-hub#show crypto ikev2 sa
r1-hub#
  • Nothing is returned: no IKEv2 SA exists with the neighbor. The next step is to check the CEF table on the hub.
r1-hub#show ip cef 12.1.1.2
12.1.1.2/32
  attached to GigabitEthernet1
  • The hub's CEF table has the correct entry, so layers 1-3 are working. Optionally, view the ARP table to confirm.
r1-hub#show ip arp 12.1.1.2
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.1.1.2                9   5000.0004.0000  ARPA   GigabitEthernet1
  • A packet capture on the hub's interface (or the spoke's) reveals that no ESP packets are being exchanged.
  • The following packet capture was taken while pinging the spoke from the hub.

Lab-001-IKEv2-Capture

  • Notice the absence of the ESP packets that were present in Lab 000.
  • Turn on debugging to examine the packet flows.
r1-hub#debug crypto ikev2
IKEv2 default debugging is on
  • Now ping the spoke again.
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:

*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key
*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote'
*Aug 31 15:17:56.833: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
*Aug 31 15:17:56.833: IKEv2:Found Policy 'svpn-policy'
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Aug 31 15:17:56.833: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Aug 31 15:17:56.833: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA512   SHA512   DH_GROUP_2048_MODP/Group 14 

*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA 

*Aug 31 15:17:56.859: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5
*Aug 31 15:17:56.884: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Aug 31 15:17:56.884: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address'
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 3
   AES-CBC   SHA512   Don't use ESN
*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 ENCR 
 

*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 VID IDr AUTH NOTIFY(TS_UNACCEPTABLE) 

*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Aug 31 15:17:56.891: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address'
*Aug 31 15:17:56.891: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
*Aug 31 15:17:56.891: IKEv2:Found Policy 'svpn-policy'
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5
*Aug 31 15:17:56.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Aug 31 15:17:56.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
*Aug 31 15:17:56.891: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x45BE1F9C]
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
Payload contents: 
 DELETE
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window 

*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST 
Payload contents: 
 ENCR 

*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x6DE15BF054EB9486 RSPI: 0x281E8E3CD1936670]
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
Payload contents: 
 DELETE
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 

*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE 
Payload contents: 
 

*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 

*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST 
Payload contents: 
 ENCR 
 

*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE 
Payload contents: 
 

*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA.....
Success rate is 0 percent (0/5)
r1-hub#
*Aug 31 15:18:26.837: IKEv2:% Getting preshared key from profile keyring lion-key
*Aug 31 15:18:26.838: IKEv2:% Matched peer block 'peer-remote'
*Aug 31 15:18:26.838: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
*Aug 31 15:18:26.838: IKEv2:Found Policy 'svpn-policy'
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Aug 31 15:18:26.838: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Aug 31 15:18:26.838: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
Num. transforms: 4
   AES-CBC   SHA512   SHA512   DH_GROUP_2048_MODP/Group 14 

*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : C93696F08692939D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST 
Payload contents: 
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA 

*Aug 31 15:18:26.865: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE 
Payload contents: 
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 

*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5
*Aug 31 15:18:26.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Aug 31 15:18:26.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address'
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 3
   AES-CBC   SHA512   Don't use ESN
*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Aug 31 15:18:26.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST 
Payload contents: 
 ENCR 
 

*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 VID IDr AUTH NOTIFY(TS_UNACCEPTABLE) 

*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Aug 31 15:18:26.898: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address'
*Aug 31 15:18:26.899: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
*Aug 31 15:18:26.899: IKEv2:Found Policy 'svpn-policy'
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5
*Aug 31 15:18:26.899: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Aug 31 15:18:26.899: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
*Aug 31 15:18:26.899: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x99324D76]
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
Payload contents: 
 DELETE
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window 

*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST 
Payload contents: 
 ENCR 

*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xC93696F08692939D RSPI: 0x417A337996780CD8]
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
Payload contents: 
 DELETE
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 

*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE 
Payload contents: 
 

*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 

*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST 
Payload contents: 
 ENCR 
 

r1-hub#
*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE 
Payload contents: 
 

*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
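Reading a long debug crypto ikev2 transcript by eye is error-prone. The following Python script is an added example (it is not part of this lab or the cert guide): it parses the Sending/Received Packet records out of debug output like the one above, groups them by initiator SPI so that each IKE SA attempt is seen separately, and reports why each attempt ended. The sample input is constructed from a handful of the lines shown above. The notify names it classifies (TS_UNACCEPTABLE, NO_PROPOSAL_CHOSEN, AUTHENTICATION_FAILED) are standard IKEv2 error notifies from RFC 7296, so it covers a little more than this lab's single failure mode; the hint text for each is an assumption of the example, not IOS output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the "debug crypto ikev2" lines in this lab:
# two IKE SA attempts that authenticate and are then torn down after the peer's
# IKE_AUTH response carried NOTIFY(TS_UNACCEPTABLE).
SAMPLE_DEBUG = """\
*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Aug 31 15:17:56.859: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)
*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA.....
*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0]
Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)
*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
"""

SPI_RE = re.compile(r"Initiator SPI : ([0-9A-F]+) - Responder SPI : ([0-9A-F]+) Message id: (\d+)")
EXCH_RE = re.compile(r"^IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")
NOTIFY_RE = re.compile(r"NOTIFY\((\w+)\)")

# Hints (assumed by this example) for the RFC 7296 error notifies seen on crypto-map VPNs.
NOTIFY_HINTS = {
    "TS_UNACCEPTABLE": "IKE SA authenticated, but the peer rejected the traffic selectors: "
                       "compare the crypto ACLs (TSi/TSr) on both sides",
    "NO_PROPOSAL_CHOSEN": "the peer found no acceptable proposal: compare IKEv2 proposals / transform sets",
    "AUTHENTICATION_FAILED": "the peer could not verify our AUTH payload: check the PSK and identities",
}

@dataclass
class Packet:
    direction: str                      # "sent" or "received"
    ispi: str = ""
    rspi: str = ""
    msg_id: int = -1
    exchange: str = ""                  # IKE_SA_INIT, IKE_AUTH, INFORMATIONAL
    kind: str = ""                      # REQUEST or RESPONSE
    notifies: list = field(default_factory=list)

def parse_packets(text):
    """Extract the 'Sending/Received Packet' records from IKEv2 debug output."""
    packets, cur, expect_payload = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if "Sending Packet" in line or "Received Packet" in line:
            cur = Packet("sent" if "Sending Packet" in line else "received")
            packets.append(cur)
            expect_payload = False
            continue
        if cur is None:
            continue
        if (m := SPI_RE.search(line)):
            cur.ispi, cur.rspi, cur.msg_id = m.group(1), m.group(2), int(m.group(3))
        elif (m := EXCH_RE.match(line)):
            cur.exchange, cur.kind = m.group(1), m.group(2)
        elif line.startswith("Payload contents:"):
            expect_payload = True
        elif expect_payload:
            # The payload list follows the header; no NOTIFY means an encrypted or empty body.
            cur.notifies = NOTIFY_RE.findall(line)
            expect_payload, cur = False, None
    return packets

def diagnose(text):
    """Group packets by initiator SPI (one IKE SA attempt each) and explain each outcome."""
    auth_replies = {}
    for p in parse_packets(text):
        auth_replies.setdefault(p.ispi, None)
        if p.direction == "received" and p.exchange == "IKE_AUTH" and p.kind == "RESPONSE":
            auth_replies[p.ispi] = p
    findings = []
    for ispi, reply in auth_replies.items():
        if reply is None:
            why = "no IKE_AUTH response received"
        else:
            errors = [n for n in reply.notifies if n in NOTIFY_HINTS]
            why = NOTIFY_HINTS[errors[0]] if errors else "IKE_AUTH completed without an error notify"
        findings.append((ispi, why))
    return {"attempts": len(auth_replies), "sessions_up": text.count("is UP"),
            "deleted": text.count("Deleting SA"), "findings": findings}

if __name__ == "__main__":
    for spi, why in diagnose(SAMPLE_DEBUG)["findings"]:
        print(f"{spi}: {why}")
```

Run against a saved debug transcript, the script reports one finding per initiator SPI; on the output above both attempts reach "is UP" (the PSK authentication succeeded) and are still deleted, which points at the child SA negotiation rather than at IKE itself.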
  • Scroll to the top, where IKEv2 is retrieving its configuration.
*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key
*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote'
{Output omitted.}
  • Notice how the output keeps deleting the SA, then rebuilding it to try again. The IKE_AUTH response from the spoke carries NOTIFY(TS_UNACCEPTABLE): the IKE SA authenticates with the pre-shared key and reports UP, but the spoke rejects the traffic selectors the hub proposes, so the hub immediately deletes the SA. Turn on debugging on the spoke and try to ping the hub.
r2-spoke#debug crypto ikev2   
IKEv2 default debugging is on
r2-spoke#ping 12.1.1.1
  • The spoke does not generate the same style of output as the hub. Let's verify the crypto configuration on the interface first.
r2-spoke#show run int g1
Building configuration...

Current configuration : 138 bytes
!
interface GigabitEthernet1
 ip address 12.1.1.2 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
 crypto map svpn-map
end
  • The interface configuration looks correct. Next, verify the crypto configuration and double-check the mapping.
r2-spoke#show run | s crypto
! Ignore the PKI cert info at the top.
crypto ikev2 proposal rook-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 14
crypto ikev2 policy svpn-policy 
 proposal rook-proposal
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.1
  pre-shared-key cisco
 !
crypto ikev2 profile side-profile
 match identity remote address 12.1.1.1 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key
crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 mode tunnel
crypto map svpn-map 10 ipsec-isakmp 
 set peer 12.1.1.1
 set transform-set tset 
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
  • The crypto map svpn-map does match. Comparing this against Chapter 3, as referenced above, confirms that the crypto configuration is correct. Let's look at the access-list the crypto map is referencing.
r2-spoke#show run | s access-list extended castle-acl
ip access-list extended castle-acl
 permit ip host 12.1.1.1 host 12.1.1.2
  • At first glance the ACL looks correct, but the permit line is backwards. A crypto ACL describes the protected traffic from the local router's point of view, so the spoke's entry must be the mirror image of the hub's: source host 12.1.1.2, destination host 12.1.1.1. Here the entry was copied unchanged from the hub, which is why the spoke answers the hub's IKE_AUTH request with NOTIFY(TS_UNACCEPTABLE). Flip the hosts around and test again.
  • The next step is for demonstration purposes only: it shows what happens when you try to edit an access-list that is in use by a crypto map.
r2-spoke#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r2-spoke(config)#ip access-list extended castle-acl
r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
%ACL castle-acl can not be modified/deleted, as it is used in crypto-map svpn-map
%Please first remove the ACL from crypto map or remove the crypto map from the interface
  • This is the correct procedure for changing an ACL entry that a crypto map references: remove the crypto map from the interface, edit the ACL, then reapply the crypto map.
r2-spoke#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
r2-spoke(config)#int g1 
r2-spoke(config-if)#no crypto map
r2-spoke(config-if)#
*Aug 31 17:23:37.223: (ipsec_license_release) IPSEC License handle release failed (55)
r2-spoke(config-if)#
*Aug 31 17:23:37.323: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
r2-spoke(config-if)#ip access-list extended castle-acl
r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1
  • Verify the ACL is correct.
r2-spoke(config-if)#do show run | s access-list extended castle-acl
ip access-list extended castle-acl
 10 permit ip host 12.1.1.2 host 12.1.1.1
  • The ACL is now correct. Next, add the crypto map back on the interface.
r2-spoke(config-ext-nacl)#int g1
r2-spoke(config-if)# crypto map svpn-map
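The root cause in this lab is a crypto ACL copied from the hub without swapping source and destination. The following Python script is an added example (not from this page or the cert guide) of a check that can be run against both routers' running configs before the tunnel is brought up: it parses each permit entry into networks and confirms that every hub entry has its mirror image on the spoke, naming an entry that was copied unchanged. The ACL text inside it is constructed from the configurations in this lab; the host, any and wildcard-mask address forms it accepts go slightly beyond this lab's host-to-host entries.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed inputs: the crypto ACL sections of the two routers in this lab.
HUB_ACL = """\
ip access-list extended castle-acl
 remark Permit statements equal traffic that shall be encrypted.
 permit ip host 12.1.1.1 host 12.1.1.2
"""
# The spoke as initially configured: the hub's line copied unchanged (the bug).
SPOKE_ACL_WRONG = """\
ip access-list extended castle-acl
 permit ip host 12.1.1.1 host 12.1.1.2
"""
# The spoke after the fix (sequence numbers appear once the ACL has been edited).
SPOKE_ACL_FIXED = """\
ip access-list extended castle-acl
 10 permit ip host 12.1.1.2 host 12.1.1.1
"""

# Optional sequence number, action, protocol, then the address part of the ACE.
ACE_RE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.+?)\s*$")

def parse_addr(tokens):
    """Consume one address spec (host A | any | A wildcard) and return an ip_network."""
    t = tokens.pop(0)
    if t == "any":
        return ip_network("0.0.0.0/0")
    if t == "host":
        return ip_network(tokens.pop(0) + "/32")
    wildcard = int(ip_address(tokens.pop(0)))
    netmask = ~wildcard & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard for {t}")
    return ip_network((t, prefix), strict=False)

def parse_crypto_acl(text):
    """Return (action, protocol, src_net, dst_net) for each ACE of a named extended ACL."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue                        # header line, remark or blank
        action, proto, rest = m.groups()
        tokens = rest.split()
        src = parse_addr(tokens)
        dst = parse_addr(tokens)
        aces.append((action, proto, src, dst))
    return aces

def fmt(ace):
    return f"{ace[0]} {ace[1]} {ace[2]} -> {ace[3]}"

def check_mirror(hub_acl, spoke_acl):
    """Return a list of problems; empty means every hub permit has its mirror on the spoke."""
    expected = {(a, p, d, s) for (a, p, s, d) in parse_crypto_acl(hub_acl) if a == "permit"}
    actual = {ace for ace in parse_crypto_acl(spoke_acl) if ace[0] == "permit"}
    missing, extra, problems = expected - actual, actual - expected, []
    for x in sorted(extra, key=fmt):
        rev = (x[0], x[1], x[3], x[2])
        if rev in missing:                  # the copy-paste error shown in this lab
            missing.discard(rev)
            problems.append(f"reversed: spoke has '{fmt(x)}', expected '{fmt(rev)}'")
        else:
            problems.append(f"unexpected on spoke: '{fmt(x)}'")
    for e in sorted(missing, key=fmt):
        problems.append(f"missing on spoke: '{fmt(e)}'")
    return problems

if __name__ == "__main__":
    print("initial spoke ACL:", check_mirror(HUB_ACL, SPOKE_ACL_WRONG) or "mirror OK")
    print("fixed spoke ACL:  ", check_mirror(HUB_ACL, SPOKE_ACL_FIXED) or "mirror OK")
```

The check compares permit entries only, because deny entries in a crypto ACL merely exclude traffic from encryption and do not need a counterpart; feeding it the output of show run | s access-list from each router is enough.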
  • Turn debugging off on the hub and spoke.
r1-hub#u all
All possible debugging has been turned off
r2-spoke#u all
All possible debugging has been turned off
  • Test with a ping again from either the hub or spoke.
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
r2-spoke#ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
  • Success. Verify the IKEv2 SA on both routers.
r1-hub#show crypto ikev2 sa 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         12.1.1.1/500          12.1.1.2/500          none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/276 sec
r2-spoke#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         12.1.1.2/500          12.1.1.1/500          none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/313 sec
  • One last check with Wireshark while pinging.

Lab-001-IKEv2-Capture2
