Tim's Technology Journey Wiki

User Tools

Site Tools

Trace: 002
cisco:books:ccnp_300-730:ch3:002

Table of Contents

Lab 002 - Key Mismatch

References:
Rob Riker Teaching VPN Concepts on YouTube
CCNP Security Virtual Private Networks SVPN 300-730 Official Cert Guide

  • ISBN: 9780136660606
  • Chapter 3, Router Configuration with IKEv2, page 78.
  • This lab explains how to troubleshoot an incorrect pre-shared key on the spoke.
  • This lab has two directly connected routers that share IKEv2's ESP-encrypted messages.

Lab-002-Overview

r1-hub's initial configuration 

en
conf t
no ip domain lookup
hostname r1-hub
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
 no shutdown
 ip address 1.1.1.1 255.255.255.255
!
interface GigabitEthernet1
 shutdown
 ip address 12.1.1.1 255.255.255.0
!
ip access-list extended castle-acl
 remark Permit statements equal traffic that shall be encrypted.
 permit ip host 12.1.1.1 host 12.1.1.2
!
crypto ikev2 proposal rook-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy svpn-policy 
 proposal rook-proposal
!
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.2
  pre-shared-key cisco
!
crypto ikev2 profile side-profile
 match identity remote address 12.1.1.2 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp 
 set peer 12.1.1.2
 set transform-set tset 
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
!
interface GigabitEthernet1
 crypto map svpn-map
 no shutdown
!
end
wr

r2-spoke's initial configuration 

en
conf t
no ip domain lookup
hostname r2-spoke
line con 0
history size 256
logg syn
exec-timeout 0 0
width 512
exit
interface Loopback0
 no shutdown
 ip address 2.2.2.2 255.255.255.255
!
interface GigabitEthernet1
 shutdown
 ip address 12.1.1.2 255.255.255.0
!
ip access-list extended castle-acl
 remark Permit statements equal traffic that shall be encrypted.
 permit ip host 12.1.1.2 host 12.1.1.1
!
crypto ikev2 proposal rook-proposal 
 encryption aes-cbc-256
 integrity sha512
 group 14
!
crypto ikev2 policy svpn-policy 
 proposal rook-proposal
!
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.1
  pre-shared-key cisc0
!
crypto ikev2 profile side-profile
 match identity remote address 12.1.1.1 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local lion-key
!
crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 mode tunnel
!
crypto map svpn-map 10 ipsec-isakmp 
 set peer 12.1.1.1
 set transform-set tset 
 set pfs group14
 set ikev2-profile side-profile
 match address castle-acl
!
interface GigabitEthernet1
 crypto map svpn-map
 no shutdown
!
end
wr

Verification 

r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
  • The ping should fail for this initial configuration. Now the steps will be detailed to isolate the root cause.
r1-hub#show crypto ikev2 sa
r1-hub#
  • Nothing returned. The neighbor is missing. The next step is to check the CEF table on the hub.
r1-hub#show ip cef 12.1.1.2
12.1.1.2/32
  attached to GigabitEthernet1
  • The hub's CEF table has the correct entry. This tells us that layers 1-3 are correct. If you want, you can view the ARP table to confirm.
r1-hub#show ip arp 12.1.1.2
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  12.1.1.2                9   5000.0004.0000  ARPA   GigabitEthernet1
  • A packet capture on the hub's interface (or spoke) will reveal that their are no ESP packets being exchanged.
  • The following packet capture is taken when trying to ping the spoke from the hub.

Lab-001-IKEv2-Capture

  • Notice the absent of the ESP packets from Lab 000.
  • Turn on debugging to examine the packet flows.
r1-hub#debug crypto ikev2
IKEv2 default debugging is on
  • Now ping the spoke again.
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
  • Scrolling through the IKEv2 debug output, there is this authentication failed message.
*Aug 31 22:58:49.851: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
Initiator SPI : 432A641B18EE740F - Responder SPI : F29097FD882FDC3D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 NOTIFY(AUTHENTICATION_FAILED)
  • Verify the authentication parameters on hub.
r1-hub#show run | s crypto ikev2 keyring
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.2
  pre-shared-key cisco
  • Now compare that with the spoke's configuration.
r2-spoke#show run | s crypto ikev2 keyring
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.1
  pre-shared-key cisc0
  • The pre-shared keys have different values. The value must match.
  • Note: If there was a space at the end of the key, there would be a warning message like this.
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.1
  pre-shared-key cisco 
  ! Trailing white space(s) in above preshared key
  • The next step is to overwrite the pre-shared key with the correct one and double-check the configuration.
r2-spoke#conf t                           
Enter configuration commands, one per line.  End with CNTL/Z.
r2-spoke(config)#crypto ikev2 keyring lion-key      
r2-spoke(config-ikev2-keyring)#peer peer-remote                    
r2-spoke(config-ikev2-keyring-peer)#pre-shared-key cisco
r2-spoke(config-ikev2-keyring-peer)#do show run | s crypto ikev2 keyring
crypto ikev2 keyring lion-key
 peer peer-remote
  address 12.1.1.1
  pre-shared-key cisco
  • Turn debugging off on the hub and spoke (if turned on).
r1-hub#u all
All possible debugging has been turned off
r2-spoke#u all
All possible debugging has been turned off
  • Test with a ping again from either the hub or spoke.
r1-hub#ping 12.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
r2-spoke#ping 12.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
  • Success. Verify the crypto sa.
r1-hub#show crypto ikev2 sa 
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         12.1.1.1/500          12.1.1.2/500          none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/276 sec
r2-spoke#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         12.1.1.2/500          12.1.1.1/500          none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/313 sec
  • One last check with Wireshark while pinging.

Lab-001-IKEv2-Capture2

Cisco
Cisco Books
CCNP Security Virtual Private Networks SVPN 300-730
CCNP SVPN 300-730 - Chapter 3

cisco/books/ccnp_300-730/ch3/002.txt · Last modified: by Name

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki