Category Archives: IPSEC

Ezvpn Troubleshooting

Troubleshooting EZVPN on Cisco router

This post provides a sample configuration for IPsec between a Cisco 871 router and a Cisco 7200VXR router using Easy VPN (EzVPN). The 7200 acts as the Easy VPN Server and the 871 acts as the Easy VPN Remote. In this example, loopback interfaces are used on both routers as the private networks; they can be replaced by other interfaces, such as FastEthernet or Serial, as required.

Check the EzVPN status and IPsec phase 1. The following command displays the Cisco Easy VPN Remote configuration and its current state:
R3#sh crypto ipsec client ezvpn
Easy VPN Remote Phase: 6
Tunnel name : EZVPN
Inside interface list: Loopback9
Outside interface: FastEthernet0/0
Current State: READY
Last Event: CONNECT
Save Password: Allowed
Current EzVPN Peer: 1.1.1.2


Digital Certificates/PKI for IPSec VPNs

https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/DCertPKI.html
https://books.google.com/books?id=22tmCwAAQBAJ&pg=PA58&lpg=PA58&dq=SA+is+doing+RSA+signature+authentication+using+id+type+ID_FQDN&source=bl&ots=X2ToIGxC46&sig=ACfU3U1eRgRBwvdHFHoZpdDo3tfP1hLIrA&hl=en&sa=X&ved=2ahUKEwiIpM60gOPnAhWDhOAKHYVtAlUQ6AEwB3oECAgQAQ#v=onepage&q=SA%20is%20doing%20RSA%20signature%20authentication%20using%20id%20type%20ID_FQDN&f=false

Cisco EZVPN Configuration

Configuring EasyVPN Between Cisco Routers

Site2Site IPSec VPN Tunnel with Cisco EasyVPN

Configuring EZVPN

Server (7 Steps)
1. AAA
2. Pool for the client
3. Phase 1 – ISAKMP
4. Phase 2 – IPsec transform set
5. Crypto dynamic map – for clients that will be learned dynamically; the transform set is downloaded to the client dynamically.
6. Crypto dynamic map
7. Apply to the interface

Client
1. Group name
2. Key
– Will be used to talk to the server.

Dynamic VTI IPSEC


IPSec virtual tunnel interfaces (VTIs) provide a routable interface type for terminating IPSec tunnels and an easy way to define protection between sites to form an overlay network. IPSec virtual tunnel interfaces simplify the configuration of IPSec for protection of remote links, support multicast, and simplify network management and load balancing.

Information About IPSec Virtual Tunnel Interfaces:
The IPSec virtual tunnel interface greatly simplifies the configuration process when you need to provide protection for remote access, and it is a simpler alternative to using GRE or L2TP tunnels for encapsulation together with crypto maps for IPSec. A major benefit of IPSec virtual tunnel interfaces is the reduction in overhead, because the configuration does not require a static mapping of IPSec sessions to a physical interface: the IPSec VTI allows both IP unicast and multicast encrypted traffic to be sent and received on any physical interface, for example where multiple paths exist (multicast routing).

IPsec with IKEv2

Topology (diagram omitted; addresses as in the configuration below):
SITE-A g1 1.1.1.1/24 <-> 1.1.1.2 g1/0 [R1] g2/0 2.2.2.2 <-> 2.2.2.1/24 g1 SITE-B

Configuration:
I. IP ADDRESSING
#SA
int g1
ip address 1.1.1.1 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 1.1.1.2
hostname SITE-A

#R1
int g1/0
ip address 1.1.1.2 255.255.255.0
no shut
exit
int g2/0
ip address 2.2.2.2 255.255.255.0
no shut
exit

#SB
int g1
ip address 2.2.2.1 255.255.255.0
no shut
exit
ip route 0.0.0.0 0.0.0.0 2.2.2.2
hostname SITE-B

IKEv2 defaults (the proposal, policy and transform sets present before any configuration):
SITE-A#sh crypto ikev2 proposal
IKEv2 proposal: default
Encryption : AES-CBC-256
Integrity : SHA512 SHA384
PRF : SHA512 SHA384
DH Group : DH_GROUP_256_ECP/Group 19 DH_GROUP_2048_MODP/Group 14 DH_GROUP_521_ECP/Group 21 DH_GROUP_1536_MODP/Group 5

SITE-A#sh crypto ikev2 policy
IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal : default

SITE-A#sh crypto ipsec transform-set
Transform set AES_GCM_256: { esp-gcm 256 }
will negotiate = { Transport, },

Transform set AES_CBC_256_HMAC_SHA1: { esp-256-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set AES_CBC_128_HMAC_SHA1: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },

II. IPSEC CONFIG – SITE A
crypto ikev2 keyring KR_SITEB
peer siteb
address 2.2.2.1
pre-shared-key cisco123
exit

crypto ikev2 proposal PR_SITEB
encryption aes-cbc-256
integrity sha256
group 19
exit

crypto ikev2 profile PROF_SITEB
match identity remote address 2.2.2.1
authentication local pre-share
authentication remote pre-share
keyring local KR_SITEB
! or, with the key held in the profile instead of a separate keyring:
match identity remote address 2.2.2.1
authentication local pre-share key cisco123
authentication remote pre-share key cisco123
exit

crypto ikev2 policy POL_SITEB
proposal PR_SITEB
exit

ip access-list extended VPNACL_SITEB
permit ip host 1.1.1.1 host 2.2.2.1
permit ip host 2.2.2.1 host 1.1.1.1

crypto ipsec transform-set TS-SITEB esp-aes 256 esp-sha256-hmac

!
crypto map CMAP_SITEB 10 ipsec-isakmp
set peer 2.2.2.1
set security-association lifetime seconds 3600
set transform-set TS-SITEB
set pfs group19
set ikev2-profile PROF_SITEB
match address VPNACL_SITEB

int g1
crypto map CMAP_SITEB

III. IPSEC CONFIG – SITE B
crypto ikev2 keyring KR_SITEA
peer siteb
address 1.1.1.1
pre-shared-key cisco123
exit

crypto ikev2 proposal PR_SITEA
encryption aes-cbc-256
integrity sha256
group 19
exit

crypto ikev2 profile PROF_SITEA
match identity remote address 1.1.1.1
authentication local pre-share
authentication remote pre-share
keyring local KR_SITEA
! or, with the key held in the profile instead of a separate keyring:
match identity remote address 1.1.1.1
authentication local pre-share key cisco123
authentication remote pre-share key cisco123
exit

crypto ikev2 policy POL_SITEA
proposal PR_SITEA
exit

ip access-list extended VPNACL_SITEA
permit ip host 2.2.2.1 host 1.1.1.1
permit ip host 1.1.1.1 host 2.2.2.1

crypto ipsec transform-set TS-SITEA esp-aes 256 esp-sha256-hmac

!
crypto map CMAP_SITEA 10 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime seconds 3600
set transform-set TS-SITEA
set pfs group19
set ikev2-profile PROF_SITEA
match address VPNACL_SITEA

int g1
crypto map CMAP_SITEA
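The two site configurations must mirror each other: on each side the keyring address, the profile's match identity remote address and the crypto map's set peer must all be the other site's interface address, and the transform set and PFS group must agree. The script below is an added example, not code from the original post: it parses the relevant lines out of both configs (parse_site and cross_check are names chosen here) and reports the asymmetries. Its sample input is SITE-A as shown above and SITE-B as it stood before the SOLUTION section, with set peer pointing at 2.2.2.1.

```python
import re

# Constructed samples: SITE-A as configured in this post, and SITE-B as it stood
# before the SOLUTION section changed 'set peer 2.2.2.1' to 'set peer 1.1.1.1'.
SITE_A_CFG = """\
interface GigabitEthernet1
 ip address 1.1.1.1 255.255.255.0
 crypto map CMAP_SITEB
crypto ikev2 keyring KR_SITEB
 peer siteb
  address 2.2.2.1
crypto ikev2 profile PROF_SITEB
 match identity remote address 2.2.2.1
crypto ipsec transform-set TS-SITEB esp-aes 256 esp-sha256-hmac
crypto map CMAP_SITEB 10 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set TS-SITEB
 set pfs group19
"""
SITE_B_BROKEN = """\
interface GigabitEthernet1
 ip address 2.2.2.1 255.255.255.0
 crypto map CMAP_SITEA
crypto ikev2 keyring KR_SITEA
 peer sitea
  address 1.1.1.1
crypto ikev2 profile PROF_SITEA
 match identity remote address 1.1.1.1
crypto ipsec transform-set TS-SITEA esp-aes 256 esp-sha256-hmac
crypto map CMAP_SITEA 10 ipsec-isakmp
 set peer 2.2.2.1
 set transform-set TS-SITEA
 set pfs group19
"""
SITE_B_FIXED = SITE_B_BROKEN.replace("set peer 2.2.2.1", "set peer 1.1.1.1")  # the post's SOLUTION

FIELDS = {  # (top-level section prefix, regex for an indented line) -> key in the parsed dict
    ("crypto ikev2 keyring", r"address (\S+)"): "keyring_peer",
    ("crypto ikev2 profile", r"match identity remote address (\S+)"): "remote_id",
    ("crypto map", r"set peer (\S+)"): "map_peer",
    ("crypto map", r"set pfs (\S+)"): "pfs",
}


def parse_site(name, text):
    """Pull the values that must mirror the peer's out of an IOS-style config."""
    cfg = {"name": name, "local": "", "transform": ""}
    section, iface_ip = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():               # a top-level command opens a new section
            section = line
            m = re.match(r"crypto ipsec transform-set \S+ (.+)", line)
            if m:
                cfg["transform"] = m.group(1)
            continue
        if section.startswith("interface"):
            m = re.match(r"ip address (\S+)", line)
            if m:
                iface_ip = m.group(1)
            if line.startswith("crypto map "):   # the interface carrying the map is the IKE endpoint
                cfg["local"] = iface_ip
            continue
        for (prefix, rx), key in FIELDS.items():
            m = re.match(rx, line)
            if section.startswith(prefix) and m:
                cfg[key] = m.group(1)
    return cfg


def cross_check(a, b):
    """Return human-readable findings; an empty list means the two sites mirror each other."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        if me["map_peer"] == me["local"]:
            findings.append(f"{me['name']}: 'set peer {me['map_peer']}' is its own address, so "
                            "IKE_SA_INIT is sent to itself (initiator-bit error in the debug)")
        elif me["map_peer"] != peer["local"]:
            findings.append(f"{me['name']}: 'set peer {me['map_peer']}' is not {peer['name']} ({peer['local']})")
        for key, label in (("keyring_peer", "keyring address"), ("remote_id", "match identity remote address")):
            if me.get(key) != peer["local"]:
                findings.append(f"{me['name']}: {label} {me.get(key)} does not match {peer['name']} ({peer['local']})")
    if a["transform"] != b["transform"]:
        findings.append(f"transform sets differ: {a['transform']!r} vs {b['transform']!r} (expect NO_PROPOSAL_CHOSEN)")
    if a.get("pfs") != b.get("pfs"):
        findings.append(f"PFS groups differ: {a.get('pfs')} vs {b.get('pfs')}")
    return findings


if __name__ == "__main__":
    site_a = parse_site("SITE-A", SITE_A_CFG)
    for label, cfg_b in (("before fix", SITE_B_BROKEN), ("after fix", SITE_B_FIXED)):
        print(label, cross_check(site_a, parse_site("SITE-B", cfg_b)) or ["OK: configs mirror each other"])
```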

Troubleshooting:
SITE-A#sh crypto session
Crypto session current status
Interface: GigabitEthernet1
Session status: DOWN
Peer: 2.2.2.1 port 500
IPSEC FLOW: permit ip host 2.2.2.1 host 1.1.1.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.1
Active SAs: 0, origin: crypto map

Apr 13 13:25:58.428: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 2683D5E37A9B3F91 – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:25:58.428: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Apr 13 13:25:58.440: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 2683D5E37A9B3F91 – Responder SPI : 18C01D8F743EFD21 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:25:58.441: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:25:58.441: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Apr 13 13:25:58.441: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:25:58.441: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Apr 13 13:25:58.441: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Apr 13 13:25:58.441: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Apr 13 13:25:58.443: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:25:58.443: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Apr 13 13:25:58.443: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 13 13:25:58.443: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 13 13:25:58.443: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Apr 13 13:25:58.443: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:25:58.443: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Apr 13 13:25:58.443: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 1.1.1.1, key len 8
*Apr 13 13:25:58.443: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 13 13:25:58.443: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 13 13:25:58.443: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Apr 13 13:25:58.443: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is ‘PSK’
*Apr 13 13:25:58.443: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:25:58.444: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Apr 13 13:25:58.444: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: ‘1.1.1.1’ of type ‘IPv4 address’
*Apr 13 13:25:58.444: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don’t use ESN
*Apr 13 13:25:58.444: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:25:58.444: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 2683D5E37A9B3F91 – Responder SPI : 18C01D8F743EFD21 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 2683D5E37A9B3F91 – Responder SPI : 18C01D8F743EFD21 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH NOTIFY(NO_PROPOSAL_CHOSEN)

*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Apr 13 13:25:58.461: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer’s identity ‘2.2.2.1’ of type ‘IPv4 address’
*Apr 13 13:25:58.461: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1
*Apr 13 13:25:58.461: IKEv2:Found Policy ‘POL_SITEB’
*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer’s policy
*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Peer’s policy verified
*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer’s authentication method
*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Peer’s authentication method is ‘PSK’
*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer’s preshared key for 2.2.2.1
*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer’s authentication data
*Apr 13 13:25:58.461: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 2.2.2.1, key len 8
*Apr 13 13:25:58.461: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 13 13:25:58.461: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer’s authenctication data PASSED
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (2.2.2.1, 1.1.1.1) is UP
*Apr 13 13:25:58.462: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x8EA4048A]
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Apr 13 13:25:58.462: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window

*Apr 13 13:25:58.463: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 2683D5E37A9B3F91 – Responder SPI : 18C01D8F743EFD21 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*Apr 13 13:25:58.463: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Apr 13 13:25:58.463: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Apr 13 13:25:58.463: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x2683D5E37A9B3F91 RSPI: 0x18C01D8F743EFD21]
*Apr 13 13:25:58.463: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Apr 13 13:25:58.463: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
*Apr 13 13:25:58.463: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
*Apr 13 13:25:58.463: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs

*Apr 13 13:25:58.481: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 2683D5E37A9B3F91 – Responder SPI : 18C01D8F743EFD21 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

*Apr 13 13:25:58.481: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Apr 13 13:25:58.481: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Apr 13 13:25:58.481: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs

*Apr 13 13:25:58.481: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 2683D5E37A9B3F91 – Responder SPI : 18C01D8F743EFD21 Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*Apr 13 13:25:58.501: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 2683D5E37A9B3F91 – Responder SPI : 18C01D8F743EFD21 Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

*Apr 13 13:25:58.501: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Apr 13 13:25:58.501: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA

== R1
SITE-A#sh crypto session
Crypto session current status
Interface: GigabitEthernet1
Session status: DOWN
Peer: 2.2.2.1 port 500
IPSEC FLOW: permit ip host 2.2.2.1 host 1.1.1.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.1
Active SAs: 0, origin: crypto map

*Apr 13 13:34:03.210: IKEv2:(SESSION ID = 2,SA ID = 1):Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 4DAD841A6A8DA8AD – Responder SPI : AB0D4DEEA8E6DA41 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE

*Apr 13 13:34:03.211: IKEv2:(SESSION ID = 2,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE

*Apr 13 13:34:03.211: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 4DAD841A6A8DA8AD – Responder SPI : AB0D4DEEA8E6DA41 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

*Apr 13 13:34:03.211: IKEv2:(SESSION ID = 2,SA ID = 1):Process delete request from peer
*Apr 13 13:34:03.211: IKEv2:(SESSION ID = 2,SA ID = 1):Processing DELETE INFO message for IPsec SA [SPI: 0x636A3095]
*Apr 13 13:34:03.211: IKEv2:(SESSION ID = 2,SA ID = 1):Check for existing active SA.
Success rate is 0 percent (0/5)
SITE-A#

*Apr 13 13:34:05.090: IKEv2:(SESSION ID = 2,SA ID = 1):Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 4DAD841A6A8DA8AD – Responder SPI : AB0D4DEEA8E6DA41 Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
DELETE NOTIFY(DELETE_REASON)

*Apr 13 13:34:05.090: IKEv2:(SESSION ID = 2,SA ID = 1):Building packet for encryption.

*Apr 13 13:34:05.090: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : 4DAD841A6A8DA8AD – Responder SPI : AB0D4DEEA8E6DA41 Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
ENCR

*Apr 13 13:34:05.091: IKEv2:(SESSION ID = 2,SA ID = 1):Process delete request from peer
*Apr 13 13:34:05.091: IKEv2:(SESSION ID = 2,SA ID = 1):Processing DELETE INFO message for IKEv2 SA [ISPI: 0x4DAD841A6A8DA8AD RSPI: 0xAB0D4DEEA8E6DA41]
*Apr 13 13:34:05.091: IKEv2:(SESSION ID = 2,SA ID = 1):Check for existing active SA
*Apr 13 13:34:05.091: IKEv2:(SESSION ID = 2,SA ID = 1):Delete all IKE SAs
*Apr 13 13:34:05.091: IKEv2:(SESSION ID = 2,SA ID = 1):Deleting SA

== R2
Interface: GigabitEthernet1
Profile: PROF_SITEA
Session status: DOWN-NEGOTIATING
Peer: 2.2.2.1 port 500
Session ID: 1
IKEv2 SA: local 2.2.2.1/500 remote 2.2.2.1/500 Inactive
IPSEC FLOW: permit ip host 1.1.1.1 host 2.2.2.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 2.2.2.1 host 1.1.1.1
Active SAs: 0, origin: crypto map
SITE-B#
*Apr 13 13:33:55.102: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec’d IPSEC packet has invalid spi for destaddr=2.2.2.1, prot=50, spi=0x636A3095(1667903637), srcaddr=1.1.1.1, input interface=GigabitEthernet1
*Apr 13 13:33:56.480: %LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
*Apr 13 13:33:57.480: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
*Apr 13 13:34:03.202: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Apr 13 13:34:03.202: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 4DAD841A6A8DA8AD – Responder SPI : AB0D4DEEA8E6DA41 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*Apr 13 13:34:03.219: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 4DAD841A6A8DA8AD – Responder SPI : AB0D4DEEA8E6DA41 Message id: 2
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:
DELETE

*Apr 13 13:34:03.220: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Apr 13 13:34:03.220: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
*Apr 13 13:34:03.220: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
*Apr 13 13:34:05.084: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Apr 13 13:34:05.084: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 4DAD841A6A8DA8AD – Responder SPI : AB0D4DEEA8E6DA41 Message id: 3
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*Apr 13 13:34:05.099: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 4DAD841A6A8DA8AD – Responder SPI : AB0D4DEEA8E6DA41 Message id: 3
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

*Apr 13 13:34:05.099: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
*Apr 13 13:34:05.099: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
SITE-B#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Apr 13 13:34:52.730: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.1
*Apr 13 13:34:52.730: IKEv2:Found Policy ‘POL_SITEA’
*Apr 13 13:34:52.730: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:34:52.730: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Apr 13 13:34:52.730: IKEv2:Failed to retrieve Certificate Issuer list
*Apr 13 13:34:52.730: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Apr 13 13:34:52.731: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:34:52.731: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Apr 13 13:34:52.731: IKEv2:IKEv2 initiator – no config data to send in IKE_SA_INIT exch
*Apr 13 13:34:52.731: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Apr 13 13:34:52.731: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19

*Apr 13 13:34:52.733: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 2DF0E1DE4A08B21B – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:34:52.734: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Apr 13 13:34:52.734: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 2.2.2.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 2DF0E1DE4A08B21B – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*Apr 13 13:34:52.735: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):Failed to validate the packet: The initiator bit is asserted in packet from original responder.
*Apr 13 13:34:54.537: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Apr 13 13:34:54.537: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 2DF0E1DE4A08B21B – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:34:54.538: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 2.2.2.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 2DF0E1DE4A08B21B – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*Apr 13 13:34:54.538: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):Failed to validate the packet: The initiator bit is asserted in packet from original responder..
*Apr 13 13:34:58.175: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Apr 13 13:34:58.175: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 2DF0E1DE4A08B21B – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:34:58.176: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 2.2.2.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 2DF0E1DE4A08B21B – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
*Apr 13 13:34:58.176: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):Failed to validate the packet: The initiator bit is asserted in packet from original responder..
Success rate is 0 percent (0/5)
SITE-B#
*Apr 13 13:35:05.983: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

*Apr 13 13:35:05.983: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 2DF0E1DE4A08B21B – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:35:05.984: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 2.2.2.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : 2DF0E1DE4A08B21B – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUESTsh
*Apr 13 13:35:05.984: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):Failed to validate the packet: The initiator bit is asserted in packet from original respondercry

SOLUTION:
The SITE-B output gives it away: show crypto session lists the IKEv2 SA as local 2.2.2.1 and remote 2.2.2.1, and the debug shows IKE_SA_INIT sent "To 2.2.2.1 From 2.2.2.1". The crypto map on SITE-B had set peer pointing at its own address instead of SITE-A, so the router received its own request and rejected it with the "initiator bit is asserted" error. Point the crypto map at SITE-A:
SITE-B#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SITE-B(config)#crypto map CMAP_SITEA 10 ipsec-isakmp
SITE-B(config-crypto-map)#no set peer 2.2.2.1
SITE-B(config-crypto-map)#set peer 1.1.1.1

== R1
*Apr 13 13:41:58.716: IKEv2:(SESSION ID = 4,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : AF7CB2EB554BC680 – Responder SPI : DF0D7D4ED8E9FD42 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Apr 13 13:41:58.716: IKEv2:(SESSION ID = 4,SA ID = 1):Auth exchange failed
*Apr 13 13:41:58.716: IKEv2-ERROR:(SESSION ID = 4,SA ID = 1):: Auth exchange failed
*Apr 13 13:41:58.717: IKEv2:(SESSION ID = 4,SA ID = 1):Abort exchange
*Apr 13 13:41:58.717: IKEv2:(SESSION ID = 4,SA ID = 1):Deleting SA

*Apr 13 13:42:28.682: IKEv2:Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : EA6EABA0CA06AC79 – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:42:28.682: IKEv2:(SESSION ID = 5,SA ID = 1):Verify SA init message
*Apr 13 13:42:28.682: IKEv2:(SESSION ID = 5,SA ID = 1):Insert SA
*Apr 13 13:42:28.682: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1
*Apr 13 13:42:28.682: IKEv2:Found Policy ‘POL_SITEB’
*Apr 13 13:42:28.682: IKEv2:(SESSION ID = 5,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:42:28.682: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:42:28.682: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): ‘TP-self-signed-2021658871’
*Apr 13 13:42:28.682: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 13 13:42:28.682: IKEv2:not a VPN-SIP session
*Apr 13 13:42:28.682: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Apr 13 13:42:28.682: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Apr 13 13:42:28.683: IKEv2:(SESSION ID = 5,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Apr 13 13:42:28.683: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:42:28.683: IKEv2:(SESSION ID = 5,SA ID = 1):Request queued for computation of DH key
*Apr 13 13:42:28.684: IKEv2:(SESSION ID = 5,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Apr 13 13:42:28.686: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:42:28.686: IKEv2:(SESSION ID = 5,SA ID = 1):Request queued for computation of DH secret
*Apr 13 13:42:28.686: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 13 13:42:28.686: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 13 13:42:28.686: IKEv2:IKEv2 responder – no config data to send in IKE_SA_INIT exch
*Apr 13 13:42:28.686: IKEv2:(SESSION ID = 5,SA ID = 1):Generating IKE_SA_INIT message
*Apr 13 13:42:28.686: IKEv2:(SESSION ID = 5,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Apr 13 13:42:28.686: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:42:28.686: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): ‘TP-self-signed-2021658871’
*Apr 13 13:42:28.686: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 13 13:42:28.686: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Apr 13 13:42:28.686: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Apr 13 13:42:28.687: IKEv2:(SESSION ID = 5,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : EA6EABA0CA06AC79 – Responder SPI : 007200639B967CD1 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:42:28.687: IKEv2:(SESSION ID = 5,SA ID = 1):Completed SA init exchange
*Apr 13 13:42:28.687: IKEv2:(SESSION ID = 5,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Apr 13 13:42:28.702: IKEv2:(SESSION ID = 5,SA ID = 1):Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : EA6EABA0CA06AC79 – Responder SPI : 007200639B967CD1 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:42:28.702: IKEv2:(SESSION ID = 5,SA ID = 1):Stopping timer to wait for auth message
*Apr 13 13:42:28.702: IKEv2:(SESSION ID = 5,SA ID = 1):Checking NAT discovery
*Apr 13 13:42:28.702: IKEv2:(SESSION ID = 5,SA ID = 1):NAT not found
*Apr 13 13:42:28.702: IKEv2:(SESSION ID = 5,SA ID = 1):Searching policy based on peer’s identity ‘2.2.2.1’ of type ‘IPv4 address’
*Apr 13 13:42:28.702: IKEv2:found matching IKEv2 profile ‘PROF_SITEB’
*Apr 13 13:42:28.702: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1
*Apr 13 13:42:28.702: IKEv2:Found Policy ‘POL_SITEB’
*Apr 13 13:42:28.703: IKEv2:(SESSION ID = 5,SA ID = 1):Verify peer’s policy
*Apr 13 13:42:28.703: IKEv2:(SESSION ID = 5,SA ID = 1):Peer’s policy verified
*Apr 13 13:42:28.703: IKEv2:(SESSION ID = 5,SA ID = 1):Get peer’s authentication method
*Apr 13 13:42:28.703: IKEv2-ERROR:(SESSION ID = 5,SA ID = 1):: Peer’s configured auth method mis-matches with proposed auth method
*Apr 13 13:42:28.703: IKEv2:(SESSION ID = 5,SA ID = 1):Verification of peer’s authentication data FAILED
*Apr 13 13:42:28.703: IKEv2:(SESSION ID = 5,SA ID = 1):Sending authentication failure notify
*Apr 13 13:42:28.703: IKEv2:(SESSION ID = 5,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Apr 13 13:42:28.703: IKEv2:(SESSION ID = 5,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : EA6EABA0CA06AC79 – Responder SPI : 007200639B967CD1 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Apr 13 13:42:28.703: IKEv2:(SESSION ID = 5,SA ID = 1):Auth exchange failed
*Apr 13 13:42:28.703: IKEv2-ERROR:(SESSION ID = 5,SA ID = 1):: Auth exchange failed
*Apr 13 13:42:28.704: IKEv2:(SESSION ID = 5,SA ID = 1):Abort exchange
*Apr 13 13:42:28.704: IKEv2:(SESSION ID = 5,SA ID = 1):Deleting SA

*Apr 13 13:42:58.678: IKEv2:Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : D2F5C04C3CB90118 – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:42:58.678: IKEv2:(SESSION ID = 6,SA ID = 1):Verify SA init message
*Apr 13 13:42:58.678: IKEv2:(SESSION ID = 6,SA ID = 1):Insert SA
*Apr 13 13:42:58.678: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1
*Apr 13 13:42:58.679: IKEv2:Found Policy ‘POL_SITEB’
*Apr 13 13:42:58.679: IKEv2:(SESSION ID = 6,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:42:58.679: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:42:58.679: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): ‘TP-self-signed-2021658871’
*Apr 13 13:42:58.679: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 13 13:42:58.679: IKEv2:not a VPN-SIP session
*Apr 13 13:42:58.679: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Apr 13 13:42:58.679: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Apr 13 13:42:58.679: IKEv2:(SESSION ID = 6,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Apr 13 13:42:58.680: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:42:58.680: IKEv2:(SESSION ID = 6,SA ID = 1):Request queued for computation of DH key
*Apr 13 13:42:58.680: IKEv2:(SESSION ID = 6,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Apr 13 13:42:58.682: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:42:58.682: IKEv2:(SESSION ID = 6,SA ID = 1):Request queued for computation of DH secret
*Apr 13 13:42:58.682: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 13 13:42:58.682: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 13 13:42:58.682: IKEv2:IKEv2 responder – no config data to send in IKE_SA_INIT exch
*Apr 13 13:42:58.682: IKEv2:(SESSION ID = 6,SA ID = 1):Generating IKE_SA_INIT message
*Apr 13 13:42:58.682: IKEv2:(SESSION ID = 6,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Apr 13 13:42:58.682: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:42:58.682: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): ‘TP-self-signed-2021658871’
*Apr 13 13:42:58.682: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 13 13:42:58.682: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Apr 13 13:42:58.682: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Apr 13 13:42:58.683: IKEv2:(SESSION ID = 6,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : D2F5C04C3CB90118 – Responder SPI : 442FCB3FB44ADE63 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:42:58.683: IKEv2:(SESSION ID = 6,SA ID = 1):Completed SA init exchange
*Apr 13 13:42:58.683: IKEv2:(SESSION ID = 6,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Apr 13 13:42:58.698: IKEv2:(SESSION ID = 6,SA ID = 1):Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : D2F5C04C3CB90118 – Responder SPI : 442FCB3FB44ADE63 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):Stopping timer to wait for auth message
*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):Checking NAT discovery
*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):NAT not found
*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):Searching policy based on peer’s identity ‘2.2.2.1’ of type ‘IPv4 address’
*Apr 13 13:42:58.699: IKEv2:found matching IKEv2 profile ‘PROF_SITEB’
*Apr 13 13:42:58.699: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1
*Apr 13 13:42:58.699: IKEv2:Found Policy ‘POL_SITEB’
*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):Verify peer’s policy
*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):Peer’s policy verified
*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):Get peer’s authentication method
*Apr 13 13:42:58.699: IKEv2-ERROR:(SESSION ID = 6,SA ID = 1):: Peer’s configured auth method mis-matches with proposed auth method
*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):Verification of peer’s authentication data FAILED
*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):Sending authentication failure notify
*Apr 13 13:42:58.699: IKEv2:(SESSION ID = 6,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Apr 13 13:42:58.700: IKEv2:(SESSION ID = 6,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : D2F5C04C3CB90118 – Responder SPI : 442FCB3FB44ADE63 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Apr 13 13:42:58.700: IKEv2:(SESSION ID = 6,SA ID = 1):Auth exchange failed
*Apr 13 13:42:58.700: IKEv2-ERROR:(SESSION ID = 6,SA ID = 1):: Auth exchange failed
*Apr 13 13:42:58.700: IKEv2:(SESSION ID = 6,SA ID = 1):Abort exchange
*Apr 13 13:42:58.700: IKEv2:(SESSION ID = 6,SA ID = 1):Deleting SA

== R2
SITE-B#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

*Apr 13 13:41:28.670: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.1
*Apr 13 13:41:28.670: IKEv2:Found Policy ‘POL_SITEA’
*Apr 13 13:41:28.670: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:41:28.670: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Apr 13 13:41:28.670: IKEv2:Failed to retrieve Certificate Issuer list
*Apr 13 13:41:28.671: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Apr 13 13:41:28.671: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:41:28.671: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Apr 13 13:41:28.671: IKEv2:IKEv2 initiator – no config data to send in IKE_SA_INIT exch
*Apr 13 13:41:28.671: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Apr 13 13:41:28.671: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19

*Apr 13 13:41:28.671: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : F81BCD54F4AA4B4E – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:41:28.672: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Apr 13 13:41:28.684: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : F81BCD54F4AA4B4E – Responder SPI : 86314FCEED3AB9F6 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:41:28.685: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:41:28.685: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Apr 13 13:41:28.685: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:41:28.685: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Apr 13 13:41:28.685: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Apr 13 13:41:28.685: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Apr 13 13:41:28.687: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:41:28.687: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Apr 13 13:41:28.687: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 13 13:41:28.687: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 13 13:41:28.687: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Apr 13 13:41:28.687: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:41:28.687: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Apr 13 13:41:28.687: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 2.2.2.1, key len 8
*Apr 13 13:41:28.687: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 13 13:41:28.687: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 13 13:41:28.687: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Apr 13 13:41:28.687: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is ‘PSK’
*Apr 13 13:41:28.688: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:41:28.688: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Apr 13 13:41:28.688: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: ‘2.2.2.1’ of type ‘IPv4 address’
*Apr 13 13:41:28.688: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don’t use ESN
*Apr 13 13:41:28.688: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:41:28.688: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : F81BCD54F4AA4B4E – Responder SPI : 86314FCEED3AB9F6 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*Apr 13 13:41:28.704: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : F81BCD54F4AA4B4E – Responder SPI : 86314FCEED3AB9F6 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Apr 13 13:41:28.705: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Apr 13 13:41:28.705: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Apr 13 13:41:28.705: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Apr 13 13:41:28.705: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
*Apr 13 13:41:28.705: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
*Apr 13 13:41:28.705: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA…..
Success rate is 0 percent (0/5)
SITE-B#
*Apr 13 13:41:58.671: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.1
*Apr 13 13:41:58.671: IKEv2:Found Policy ‘POL_SITEA’
*Apr 13 13:41:58.671: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:41:58.671: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Apr 13 13:41:58.671: IKEv2:Failed to retrieve Certificate Issuer list
*Apr 13 13:41:58.672: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Apr 13 13:41:58.673: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:41:58.673: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Apr 13 13:41:58.673: IKEv2:IKEv2 initiator – no config data to send in IKE_SA_INIT exch
*Apr 13 13:41:58.673: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Apr 13 13:41:58.673: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19

*Apr 13 13:41:58.673: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : AF7CB2EB554BC680 – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:41:58.679: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Apr 13 13:41:58.704: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : AF7CB2EB554BC680 – Responder SPI : DF0D7D4ED8E9FD42 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:41:58.704: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:41:58.704: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Apr 13 13:41:58.704: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:41:58.704: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Apr 13 13:41:58.704: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Apr 13 13:41:58.704: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Apr 13 13:41:58.706: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:41:58.706: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Apr 13 13:41:58.706: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 13 13:41:58.706: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 13 13:41:58.706: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Apr 13 13:41:58.706: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 2.2.2.1, key len 8
*Apr 13 13:41:58.707: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 13 13:41:58.707: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is ‘PSK’
*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: ‘2.2.2.1’ of type ‘IPv4 address’
*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don’t use ESN
*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:41:58.707: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : AF7CB2EB554BC680 – Responder SPI : DF0D7D4ED8E9FD42 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*Apr 13 13:41:58.724: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : AF7CB2EB554BC680 – Responder SPI : DF0D7D4ED8E9FD42 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Apr 13 13:41:58.724: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Apr 13 13:41:58.724: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Apr 13 13:41:58.725: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Apr 13 13:41:58.725: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
*Apr 13 13:41:58.725: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
*Apr 13 13:41:58.725: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
*Apr 13 13:42:28.671: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.1
*Apr 13 13:42:28.671: IKEv2:Found Policy ‘POL_SITEA’
*Apr 13 13:42:28.671: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:42:28.671: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*Apr 13 13:42:28.671: IKEv2:Failed to retrieve Certificate Issuer list
*Apr 13 13:42:28.672: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Apr 13 13:42:28.672: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:42:28.672: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Apr 13 13:42:28.672: IKEv2:IKEv2 initiator – no config data to send in IKE_SA_INIT exch
*Apr 13 13:42:28.672: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Apr 13 13:42:28.673: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19

*Apr 13 13:42:28.673: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : EA6EABA0CA06AC79 – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:42:28.673: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Apr 13 13:42:28.690: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : EA6EABA0CA06AC79 – Responder SPI : 007200639B967CD1 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:42:28.691: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:42:28.691: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Apr 13 13:42:28.691: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:42:28.691: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Apr 13 13:42:28.691: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Apr 13 13:42:28.691: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Apr 13 13:42:28.693: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:42:28.693: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Apr 13 13:42:28.693: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 13 13:42:28.693: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 13 13:42:28.693: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Apr 13 13:42:28.693: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:42:28.693: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Apr 13 13:42:28.693: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 2.2.2.1, key len 8
*Apr 13 13:42:28.693: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 13 13:42:28.693: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 13 13:42:28.693: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Apr 13 13:42:28.693: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is ‘PSK’
*Apr 13 13:42:28.693: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:42:28.693: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Apr 13 13:42:28.694: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: ‘2.2.2.1’ of type ‘IPv4 address’
*Apr 13 13:42:28.694: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don’t use ESN
*Apr 13 13:42:28.694: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:42:28.694: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : EA6EABA0CA06AC79 – Responder SPI : 007200639B967CD1 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*Apr 13 13:42:28.711: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : EA6EABA0CA06AC79 – Responder SPI : 007200639B967CD1 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

*Apr 13 13:42:28.711: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Apr 13 13:42:28.711: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Apr 13 13:42:28.711: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
*Apr 13 13:42:28.711: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
*Apr 13 13:42:28.711: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
*Apr 13 13:42:28.712: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA

Solution: the failing debug on R1 (SITE-A) pinpoints the cause in the IKE_AUTH step: "Peer's configured auth method mis-matches with proposed auth method". SITE-B proposes PSK ("My authentication method is 'PSK'"), but the IKEv2 profile PROF_SITEB on SITE-A expected a different authentication method for the remote peer, so SITE-A answered with NOTIFY(AUTHENTICATION_FAILED) and deleted the SA. The "Failed to retrieve Certificate Issuer list" lines are not the cause; they appear in the working trace below as well. Once both profiles use PSK for the local and the remote peer, the tunnel comes up, as the working debug output below shows ("Auth sign: PSK, Auth verify: PSK").

WORKING STATE – DEBUG OUTPUT
== R1
*Apr 13 13:45:46.467: IKEv2:Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : E745AD638D480B9D – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:45:46.467: IKEv2:(SESSION ID = 8,SA ID = 1):Verify SA init message
*Apr 13 13:45:46.467: IKEv2:(SESSION ID = 8,SA ID = 1):Insert SA
*Apr 13 13:45:46.468: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1
*Apr 13 13:45:46.468: IKEv2:Found Policy ‘POL_SITEB’
*Apr 13 13:45:46.468: IKEv2:(SESSION ID = 8,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:45:46.468: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:45:46.468: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): ‘TP-self-signed-2021658871’
*Apr 13 13:45:46.468: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 13 13:45:46.468: IKEv2:not a VPN-SIP session
*Apr 13 13:45:46.468: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Apr 13 13:45:46.468: IKEv2-ERROR:Failed to retrieve Certificate Issuer list
*Apr 13 13:45:46.468: IKEv2:(SESSION ID = 8,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Apr 13 13:45:46.469: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:45:46.469: IKEv2:(SESSION ID = 8,SA ID = 1):Request queued for computation of DH key
*Apr 13 13:45:46.469: IKEv2:(SESSION ID = 8,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Apr 13 13:45:46.471: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:45:46.471: IKEv2:(SESSION ID = 8,SA ID = 1):Request queued for computation of DH secret
*Apr 13 13:45:46.471: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 13 13:45:46.472: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 13 13:45:46.472: IKEv2:IKEv2 responder – no config data to send in IKE_SA_INIT exch
*Apr 13 13:45:46.472: IKEv2:(SESSION ID = 8,SA ID = 1):Generating IKE_SA_INIT message
*Apr 13 13:45:46.472: IKEv2:(SESSION ID = 8,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19
*Apr 13 13:45:46.472: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Apr 13 13:45:46.472: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): ‘TP-self-signed-2021658871’
*Apr 13 13:45:46.472: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Apr 13 13:45:46.472: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints FAILED
*Apr 13 13:45:46.472: IKEv2-ERROR:Failed to retrieve Certificate Issuer list

*Apr 13 13:45:46.472: IKEv2:(SESSION ID = 8,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : E745AD638D480B9D – Responder SPI : E2A118E84388DA02 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:45:46.473: IKEv2:(SESSION ID = 8,SA ID = 1):Completed SA init exchange
*Apr 13 13:45:46.473: IKEv2:(SESSION ID = 8,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Apr 13 13:45:46.487: IKEv2:(SESSION ID = 8,SA ID = 1):Received Packet [From 2.2.2.1:500/To 1.1.1.1:500/VRF i0:f0]
Initiator SPI : E745AD638D480B9D – Responder SPI : E2A118E84388DA02 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:45:46.487: IKEv2:(SESSION ID = 8,SA ID = 1):Stopping timer to wait for auth message
*Apr 13 13:45:46.487: IKEv2:(SESSION ID = 8,SA ID = 1):Checking NAT discovery
*Apr 13 13:45:46.487: IKEv2:(SESSION ID = 8,SA ID = 1):NAT not found
*Apr 13 13:45:46.487: IKEv2:(SESSION ID = 8,SA ID = 1):Searching policy based on peer’s identity ‘2.2.2.1’ of type ‘IPv4 address’
*Apr 13 13:45:46.487: IKEv2:found matching IKEv2 profile ‘PROF_SITEB’
*Apr 13 13:45:46.488: IKEv2:Searching Policy with fvrf 0, local address 1.1.1.1
*Apr 13 13:45:46.488: IKEv2:Found Policy ‘POL_SITEB’
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Verify peer’s policy
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Peer’s policy verified
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Get peer’s authentication method
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Peer’s authentication method is ‘PSK’
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Get peer’s preshared key for 2.2.2.1
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Verify peer’s authentication data
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Use preshared key for id 2.2.2.1, key len 8
*Apr 13 13:45:46.488: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 13 13:45:46.488: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Verification of peer’s authenctication data PASSED
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Processing INITIAL_CONTACT
*Apr 13 13:45:46.488: IKEv2:(SESSION ID = 8,SA ID = 1):Processing IKE_AUTH message
*Apr 13 13:45:46.489: IKEv2:IPSec policy validate request sent for profile PROF_SITEB with psh index 1.

*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):
*Apr 13 13:45:46.489: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal – PASSED.

*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):Get my authentication method
*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):My authentication method is ‘PSK’
*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):Get peer’s preshared key for 2.2.2.1
*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):Generate my authentication data
*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):Use preshared key for id 1.1.1.1, key len 8
*Apr 13 13:45:46.489: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 13 13:45:46.489: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):Get my authentication method
*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):My authentication method is ‘PSK’
*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):Generating IKE_AUTH message
*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):Constructing IDr payload: ‘1.1.1.1’ of type ‘IPv4 address’
*Apr 13 13:45:46.489: IKEv2:(SESSION ID = 8,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don’t use ESN
*Apr 13 13:45:46.490: IKEv2:(SESSION ID = 8,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:45:46.490: IKEv2:(SESSION ID = 8,SA ID = 1):Sending Packet [To 2.2.2.1:500/From 1.1.1.1:500/VRF i0:f0]
Initiator SPI : E745AD638D480B9D – Responder SPI : E2A118E84388DA02 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Apr 13 13:45:46.490: IKEv2:(SESSION ID = 8,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Apr 13 13:45:46.490: IKEv2:(SESSION ID = 8,SA ID = 1):Session with IKE ID PAIR (2.2.2.1, 1.1.1.1) is UP
*Apr 13 13:45:46.490: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Apr 13 13:45:46.490: IKEv2:(SESSION ID = 8,SA ID = 1):Load IPSEC key material
*Apr 13 13:45:46.490: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Apr 13 13:45:46.693: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Apr 13 13:45:46.693: IKEv2:(SESSION ID = 8,SA ID = 1):Checking for duplicate IKEv2 SA
*Apr 13 13:45:46.693: IKEv2:(SESSION ID = 8,SA ID = 1):No duplicate IKEv2 SA found
*Apr 13 13:45:46.693: IKEv2:(SESSION ID = 8,SA ID = 1):Starting timer (8 sec) to delete negotiation context
SITE-A#sh cry ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 1.1.1.1/500 2.2.2.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/17 sec

IPv6 Crypto IKEv2 SA

== R2

*Apr 13 13:45:46.457: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.1
*Apr 13 13:45:46.457: IKEv2:Found Policy ‘POL_SITEA’
*Apr 13 13:45:46.457: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
*Apr 13 13:45:46.458: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:45:46.458: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Apr 13 13:45:46.458: IKEv2:IKEv2 initiator – no config data to send in IKE_SA_INIT exch
*Apr 13 13:45:46.458: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Apr 13 13:45:46.458: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_256_ECP/Group 19

*Apr 13 13:45:46.458: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : E745AD638D480B9D – Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:45:46.459: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Apr 13 13:45:46.476: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : E745AD638D480B9D – Responder SPI : E2A118E84388DA02 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Apr 13 13:45:46.476: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:45:46.476: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
*Apr 13 13:45:46.476: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Apr 13 13:45:46.476: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
*Apr 13 13:45:46.476: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
*Apr 13 13:45:46.476: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 19
*Apr 13 13:45:46.478: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Apr 13 13:45:46.478: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
*Apr 13 13:45:46.479: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Apr 13 13:45:46.479: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 2.2.2.1, key len 8
*Apr 13 13:45:46.479: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 13 13:45:46.479: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is ‘PSK’
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: ‘2.2.2.1’ of type ‘IPv4 address’
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA256 Don’t use ESN
*Apr 13 13:45:46.479: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:45:46.480: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 1.1.1.1:500/From 2.2.2.1:500/VRF i0:f0]
Initiator SPI : E745AD638D480B9D – Responder SPI : E2A118E84388DA02 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*Apr 13 13:45:46.496: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 1.1.1.1:500/To 2.2.2.1:500/VRF i0:f0]
Initiator SPI : E745AD638D480B9D – Responder SPI : E2A118E84388DA02 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Apr 13 13:45:46.496: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
*Apr 13 13:45:46.496: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '1.1.1.1' of type 'IPv4 address'
*Apr 13 13:45:46.497: IKEv2:Searching Policy with fvrf 0, local address 2.2.2.1
*Apr 13 13:45:46.497: IKEv2:Found Policy 'POL_SITEA'
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 1.1.1.1
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 1.1.1.1, key len 8
*Apr 13 13:45:46.497: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Apr 13 13:45:46.497: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
*Apr 13 13:45:46.497: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_AUTH message
*Apr 13 13:45:46.498: IKEv2:IPSec policy validate request sent for profile PROF_SITEA with psh index 1.

*Apr 13 13:45:46.498: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

*Apr 13 13:45:46.498: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Apr 13 13:45:46.498: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (1.1.1.1, 2.2.2.1) is UP
*Apr 13 13:45:46.498: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Apr 13 13:45:46.498: IKEv2:(SESSION ID = 1,SA ID = 1):Load IPSEC key material
*Apr 13 13:45:46.498: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Apr 13 13:45:46.616: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Apr 13 13:45:46.616: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
*Apr 13 13:45:46.616: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 19/20/22 ms
SITE-B#sh cry ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 2.2.2.1/500 1.1.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/23 sec

IPv6 Crypto IKEv2 SA

Final Verification:
SITE-A#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 1.1.1.1/500 2.2.2.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/111 sec

IPv6 Crypto IKEv2 SA

SITE-A#sh crypto ikev2 sa detail
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 1.1.1.1/500 2.2.2.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/115 sec
CE id: 1017, Session-id: 7
Status Description: Negotiation done
Local spi: E2A118E84388DA02 Remote spi: E745AD638D480B9D
Local id: 1.1.1.1
Remote id: 2.2.2.1
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No

IPv6 Crypto IKEv2 SA

SITE-B#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 2.2.2.1/500 1.1.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/146 sec

IPv6 Crypto IKEv2 SA

SITE-B#sh crypto ikev2 sa detail
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 2.2.2.1/500 1.1.1.1/500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/151 sec
CE id: 1017, Session-id: 7
Status Description: Negotiation done
Local spi: E745AD638D480B9D Remote spi: E2A118E84388DA02
Local id: 2.2.2.1
Remote id: 1.1.1.1
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: enabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes

IPv6 Crypto IKEv2 SA

IPSEC VPN

IPSEC Control Plane
– ISAKMP & IKE Negotiation

IPSEC Data Plane
– ESP & AH Encapsulation

Virtual Private Network (VPN)
– Extension of a private network over a public network.
– VPN doesn't necessarily imply encryption.

Example:
Layer 2 VPNs
– Ethernet VLANs, QinQ, Frame Relay PVCs, ATM PVCs, VPLS
Layer 3 VPNs
– GRE, MPLS layer 3 VPN, IPSEC

What is IPsec?
– IPsec is a standards-based security framework.
– Defined across many RFCs.

IPsec Features
– Data Origin Authentication
– Who did the packet come from?
– Data Integrity
– Was the packet changed in the transit path?
– Data Confidentiality
– Can anyone read the packet in the transit path?
– Anti-replay
– Did I already receive this packet?

Why use IPsec VPNs?
– Does not need static SP provisioning like MPLS
– Independent of SP access method
– IPv4/IPv6 transport is the only requirement
– Allows both site-to-site and remote access
– Always on vs. dial-on-demand (Cisco Anyconnect)
– Offers data protection
– Main motivation.
Note: The requirement is just IP Transport.

When we talk about other VPN technologies like MPLS, MPLS does not provide encryption. If someone has gained access to the transport in the service provider network and captures packets, they will be able to see our frames in clear text. The only thing MPLS does is add an additional header between layer 2 and the payload.

Design Consideration:
Many designs are driven by things like healthcare compliance. Even if you have an MPLS Layer 2/3 VPN service, you may be required to run IPsec on top of it to add data confidentiality (encryption of traffic).

How IPsec Works
1. IPsec is a Network Layer Protocol (Layer 3)
– Different from SSL (Layer 7) or 802.1AE MACsec (Layer 2)

Note: IPsec doesn't run directly over ATM or over Ethernet; it needs IPv4/IPv6 transport in order to do the negotiation and the actual data plane transport.

2. Main goal is to encrypt and authenticate IPv4 or IPv6 packets.
– Uses a symmetric cipher for encryption (e.g. 3DES)
– Keyed hashing for authentication (e.g. MD5)

3. Used to create P2P tunnels between endpoints
– GETVPN is an exception, which can use P2MP

How IPsec Tunnels Work
1. Tunnels are dynamically negotiated through IKE
– Main goal is to NOT define crypto keys manually

2. IPsec uses two data structures to build a tunnel
– Security Association (SA)
– An agreement of IPsec parameters
– Maintains the encryption & authentication keys on the peers.
– A logical structure that we maintain on the control plane

– Security Parameter Index (SPI)
– Field in the packet header used to select the SA on the receiver
– Analogous to a VLAN header or MPLS label
– Carried inside the actual packet

3. Protocols that are used to form security associations
– ISAKMP/IKE are the negotiation protocols used to form SAs
– Internet Security Association and Key Management Protocol (ISAKMP)
– ISAKMP is the framework
– Says that authentication and keying should occur

– Internet Key Exchange (IKE)
– IKE is the actual implementation
– Defines how authentication and keying occur
– In general, the terms ISAKMP and IKE are used interchangeably.

IKEv1 vs IKEv2 Negotiation
IKEv1 was the original implementation
IKEv2 adds new improvements such as the "Suite B" algorithms
– No change to the IPsec data plane, only the control plane.

IPsec Tunnel Negotiation with IKE
– Goal of the IPsec exchange is to establish SAs
– Occurs through two main negotiation phases using IKE

Note: This is a negotiation of parameters: one router tells the other which encryption and authentication will be used, and after they agree on the parameters they form an encrypted tunnel inside which they can do further negotiation.

Difference between the IPsec Phases:

1. IPsec Phase 1
– Authenticate the endpoints and build a secure tunnel for further negotiation.
– Result is called the ISAKMP SA

Note: Goal is to build a temporary secure tunnel inside which we can do further negotiation.

2. IPsec Phase 2
– Establish the tunnel used to protect the actual data traffic.
– Result is called the IPsec SA

Negotiating the ISAKMP SA
– During IKE Phase 1, peers negotiate four main parameters
1. Authentication method
2. Diffie-Hellman group
– 1/2/5/…
3. Encryption type
– DES / 3DES / AES
4. Hash algorithm
– MD5 / SHA1

Authentication is done mainly in two ways:
– Pre-shared key (PSK) – a password (limited scalability)
– X.509 Certificates (PKI) (e.g. Windows CA)

PSK is easy, but PKI is scalable
– PSKs are difficult to maintain and change.
– PKI allows easy revocation and also hierarchy

IKEv2 adds improved authentication
– EAP methods

Note: FlexVPN is Cisco's IKEv2-based framework; it adds more flexibility to the design.

IKE Diffie-Hellman Group
– DH is the method used to exchange crypto keys
– I.e. Alice and Bob agree on a prime number.
– DH group number determines the strength of the keys
– A higher group is better, but at the expense of CPU
– The result of DH is what 3DES, AES, etc. use as their symmetric keys.

Encryption algorithm used to protect the traffic: DES, 3DES, AES-128, AES-256, etc.
– Stronger is better, but at the expense of CPU
– Some can be hardware accelerated
– I.e. an AES crypto offload card

Hashing
– One-way hash used to authenticate the packet
– If the hashes match, the packet was not modified in transit
– Stronger is better, but again at the expense of CPU
– Hashes supported depend on the IKE version
– IKEv1: MD5 & SHA-1
– IKEv2: SHA-256, SHA-384, etc.

The combination of these four parameters is called an ISAKMP policy.
– Combinations of IKE parameters are ISAKMP policies
– The IKE initiator sends all its policies through a proposal
– The IKE responder checks the received policies against its own.
– The first match is used, based on the lowest local priority value.
– Otherwise, the connection is rejected.

Common issue: a policy parameter mismatch.

After Phase 1 completes, an encrypted tunnel exists between the peers. Phase 2 negotiation can now be hidden from devices in transit.
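
To make the first-match rule concrete, here is an added example (not code from the original notes) that models the responder walking its own policies in priority order against the initiator's proposal; the class name, policy values and site names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IsakmpPolicy:
    """One ISAKMP policy: the four Phase 1 parameters plus its local priority."""
    priority: int      # lower number = checked first on the router that owns it
    auth: str          # 'psk' or 'rsa-sig'
    dh_group: int      # Diffie-Hellman group number
    encryption: str    # 'des', '3des', 'aes-128', 'aes-256'
    hash_alg: str      # 'md5', 'sha1', 'sha256'

    def same_parameters(self, other: "IsakmpPolicy") -> bool:
        # Priority is local only and is never compared with the peer's value.
        return (self.auth, self.dh_group, self.encryption, self.hash_alg) == \
               (other.auth, other.dh_group, other.encryption, other.hash_alg)


def select_policy(local: list, proposal: list) -> Optional[IsakmpPolicy]:
    """Responder side: walk the local policies from the lowest priority value
    upward and return the first one that matches any policy in the initiator's
    proposal. None means Phase 1 is rejected (the parameter-mismatch case)."""
    for mine in sorted(local, key=lambda p: p.priority):
        for theirs in proposal:
            if mine.same_parameters(theirs):
                return mine
    return None


# Constructed sample: SITE-A initiates and sends every policy it has configured.
SITE_A_PROPOSAL = [
    IsakmpPolicy(10, "psk", 5, "aes-256", "sha1"),
    IsakmpPolicy(20, "psk", 2, "3des", "md5"),
]
# SITE-B responds; note that its own ordering decides which match wins.
SITE_B_POLICIES = [
    IsakmpPolicy(5, "psk", 14, "aes-256", "sha1"),   # no match: DH group differs
    IsakmpPolicy(10, "psk", 2, "3des", "md5"),        # first match in local order
    IsakmpPolicy(15, "psk", 5, "aes-256", "sha1"),    # also matches, but later
]

if __name__ == "__main__":
    chosen = select_policy(SITE_B_POLICIES, SITE_A_PROPOSAL)
    print("agreed policy:", chosen)          # the 3DES/MD5 policy, priority 10
    only_aes128 = [IsakmpPolicy(10, "psk", 14, "aes-128", "sha1")]
    print("mismatch:", select_policy(SITE_B_POLICIES, only_aes128))   # None
```

Swapping the roles (SITE-B initiating) makes SITE-A pick its AES-256 policy instead, which is why the weaker policy a peer keeps "just in case" can end up being the one negotiated.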

Negotiating the IPsec SA
– In Phase 2, peers agree on more parameters…
– Security protocol
– Encapsulating Security Payload (ESP) or Authentication Header (AH)
– Encapsulation mode
– Tunnel mode or transport mode
– Encryption
– DES, 3DES, AES, etc.
– Authentication
– MD5, SHA, SHA-256, SHA-512, etc.
– The combination of these is called the IPsec transform set

AH VS ESP
– Authentication Header (AH)
– IP protocol number 51
– Data origin authentication includes IP header
– Data Integrity
– Encapsulating Security Payload (ESP)
– IP protocol number 50
– Data origin authentication excludes IP header
– Data Integrity
– Data Encryption
– Anti-Replay
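
The receiver side of the SPI and anti-replay points above (SPI selects the SA, protocol 50/51 selects ESP or AH, the sequence number answers "did I already receive this packet?"), as an added example that is not part of the original notes; the SA database, SPI value and packets are constructed, and the packets carry no ICV or real ciphertext.

```python
import struct
from dataclasses import dataclass, field

ESP, AH = 50, 51  # IP protocol numbers of the two IPsec data-plane protocols

@dataclass
class InboundSA:
    """Receiver-side SA: selected by SPI, with a sliding anti-replay window."""
    spi: int
    window: int = 64
    highest_seq: int = 0
    seen: set = field(default_factory=set)

    def anti_replay(self, seq: int) -> bool:
        # Accept each seq once; reject repeats and anything behind the window (RFC 4303 style).
        if seq in self.seen or seq <= self.highest_seq - self.window:
            return False
        self.highest_seq = max(self.highest_seq, seq)
        self.seen.add(seq)
        return True

def parse_ipsec(packet: bytes):
    """Return (protocol, SPI, sequence number) from an IPv4 ESP or AH packet."""
    proto = packet[9]
    body = packet[(packet[0] & 0x0F) * 4:]  # skip the IPv4 header (IHL words)
    if proto == ESP:                         # ESP header begins with SPI, seq
        spi, seq = struct.unpack("!II", body[:8])
    elif proto == AH:                        # AH: next hdr, len, reserved, SPI, seq
        _, _, _, spi, seq = struct.unpack("!BBHII", body[:12])
    else:
        raise ValueError(f"protocol {proto} is neither ESP (50) nor AH (51)")
    return proto, spi, seq

def receive(sad: dict, packet: bytes) -> str:
    """Inbound processing: pick the SA by (protocol, SPI), then check replay."""
    proto, spi, seq = parse_ipsec(packet)
    sa = sad.get((proto, spi))
    if sa is None:
        return "drop: no SA for SPI"
    return "accept" if sa.anti_replay(seq) else "drop: replay"

def build_packet(proto: int, spi: int, seq: int, payload: bytes = b"\0" * 16) -> bytes:
    """Constructed sample: minimal IPv4 header + ESP/AH header, no ICV/ciphertext."""
    hdr = struct.pack("!II", spi, seq) if proto == ESP else struct.pack("!BBHII", 4, 4, 0, spi, seq)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(hdr) + len(payload), 0, 0,
                     64, proto, 0, bytes([2, 2, 2, 1]), bytes([1, 1, 1, 1]))
    return ip + hdr + payload

# Constructed inbound SA database for an ESP tunnel from 2.2.2.1 to 1.1.1.1
SAD = {(ESP, 0xC0FFEE01): InboundSA(spi=0xC0FFEE01)}
```

Feeding the same ESP packet twice returns "accept" then "drop: replay", and an AH packet with that SPI is dropped because the SA is keyed on protocol as well as SPI.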

Tunnel vs Transport
– AH & ESP support two modes of encapsulation
– Transport
– Original IP header retained
– Payload and layer 4 header authenticated/encrypted with ESP
– Complete packet authenticated with AH
– Typically used in host-to-host IPsec
– Tunnel
– Adds a new IP header
– Original header & payload authenticated/encrypted with ESP.
– Complete packet authenticated with AH
– Typically used between IPsec gateways or host to IPsec gateway

Security Association (SA) lifetimes
– How often should we re-key

IPsec proxy identities
– Define what traffic goes into the IPsec tunnel
– I.e. the "interesting traffic" that triggers the tunnel
– Proxy ACLs should be mirror images
– Take a tunnel from peer A to peer B
– Peer A says traffic is from X to Y
– Peer B says traffic is from Y to X
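
Checking the mirror-image rule before bringing a tunnel up is an easy way to avoid the Phase 2 proxy-ID mismatch this describes. The following is an added example, not code from the original notes: it parses IOS-style "permit ip" crypto ACL lines (address/wildcard pairs) from both peers and reports entries the other side does not mirror; the ACL contents are constructed.

```python
from ipaddress import IPv4Address, IPv4Network


def _net(addr: str, wildcard: str) -> IPv4Network:
    """Convert an IOS address/wildcard-mask pair into a network object."""
    mask = IPv4Address(0xFFFFFFFF ^ int(IPv4Address(wildcard)))
    return IPv4Network(f"{addr}/{mask}", strict=False)


def parse_proxy_acl(acl: str) -> set:
    """Collect the (src, dst) proxy identities from 'permit ip A WC B WC' lines."""
    ids = set()
    for line in acl.strip().splitlines():
        f = line.split()
        if len(f) == 6 and f[:2] == ["permit", "ip"]:
            ids.add((_net(f[2], f[3]), _net(f[4], f[5])))
    return ids


def mirror_mismatches(acl_a: str, acl_b: str) -> list:
    """Return the entries on either peer that the other peer does not mirror
    (A says X->Y, so B must say Y->X with the same prefix lengths)."""
    a, b = parse_proxy_acl(acl_a), parse_proxy_acl(acl_b)
    bad = [("A", str(s), str(d)) for s, d in sorted(a, key=str) if (d, s) not in b]
    bad += [("B", str(s), str(d)) for s, d in sorted(b, key=str) if (d, s) not in a]
    return bad


# Constructed sample: peer A's crypto ACL and peer B's crypto ACL.
# The second entry on B uses the wrong wildcard (0.0.0.255 instead of 0.0.255.255).
PEER_A_ACL = """
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 10.10.0.0 0.0.255.255
"""
PEER_B_ACL = """
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for peer, src, dst in mirror_mismatches(PEER_A_ACL, PEER_B_ACL):
        print(f"peer {peer}: {src} -> {dst} has no mirror on the other side")
```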

IPsec Control Plane vs Data Plane
– All traffic is unicast IPv4/IPv6
– IPsec Control Plane (ISAKMP)
– UDP 500
– UDP 4500 if going through NAT
– IPsec Data Plane
– ESP (50) or AH (51)
– ESP over UDP 4500 if going through NAT
– Some platforms allow custom ports
– E.g. ASA firewall

Q&A
1. Is there any SSL VPN for site-to-site VPN?
– OpenSSL on Linux (doing the encryption at the application level)
2. Proxy ACLs should match
3.
——————————————————
IKE Phase 1 is ISAKMP (Internet Security Association and Key Management Protocol) – it is used to create a private tunnel between the peers (the routers) for secure communication.

IKE Phase 2 is also known as IPsec – it creates the IPsec tunnel used for user traffic.

https://learningnetwork.cisco.com/thread/25765
https://supportforums.cisco.com/t5/security-documents/main-mode-vs-aggressive-mode/ta-p/3123382

IPSEC VPN

http://gigacon.blogspot.com/2016/12/best-interview-questions-how-vpn-works.html

Main Mode VS Aggressive:
https://supportforums.cisco.com/t5/security-documents/main-mode-vs-aggressive-mode/ta-p/3123382

Fortigate selecting Main and Aggressive Mode:
http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Phase_1/Choosing_Main_Aggressive.htm

Basic Site-to-Site IPSec VPN (Aggressive Mode):
http://zahid-stanikzai.com/basic-site-to-site-ipsec-vpn-aggressive-mode/

IKE main mode, aggressive mode, & phase 2.

IPsec VPN, Main mode Vs Aggressive mode
http://rayas-security.blogspot.com/2013/06/ipsec-vpn-main-mode-vs-aggressive-mode.html

Conclusions
-Aggressive mode is faster than main mode
-It is generally recommended to use main mode instead of aggressive mode.
-If aggressive mode must be used, for performance reasons for example, prefer public key encryption authentication.

Question and Answer:
1. When do we use main mode and aggressive mode? In which scenarios do we choose them?
A: Aggressive mode is typically used for remote access VPNs (remote users). Also you would use aggressive mode if one or both peers have dynamic external IP addresses.
While Main mode is used for Site-Site VPNs.

2. It will depend on the authentication type used
1. In PSK mode, you have to use Aggressive mode when one side is in dynamic IP addressing.
2. In the other authentication modes, you can use either Main or Aggressive modes.
One advantage of the Aggressive mode over the Main mode is that it is faster

3. Which mode is the secure one? Main mode or Aggressive?
A: Main mode is secure as it negotiates the SA parameters first before authenticating which aggressive mode does not do.