Community.cisco.com



BUILDING FLEX VPN USING SMART DEFAULT CONFIGURATION

Internet Key Exchange Version 2 (IKEv2) is the next-generation key management protocol. Cisco implements IKEv2 on IOS through FlexVPN. Cisco FlexVPN on IOS routers includes smart default features that help administrators minimise configuration length and time. This document illustrates the Cisco FlexVPN smart defaults and shows how to build a basic site-to-site VPN using them. For a full-blown IKEv2 configuration, Cisco IOS 15.2(3)T or above is required and recommended.

PREVIEWING FLEX VPN SMART DEFAULT CONFIGURATION

Using the show commands below, administrators can preview the FlexVPN smart default values.

R1#sh crypto ikev2 proposal default
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

R1#sh crypto ikev2 policy default
 IKEv2 policy : default
      Match fvrf : any
      Match address local : any
      Proposal    : default

R1#sh crypto ikev2 authorization policy default
 IKEv2 Authorization Policy : default
      route set interface
      route accept any tag : 1 distance : 1

R1#sh crypto ipsec transform-set default
{ esp-aes esp-sha-hmac  }
   will negotiate = { Transport,  },

R1#sh crypto ipsec profile default
IPSEC profile default
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): N
        Transform sets={
                default:  { esp-aes esp-sha-hmac  } ,

R1#sh run all | s crypto
crypto ikev2 authorization policy default
 route set interface
 route accept any
crypto ikev2 proposal default
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256 sha1 md5
 group 5 2
crypto ikev2 policy default
 match fvrf any
 proposal default
crypto ipsec transform-set default esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile default
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 no set security-association idle-time
 no set security-association replay window-size

Note what these defaults actually offer. The default proposal still lists SHA1 and MD5 for integrity and PRF and only the 1024-bit and 1536-bit MODP groups (DH groups 2 and 5), and the default transform set is 128-bit AES-CBC with HMAC-SHA1 in transport mode with PFS disabled. Because a responder accepts any algorithm that appears in both its own list and the peer's, a peer that only offers MD5 and group 2 will negotiate exactly that against an unmodified default. The smart defaults are a convenience for getting a tunnel up quickly, not a statement of the strongest configuration the platform supports.

MODIFYING FLEX VPN SMART DEFAULT CONFIGURATION

IKEv2 smart defaults can be modified for a specific environment, though this is not suggested. Using the commands below from global configuration mode on Cisco IOS, the default values can be modified.

NGVPNROUTER(config)#crypto ikev2 proposal default
NGVPNROUTER(config)#crypto ikev2 policy default
NGVPNROUTER(config)#crypto ikev2 authorization policy default
NGVPNROUTER(config)#crypto ipsec transform-set default
NGVPNROUTER(config)#crypto ipsec profile default

Example:

NGVPNROUTER(config)#crypto ikev2 proposal default
%Warning: This will Modify Default IKEv2 Proposal. Exit if you don't want
NGVPNROUTER(config-ikev2-proposal)#integrity md5
NGVPNROUTER(config-ikev2-proposal)#group 16

Verifying the modification:

NGVPNROUTER#sh crypto ikev2 proposal default
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : MD5
     PRF        : MD5
     DH Group   : DH_GROUP_4096_MODP/Group 16

Notice that "integrity md5" replaced the whole default integrity list with MD5 alone, and because no "prf" was configured the PRF followed the integrity setting. The example therefore strengthens the DH group while weakening integrity to MD5 only. When you edit a smart default, state the complete list you intend for each attribute (for example "integrity sha512 sha384 sha256" and an explicit "prf") rather than assuming the previous default entries survive.

RESTORING FLEX VPN SMART DEFAULT CONFIGURATION

Using the commands below, any modified smart default configuration can be restored to its initial smart default value.

NGVPNROUTER(config)# default crypto ikev2 proposal
NGVPNROUTER(config)# default crypto ikev2 policy
NGVPNROUTER(config)# default crypto ikev2 authorization policy
NGVPNROUTER(config)# default crypto ipsec transform-set
NGVPNROUTER(config)# default crypto ipsec profile

Example:

NGVPNROUTER(config)#default crypto ikev2 proposal

Verifying restoration:

NGVPNROUTER#sh crypto ikev2 proposal default
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

DISABLING FLEX VPN SMART DEFAULT CONFIGURATION

IKEv2 smart default configuration can also be disabled for a specific environment, though this is not suggested.
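Before modifying or disabling any of the smart defaults it helps to know exactly what the current proposal offers, since a responder will accept any algorithm that both sides list. The following Python script is an added example and is not part of the original post: it parses the "show crypto ikev2 proposal" output shown above (both the unmodified default and the result of the "integrity md5" / "group 16" edit), reports the entries a reviewer would normally reject, and emits the "crypto ikev2 proposal" submode commands with those entries removed. The weak-algorithm sets, the show-name to CLI-keyword mapping and the two sample outputs are the script's own assumptions, not IOS settings.

```python
"""Audit a Cisco IOS 'show crypto ikev2 proposal' listing for weak algorithms.

Added example, not code from the Cisco community post. The weak sets below
are the reviewer's policy (MD5/SHA1-based integrity and PRF, MODP groups
below 2048 bits); adjust them to your own standard.
"""
import re
from dataclasses import dataclass

# Constructed sample: the smart-default proposal as the page shows it.
SAMPLE_DEFAULT = """\
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2
"""

# Constructed sample: the proposal after the page's 'integrity md5' / 'group 16' edit.
SAMPLE_MODIFIED = """\
 IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : MD5
     PRF        : MD5
     DH Group   : DH_GROUP_4096_MODP/Group 16
"""

WEAK_INTEGRITY = {"MD5", "MD596", "SHA1", "SHA96"}   # assumption: reviewer policy
WEAK_PRF = {"MD5", "SHA1"}                            # assumption: reviewer policy
WEAK_DH_GROUPS = {1, 2, 5}                            # assumption: < 2048-bit MODP

# show-output names that differ from the 'integrity' CLI keyword (assumed mapping)
INTEGRITY_CLI = {"SHA96": "sha1", "MD596": "md5"}

_FIELD = re.compile(r"^\s*(Encryption|Integrity|PRF|DH Group)\s*:\s*(.*?)\s*$", re.M)


@dataclass
class Proposal:
    name: str
    encryption: list
    integrity: list
    prf: list
    dh_groups: list  # numeric group ids, in the order IOS lists them


def parse_proposal(text: str) -> Proposal:
    """Parse one 'IKEv2 proposal:' block into its four algorithm lists."""
    header = re.search(r"IKEv2 proposal:\s*(\S+)", text)
    if not header:
        raise ValueError("no 'IKEv2 proposal:' header found")
    fields = dict(_FIELD.findall(text))
    return Proposal(
        name=header.group(1),
        encryption=fields.get("Encryption", "").split(),
        integrity=fields.get("Integrity", "").split(),
        prf=fields.get("PRF", "").split(),
        # 'DH_GROUP_1536_MODP/Group 5' contains a space, so pull the number out by regex
        dh_groups=[int(g) for g in re.findall(r"/Group (\d+)", fields.get("DH Group", ""))],
    )


def audit(p: Proposal) -> list:
    """Return 'attribute:value' strings for every weak entry, in list order."""
    findings = [f"integrity:{a}" for a in p.integrity if a in WEAK_INTEGRITY]
    findings += [f"prf:{a}" for a in p.prf if a in WEAK_PRF]
    findings += [f"dh:group{g}" for g in p.dh_groups if g in WEAK_DH_GROUPS]
    return findings


def harden_commands(p: Proposal, add_groups=()) -> list:
    """Emit the proposal submode commands with weak entries dropped.

    add_groups lets the caller append acceptable DH groups, because the smart
    default contains none; an attribute that would end up empty raises.
    """
    enc = [a.lower() for a in p.encryption]
    integ = [INTEGRITY_CLI.get(a, a.lower()) for a in p.integrity if a not in WEAK_INTEGRITY]
    prf = [a.lower() for a in p.prf if a not in WEAK_PRF]
    groups = [g for g in p.dh_groups if g not in WEAK_DH_GROUPS]
    groups += [g for g in add_groups if g not in groups]
    for label, values in (("encryption", enc), ("integrity", integ), ("prf", prf), ("group", groups)):
        if not values:
            raise ValueError(f"no acceptable {label} left; add one explicitly")
    return [
        f"crypto ikev2 proposal {p.name}",
        " encryption " + " ".join(enc),
        " integrity " + " ".join(integ),
        " prf " + " ".join(prf),
        " group " + " ".join(str(g) for g in groups),
    ]


if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_MODIFIED):
        prop = parse_proposal(sample)
        print(prop.name, "weak entries:", audit(prop))
    print("\n".join(harden_commands(parse_proposal(SAMPLE_DEFAULT), add_groups=(14, 19))))
```

Run against the unmodified default the audit reports SHA96, MD596, SHA1, MD5 and both DH groups; run against the modified proposal it reports MD5 for integrity and PRF and nothing for DH, which is exactly the trade the example edit made. Because every default DH group is in the weak set, harden_commands needs add_groups to produce a usable "group" line; paste the emitted lines into the proposal submode on a lab router before relying on them.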
To disable a smart default, use the following commands from global configuration mode on Cisco IOS.

NGVPNROUTER(config)# no crypto ikev2 proposal default
NGVPNROUTER(config)# no crypto ikev2 policy default
NGVPNROUTER(config)# no crypto ikev2 authorization policy default
NGVPNROUTER(config)# no crypto ipsec transform-set default
NGVPNROUTER(config)# no crypto ipsec profile default

EXAMPLE:

NGVPNROUTER(config)#no crypto ikev2 proposal default

SITE-TO-SITE VPN USING FLEX VPN SMART DEFAULT CONFIGURATION (PKI AUTH)

The configuration below shows a site-to-site VPN built on the FlexVPN smart default configuration with PKI (RSA signature) authentication. We assume that a valid route to the remote public IP exists on both R1 and R2, and that a valid trustpoint called "GoryealCA" exists on both R1 and R2. Note that an IKEv2 profile MUST contain either a "match identity remote address" or a "match certificate" statement; to use "match certificate", you must first configure a certificate map.

Also, unlike IKEv1, IKEv2 does not fall back to the trustpoint configured globally; you must explicitly specify the trustpoint under the crypto ikev2 profile.

Two further points are worth understanding before copying this configuration. First, there is no smart default IKEv2 profile; the profile below is created explicitly and merely happens to be named "default". It is not referenced by the IPsec profile at all: as the debug output later shows ("Searching policy based on peer's identity '10.10.10.2'" followed by "found matching IKEv2 profile 'default'"), IOS selects the IKEv2 profile at negotiation time from the peer's asserted IKE identity. Second, with "match identity remote address" the peer is authenticated only by presenting a certificate that chains to GoryealCA; the identity in the IKE ID is not checked against the certificate contents. The %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH messages in the R1 debug are severity 6 (informational) and the tunnel comes up regardless. If a peer must be bound to a specific certificate rather than to any certificate the CA has issued, use a certificate map with "match certificate".

To create the site-to-site VPN using the smart default configuration, ONLY the following steps are required:

1. Create and configure a crypto ikev2 profile (here called default)
2. Create and configure a tunnel interface with tunnel protection using the default IPsec profile
3. Create a static route to the remote local subnet via the tunnel

R1 CONFIGURATION

!
crypto ikev2 profile default
 match identity remote address 10.10.10.2 255.255.255.255
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint GoryealCA
!
interface Tunnel10
 ip address 200.200.200.1 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 10.10.10.2
 tunnel protection ipsec profile default
!
ip route 2.2.2.2 255.255.255.255 Tunnel10
!
interface Ethernet0/0
 ip address 100.100.100.2 255.255.255.0
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.0

R2 CONFIGURATION

!
crypto ikev2 profile default
 match identity remote address 100.100.100.2 255.255.255.255
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint GoryealCA
!
interface Tunnel10
 ip address 200.200.200.2 255.255.255.0
 tunnel source Ethernet0/0
 tunnel destination 100.100.100.2
 tunnel protection ipsec profile default
!
ip route 1.1.1.1 255.255.255.255 Tunnel10
!
interface Ethernet0/0
 ip address 10.10.10.2 255.255.255.0
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.0
!

TUNNEL ESTABLISHMENT VERIFICATION

R2#ping 1.1.1.1 repeat 200 source loopback1
Type escape sequence to abort.
Sending 200, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (200/200), round-trip min/avg/max = 1/4/20 ms

R2#sh cry session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel10
Uptime: 00:10:26
Session status: UP-ACTIVE
Peer: 100.100.100.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 100.100.100.2
      Desc: (none)
  IKEv2 SA: local 10.10.10.2/500 remote 100.100.100.2/500 Active
          Capabilities:(none) connid:1 lifetime:23:49:34
  IPSEC FLOW: permit 47 host 10.10.10.2 host 100.100.100.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 200 drop 0 life (KB/Sec) 4248818/2973
        Outbound: #pkts enc'ed 200 drop 0 life (KB/Sec) 4248818/2973

R1# sh cry session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel10
Uptime: 00:10:43
Session status: UP-ACTIVE
Peer: 10.10.10.2 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.10.10.2
      Desc: (none)
  IKEv2 SA: local 100.100.100.2/500 remote 10.10.10.2/500 Active
          Capabilities:(none) connid:1 lifetime:23:49:17
  IPSEC FLOW: permit 47 host 100.100.100.2 host 10.10.10.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 200 drop 0 life (KB/Sec) 4227505/2956
        Outbound: #pkts enc'ed 200 drop 0 life (KB/Sec) 4227505/2956

The things to confirm here are that the session is UP-ACTIVE, that the control channel line reads "IKEv2 SA" (an "IKE SA" line would mean the peers fell back to IKEv1), that the protected flow is protocol 47 (the GRE tunnel, protected in transport mode by the default transform set) between the two tunnel endpoints, that there are two active IPsec SAs (one per direction), and that packet counters increase in both directions with zero drops.

R1 DEBUG

R1#sh debug
IKEV2:
  IKEv2 error debugging is on
  IKEv2 default debugging is on
  IKEv2 packet debugging is on
Cryptographic Subsystem:
  Crypto IPSEC debugging is on

Dec 15 20:16:02.914: IKEv2:Received Packet [From 10.10.10.2:500/To 100.100.100.2:500/VRF i0:f0]
Initiator SPI : 1D8625DFB9698916 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Dec 15 20:16:02.914: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 496
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 144
  last proposal: 0x0, reserved: 0x0, length: 140
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA512
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA384
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA256
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA1
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: MD5
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA512
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA384
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA256
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA96
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: MD596
   last transform: 0x3, reserved: 0x0: length: 8
   type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
   last transform: 0x0, reserved: 0x0: length: 8
   type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 200
  DH group: 5, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
  Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: NONE, reserved: 0x0, length: 28
  Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):Verify SA init message
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):Insert SA
Dec 15 20:16:02.914: IKEv2:Searching Policy with fvrf 0, local address 100.100.100.2
Dec 15 20:16:02.914: IKEv2:Using the Default Policy for Proposal
Dec 15 20:16:02.914: IKEv2:Found Policy 'default'
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool' 'GoryealCA'
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):Request queued for computation of DH key
Dec 15 20:16:02.914: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Request queued for computation of DH secret
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
Dec 15 20:16:02.924: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
   AES-CBC   SHA512   SHA512   DH_GROUP_1536_MODP/Group 5
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool' 'GoryealCA'
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Sending Packet [To 10.10.10.2:500/From 100.100.100.2:500/VRF i0:f0]
Initiator SPI : 1D8625DFB9698916 - Responder SPI : 4C01BF4D81E8D29D Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 533
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 48
  last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA512
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA512
   last transform: 0x0, reserved: 0x0: length: 8
   type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
 KE  Next payload: N, reserved: 0x0, length: 200
  DH group: 5, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
  Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
  Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 125
  Cert encoding Hash and URL of PKIX
 NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: NONE, reserved: 0x0, length: 8
  Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Completed SA init exchange
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Starting timer (30 sec) to wait for auth message
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Received Packet [From 10.10.10.2:500/To 100.100.100.2:500/VRF i0:f0]
Initiator SPI : 1D8625DFB9698916 - Responder SPI : 4C01BF4D81E8D29D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 1392
Payload contents:
 VID  Next payload: IDi, reserved: 0x0, length: 20
 IDi  Next payload: CERT, reserved: 0x0, length: 12
  Id type: IPv4 address, Reserved: 0x0 0x0
 CERT  Next payload: CERTREQ, reserved: 0x0, length: 525
  Cert encoding X.509 Certificate - signature
 CERTREQ  Next payload: NOTIFY, reserved: 0x0, length: 125
  Cert encoding Hash and URL of PKIX
 NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)  Next payload: AUTH, reserved: 0x0, length: 8
  Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED
 AUTH  Next payload: CFG, reserved: 0x0, length: 136
  Auth method RSA, reserved: 0x0, reserved 0x0
 CFG  Next payload: SA, reserved: 0x0, length: 317
  cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0
Dec 15 20:16:02.939:    attrib type: internal IP4 DNS, length: 0
Dec 15 20:16:02.939:    attrib type: internal IP4 DNS, length: 0
Dec 15 20:16:02.939:    attrib type: internal IP4 NBNS, length: 0
Dec 15 20:16:02.939:    attrib type: internal IP4 NBNS, length: 0
Dec 15 20:16:02.939:    attrib type: internal IP4 subnet, length: 0
Dec 15 20:16:02.939:    attrib type: internal IP6 DNS, length: 0
Dec 15 20:16:02.939:    attrib type: internal IP6 subnet, length: 0
Dec 15 20:16:02.939:    attrib type: application version, length: 257
   attrib type: Unknown - 28675, length: 0
Dec 15 20:16:02.939:    attrib type: Unknown - 28672, length: 0
Dec 15 20:16:02.939:    attrib type: Unknown - 28692, length: 0
Dec 15 20:16:02.939:    attrib type: Unknown - 28681, length: 0
Dec 15 20:16:02.939:    attrib type: Unknown - 28674, length: 0
Dec 15 20:16:02.939:  SA  Next payload: TSi, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA96
   last transform: 0x0, reserved: 0x0: length: 8
   type: 5, reserved: 0x0, id: Don't use ESN
 TSi  Next payload: TSr, reserved: 0x0, length: 40
  Num of TSs: 2, reserved 0x0, reserved 0x0
   TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16
    start port: 0, end port: 65535
    start addr: 10.10.10.2, end addr: 10.10.10.2
   TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16
    start port: 0, end port: 65535
    start addr: 10.10.10.2, end addr: 10.10.10.2
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 40
  Num of TSs: 2, reserved 0x0, reserved 0x0
   TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16
    start port: 0, end port: 65535
    start addr: 100.100.100.2, end addr: 100.100.100.2
   TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16
    start port: 0, end port: 65535
    start addr: 100.100.100.2, end addr: 100.100.100.2
 NOTIFY(INITIAL_CONTACT)  Next payload: NOTIFY, reserved: 0x0, length: 8
  Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
 NOTIFY(USE_TRANSPORT_MODE)  Next payload: NOTIFY, reserved: 0x0, length: 8
  Security protocol id: IKE, spi size: 0, type: USE_TRANSPORT_MODE
 NOTIFY(SET_WINDOW_SIZE)  Next payload: NOTIFY, reserved: 0x0, length: 12
  Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
  Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
  Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Stopping timer to wait for auth message
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Checking NAT discovery
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):NAT not found
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Searching policy based on peer's identity '10.10.10.2' of type 'IPv4 address'
Dec 15 20:16:02.939: IKEv2:found matching IKEv2 profile 'default'
Dec 15 20:16:02.939: IKEv2:Searching Policy with fvrf 0, local address 100.100.100.2
Dec 15 20:16:02.939: IKEv2:Using the Default Policy for Proposal
Dec 15 20:16:02.939: IKEv2:Found Policy 'default'
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Verify peer's policy
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Peer's policy verified
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'GoryealCA'
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint GoryealCA
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSED
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Get peer's authentication method
Dec 15 20:16:02.939: IKEv2:(SA ID = 1):Peer's authentication method is 'RSA'
Dec 15 20:16:02.940: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chain
Dec 15 20:16:02.949: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain PASSED
Dec 15 20:16:02.949: IKEv2:(SA ID = 1):Save pubkey
Dec 15 20:16:02.950: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 10.10.10.2 (type 1) and certificate addr with
Dec 15 20:16:02.950: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 10.10.10.2 (type 1) and certificate addr with
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):Verify peer's authentication data
Dec 15 20:16:02.950: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Dec 15 20:16:02.950: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Verify signed authenticaiton data
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSED
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):Processing INITIAL_CONTACT
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):Received valid config mode data
Dec 15 20:16:02.950: IKEv2:Config data recieved:
Dec 15 20:16:02.950: Config-type: Config-request
Dec 15 20:16:02.950: Attrib type: ipv4-dns, length: 0
Dec 15 20:16:02.950: Attrib type: ipv4-dns, length: 0
Dec 15 20:16:02.950: Attrib type: ipv4-nbns, length: 0
Dec 15 20:16:02.950: Attrib type: ipv4-nbns, length: 0
Dec 15 20:16:02.950: Attrib type: ipv4-subnet, length: 0
Dec 15 20:16:02.950: Attrib type: ipv6-dns, length: 0
Dec 15 20:16:02.950: Attrib type: ipv6-subnet, length: 0
Dec 15 20:16:02.950: Attrib type: app-version, length: 257, data: Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.2(4)M2, DEVELOPMENT TEST SOFTWARE
Technical Support: (c) 1986-2012 by Cisco Systems, Compiled Thu 08-Nov-12 04:46 by prod_rel_team
Dec 15 20:16:02.950: Attrib type: split-dns, length: 0
Dec 15 20:16:02.950: Attrib type: banner, length: 0
Dec 15 20:16:02.950: Attrib type: config-url, length: 0
Dec 15 20:16:02.950: Attrib type: backup-gateway, length: 0
Dec 15 20:16:02.950: Attrib type: def-domain, length: 0
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):Set received config mode data
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):Processing IKE_AUTH message
Dec 15 20:16:02.950: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 2 flags 8178 keysize 128 IDB 0x0
Dec 15 20:16:02.950: IPSEC(validate_proposal_request): proposal part #1
Dec 15 20:16:02.950: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 100.100.100.2:0, remote= 10.10.10.2:0,
    local_proxy= 100.100.100.2/255.255.255.255/47/0,
    remote_proxy= 10.10.10.2/255.255.255.255/47/0,
    protocol= ESP, transform= NONE  (Transport),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 15 20:16:02.950: Crypto mapdb : proxy_match
        src addr     : 100.100.100.2
        dst addr     : 10.10.10.2
        protocol     : 47
        src port     : 0
        dst port     : 0
Dec 15 20:16:02.950: IKEv2:Error constructing config reply
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):Get my authentication method
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):My authentication method is 'RSA'
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):Generate my authentication data
Dec 15 20:16:02.950: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
Dec 15 20:16:02.950: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):Get my authentication method
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):My authentication method is 'RSA'
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):Sign authentication data
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private key
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSED
Dec 15 20:16:02.950: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication data
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSED
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Authentication material has been sucessfully signed
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Generating IKE_AUTH message
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Constructing IDr payload: '100.100.100.2' of type 'IPv4 address'
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96   Don't use ESN
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Building packet for encryption.
Payload contents:
 VID  Next payload: IDr, reserved: 0x0, length: 20
 IDr  Next payload: CERT, reserved: 0x0, length: 12
  Id type: IPv4 address, Reserved: 0x0 0x0
 CERT  Next payload: AUTH, reserved: 0x0, length: 525
  Cert encoding X.509 Certificate - signature
 AUTH  Next payload: SA, reserved: 0x0, length: 136
  Auth method RSA, reserved: 0x0, reserved 0x0
 SA  Next payload: TSi, reserved: 0x0, length: 44
  last proposal: 0x0, reserved: 0x0, length: 40
  Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA96
   last transform: 0x0, reserved: 0x0: length: 8
   type: 5, reserved: 0x0, id: Don't use ESN
 TSi  Next payload: TSr, reserved: 0x0, length: 24
  Num of TSs: 1, reserved 0x0, reserved 0x0
   TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16
    start port: 0, end port: 65535
    start addr: 10.10.10.2, end addr: 10.10.10.2
 TSr  Next payload: NOTIFY, reserved: 0x0, length: 24
  Num of TSs: 1, reserved 0x0, reserved 0x0
   TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16
    start port: 0, end port: 65535
    start addr: 100.100.100.2, end addr: 100.100.100.2
 NOTIFY(USE_TRANSPORT_MODE)  Next payload: NOTIFY, reserved: 0x0, length: 8
  Security protocol id: IKE, spi size: 0, type: USE_TRANSPORT_MODE
 NOTIFY(SET_WINDOW_SIZE)  Next payload: NOTIFY, reserved: 0x0, length: 12
  Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE
 NOTIFY(ESP_TFC_NO_SUPPORT)  Next payload: NOTIFY, reserved: 0x0, length: 8
  Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
 NOTIFY(NON_FIRST_FRAGS)  Next payload: NONE, reserved: 0x0, length: 8
  Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Sending Packet [To 10.10.10.2:500/From 100.100.100.2:500/VRF i0:f0]
Initiator SPI : 1D8625DFB9698916 - Responder SPI : 4C01BF4D81E8D29D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 912
Payload contents:
 ENCR  Next payload: VID, reserved: 0x0, length: 884
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Session with IKE ID PAIR (10.10.10.2, 100.100.100.2) is UP
Dec 15 20:16:02.954: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Load IPSEC key material
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Asynchronous request queued
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):
Dec 15 20:16:02.954: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 15 20:16:02.954: Crypto mapdb : proxy_match
        src addr     : 100.100.100.2
        dst addr     : 10.10.10.2
        protocol     : 47
        src port     : 0
        dst port     : 0
Dec 15 20:16:02.954: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel10-head-0
Dec 15 20:16:02.954: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 10.10.10.2
Dec 15 20:16:02.954: IPSEC(create_sa): sa created,
  (sa) sa_dest= 100.100.100.2, sa_proto= 50,
    sa_spi= 0x3489BCF1(881442033),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 39
    sa_lifetime(k/sec)= (4608000/3600)
Dec 15 20:16:02.954: IPSEC(create_sa): sa created,
  (sa) sa_dest= 10.10.10.2, sa_proto= 50,
    sa_spi= 0x981DDC21(2552093729),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 40
    sa_lifetime(k/sec)= (4608000/3600)
Dec 15 20:16:02.954: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
Dec 15 20:16:02.954: IPSEC: Expand action denied, notify RP
Dec 15 20:16:02.958: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SA
Dec 15 20:16:02.958: IKEv2:(SA ID = 1):No duplicate IKEv2 SA found
Dec 15 20:16:02.958: IKEv2:(SA ID = 1):Starting timer (8 sec) to delete negotiation context

Reading the R1 debug as the responder: the peer offered all fifteen transforms of the smart default (three AES-CBC key sizes, five PRFs, five integrity algorithms, two DH groups) and R1 answered with the first acceptable entry of each type, AES-CBC, SHA512 integrity, SHA512 PRF and DH group 5. The child SA negotiated AES-CBC with keysize 128 and SHA96 (HMAC-SHA1-96) with no ESN, which is the default transform set, in transport mode as the USE_TRANSPORT_MODE notify shows. The CFG_REQUEST with empty attributes and the "Error constructing config reply" line are the initiator asking for FlexVPN configuration-mode attributes that this site-to-site profile does not supply; the negotiation completes anyway.

R2 DEBUG

R2#sh debug
IKEV2:
  IKEv2 error debugging is on
  IKEv2 default debugging is on
  IKEv2 packet debugging is on
Cryptographic Subsystem:
  Crypto IPSEC debugging is on

Dec 15 20:16:02.912: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 10.10.10.2:500, remote= 100.100.100.2:500,
    local_proxy= 10.10.10.2/255.255.255.255/47/0,
    remote_proxy= 100.100.100.2/255.255.255.255/47/0,
    protocol= ESP, transform= esp-aes esp-sha-hmac  (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Dec 15 20:16:02.913: IKEv2:Searching Policy with fvrf 0, local address 10.10.10.2
Dec 15 20:16:02.913: IKEv2:Using the Default Policy for Proposal
Dec 15 20:16:02.913: IKEv2:Found Policy 'default'
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):Request queued for computation of DH key
Dec 15 20:16:02.913: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):Generating IKE_SA_INIT message
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 15
   AES-CBC   AES-CBC   AES-CBC   SHA512   SHA384   SHA256   SHA1   MD5   SHA512   SHA384   SHA256   SHA96   MD596   DH_GROUP_1536_MODP/Group 5   DH_GROUP_1024_MODP/Group 2
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):Sending Packet [To 100.100.100.2:500/From 10.10.10.2:500/VRF i0:f0]
Initiator SPI : 1D8625DFB9698916 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 496
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 144
  last proposal: 0x0, reserved: 0x0, length: 140
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA512
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA384
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA256
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA1
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: MD5
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA512
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA384
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA256
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA96
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: MD596
   last transform: 0x3, reserved: 0x0: length: 8
   type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
   last transform: 0x0, reserved: 0x0: length: 8
   type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
 KE  Next payload: N, reserved: 0x0, length: 200
  DH group: 5, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
  Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: NONE, reserved: 0x0, length: 28
  Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
Dec 15 20:16:02.913: IKEv2:(SA ID = 1):Insert SA
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Received Packet [From 100.100.100.2:500/To 10.10.10.2:500/VRF i0:f0]
Initiator SPI : 1D8625DFB9698916 - Responder SPI : 4C01BF4D81E8D29D Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Dec 15 20:16:02.924: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 533
Payload contents:
 SA  Next payload: KE, reserved: 0x0, length: 48
  last proposal: 0x0, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
   last transform: 0x3, reserved: 0x0: length: 12
   type: 1, reserved: 0x0, id: AES-CBC
   last transform: 0x3, reserved: 0x0: length: 8
   type: 2, reserved: 0x0, id: SHA512
   last transform: 0x3, reserved: 0x0: length: 8
   type: 3, reserved: 0x0, id: SHA512
   last transform: 0x0, reserved: 0x0: length: 8
   type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
 KE  Next payload: N, reserved: 0x0, length: 200
  DH group: 5, Reserved: 0x0
 N  Next payload: VID, reserved: 0x0, length: 24
 VID  Next payload: VID, reserved: 0x0, length: 23
 VID  Next payload: NOTIFY, reserved: 0x0, length: 21
 NOTIFY(NAT_DETECTION_SOURCE_IP)  Next payload: NOTIFY, reserved: 0x0, length: 28
  Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
 NOTIFY(NAT_DETECTION_DESTINATION_IP)  Next payload: CERTREQ, reserved: 0x0, length: 28
  Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
 CERTREQ  Next payload: NOTIFY, reserved: 0x0,
length: 125 Cert encoding Hash and URL of PKIX NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTEDDec 15 20:16:02.924: IKEv2:(SA ID = 1):Processing IKE_SA_INIT messageDec 15 20:16:02.924: IKEv2:(SA ID = 1):Verify SA init messageDec 15 20:16:02.924: IKEv2:(SA ID = 1):Processing IKE_SA_INIT messageDec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)Dec 15 20:16:02.924: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):Dec 15 20:16:02.925: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)Dec 15 20:16:02.925: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s):Dec 15 20:16:02.925: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieving trustpoint(s) from received certificate hash(es)Dec 15 20:16:02.925: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'GoryealCA'Dec 15 20:16:02.925: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting cert chain for the trustpoint GoryealCADec 15 20:16:02.925: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of cert chain for the trustpoint PASSEDDec 15 20:16:02.925: IKEv2:(SA ID = 1):Checking NAT discoveryDec 15 20:16:02.925: IKEv2:(SA ID = 1):NAT not foundDec 15 20:16:02.925: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5Dec 15 20:16:02.935: 
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSEDDec 15 20:16:02.935: IKEv2:(SA ID = 1):Request queued for computation of DH secretDec 15 20:16:02.935: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SADec 15 20:16:02.935: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSEDDec 15 20:16:02.935: IKEv2:(SA ID = 1):Completed SA init exchangeDec 15 20:16:02.935: IKEv2:Config data to send:Dec 15 20:16:02.935: Config-type: Config-requestDec 15 20:16:02.935: Attrib type: ipv4-dns, length: 0Dec 15 20:16:02.935: Attrib type: ipv4-dns, length: 0Dec 15 20:16:02.935: Attrib type: ipv4-nbns, length: 0Dec 15 20:16:02.935: Attrib type: ipv4-nbns, length: 0Dec 15 20:16:02.935: Attrib type: ipv4-subnet, length: 0Dec 15 20:16:02.935: Attrib type: ipv6-dns, length: 0Dec 15 20:16:02.935: Attrib type: ipv6-subnet, length: 0Dec 15 20:16:02.935: Attrib type: app-version, length: 257, data: Cisco IOS Software, Linux Software (I86BI_LINUX-ADVENTERPRISEK9-M), Version 15.2(4)M2, DEVELOPMENT TEST SOFTWARETechnical Support: (c) 1986-2012 by Cisco Systems, piled Thu 08-Nov-12 04:46 by prod_rel_teamDec 15 20:16:02.935: Attrib type: split-dns, length: 0Dec 15 20:16:02.935: Attrib type: banner, length: 0Dec 15 20:16:02.935: Attrib type: config-url, length: 0Dec 15 20:16:02.935: Attrib type: backup-gateway, length: 0Dec 15 20:16:02.935: Attrib type: def-domain, length: 0Dec 15 20:16:02.935: IKEv2:(SA ID = 1):Have config mode data to sendDec 15 20:16:02.935: IKEv2:(SA ID = 1):Check for EAP exchangeDec 15 20:16:02.935: IKEv2:(SA ID = 1):Generate my authentication dataDec 15 20:16:02.935: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication dataDec 15 20:16:02.935: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSEDDec 15 20:16:02.935: IKEv2:(SA ID = 1):Get my authentication methodDec 15 20:16:02.935: IKEv2:(SA ID = 1):My authentication method is 'RSA'Dec 15 
20:16:02.935: IKEv2:(SA ID = 1):Sign authentication dataDec 15 20:16:02.935: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Getting private keyDec 15 20:16:02.935: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of private key PASSEDDec 15 20:16:02.935: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Sign authentication dataDec 15 20:16:02.938: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Signing of authenticaiton data PASSEDDec 15 20:16:02.938: IKEv2:(SA ID = 1):Authentication material has been sucessfully signedDec 15 20:16:02.938: IKEv2:(SA ID = 1):Check for EAP exchangeDec 15 20:16:02.938: IKEv2:(SA ID = 1):Generating IKE_AUTH messageDec 15 20:16:02.938: IKEv2:(SA ID = 1):Constructing IDi payload: '10.10.10.2' of type 'IPv4 address'Dec 15 20:16:02.938: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)Dec 15 20:16:02.938: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'Trustpool4' 'Trustpool3' 'Trustpool2' 'Trustpool1' 'Trustpool' 'GoryealCA'Dec 15 20:16:02.938: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpointsDec 15 20:16:02.938: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSEDDec 15 20:16:02.938: IKEv2:(SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),Num. 
transforms: 3 AES-CBC SHA96 Don't use ESNDec 15 20:16:02.938: IKEv2:(SA ID = 1):Building packet for encryption.Payload contents: VID Next payload: IDi, reserved: 0x0, length: 20 IDi Next payload: CERT, reserved: 0x0, length: 12 Id type: IPv4 address, Reserved: 0x0 0x0 CERT Next payload: CERTREQ, reserved: 0x0, length: 525 Cert encoding X.509 Certificate - signature CERTREQ Next payload: NOTIFY, reserved: 0x0, length: 125 Cert encoding Hash and URL of PKIX NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED) Next payload: AUTH, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: HTTP_CERT_LOOKUP_SUPPORTED AUTH Next payload: CFG, reserved: 0x0, length: 136 Auth method RSA, reserved: 0x0, reserved 0x0 CFG Next payload: SA, reserved: 0x0, length: 317 cfg type: CFG_REQUEST, reserved: 0x0, reserved: 0x0Dec 15 20:16:02.938: attrib type: internal IP4 DNS, length: 0Dec 15 20:16:02.938: attrib type: internal IP4 DNS, length: 0Dec 15 20:16:02.938: attrib type: internal IP4 NBNS, length: 0Dec 15 20:16:02.938: attrib type: internal IP4 NBNS, length: 0Dec 15 20:16:02.938: attrib type: internal IP4 subnet, length: 0Dec 15 20:16:02.938: attrib type: internal IP6 DNS, length: 0Dec 15 20:16:02.938: attrib type: internal IP6 subnet, length: 0Dec 15 20:16:02.938: attrib type: application version, length: 257 attrib type: Unknown - 28675, length: 0Dec 15 20:16:02.938: attrib type: Unknown - 28672, length: 0Dec 15 20:16:02.938: attrib type: Unknown - 28692, length: 0Dec 15 20:16:02.938: attrib type: Unknown - 28681, length: 0Dec 15 20:16:02.938: attrib type: Unknown - 28674, length: 0Dec 15 20:16:02.938: SA Next payload: TSi, reserved: 0x0, length: 44 last proposal: 0x0, reserved: 0x0, length: 40 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: 
Don't use ESN TSi Next payload: TSr, reserved: 0x0, length: 40 Num of TSs: 2, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16 start port: 0, end port: 65535 start addr: 10.10.10.2, end addr: 10.10.10.2 TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16 start port: 0, end port: 65535 start addr: 10.10.10.2, end addr: 10.10.10.2 TSr Next payload: NOTIFY, reserved: 0x0, length: 40 Num of TSs: 2, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16 start port: 0, end port: 65535 start addr: 100.100.100.2, end addr: 100.100.100.2 TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16 start port: 0, end port: 65535 start addr: 100.100.100.2, end addr: 100.100.100.2 NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT NOTIFY(USE_TRANSPORT_MODE) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: USE_TRANSPORT_MODE NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12 Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGSDec 15 20:16:02.938: IKEv2:(SA ID = 1):Sending Packet [To 100.100.100.2:500/From 10.10.10.2:500/VRF i0:f0]Initiator SPI : 1D8625DFB9698916 - Responder SPI : 4C01BF4D81E8D29D Message id: 1IKEv2 IKE_AUTH Exchange REQUESTDec 15 20:16:02.938: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 1392Payload contents: ENCR Next payload: VID, reserved: 0x0, length: 1364Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Received Packet [From 100.100.100.2:500/To 10.10.10.2:500/VRF i0:f0]Initiator SPI : 1D8625DFB9698916 - Responder SPI : 
4C01BF4D81E8D29D Message id: 1IKEv2 IKE_AUTH Exchange RESPONSEDec 15 20:16:02.954: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 912Payload contents: VID Next payload: IDr, reserved: 0x0, length: 20 IDr Next payload: CERT, reserved: 0x0, length: 12 Id type: IPv4 address, Reserved: 0x0 0x0 CERT Next payload: AUTH, reserved: 0x0, length: 525 Cert encoding X.509 Certificate - signature AUTH Next payload: SA, reserved: 0x0, length: 136 Auth method RSA, reserved: 0x0, reserved 0x0 SA Next payload: TSi, reserved: 0x0, length: 44 last proposal: 0x0, reserved: 0x0, length: 40 Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 5, reserved: 0x0, id: Don't use ESN TSi Next payload: TSr, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16 start port: 0, end port: 65535 start addr: 10.10.10.2, end addr: 10.10.10.2 TSr Next payload: NOTIFY, reserved: 0x0, length: 24 Num of TSs: 1, reserved 0x0, reserved 0x0 TS type: TS_IPV4_ADDR_RANGE, proto id: 47, length: 16 start port: 0, end port: 65535 start addr: 100.100.100.2, end addr: 100.100.100.2 NOTIFY(USE_TRANSPORT_MODE) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: USE_TRANSPORT_MODE NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12 Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8 Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGSDec 15 20:16:02.954: IKEv2:(SA ID = 
1):Process auth response notifyDec 15 20:16:02.954: IKEv2:(SA ID = 1):Searching policy based on peer's identity '100.100.100.2' of type 'IPv4 address'Dec 15 20:16:02.954: IKEv2:Searching Policy with fvrf 0, local address 10.10.10.2Dec 15 20:16:02.954: IKEv2:Using the Default Policy for ProposalDec 15 20:16:02.954: IKEv2:Found Policy 'default'Dec 15 20:16:02.954: IKEv2:(SA ID = 1):Verify peer's policyDec 15 20:16:02.954: IKEv2:(SA ID = 1):Peer's policy verifiedDec 15 20:16:02.954: IKEv2:(SA ID = 1):Get peer's authentication methodDec 15 20:16:02.954: IKEv2:(SA ID = 1):Peer's authentication method is 'RSA'Dec 15 20:16:02.954: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Validating certificate chainDec 15 20:16:02.962: IKEv2:(SA ID = 1):[PKI -> IKEv2] Validation of certificate chain PASSEDDec 15 20:16:02.962: IKEv2:(SA ID = 1):Save pubkeyDec 15 20:16:02.962: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 100.100.100.2 (type 1) and certificate addr withDec 15 20:16:02.962: %CRYPTO-6-IKMP_NO_ID_CERT_ADDR_MATCH: ID of 100.100.100.2 (type 1) and certificate addr withDec 15 20:16:02.963: IKEv2:(SA ID = 1):Verify peer's authentication dataDec 15 20:16:02.963: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication dataDec 15 20:16:02.963: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSEDDec 15 20:16:02.963: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Verify signed authenticaiton dataDec 15 20:16:02.963: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] Verification of signed authentication data PASSEDDec 15 20:16:02.963: IKEv2:(SA ID = 1):Check for EAP exchangeDec 15 20:16:02.963: IKEv2:(SA ID = 1):Processing IKE_AUTH messageDec 15 20:16:02.963: IKEv2:KMI/verify policy/sending to IPSec: prot: 3 txfm: 12 hmac 2 flags 8178 keysize 128 IDB 0x0Dec 15 20:16:02.963: IPSEC(validate_proposal_request): proposal part #1Dec 15 20:16:02.963: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) 
INBOUND local= 10.10.10.2:0, remote= 100.100.100.2:0, local_proxy= 10.10.10.2/255.255.255.255/47/0, remote_proxy= 100.100.100.2/255.255.255.255/47/0, protocol= ESP, transform= NONE (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0Dec 15 20:16:02.963: Crypto mapdb : proxy_match src addr : 10.10.10.2 dst addr : 100.100.100.2 protocol : 47 src port : 0 dst port : 0Dec 15 20:16:02.963: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI SessionDec 15 20:16:02.963: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSEDDec 15 20:16:02.963: IKEv2:(SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) startedDec 15 20:16:02.963: IKEv2:(SA ID = 1):Session with IKE ID PAIR (100.100.100.2, 10.10.10.2) is UPDec 15 20:16:02.963: IKEv2:IKEv2 MIB tunnel started, tunnel index 1Dec 15 20:16:02.963: IKEv2:(SA ID = 1):Load IPSEC key materialDec 15 20:16:02.963: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec databaseDec 15 20:16:02.963: IKEv2:(SA ID = 1):Asynchronous request queuedDec 15 20:16:02.963: IKEv2:(SA ID = 1):Dec 15 20:16:02.963: IPSEC(key_engine): got a queue event with 1 KMI message(s)Dec 15 20:16:02.963: Crypto mapdb : proxy_match src addr : 10.10.10.2 dst addr : 100.100.100.2 protocol : 47 src port : 0 dst port : 0Dec 15 20:16:02.963: IPSEC(crypto_ipsec_create_ipsec_sas): Map found Tunnel10-head-0Dec 15 20:16:02.963: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 100.100.100.2Dec 15 20:16:02.963: IPSEC(create_sa): sa created, (sa) sa_dest= 10.10.10.2, sa_proto= 50, sa_spi= 0x981DDC21(2552093729), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 40 sa_lifetime(k/sec)= (4608000/3600)Dec 15 20:16:02.963: IPSEC(create_sa): sa created, (sa) sa_dest= 100.100.100.2, sa_proto= 50, sa_spi= 0x3489BCF1(881442033), sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 39 sa_lifetime(k/sec)= (4608000/3600)Dec 15 20:16:02.963: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA 
into IPsec database PASSEDDec 15 20:16:02.963: IKEv2:(SA ID = 1):Checking for duplicate IKEv2 SADec 15 20:16:02.963: IKEv2:(SA ID = 1):No duplicate IKEv2 SA foundDec 15 20:16:02.963: IPSEC: Expand action denied, notify RP.!!!!SITE-TO-SITE VPN USING FLEX VPN SMART DEFAULT CONFIGURATION (PSK AUTH)The configuration below shows a configured Site-to-Site VPN using flex VPN smart default configuration with the use of Pre-shared Key (PSK) authentication. We assume a valid route to remote public IP exit on both R1 and R2. For the creation of site -to-site VPN using smart default configuration, only the following steps are requiredCreate and configure a crypto ikev2 keyringCreate and configure a crypto ikev2 profile called default Create and configure a tunnel interfaceCreate a static route to remote local subnet via the tunnel R1 CONFIGURATION!crypto ikev2 keyring mykey peer R2 address 10.10.10.2 pre-shared-key cisco123 !crypto ikev2 profile default match identity remote address 10.10.10.2 255.255.255.255 authentication remote pre-share authentication local pre-share keyring local mykey!interface Tunnel10 ip address 200.200.200.1 255.255.255.0 tunnel source Ethernet0/0 tunnel destination 10.10.10.2 tunnel protection ipsec profile default!ip route 2.2.2.2 255.255.255.255 Tunnel10!interface Ethernet0/0 ip address 100.100.100.2 255.255.255.0interface Loopback1 ip address 1.1.1.1 255.255.255.0!R2 CONFIGURATION!crypto ikev2 keyring mykey peer R1 address 100.100.100.2 pre-shared-key cisco123 !crypto ikev2 profile default match identity remote address 100.100.100.2 255.255.255.255 authentication remote pre-share authentication local pre-share keyring local mykey!interface Tunnel10 ip address 200.200.200.2 255.255.255.0 tunnel source Ethernet0/0 tunnel destination 100.100.100.2 tunnel protection ipsec profile default!ip route 1.1.1.1 255.255.255.255 Tunnel10!interface Ethernet0/0 ip address 10.10.10.2 255.255.255.0 !interface Loopback1 ip address 2.2.2.2 255.255.255.0GORI 
DAWODUgdawodu@CISCO TAC VPN, SAN JOSE ................
................
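The debug above shows the initiator offering the whole smart-default proposal (15 transforms, including MD5 and DH group 2) and the responder answering with the four it selected. As an added example that is not part of the original post, the Python below parses that IKE_SA_INIT portion of a `debug crypto ikev2` capture, cross-checks the transform count against the advertised `#trans`, reports what the responder actually chose, and flags transforms an administrator may want to remove from the proposal. The weak-transform table is this example's own assumption, not a rule stated on the page, and the sample debug text is constructed in the format shown above.

```python
import re
# IKEv2 transform type numbers (RFC 7296 section 3.3.2).
TRANSFORM_TYPES = {"1": "ENCR", "2": "PRF", "3": "INTEG", "4": "DH"}

# Which smart-default ids to flag: this example's assumption, not a rule stated on the page.
WEAK_IDS = {"MD5": "MD5 PRF is deprecated", "MD596": "HMAC-MD5-96 integrity is deprecated",
            "DH_GROUP_1024_MODP/Group 2": "1024-bit MODP is below current guidance",
            "DH_GROUP_1536_MODP/Group 5": "1536-bit MODP is below current guidance"}

# These patterns accept line-broken debug output and the run-together text as extracted above.
EXCHANGE_RE = re.compile(r"IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")
IKE_PROPOSAL_RE = re.compile(r"Protocol id: IKE, SPI size: 0, #trans: (\d+)(.*?)(?=\bKE\s+Next payload|\Z)", re.DOTALL)
TRANSFORM_RE = re.compile(r"type: (\d), reserved: 0x[0-9a-fA-F]+, id: (.+?)(?= last transform| type: \d|\s*$)", re.MULTILINE)

def parse_ike_sa_init(debug_text):
    """Map 'REQUEST'/'RESPONSE' to {transform type: [ids]} read from the IKE SA payload."""
    parts = EXCHANGE_RE.split(debug_text)  # [preamble, exchange, direction, body, exchange, ...]
    result = {}
    for exchange, direction, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        prop = IKE_PROPOSAL_RE.search(body) if exchange == "IKE_SA_INIT" else None
        if prop is None:
            continue
        found = TRANSFORM_RE.findall(prop.group(2))
        if len(found) != int(prop.group(1)):  # cross-check against the advertised #trans
            raise ValueError("expected %s transforms, parsed %d" % (prop.group(1), len(found)))
        offered = result.setdefault(direction, {})
        for ttype, tid in found:
            offered.setdefault(TRANSFORM_TYPES[ttype], []).append(tid)
    return result

def negotiated(parsed):  # the responder's one id per type: what the IKE SA actually runs with
    return {t: ids[0] for t, ids in parsed.get("RESPONSE", {}).items()}

def weak_findings(parsed):
    """Weak ids that were offered (downgrade exposure) or selected (active weakness)."""
    return [(stage, ttype, tid, WEAK_IDS[tid]) for stage in ("REQUEST", "RESPONSE")
            for ttype, ids in parsed.get(stage, {}).items() for tid in ids if tid in WEAK_IDS]

# Constructed sample, abridged to the two SA payloads in the format of the debug above.
SAMPLE_DEBUG = """\
IKEv2 IKE_SA_INIT Exchange REQUEST
   Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 15
    type: 1, reserved: 0x0, id: AES-CBC
    type: 1, reserved: 0x0, id: AES-CBC
    type: 1, reserved: 0x0, id: AES-CBC
    type: 2, reserved: 0x0, id: SHA512
    type: 2, reserved: 0x0, id: SHA384
    type: 2, reserved: 0x0, id: SHA256
    type: 2, reserved: 0x0, id: SHA1
    type: 2, reserved: 0x0, id: MD5
    type: 3, reserved: 0x0, id: SHA512
    type: 3, reserved: 0x0, id: SHA384
    type: 3, reserved: 0x0, id: SHA256
    type: 3, reserved: 0x0, id: SHA96
    type: 3, reserved: 0x0, id: MD596
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
    type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
IKEv2 IKE_SA_INIT Exchange RESPONSE
   Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
    type: 1, reserved: 0x0, id: AES-CBC
    type: 2, reserved: 0x0, id: SHA512
    type: 3, reserved: 0x0, id: SHA512
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
"""
```

The patterns tolerate the run-together form as well, so a debug capture pasted straight from a terminal or from this page can be fed to `parse_ike_sa_init` unchanged; a `REQUEST` finding means the router still offers the transform, a `RESPONSE` finding means the live IKE SA depends on it.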
