Basic IKEv2 Site-to-Site VPN

Here is probably the most basic example of IKEv2 Site-to-Site (LAN-to-LAN) VPN between two routers called BRANCH-A and R5:

BRANCH-A:

ip access-list extended VPN
  permit ip host 1.1.1.1 host 2.2.2.2

crypto ikev2 profile VPN-TO-R5
  match identity remote address 172.16.198.35 255.255.255.255
  identity local address 192.168.231.6
  authentication remote pre-share key R5-PSK
  authentication local pre-share key Branch-A-PSK

crypto map VPN-CM 10 ipsec-isakmp
  set peer 172.16.198.35
  set ikev2-profile VPN-TO-R5
  match address VPN

interface Loopback0
  ip address 1.1.1.1 255.255.255.255

interface Ethernet0/1
  ip address 192.168.231.6 255.255.255.0
  crypto map VPN-CM

R5:

ip access-list extended VPN
  permit ip host 2.2.2.2 host 1.1.1.1

crypto ikev2 profile VPN-TO-BRANCH-A
  match identity remote address 192.168.231.6 255.255.255.255
  identity local address 172.16.198.35
  authentication remote pre-share key Branch-A-PSK
  authentication local pre-share key R5-PSK

crypto map VPN-CM 10 ipsec-isakmp
  set peer 192.168.231.6
  set ikev2-profile VPN-TO-BRANCH-A
  match address VPN

interface Loopback0
  ip address 2.2.2.2 255.255.255.255

interface Ethernet0/0
  ip address 172.16.198.35 255.255.255.248
  crypto map VPN-CM

The routing part is omitted. 192.168.231.6 and 172.16.198.35 should be mutually reachable.


IKEv2 Profile

Here you have to specify three things:

The remote peer identity to match the profile, so that when you get a message from the peer that presents this identity, this particular IKEv2 profile gets applied. In this case I use the peer IP address as the identity:

crypto ikev2 profile VPN-TO-R5
  match identity remote address 172.16.198.35 255.255.255.255

Your own identity (how you present yourself to remote peer):

  identity local address 192.168.231.6

Authentication methods (in my case along with the authentication data): these are the methods you are able to perform and the methods you expect the remote peer to perform. Note that authentication in IKEv2 is asymmetric by default: you may authenticate your remote peer using one method while the remote peer authenticates you with another one. In this case I used pre-shared keys both ways and specified the keys:

  authentication remote pre-share key R5-PSK
  authentication local pre-share key Branch-A-PSK

Crypto Map

Here you have to set the remote peer IP address:

crypto map VPN-CM 10 ipsec-isakmp
  set peer 172.16.198.35

The IKEv2 profile:

  set ikev2-profile VPN-TO-R5

and an ACL to select interesting traffic:

  match address VPN
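The profile and crypto map on one router only work if they mirror what the other router says about itself: the address in "set peer" and "match identity remote" must be the peer's "identity local", the key in "authentication remote" must be the peer's "authentication local" key, and the two ACLs must be mirror images. The following Python script, added here as an illustration and not part of the original post, parses both configs from above (embedded as constructed input) and reports every place the mirror is broken. It also reports the length of each local PSK, which is the "key len N" value the IKEv2 debug prints during authentication. The single-profile regexes and the field names are my own assumptions about the config layout.

```python
import re

# Constructed input: the two router configs from the post, reduced to the
# lines this check reads (ACL, IKEv2 profile, crypto map).
BRANCH_A_CONFIG = """
ip access-list extended VPN
 permit ip host 1.1.1.1 host 2.2.2.2
crypto ikev2 profile VPN-TO-R5
 match identity remote address 172.16.198.35 255.255.255.255
 identity local address 192.168.231.6
 authentication remote pre-share key R5-PSK
 authentication local pre-share key Branch-A-PSK
crypto map VPN-CM 10 ipsec-isakmp
 set peer 172.16.198.35
 set ikev2-profile VPN-TO-R5
 match address VPN
"""

R5_CONFIG = """
ip access-list extended VPN
 permit ip host 2.2.2.2 host 1.1.1.1
crypto ikev2 profile VPN-TO-BRANCH-A
 match identity remote address 192.168.231.6 255.255.255.255
 identity local address 172.16.198.35
 authentication remote pre-share key Branch-A-PSK
 authentication local pre-share key R5-PSK
crypto map VPN-CM 10 ipsec-isakmp
 set peer 192.168.231.6
 set ikev2-profile VPN-TO-BRANCH-A
 match address VPN
"""

# One regex per field; only the first match is used, which is enough for a
# single-profile, single-crypto-map-entry config like the one above (assumption).
FIELDS = {
    "profile_name": r"^crypto ikev2 profile (\S+)",
    "remote_id": r"match identity remote address (\S+)",
    "local_id": r"identity local address (\S+)",
    "remote_key": r"authentication remote pre-share key (\S+)",
    "local_key": r"authentication local pre-share key (\S+)",
    "peer": r"set peer (\S+)",
    "profile_ref": r"set ikev2-profile (\S+)",
}


def parse_side(config):
    """Pull the fields the mirror check needs out of one router's config."""
    side = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, config, re.MULTILINE)
        side[name] = m.group(1) if m else None
    m = re.search(r"permit ip host (\S+) host (\S+)", config)
    side["acl"] = (m.group(1), m.group(2)) if m else None
    return side


def check_direction(name_a, a, name_b, b):
    """Check that everything A says about B matches what B says about itself."""
    problems = []
    if a["profile_ref"] != a["profile_name"]:
        problems.append(f"{name_a}: crypto map references profile {a['profile_ref']} "
                        f"but the profile is named {a['profile_name']}")
    if a["peer"] != b["local_id"]:
        problems.append(f"{name_a}: set peer {a['peer']} != {name_b} identity {b['local_id']}")
    if a["remote_id"] != b["local_id"]:
        problems.append(f"{name_a}: match identity remote {a['remote_id']} != "
                        f"{name_b} identity {b['local_id']}")
    if a["remote_key"] != b["local_key"]:
        problems.append(f"{name_a}: 'authentication remote' key does not match "
                        f"{name_b} 'authentication local' key")
    if a["acl"] and b["acl"] and a["acl"] != (b["acl"][1], b["acl"][0]):
        problems.append(f"{name_a}: ACL {a['acl']} is not the mirror of {name_b} ACL {b['acl']}")
    return problems


def check_pair(cfg_a, cfg_b, name_a="BRANCH-A", name_b="R5"):
    """Run the mirror check in both directions; an empty list means the configs agree."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    return check_direction(name_a, a, name_b, b) + check_direction(name_b, b, name_a, a)


def local_psk_length(config):
    """(local identity, length of the local PSK): the debug prints this as 'key len N'."""
    side = parse_side(config)
    return side["local_id"], len(side["local_key"])


if __name__ == "__main__":
    for line in check_pair(BRANCH_A_CONFIG, R5_CONFIG) or ["configs mirror each other"]:
        print(line)
    print(local_psk_length(BRANCH_A_CONFIG), local_psk_length(R5_CONFIG))
```

For the configs on this page the check returns no problems, and the key lengths come out as 12 for 192.168.231.6 (Branch-A-PSK) and 6 for 172.16.198.35 (R5-PSK), which are exactly the "key len 12" and "key len 6" values in the debug output later in the post. Changing one character of a key on either side produces a single "key does not match" finding, which is the typical cause of an IKE_AUTH failure that otherwise only shows up as a verification error in the debug.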

Verifying

With the following debugs enabled on both routers:

debug crypto ikev2

debug crypto ipsec

Trying to generate interesting traffic:

BRANCH-A#ping 2.2.2.2 source 1.1.1.1

And here it goes:

BRANCH-A:

*May 5 19:00:36.318: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 192.168.231.6:500, remote= 172.16.198.35:500,
local_proxy= 1.1.1.1/255.255.255.255/256/0,
remote_proxy= 2.2.2.2/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*May 5 19:00:36.318: IKEv2:Searching Policy with fvrf 0, local address 192.168.231.6
*May 5 19:00:36.318: IKEv2:Using the Default Policy for Proposal
*May 5 19:00:36.318: IKEv2:Found Policy 'default'
*May 5 19:00:36.318: IKEv2:(SESSION ID = 2,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*May 5 19:00:36.318: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 5 19:00:36.318: IKEv2:(SESSION ID = 2,SA ID = 1):Request queued for computation of DH key
*May 5 19:00:36.318: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*May 5 19:00:36.318: IKEv2:(SESSION ID = 2,SA ID = 1):Generating IKE_SA_INIT message
*May 5 19:00:36.318: IKEv2:(SESSION ID = 2,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 15
AES-CBC AES-CBC AES-CBC SHA512 SHA384 SHA256 SHA1 MD5 SHA512 SHA384 SHA256 SHA96 MD596 DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

*May 5 19:00:36.318: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 172.16.198.35:500/From 192.168.231.6:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*May 5 19:00:36.319: IKEv2:(SESSION ID = 2,SA ID = 1):Insert SA

An IKE_SA_INIT message is sent to R5:

[capture image: ikev2-2]

R5:

*May 5 19:00:36.320: IKEv2:Received Packet [From 192.168.231.6:500/To 172.16.198.35:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*May 5 19:00:36.320: IKEv2:(SESSION ID = 16,SA ID = 1):Verify SA init message
*May 5 19:00:36.320: IKEv2:(SESSION ID = 16,SA ID = 1):Insert SA
*May 5 19:00:36.320: IKEv2:Searching Policy with fvrf 0, local address 172.16.198.35
*May 5 19:00:36.320: IKEv2:Using the Default Policy for Proposal
*May 5 19:00:36.320: IKEv2:Found Policy 'default'
*May 5 19:00:36.320: IKEv2:(SESSION ID = 16,SA ID = 1):Processing IKE_SA_INIT message
*May 5 19:00:36.320: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*May 5 19:00:36.320: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*May 5 19:00:36.320: IKEv2:Failed to retrieve Certificate Issuer list
*May 5 19:00:36.320: IKEv2:(SESSION ID = 16,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*May 5 19:00:36.320: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 5 19:00:36.320: IKEv2:(SESSION ID = 16,SA ID = 1):Request queued for computation of DH key
*May 5 19:00:36.320: IKEv2:(SESSION ID = 16,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*May 5 19:00:36.331: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 5 19:00:36.331: IKEv2:(SESSION ID = 16,SA ID = 1):Request queued for computation of DH secret
*May 5 19:00:36.331: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*May 5 19:00:36.331: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*May 5 19:00:36.331: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*May 5 19:00:36.331: IKEv2:(SESSION ID = 16,SA ID = 1):Generating IKE_SA_INIT message
*May 5 19:00:36.331: IKEv2:(SESSION ID = 16,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
*May 5 19:00:36.331: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*May 5 19:00:36.331: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): NONE
*May 5 19:00:36.331: IKEv2:Failed to retrieve Certificate Issuer list

*May 5 19:00:36.331: IKEv2:(SESSION ID = 16,SA ID = 1):Sending Packet [To 192.168.231.6:500/From 172.16.198.35:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 74741B9AAD85D582 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*May 5 19:00:36.332: IKEv2:(SESSION ID = 16,SA ID = 1):Completed SA init exchange
*May 5 19:00:36.332: IKEv2:(SESSION ID = 16,SA ID = 1):Starting timer (30 sec) to wait for auth message

R5 responds with IKE_SA_INIT RESPONSE:

[capture image: ikev2-3]

BRANCH-A:

*May 5 19:00:36.333: IKEv2:(SESSION ID = 2,SA ID = 1):Received Packet [From 172.16.198.35:500/To 192.168.231.6:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 74741B9AAD85D582 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*May 5 19:00:36.333: IKEv2:(SESSION ID = 2,SA ID = 1):Processing IKE_SA_INIT message
*May 5 19:00:36.333: IKEv2:(SESSION ID = 2,SA ID = 1):Verify SA init message
*May 5 19:00:36.333: IKEv2:(SESSION ID = 2,SA ID = 1):Processing IKE_SA_INIT message
*May 5 19:00:36.333: IKEv2:(SESSION ID = 2,SA ID = 1):Checking NAT discovery
*May 5 19:00:36.333: IKEv2:(SESSION ID = 2,SA ID = 1):NAT not found
*May 5 19:00:36.333: IKEv2:(SESSION ID = 2,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
*May 5 19:00:36.343: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*May 5 19:00:36.343: IKEv2:(SESSION ID = 2,SA ID = 1):Request queued for computation of DH secret
*May 5 19:00:36.344: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*May 5 19:00:36.344: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Completed SA init exchange
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Check for EAP exchange
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Generate my authentication data
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Use preshared key for id 192.168.231.6, key len 12
*May 5 19:00:36.344: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 5 19:00:36.344: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Get my authentication method
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):My authentication method is 'PSK'
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Check for EAP exchange
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Generating IKE_AUTH message
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Constructing IDi payload: '192.168.231.6' of type 'IPv4 address'
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 172.16.198.35:500/From 192.168.231.6:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 74741B9AAD85D582 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

BRANCH-A sends IKEv2 AUTH REQUEST:

[capture image: ikev2-4]

R5:

*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Received Packet [From 192.168.231.6:500/To 172.16.198.35:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 74741B9AAD85D582 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Stopping timer to wait for auth message
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Checking NAT discovery
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):NAT not found
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Searching policy based on peer's identity '192.168.231.6' of type 'IPv4 address'
*May 5 19:00:36.346: IKEv2:found matching IKEv2 profile 'VPN-TO-BRANCH-A'
*May 5 19:00:36.346: IKEv2:Searching Policy with fvrf 0, local address 172.16.198.35
*May 5 19:00:36.346: IKEv2:Using the Default Policy for Proposal
*May 5 19:00:36.346: IKEv2:Found Policy 'default'
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Verify peer's policy
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Peer's policy verified
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Get peer's authentication method
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Peer's authentication method is 'PSK'
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Get peer's preshared key for 192.168.231.6
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Verify peer's authentication data
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Use preshared key for id 192.168.231.6, key len 12
*May 5 19:00:36.346: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 5 19:00:36.346: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Verification of peer's authenctication data PASSED
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Processing INITIAL_CONTACT
*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):Processing IKE_AUTH message
*May 5 19:00:36.346: IKEv2:IPSec policy validate request sent for profile VPN-TO-BRANCH-A with psh index 1.

*May 5 19:00:36.346: IKEv2:(SESSION ID = 16,SA ID = 1):
*May 5 19:00:36.346: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 5 19:00:36.346: IPSEC(validate_proposal_request): proposal part #1
*May 5 19:00:36.346: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 172.16.198.35:0, remote= 192.168.231.6:0,
local_proxy= 2.2.2.2/255.255.255.255/256/0,
remote_proxy= 1.1.1.1/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*May 5 19:00:36.346: Crypto mapdb : proxy_match
src addr : 2.2.2.2
dst addr : 1.1.1.1
protocol : 0
src port : 0
dst port : 0
*May 5 19:00:36.347: (ipsec_process_proposal)Map Accepted: VPN-CM, 10
*May 5 19:00:36.347: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Get my authentication method
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):My authentication method is 'PSK'
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Get peer's preshared key for 192.168.231.6
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Generate my authentication data
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Use preshared key for id 172.16.198.35, key len 6
*May 5 19:00:36.351: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 5 19:00:36.351: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Get my authentication method
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):My authentication method is 'PSK'
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Generating IKE_AUTH message
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Constructing IDr payload: '172.16.198.35' of type 'IPv4 address'
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Sending Packet [To 192.168.231.6:500/From 172.16.198.35:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 74741B9AAD85D582 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

R5 responds:

[capture image: ikev2-5]

and creates the Security Association:

*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Session with IKE ID PAIR (192.168.231.6, 172.16.198.35) is UP
*May 5 19:00:36.351: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*May 5 19:00:36.351: IKEv2:(SESSION ID = 16,SA ID = 1):Load IPSEC key material
*May 5 19:00:36.351: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*May 5 19:00:36.351: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 5 19:00:36.351: Crypto mapdb : proxy_match
src addr : 2.2.2.2
dst addr : 1.1.1.1
protocol : 256
src port : 0
dst port : 0
*May 5 19:00:36.351: IPSEC:(SESSION ID = 16) (crypto_ipsec_create_ipsec_sas) Map found VPN-CM, 10
*May 5 19:00:36.352: IPSEC:(SESSION ID = 16) (create_sa) sa created,
(sa) sa_dest= 172.16.198.35, sa_proto= 50,
sa_spi= 0xB0DF64D5(2967430357),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 9
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 172.16.198.35:0, remote= 192.168.231.6:0,
local_proxy= 2.2.2.2/255.255.255.255/256/0,
remote_proxy= 1.1.1.1/255.255.255.255/256/0
*May 5 19:00:36.352: IPSEC:(SESSION ID = 16) (create_sa) sa created,
(sa) sa_dest= 192.168.231.6, sa_proto= 50,
sa_spi= 0x4EDBBD5D(1323023709),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 10
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 172.16.198.35:0, remote= 192.168.231.6:0,
local_proxy= 2.2.2.2/255.255.255.255/256/0,
remote_proxy= 1.1.1.1/255.255.255.255/256/0
*May 5 19:00:36.352: IPSEC: Expand action denied, notify RP
*May 5 19:00:36.352: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*May 5 19:00:36.352: IKEv2:(SESSION ID = 16,SA ID = 1):Checking for duplicate IKEv2 SA
R5#
*May 5 19:00:36.352: IKEv2:(SESSION ID = 16,SA ID = 1):No duplicate IKEv2 SA found
*May 5 19:00:36.352: IKEv2:(SESSION ID = 16,SA ID = 1):Starting timer (8 sec) to delete negotiation context

BRANCH-A processes the IKEv2 AUTH RESPONSE from R5 and creates the SA as well:

*May 5 19:00:36.352: IKEv2:(SESSION ID = 2,SA ID = 1):Received Packet [From 172.16.198.35:500/To 192.168.231.6:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 74741B9AAD85D582 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*May 5 19:00:36.352: IKEv2:(SESSION ID = 2,SA ID = 1):Process auth response notify
*May 5 19:00:36.352: IKEv2:(SESSION ID = 2,SA ID = 1):Searching policy based on peer's identity '172.16.198.35' of type 'IPv4 address'
*May 5 19:00:36.352: IKEv2:Searching Policy with fvrf 0, local address 192.168.231.6
*May 5 19:00:36.352: IKEv2:Using the Default Policy for Proposal
*May 5 19:00:36.352: IKEv2:Found Policy 'default'
*May 5 19:00:36.352: IKEv2:(SESSION ID = 2,SA ID = 1):Verify peer's policy
*May 5 19:00:36.352: IKEv2:(SESSION ID = 2,SA ID = 1):Peer's policy verified
*May 5 19:00:36.353: IKEv2:(SESSION ID = 2,SA ID = 1):Get peer's authentication method
*May 5 19:00:36.353: IKEv2:(SESSION ID = 2,SA ID = 1):Peer's authentication method is 'PSK'
*May 5 19:00:36.353: IKEv2:(SESSION ID = 2,SA ID = 1):Get peer's preshared key for 172.16.198.35
*May 5 19:00:36.353: IKEv2:(SESSION ID = 2,SA ID = 1):Verify peer's authentication data
*May 5 19:00:36.353: IKEv2:(SESSION ID = 2,SA ID = 1):Use preshared key for id 172.16.198.35, key len 6
*May 5 19:00:36.353: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*May 5 19:00:36.353: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*May 5 19:00:36.353: IKEv2:(SESSION ID = 2,SA ID = 1):Verification of peer's authenctication data PASSED
*May 5 19:00:36.353: IKEv2:(SESSION ID = 2,SA ID = 1):Check for EAP exchange
*May 5 19:00:36.353: IKEv2:(SESSION ID = 2,SA ID = 1):Processing IKE_AUTH message
*May 5 19:00:36.353: IKEv2:IPSec policy validate request sent for profile VPN-TO-R5 with psh index 1.

*May 5 19:00:36.353: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 5 19:00:36.353: IPSEC(validate_proposal_request): proposal part #1
*May 5 19:00:36.353: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 192.168.231.6:0, remote= 172.16.198.35:0,
local_proxy= 1.1.1.1/255.255.255.255/256/0,
remote_proxy= 2.2.2.2/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*May 5 19:00:36.353: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 0
src port : 0
dst port : 0
*May 5 19:00:36.353: (ipsec_process_proposal)Map Accepted: VPN-CM, 10
*May 5 19:00:36.353: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

*May 5 19:00:36.357: IKEv2:(SESSION ID = 2,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*May 5 19:00:36.357: IKEv2:(SESSION ID = 2,SA ID = 1):Session with IKE ID PAIR (172.16.198.35, 192.168.231.6) is UP
*May 5 19:00:36.357: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*May 5 19:00:36.357: IKEv2:(SESSION ID = 2,SA ID = 1):Load IPSEC key material
*May 5 19:00:36.357: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*May 5 19:00:36.357: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*May 5 19:00:36.357: Crypto mapdb : proxy_match
src addr : 1.1.1.1
dst addr : 2.2.2.2
protocol : 256
src port : 0
dst port : 0
*May 5 19:00:36.357: IPSEC:(SESSION ID = 2) (crypto_ipsec_create_ipsec_sas) Map found VPN-CM, 10
*May 5 19:00:36.357: IPSEC:(SESSION ID = 2) (create_sa) sa created,
(sa) sa_dest= 192.168.231.6, sa_proto= 50,
sa_spi= 0x4EDBBD5D(1323023709),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 10
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 192.168.231.6:0, remote= 172.16.198.35:0,
local_proxy= 1.1.1.1/255.255.255.255/256/0,
remote_proxy= 2.2.2.2/255.255.255.255/256/0
*May 5 19:00:36.357: IPSEC:(SESSION ID = 2) (create_sa) sa created,
(sa) sa_dest= 172.16.198.35, sa_proto= 50,
sa_spi= 0xB0DF64D5(2967430357),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 9
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 192.168.231.6:0, remote= 172.16.198.35:0,
local_proxy= 1.1.1.1/255.255.255.255/256/0,
remote_proxy= 2.2.2.2/255.255.255.255/256/0
*May 5 19:00:36.358: IPSEC: Expand action denied, notify RP
*May 5 19:00:36.358: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*May 5 19:00:36.358: IKEv2:(SESSION ID = 2,SA ID = 1):Checking for duplicate IKEv2 SA
*May 5 19:00:36.358: IKEv2:(SESSION ID = 2,SA ID = 1):No duplicate IKEv2 SA found
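The debug output above is long, but the four "Sending Packet" / "Received Packet" blocks are the whole handshake: two IKE_SA_INIT messages with message id 0 and two IKE_AUTH messages with message id 1, all sharing one initiator SPI, with the responder SPI zero in the first message and fixed from the response onward. The following Python script is an added example (not from the original post): it parses those packet blocks out of a "debug crypto ikev2" log, using BRANCH-A's four headers from above as constructed input, and checks the sequence, the SPIs and that the IKE_AUTH request left the router encrypted. The regexes and the expected-sequence table are my assumptions about the debug format shown on this page.

```python
import re

# Constructed input: the four packet headers BRANCH-A's "debug crypto ikev2"
# printed for this tunnel, copied from the post; unrelated debug lines dropped.
BRANCH_A_DEBUG = """\
*May 5 19:00:36.318: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 172.16.198.35:500/From 192.168.231.6:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*May 5 19:00:36.319: IKEv2:(SESSION ID = 2,SA ID = 1):Insert SA
*May 5 19:00:36.333: IKEv2:(SESSION ID = 2,SA ID = 1):Received Packet [From 172.16.198.35:500/To 192.168.231.6:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 74741B9AAD85D582 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*May 5 19:00:36.333: IKEv2:(SESSION ID = 2,SA ID = 1):NAT not found
*May 5 19:00:36.344: IKEv2:(SESSION ID = 2,SA ID = 1):Sending Packet [To 172.16.198.35:500/From 192.168.231.6:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 74741B9AAD85D582 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR

*May 5 19:00:36.352: IKEv2:(SESSION ID = 2,SA ID = 1):Received Packet [From 172.16.198.35:500/To 192.168.231.6:500/VRF i0:f0]
Initiator SPI : F178851A3C6C4300 - Responder SPI : 74741B9AAD85D582 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
"""

# "Sending Packet [To peer/From local/...]" and "Received Packet [From peer/To local/...]":
# in both forms the first address is the peer and the second is the local endpoint.
PACKET = re.compile(r"(Sending|Received) Packet \[(?:To|From) (\S+?):\d+/(?:To|From) (\S+?):\d+/")
SPIS = re.compile(r"Initiator SPI : ([0-9A-F]{16}) - Responder SPI : ([0-9A-F]{16}) Message id: (\d+)")
EXCHANGE = re.compile(r"IKEv2 (\S+) Exchange (REQUEST|RESPONSE)")

# Expected initiator-side sequence: (exchange, kind, direction, message id).
EXPECTED = [("IKE_SA_INIT", "REQUEST", "Sending", 0),
            ("IKE_SA_INIT", "RESPONSE", "Received", 0),
            ("IKE_AUTH", "REQUEST", "Sending", 1),
            ("IKE_AUTH", "RESPONSE", "Received", 1)]


def parse_packets(text):
    """Group the multi-line packet dumps of a debug log into one dict per packet."""
    packets, cur, want_payloads = [], None, False
    for line in text.splitlines():
        m = PACKET.search(line)
        if m:
            cur = {"dir": m.group(1), "peer": m.group(2), "local": m.group(3), "payloads": []}
            packets.append(cur)
            want_payloads = False
            continue
        if cur is None:
            continue
        if want_payloads:                      # the line after "Payload contents:"
            cur["payloads"] = line.split()
            want_payloads = False
            continue
        m = SPIS.search(line)
        if m:
            cur["ispi"], cur["rspi"], cur["msgid"] = m.group(1), m.group(2), int(m.group(3))
            continue
        m = EXCHANGE.search(line)
        if m:
            cur["exchange"], cur["kind"] = m.group(1), m.group(2)
            continue
        if line.strip() == "Payload contents:":
            want_payloads = True
    return packets


def check_handshake(packets):
    """Findings for an initiator-side log; an empty list means a clean 4-message handshake."""
    findings = []
    if len(packets) < 4:
        findings.append(f"handshake incomplete: {len(packets)} of 4 messages seen")
    for pkt, want in zip(packets, EXPECTED):
        got = (pkt.get("exchange"), pkt.get("kind"), pkt["dir"], pkt.get("msgid"))
        if got != want:
            findings.append(f"unexpected message {got}, wanted {want}")
    if len({p.get("ispi") for p in packets}) != 1:
        findings.append("initiator SPI changed mid-handshake")
    if len({p["peer"] for p in packets}) != 1:
        findings.append("packets exchanged with more than one peer address")
    if packets and packets[0].get("rspi") != "0" * 16:
        findings.append("first IKE_SA_INIT must carry a zero responder SPI")
    later = {p.get("rspi") for p in packets[1:]}
    if len(later) != 1 or "0" * 16 in later:
        findings.append("responder SPI not fixed after the IKE_SA_INIT response")
    if len(packets) >= 3 and packets[2]["payloads"] != ["ENCR"]:
        findings.append("IKE_AUTH request was not sent encrypted")
    return findings


if __name__ == "__main__":
    pk = parse_packets(BRANCH_A_DEBUG)
    for p in pk:
        print(p["dir"], p["exchange"], p["kind"], "msgid", p["msgid"], p["payloads"])
    print(check_handshake(pk) or "clean handshake")
```

On the log above the checker is silent; cutting the log before the last "Received Packet" block produces "handshake incomplete: 3 of 4 messages seen", which is what a stalled IKE_AUTH (wrong PSK, mismatched identity, or a filtered reply) looks like from the initiator's side.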


The whole message exchange capture:

[capture image: ikev2-1]

Security Associations:

BRANCH-A#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.231.6/500 172.16.198.35/500 none/none READY ! Peers addresses
Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK ! SA Parameters
Life/Active Time: 86400/1141 sec

IPv6 Crypto IKEv2 SA


BRANCH-A#sh crypto ipsec sa

interface: Ethernet0/1
Crypto map tag: VPN-CM, local addr 192.168.231.6

protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0) ! Proxy ID 
current_peer 172.16.198.35 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 192.168.231.6, remote crypto endpt.: 172.16.198.35 ! Peers addresses
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
current outbound spi: 0xB0DF64D5(2967430357)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x4EDBBD5D(1323023709)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 10, flow_id: SW:10, sibling_flags 80000040, crypto map: VPN-CM
sa timing: remaining key lifetime (k/sec): (4252494/2435)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB0DF64D5(2967430357)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9, flow_id: SW:9, sibling_flags 80000040, crypto map: VPN-CM
sa timing: remaining key lifetime (k/sec): (4252494/2435)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Summary

IKEv2 has a much clearer message exchange (and thus clearer debug output) than IKEv1.

Also, notice that there is no need to carefully configure all the IKE and IPSec parameters as we used to do in IKEv1. This is because Cisco's IKEv2 implementation supplies default parameters; for example, the debug says:

*May 5 19:00:36.346: IKEv2:Using the Default Policy for Proposal
*May 5 19:00:36.346: IKEv2:Found Policy 'default'

And you can actually see this “default” IKEv2 policy and its parameters:

BRANCH-A#show crypto ikev2 policy

IKEv2 policy : default
Match fvrf : any
Match address local : any
Proposal : default

BRANCH-A#show crypto ikev2 proposal
IKEv2 proposal: default
Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
Integrity : SHA512 SHA384 SHA256 SHA96 MD596
PRF : SHA512 SHA384 SHA256 SHA1 MD5
DH Group : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

Same thing with IPSec transform set:

BRANCH-A#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, }

This simplifies configuration significantly.
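The default proposal is convenient, but it is worth seeing what it actually negotiates and what it still offers. The Python script below is an added example, not code from the post: it models the responder's choice for each transform type (its own first preference that the initiator also offered, which is my simplifying assumption; RFC 7296 only requires the responder to pick one of the offered transforms) using the "show crypto ikev2 proposal" output from above as constructed input, and it flags the transforms in that default set that RFC 8247 rates MUST NOT (MD5 family), MUST- (SHA-1 family, legacy only) or SHOULD NOT (1024- and 1536-bit MODP groups). The STRICT_PROPOSAL is a hypothetical tightened proposal for comparison.

```python
# Constructed from "show crypto ikev2 proposal" in the post: the IOS default
# proposal, in the router's preference order for each transform type.
DEFAULT_PROPOSAL = {
    "encryption": ["AES-CBC-256", "AES-CBC-192", "AES-CBC-128"],
    "integrity": ["SHA512", "SHA384", "SHA256", "SHA96", "MD596"],
    "prf": ["SHA512", "SHA384", "SHA256", "SHA1", "MD5"],
    "dh_group": ["Group 5", "Group 2"],
}

# Hypothetical tightened proposal (not from the post), for comparison.
STRICT_PROPOSAL = {
    "encryption": ["AES-CBC-256"],
    "integrity": ["SHA512", "SHA384"],
    "prf": ["SHA512", "SHA384"],
    "dh_group": ["Group 14"],
}

# Transforms in the IOS default that RFC 8247 rates MUST NOT or SHOULD NOT,
# plus the SHA-1 family it rates MUST- (kept for interoperability only).
# Cisco's SHA96 and MD596 names are HMAC-SHA1-96 and HMAC-MD5-96.
WEAK = {
    "MD5": "MUST NOT (RFC 8247)",
    "MD596": "MUST NOT (RFC 8247)",
    "SHA1": "MUST- (RFC 8247, legacy only)",
    "SHA96": "MUST- (RFC 8247, legacy only)",
    "Group 2": "SHOULD NOT: 1024-bit MODP (RFC 8247)",
    "Group 5": "SHOULD NOT: 1536-bit MODP (RFC 8247)",
}


def negotiate(initiator, responder):
    """Model of the responder's choice: for each transform type, its first
    preference that the initiator also offered. Returns None when some type
    has no overlap, i.e. the responder would answer NO_PROPOSAL_CHOSEN."""
    chosen = {}
    for ttype, offered in initiator.items():
        match = next((t for t in responder.get(ttype, []) if t in offered), None)
        if match is None:
            return None
        chosen[ttype] = match
    return chosen


def weak_transforms(proposal):
    """Map each weak transform present in a proposal (offered list or chosen
    single value per type) to the reason it is flagged."""
    flat = []
    for value in proposal.values():
        flat.extend(value if isinstance(value, list) else [value])
    return {t: WEAK[t] for t in flat if t in WEAK}


if __name__ == "__main__":
    chosen = negotiate(DEFAULT_PROPOSAL, DEFAULT_PROPOSAL)
    print("default <-> default negotiates:", chosen)
    print("weak transforms offered by the default:", weak_transforms(DEFAULT_PROPOSAL))
    print("weak transforms actually chosen:", weak_transforms(chosen))
    print("strict <-> default negotiates:", negotiate(STRICT_PROPOSAL, DEFAULT_PROPOSAL))
```

With both routers on the default, the model picks AES-CBC-256, SHA512 integrity, SHA512 PRF and Group 5, which is exactly what "show crypto ikev2 sa" reported above (keysize 256, PRF SHA512, Hash SHA512, DH Grp:5). The chosen set is reasonable apart from the 1536-bit group, but the default still offers MD5 and 1024-bit MODP to any peer that asks for them, so a peer that only speaks weak transforms will still get a tunnel. Pinning the proposal on both sides (as in STRICT_PROPOSAL) closes that, at the cost that a peer left on the default can no longer negotiate at all, since the default does not offer Group 14.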
