This lab is an IKEv2 setup with no keyring; the PSK is configured directly under the IKEv2 profile. The IKEv2 and IPsec encryption parameters are set to older, less CPU-intensive algorithms: 3DES, with no integrity check added to the IPsec transform set. Future labs will add these features.
CSR1
crypto ikev2 proposal IKEV2_PROPOSAL
encryption 3des
integrity sha1
group 5
crypto ikev2 policy IKEV2_POLICY
proposal IKEV2_PROPOSAL
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote address 108.0.0.8 255.255.255.255
authentication local pre-share key cisco
authentication remote pre-share key cisco
!
crypto ipsec transform-set IKEV2_TSET esp-3des
mode tunnel
!
ip access-list extended IKEV2_VPN
permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map IKEV2 10 ipsec-isakmp
set peer 108.0.0.8
set transform-set IKEV2_TSET
set ikev2-profile IKEV2_PROFILE
match address IKEV2_VPN
CSR8
crypto ikev2 proposal IKEV2_PROPOSAL
encryption 3des
integrity sha1
group 5
!
crypto ikev2 policy IKEV2_POLICY
proposal IKEV2_PROPOSAL
!
crypto ikev2 profile IKEV2_PROFILE
match identity remote address 101.0.0.10 255.255.255.255
authentication remote pre-share key cisco
authentication local pre-share key cisco
!
crypto ipsec transform-set IKEV2_TSET esp-3des
mode tunnel
!
ip access-list extended IKEV2_VPN
permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map IKEV2 10 ipsec-isakmp
set peer 101.0.0.10
set transform-set IKEV2_TSET
set ikev2-profile IKEV2_PROFILE
match address IKEV2_VPN
With the configuration in place, we'll do a test. We'll enable IKEv2 debugs on CSR1 and ping from SW1 to SW2. The first echo is dropped while the IKEv2 and IPsec SAs are negotiated, which is why the ping reports 4/5.
SW1#ping 10.2.8.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.8.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 16/22/31 ms
IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 101.0.0.10:500, remote= 108.0.0.8:500,
local_proxy= 10.1.0.0/255.255.0.0/256/0,
remote_proxy= 10.2.0.0/255.255.0.0/256/0,
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
3DES SHA1 SHA96 DH_GROUP_1536_MODP/Group 5
IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 108.0.0.8:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : 362E7405F2C70660 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 108.0.0.8:500/To 101.0.0.10:500/VRF i0:f0]
Initiator SPI : 362E7405F2C70660 - Responder SPI : FC15AB42FC99D83C Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 101.0.0.10, key len 5
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '101.0.0.10' of type 'IPv4 address'
IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 2
3DES Don't use ESN
IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 108.0.0.8:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : 362E7405F2C70660 - Responder SPI : FC15AB42FC99D83C Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 108.0.0.8:500/To 101.0.0.10:500/VRF i0:f0]
Initiator SPI : 362E7405F2C70660 - Responder SPI : FC15AB42FC99D83C Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '108.0.0.8' of type 'IPv4 address'
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 108.0.0.8
IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 108.0.0.8, key len 5
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_AUTH message
IKEv2:IPSec policy validate request sent for profile IKEV2_PROFILE with psh index 1.
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 101.0.0.10:0, remote= 108.0.0.8:0,
local_proxy= 10.1.0.0/255.255.0.0/256/0,
remote_proxy= 10.2.0.0/255.255.0.0/256/0,
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
src addr : 10.1.0.0
dst addr : 10.2.0.0
protocol : 0
src port : 0
dst port : 0
(ipsec_process_proposal)Map Accepted: IKEV2, 10
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (108.0.0.8, 101.0.0.10) is UP
IKEv2:IKEv2 MIB tunnel started, tunnel index 1
IKEv2:(SESSION ID = 1,SA ID = 1):Load IPSEC key material
IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 10.1.0.0
dst addr : 10.2.0.0
protocol : 256
src port : 0
dst port : 0
IPSEC:(SESSION ID = 1) (crypto_ipsec_create_ipsec_sas) Map found IKEV2, 10
IPSEC:(SESSION ID = 1) (crypto_ipsec_sa_find_ident_head) reconnecting with the same proxies and peer 108.0.0.8
IPSEC:(SESSION ID = 1) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7F75B7312118
IPSEC:(SESSION ID = 1) (create_sa) sa created,
(sa) sa_dest= 101.0.0.10, sa_proto= 50,
sa_spi= 0xC3CA60DA(3284820186),
sa_trans= esp-3des , sa_conn_id= 2008
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 101.0.0.10:0, remote= 108.0.0.8:0,
local_proxy= 10.1.0.0/255.255.0.0/256/0,
remote_proxy= 10.2.0.0/255.255.0.0/256/0
IPSEC:(SESSION ID = 1) (create_sa) sa created,
(sa) sa_dest= 108.0.0.8, sa_proto= 50,
sa_spi= 0x3D651D72(1030036850),
sa_trans= esp-3des , sa_conn_id= 2007
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 101.0.0.10:0, remote= 108.0.0.8:0,
local_proxy= 10.1.0.0/255.255.0.0/256/0,
remote_proxy= 10.2.0.0/255.255.0.0/256/0
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
CSR1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 101.0.0.10/500 108.0.0.8/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/331 sec
CE id: 1008, Session-id: 8
Status Description: Negotiation done
Local spi: 362E7405F2C70660 Remote spi: FC15AB42FC99D83C
Local id: 101.0.0.10
Remote id: 108.0.0.8
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
CSR1#show crypto ipsec sa
interface: GigabitEthernet1
Crypto map tag: IKEV2, local addr 101.0.0.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
current_peer 108.0.0.8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 101.0.0.10, remote crypto endpt.: 108.0.0.8
plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x3D651D72(1030036850)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xC3CA60DA(3284820186)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: CSR:8, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607999/3247)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D651D72(1030036850)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: CSR:7, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607999/3247)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
CSR8#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 108.0.0.8/500 101.0.0.10/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/405 sec
CE id: 1008, Session-id: 8
Status Description: Negotiation done
Local spi: FC15AB42FC99D83C Remote spi: 362E7405F2C70660
Local id: 108.0.0.8
Remote id: 101.0.0.10
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
CSR8# show crypto ipsec sa
interface: GigabitEthernet1
Crypto map tag: IKEV2, local addr 108.0.0.8
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer 101.0.0.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 108.0.0.8, remote crypto endpt.: 101.0.0.10
plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xC3CA60DA(3284820186)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3D651D72(1030036850)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2007, flow_id: CSR:7, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607999/3176)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC3CA60DA(3284820186)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2008, flow_id: CSR:8, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607999/3176)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
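As an added example (not part of the lab and not Cisco's code), a small Python audit that parses the `show crypto ikev2 sa detailed` and `show crypto ipsec sa` output captured above, flags the legacy settings this lab deliberately uses (3DES, SHA1, DH group 5, ESP with no integrity component, PFS and anti-replay off), and cross-checks that CSR1 and CSR8 report mirrored IKE and ESP SPIs. The embedded sample text is a trimmed copy of the outputs above; the legacy-algorithm sets are my own assumptions.

```python
"""Audit IKEv2/IPsec SA state from Cisco IOS 'show crypto ikev2 sa detailed' and
'show crypto ipsec sa' output: flag legacy settings and cross-check that both peers
report the same SPIs.  Samples are constructed, trimmed copies of the lab output."""
import re

CSR1_IKEV2 = """\
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Local spi: 362E7405F2C70660 Remote spi: FC15AB42FC99D83C
"""
CSR8_IKEV2 = """\
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Local spi: FC15AB42FC99D83C Remote spi: 362E7405F2C70660
"""
CSR1_IPSEC = """\
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xC3CA60DA(3284820186)
transform: esp-3des ,
replay detection support: N
outbound esp sas:
spi: 0x3D651D72(1030036850)
"""
CSR8_IPSEC = """\
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3D651D72(1030036850)
transform: esp-3des ,
replay detection support: N
outbound esp sas:
spi: 0xC3CA60DA(3284820186)
"""

# Assumed classification of legacy algorithms (not from the lab).
LEGACY_CIPHERS = {"DES", "3DES", "NULL"}
LEGACY_HASHES = {"MD5", "MD596", "SHA1", "SHA96"}
LEGACY_DH_GROUPS = {1, 2, 5}  # MODP groups of 1536 bits or less


def parse_ikev2_sa(text):
    """Extract the negotiated IKE SA algorithms and the IKE SPI pair."""
    algs = re.search(r"Encr: (\S+), PRF: (\S+), Hash: (\S+), DH Grp:(\d+)", text)
    spis = re.search(r"Local spi: ([0-9A-F]+)\s+Remote spi: ([0-9A-F]+)", text)
    if not (algs and spis):
        raise ValueError("IKEv2 SA fields not found in output")
    return {"encr": algs.group(1), "prf": algs.group(2), "hash": algs.group(3),
            "dh": int(algs.group(4)), "local_spi": spis.group(1), "remote_spi": spis.group(2)}


def parse_ipsec_sa(text):
    """Extract PFS, the ESP transform, anti-replay state and the ESP SPI pair."""
    patterns = {"pfs": r"PFS \(Y/N\): (\w)", "transform": r"transform: (\S+)",
                "replay": r"replay detection support: (\w)",
                "inbound_spi": r"inbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)",
                "outbound_spi": r"outbound esp sas:\s*spi: (0x[0-9A-Fa-f]+)"}
    found = {name: re.search(pat, text) for name, pat in patterns.items()}
    if not all(found.values()):
        raise ValueError("IPsec SA fields not found in output")
    sa = {name: m.group(1) for name, m in found.items()}
    sa["pfs"], sa["replay"] = sa["pfs"] == "Y", sa["replay"] == "Y"
    return sa


def audit(ikev2, ipsec):
    """Return findings for weak negotiated settings (empty list when clean)."""
    findings = []
    if ikev2["encr"] in LEGACY_CIPHERS:
        findings.append(f"IKE SA cipher {ikev2['encr']} is legacy")
    if ikev2["prf"] in LEGACY_HASHES or ikev2["hash"] in LEGACY_HASHES:
        findings.append(f"IKE SA PRF/integrity {ikev2['prf']}/{ikev2['hash']} is legacy")
    if ikev2["dh"] in LEGACY_DH_GROUPS:
        findings.append(f"IKE SA DH group {ikev2['dh']} is too small")
    # Without an -hmac or AEAD (gcm/gmac) component, ESP packets carry no integrity check.
    if not re.search(r"hmac|gcm|gmac", ipsec["transform"]):
        findings.append(f"ESP transform {ipsec['transform']} has no integrity or AEAD component")
    if not ipsec["pfs"]:
        findings.append("PFS is off for the IPsec SA")
    if not ipsec["replay"]:
        findings.append("ESP anti-replay is off")
    return findings


def cross_check(a_ike, a_ipsec, b_ike, b_ipsec):
    """True when both peers describe one tunnel (IKE and ESP SPIs mirror each other)."""
    return (a_ike["local_spi"] == b_ike["remote_spi"]
            and b_ike["local_spi"] == a_ike["remote_spi"]
            and a_ipsec["inbound_spi"] == b_ipsec["outbound_spi"]
            and a_ipsec["outbound_spi"] == b_ipsec["inbound_spi"])
```

Run `audit(parse_ikev2_sa(CSR1_IKEV2), parse_ipsec_sa(CSR1_IPSEC))` to list the six findings for this lab, and `cross_check` with both routers' parsed state to confirm the SPIs line up.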