This example is a slight variation of the symmetric PSK setup in which no keyring was used. This time we define a keyring and reference it from the IKEv2 profile; everything else stays the same. Does using a keyring make a difference? I say no, this is just a test of the different variations.
CSR1
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption 3des
 integrity sha1
 group 5
!
crypto ikev2 policy IKEV2_POLICY
 proposal IKEV2_PROPOSAL
!
crypto ikev2 keyring IKEV2_KEYRING
 peer CSR8
  address 108.0.0.8
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 108.0.0.8 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2_KEYRING
!
crypto ipsec transform-set IKEV2_TSET esp-3des
 mode tunnel
!
ip access-list extended IKEV2_VPN
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map IKEV2 10 ipsec-isakmp
 set peer 108.0.0.8
 set transform-set IKEV2_TSET
 set ikev2-profile IKEV2_PROFILE
 match address IKEV2_VPN
!
interface GigabitEthernet1
 crypto map IKEV2
CSR8
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption 3des
 integrity sha1
 group 5
!
crypto ikev2 policy IKEV2_POLICY
 proposal IKEV2_PROPOSAL
!
crypto ikev2 keyring IKEV2_KEYRING
 peer CSR8
  address 101.0.0.10
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile IKEV2_PROFILE
 match identity remote address 101.0.0.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KEYRING
!
crypto ipsec transform-set IKEV2_TSET esp-3des
 mode tunnel
!
ip access-list extended IKEV2_VPN
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map IKEV2 10 ipsec-isakmp
 set peer 101.0.0.10
 set transform-set IKEV2_TSET
 set ikev2-profile IKEV2_PROFILE
 ! match address is assumed here: the listing omits it, but the show output
 ! below (origin_is_acl, local ident 10.2.0.0/255.255.0.0) shows the ACL is applied
 match address IKEV2_VPN
!
interface GigabitEthernet1
 crypto map IKEV2
SW1#ping 10.2.8.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.8.2, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 11/29/50 ms
IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 101.0.0.10:500, remote= 108.0.0.8:500,
local_proxy= 10.1.0.0/255.255.0.0/256/0,
remote_proxy= 10.2.0.0/255.255.0.0/256/0,
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
IKEv2:% Getting preshared key from profile keyring IKEV2_KEYRING
IKEv2:% Matched peer block 'CSR8'
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
3DES SHA1 SHA96 DH_GROUP_1536_MODP/Group 5
IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 108.0.0.8:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : 2059B7DDCB02D53D - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 108.0.0.8:500/To 101.0.0.10:500/VRF i0:f0]
Initiator SPI : 2059B7DDCB02D53D - Responder SPI : C61095C4FE1F8B69 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 5
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 101.0.0.10, key len 5
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '101.0.0.10' of type 'IPv4 address'
IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 2
3DES Don't use ESN
IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 108.0.0.8:500/From 101.0.0.10:500/VRF i0:f0]
Initiator SPI : 2059B7DDCB02D53D - Responder SPI : C61095C4FE1F8B69 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
ENCR
IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 108.0.0.8:500/To 101.0.0.10:500/VRF i0:f0]
Initiator SPI : 2059B7DDCB02D53D - Responder SPI : C61095C4FE1F8B69 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '108.0.0.8' of type 'IPv4 address'
IKEv2:Searching Policy with fvrf 0, local address 101.0.0.10
IKEv2:Found Policy 'IKEV2_POLICY'
IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 108.0.0.8
IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 108.0.0.8, key len 5
IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_AUTH message
IKEv2:IPSec policy validate request sent for profile IKEV2_PROFILE with psh index 1.
IPSEC(key_engine): got a queue event with 1 KMI message(s)
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 101.0.0.10:0, remote= 108.0.0.8:0,
local_proxy= 10.1.0.0/255.255.0.0/256/0,
remote_proxy= 10.2.0.0/255.255.0.0/256/0,
protocol= ESP, transform= esp-3des (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Crypto mapdb : proxy_match
src addr : 10.1.0.0
dst addr : 10.2.0.0
protocol : 0
src port : 0
dst port : 0
(ipsec_process_proposal)Map Accepted: IKEV2, 10
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (108.0.0.8, 101.0.0.10) is UP
IKEv2:IKEv2 MIB tunnel started, tunnel index 1
IKEv2:(SESSION ID = 1,SA ID = 1):Load IPSEC key material
IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 10.1.0.0
dst addr : 10.2.0.0
protocol : 256
src port : 0
dst port : 0
IPSEC:(SESSION ID = 1) (crypto_ipsec_create_ipsec_sas) Map found IKEV2, 10
IPSEC:(SESSION ID = 1) (crypto_ipsec_sa_find_ident_head) reconnecting with the same proxies and peer 108.0.0.8
IPSEC:(SESSION ID = 1) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7F75B7312118
IPSEC:(SESSION ID = 1) (create_sa) sa created,
(sa) sa_dest= 101.0.0.10, sa_proto= 50,
sa_spi= 0x11761E4D(292953677),
sa_trans= esp-3des , sa_conn_id= 2012
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 101.0.0.10:0, remote= 108.0.0.8:0,
local_proxy= 10.1.0.0/255.255.0.0/256/0,
remote_proxy= 10.2.0.0/255.255.0.0/256/0
IPSEC:(SESSION ID = 1) (create_sa) sa created,
(sa) sa_dest= 108.0.0.8, sa_proto= 50,
sa_spi= 0xFD4A1755(4249491285),
sa_trans= esp-3des , sa_conn_id= 2011
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 101.0.0.10:0, remote= 108.0.0.8:0,
local_proxy= 10.1.0.0/255.255.0.0/256/0,
remote_proxy= 10.2.0.0/255.255.0.0/256/0
IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
CSR1#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 101.0.0.10/500 108.0.0.8/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/333 sec
IPv6 Crypto IKEv2 SA
CSR1#show crypto ipsec sa
interface: GigabitEthernet1
Crypto map tag: IKEV2, local addr 101.0.0.10
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
current_peer 108.0.0.8 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 101.0.0.10, remote crypto endpt.: 108.0.0.8
plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0xFD4A1755(4249491285)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x11761E4D(292953677)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2012, flow_id: CSR:12, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607999/3262)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFD4A1755(4249491285)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2011, flow_id: CSR:11, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607999/3262)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
CSR8#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 108.0.0.8/500 101.0.0.10/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/504 sec
IPv6 Crypto IKEv2 SA
CSR8#show crypto ipsec sa
interface: GigabitEthernet1
Crypto map tag: IKEV2, local addr 108.0.0.8
protected vrf: (none)
local ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer 101.0.0.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 108.0.0.8, remote crypto endpt.: 101.0.0.10
plaintext mtu 1462, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
current outbound spi: 0x11761E4D(292953677)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFD4A1755(4249491285)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2011, flow_id: CSR:11, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607999/3088)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x11761E4D(292953677)
transform: esp-3des ,
in use settings ={Tunnel, }
conn id: 2012, flow_id: CSR:12, sibling_flags FFFFFFFF80000048, crypto map: IKEV2
sa timing: remaining key lifetime (k/sec): (4607999/3088)
IV size: 8 bytes
replay detection support: N
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
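Added example, not from the post: a Python check that parses the show crypto ikev2 sa and show crypto ipsec sa output from both CSRs (the excerpts above, embedded inline), confirms that each side's inbound ESP SPI is the other side's outbound SPI, and flags the lab's legacy choices (3DES, DH group 5, no PFS) against the RFC 8247 MUST NOT / SHOULD NOT lists. The regexes are written against the output format shown on this page, and the finding strings and legacy sets are my own assumptions.

```python
import re

# Excerpts copied from the page's show output above, trimmed to the lines the parsers need.
CSR1_IKE = """1 101.0.0.10/500 108.0.0.8/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK"""
CSR8_IKE = """1 108.0.0.8/500 101.0.0.10/500 none/none READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK"""
CSR1_IPSEC = """PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x11761E4D(292953677)
inbound ah sas:
outbound esp sas:
spi: 0xFD4A1755(4249491285)"""
CSR8_IPSEC = """PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xFD4A1755(4249491285)
inbound ah sas:
outbound esp sas:
spi: 0x11761E4D(292953677)"""

# IKEv2 algorithms RFC 8247 rates MUST NOT / SHOULD NOT (DES/3DES; MODP groups 1, 2, 5).
LEGACY_ENCR = {"DES", "3DES"}
LEGACY_DH = {"1", "2", "5"}
IKE_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<local>[\d.]+)/\d+\s+(?P<remote>[\d.]+)/\d+\s+\S+\s+(?P<status>\w+)"
    r"\s+Encr:\s*(?P<encr>\w+),\s*PRF:\s*(?P<prf>\w+),\s*Hash:\s*(?P<hash>\w+),"
    r"\s*DH Grp:\s*(?P<dh>\d+),\s*Auth sign:\s*(?P<sign>\w+),\s*Auth verify:\s*(?P<verify>\w+)",
    re.MULTILINE,
)


def parse_ikev2_sa(text):
    """Return the first IKEv2 SA in 'show crypto ikev2 sa' output as a dict, or None."""
    m = IKE_RE.search(text)
    return m.groupdict() if m else None


def parse_ipsec_sa(text):
    """Return (inbound_spi, outbound_spi, pfs_enabled) from 'show crypto ipsec sa' output."""
    spis, section, pfs = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("inbound esp sas"):
            section = "in"
        elif line.startswith("outbound esp sas"):
            section = "out"
        elif line.startswith(("inbound ", "outbound ")):
            section = None  # ah/pcp sections carry no ESP SPI
        m = re.match(r"spi:\s*0x([0-9A-Fa-f]+)", line)
        if m and section and section not in spis:  # first SPI of each direction
            spis[section] = int(m.group(1), 16)
        m = re.match(r"PFS \(Y/N\):\s*([YN])", line)
        if m:
            pfs = m.group(1) == "Y"
    return spis.get("in"), spis.get("out"), pfs


def audit_tunnel(a_ike, a_ipsec, b_ike, b_ipsec):
    """Cross-check both peers' view of one tunnel and return a list of findings."""
    findings = []
    ia, ib = parse_ikev2_sa(a_ike), parse_ikev2_sa(b_ike)
    if ia is None or ib is None:
        return ["IKEv2 SA missing on at least one peer"]
    if not (ia["status"] == ib["status"] == "READY"):
        findings.append(f"IKEv2 SA not READY on both sides ({ia['status']}/{ib['status']})")
    if (ia["local"], ia["remote"]) != (ib["remote"], ib["local"]):
        findings.append("IKE endpoints are not mirrored between the peers")
    a_in, a_out, a_pfs = parse_ipsec_sa(a_ipsec)
    b_in, b_out, b_pfs = parse_ipsec_sa(b_ipsec)
    if a_in != b_out or a_out != b_in:  # each side's inbound SPI is the other's outbound
        findings.append("ESP SPIs do not cross-match between the peers")
    if ia["encr"] in LEGACY_ENCR:
        findings.append(f"legacy IKE encryption {ia['encr']}")
    if ia["dh"] in LEGACY_DH:
        findings.append(f"legacy IKE DH group {ia['dh']}")
    if a_pfs is False or b_pfs is False:
        findings.append("PFS disabled on the IPsec SA")
    return findings


if __name__ == "__main__":
    for finding in audit_tunnel(CSR1_IKE, CSR1_IPSEC, CSR8_IKE, CSR8_IPSEC):
        print("FINDING:", finding)
```

On the page's output the SPIs cross-match and both SAs are READY, so the only findings are the three legacy-algorithm ones.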