Troubleshooting ipsec tunnel setup.


L3 Networker

I have set up IPsec between a PA200 and a Cisco device. When trying to bring the tunnel up, I am not even able to establish phase 1.

I am getting the following errors in the logs. I have keyed in the pre-shared key again on both sides.

 

ikev2-nego-child-start:'IKEv2 child SA negotiation is started as initiator,non-rekey

ike-generic-event- received notify type AUTHENTICATION_FAILED


L6 Presenter

Hi,

 

For me you are failing on P2, not P1. Is the Cisco device a router or an ASA (route-based or policy-based VPN)? Please post the output of the command below:

 

> tail lines 100 mp-log ikemgr.log

 

Thx,

Myky

2017-02-01 10:26:42 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] SPI:fb7749a0549253cf:0000000000000000 SN:251 <==== 2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:vendor id payload ignored 2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:vendor id payload ignored 2017-02-01 10:26:42 [INFO]: CR hash (3) ignored, no match found. 2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:vendor id payload ignored 2017-02-01 10:26:42 [PROTO_NOTIFY]: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] message id:0x00000000 parent SN:251 <==== 2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:received notify type AUTHENTICATION_FAILED 2017-02-01 10:26:42 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION FAILED AS INITIATOR, non-rekey <==== ====> Failed SA: 202.141.210.58[500]-213.152.246.225[500] SPI:fb7749a0549253cf:e7fffa7ae266483c SN 251 <==== 2017-02-01 10:26:42 [INFO]: 251:202.141.210.58[500] - 213.152.246.225[500]:(nil):aborting IKEv2 SA jdp-p1:251 2017-02-01 10:26:44 [INFO]: sadb_acquire_callback: seq=0 satype=141 sa_src=202.141.210.58[0] sa_dst=0.0.0.0[0] samode=137 tid=1 selid=137354744 2017-02-01 10:26:45 [INFO]: sadb_acquire_callback: seq=0 satype=141 sa_src=202.141.210.58[0] sa_dst=0.0.0.0[0] samode=137 tid=3 selid=135963664 2017-02-01 10:26:46 [INFO]: sadb_acquire_callback: seq=0 satype=141 sa_src=202.141.210.58[0] sa_dst=213.152.246.225[0] samode=137 tid=10 selid=135964440 2017-02-01 10:26:46 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] SPI:bcfa6b296e75a946:0000000000000000 SN:252 <==== 2017-02-01 10:26:46 [PROTO_WARN]: 252:202.141.210.58[500] - 213.152.246.225[500]:0x8190b20:vendor id payload ignored 2017-02-01 10:26:46 [PROTO_WARN]: 252:202.141.210.58[500] - 213.152.246.225[500]:0x8190b20:vendor id payload ignored 2017-02-01 10:26:46 [INFO]: CR hash (3) ignored, no match found. 2017-02-01 10:26:46 [PROTO_WARN]: 252:202.141.210.58[500] - 213.152.246.225[500]:0x8190b20:vendor id payload ignored 2017-02-01 10:26:46 [PROTO_NOTIFY]: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] message id:0x00000000 parent SN:252 <==== 2017-02-01 10:26:47 [PROTO_WARN]: 252:202.141.210.58[500] - 213.152.246.225[500]:0x8190b20:received notify type AUTHENTICATION_FAILED 2017-02-01 10:26:47 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION FAILED AS INITIATOR, non-rekey <==== ====> Failed SA: 202.141.210.58[500]-213.152.246.225[500] SPI:bcfa6b296e75a946:9dd1de2ab91b7f21 SN 252 <==== 2017-02-01 10:26:47 [INFO]: 252:202.141.210.58[500] - 213.152.246.225[500]:(nil):aborting IKEv2 SA jdp-p1:252

Hi,

 

Thanks, but these are difficult to read. Can you SSH to the box over PuTTY and copy/paste the text here? I still need to know which device is on the other end. For P2, do you have proxy IDs in place? Are they matching?

As the initiator, you won't see much detail. This is by design of IPSec - you don't want to give an attacker a bunch of details why it didn't work so they can figure out the right things that will work.

 

See if you can initiate from the other side, or see the other side's logs if only you can do the initiating. 

 

Here are your logs with wrapping and monospace font:

2017-02-01 10:26:42 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] SPI:fb7749a0549253cf:0000000000000000 SN:251 <==== 
2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:vendor id payload ignored 
2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:vendor id payload ignored 
2017-02-01 10:26:42 [INFO]: CR hash (3) ignored, no match found. 
2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:vendor id payload ignored 
2017-02-01 10:26:42 [PROTO_NOTIFY]: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] message id:0x00000000 parent SN:251 <==== 
2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:received notify type AUTHENTICATION_FAILED 
2017-02-01 10:26:42 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION FAILED AS INITIATOR, non-rekey <==== ====> Failed SA: 202.141.210.58[500]-213.152.246.225[500] SPI:fb7749a0549253cf:e7fffa7ae266483c SN 251 <==== 
2017-02-01 10:26:42 [INFO]: 251:202.141.210.58[500] - 213.152.246.225[500]:(nil):aborting IKEv2 SA jdp-p1:251 
2017-02-01 10:26:44 [INFO]: sadb_acquire_callback: seq=0 satype=141 sa_src=202.141.210.58[0] sa_dst=0.0.0.0[0] samode=137 tid=1 selid=137354744 
2017-02-01 10:26:45 [INFO]: sadb_acquire_callback: seq=0 satype=141 sa_src=202.141.210.58[0] sa_dst=0.0.0.0[0] samode=137 tid=3 selid=135963664 
2017-02-01 10:26:46 [INFO]: sadb_acquire_callback: seq=0 satype=141 sa_src=202.141.210.58[0] sa_dst=213.152.246.225[0] samode=137 tid=10 selid=135964440 
2017-02-01 10:26:46 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] SPI:bcfa6b296e75a946:0000000000000000 SN:252 <==== 
2017-02-01 10:26:46 [PROTO_WARN]: 252:202.141.210.58[500] - 213.152.246.225[500]:0x8190b20:vendor id payload ignored 
2017-02-01 10:26:46 [PROTO_WARN]: 252:202.141.210.58[500] - 213.152.246.225[500]:0x8190b20:vendor id payload ignored 
2017-02-01 10:26:46 [INFO]: CR hash (3) ignored, no match found. 
2017-02-01 10:26:46 [PROTO_WARN]: 252:202.141.210.58[500] - 213.152.246.225[500]:0x8190b20:vendor id payload ignored 
2017-02-01 10:26:46 [PROTO_NOTIFY]: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] message id:0x00000000 parent SN:252 <==== 
2017-02-01 10:26:47 [PROTO_WARN]: 252:202.141.210.58[500] - 213.152.246.225[500]:0x8190b20:received notify type AUTHENTICATION_FAILED 
2017-02-01 10:26:47 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION FAILED AS INITIATOR, non-rekey <==== ====> Failed SA: 202.141.210.58[500]-213.152.246.225[500] SPI:bcfa6b296e75a946:9dd1de2ab91b7f21 SN 252 <==== 
2017-02-01 10:26:47 [INFO]: 252:202.141.210.58[500] - 213.152.246.225[500]:(nil):aborting IKEv2 SA jdp-p1:252
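An added example, not code from this thread or any of its posters: a small Python triage script that splits a run-together ikemgr.log paste at each timestamp, groups the entries by IKE SA serial number (SN) and reports at which IKEv2 stage each attempt died. The embedded sample is the SN 251 attempt quoted above, trimmed to the lines that matter.

```python
import re

# Sample taken from the ikemgr.log paste in this thread (SN 251 attempt),
# trimmed to the lines that matter for triage.
SAMPLE_LOG = """\
2017-02-01 10:26:42 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] SPI:fb7749a0549253cf:0000000000000000 SN:251 <====
2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:vendor id payload ignored
2017-02-01 10:26:42 [PROTO_NOTIFY]: ====> IKEv2 CHILD SA NEGOTIATION STARTED AS INITIATOR, non-rekey <==== ====> Initiated SA: 202.141.210.58[500]-213.152.246.225[500] message id:0x00000000 parent SN:251 <====
2017-02-01 10:26:42 [PROTO_WARN]: 251:202.141.210.58[500] - 213.152.246.225[500]:0x82fcc40:received notify type AUTHENTICATION_FAILED
2017-02-01 10:26:42 [PROTO_NOTIFY]: ====> IKEv2 IKE SA NEGOTIATION FAILED AS INITIATOR, non-rekey <==== ====> Failed SA: 202.141.210.58[500]-213.152.246.225[500] SPI:fb7749a0549253cf:e7fffa7ae266483c SN 251 <====
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"

def split_entries(blob):
    """Split a run-together paste into one entry per timestamp (works on newline-separated text too)."""
    return [p.strip() for p in re.split(rf"(?=\b{TS} \[)", blob) if p.strip()]

def triage(blob):
    """Group entries by SN and record how far each IKEv2 attempt got."""
    sas = {}
    for entry in split_entries(blob):
        # Summary lines carry "SN:251" / "SN 251" / "parent SN:251"; per-SA lines start "251:src - dst".
        m = re.search(r"\bSN:?\s*(\d+)", entry) or re.match(rf"{TS} \[\w+\]: (\d+):", entry)
        if not m:
            continue  # sadb_acquire_callback, CR hash, etc. carry no SN
        sa = sas.setdefault(int(m.group(1)), {"ike_started": False, "child_started": False, "failed": False, "notifies": []})
        if "IKE SA NEGOTIATION STARTED" in entry:
            sa["ike_started"] = True
        elif "CHILD SA NEGOTIATION STARTED" in entry:
            sa["child_started"] = True
        elif "IKE SA NEGOTIATION FAILED" in entry:
            sa["failed"] = True
        n = re.search(r"received notify type (\w+)", entry)
        if n:
            sa["notifies"].append(n.group(1))
    return sas

def diagnose(sa):
    """Map the recorded stages to the check a defender should do next."""
    if not sa["failed"]:
        return "no failure recorded"
    if "AUTHENTICATION_FAILED" in sa["notifies"]:
        # IKEv2 negotiates IKE authentication and the first child SA in the same IKE_AUTH exchange,
        # so this notify means the peer rejected our authentication, not a phase 2 mismatch.
        return "IKE_AUTH rejected by peer: verify PSK, IKE IDs and certificates; the responder's log has the reason"
    if sa["child_started"]:
        return "failed after IKE_AUTH began: compare child SA proposals and proxy IDs"
    return "failed in IKE_SA_INIT: compare IKE crypto proposals and check reachability"
```

Feed it the whole `tail lines 100 mp-log ikemgr.log` output (pasted as one line or many) and call `diagnose()` on each entry of `triage()`; only the notify name is visible from the initiator side, which is why the responder's log is still needed for the exact cause.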

@gwesson Totally agree about the responder side, but I didn't know the idea behind it. I just knew it tells you exactly why it fails (as there is more info there).

@inderjit21 Put your PA in passive mode and post the same logs:

 

[image attachment: SAVE.PNG]

 

P.S. How did you lay out all these lines so nicely?

 

@TranceforLife

[image attachment: 2017-01-31_16-21-09.jpg]

 

 Edit: If you were asking how I separated the lines before formatting them, I knew it was output from the logs and that each line started with 2017. I just used a text editor to replace "2017" with "\r\n2017". The \r\n was just a newline, but I don't think that comes over well in the forums.

 

L6 Presenter

Seems like an authentication issue for phase 1. I'd check the following things for phase 1:

- whether both devices support IKEv2 (or just select IKEv1 on your side and see if it works)

- authentication settings: local ID and PSK (or certificate and DNs for certificate authentication)
