Sunday, February 18, 2018

FlexVPN Debugs

FlexVPN IKEv2 Setup can be summarized:

The details are below:

  • FlexVPN follows the standard IKEv2 message flow: an IKE_SA_INIT exchange followed by an IKE_AUTH exchange.
  • For sites using a virtual-template interface (such as a DVTI spoke), the initiator includes a CFG payload (CFG_Req) in its IKE_AUTH message.

*Feb 13 03:58:03.389: IKEv2:(SESSION ID = 23,SA ID = 1):Received Packet [From 10.150.3.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 98DB5FD5979EAC12 - Responder SPI : 1398F140044ABC30 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

  • The CFG_Req carries the authorization group name and password configured under the spoke's IKEv2 profile (the profile selected when the spoke initiated the session).
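As an added example (not part of the original post), the following Python script parses the multi-line packet dumps that debug crypto ikev2 prints, such as the IKE_AUTH request above, into one record per packet, and then checks whether an IKE_AUTH request carries the payloads a FlexVPN hub expects from a DVTI spoke. The sample input is copied from the debug lines on this page; the record layout (a start line, an SPI line and an exchange line for received packets, then "Payload contents:" and one indented payload list ended by a blank line) and the check list are my assumptions, not Cisco's format definition. The INITIAL_CONTACT finding reflects RFC 7296 semantics and is consistent with the "Check for existing active SA / Deleting SA" lines that appear later in this debug.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the packet dumps quoted in the debug output on this page
# (two received by the hub, one built by it), in the layout "debug crypto ikev2" prints.
SAMPLE_DEBUG = """\
*Feb 13 03:58:03.389: IKEv2:(SESSION ID = 23,SA ID = 1):Received Packet [From 10.150.3.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 98DB5FD5979EAC12 - Responder SPI : 1398F140044ABC30 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:
 VID IDi AUTH CFG SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Feb 13 03:58:03.526: IKEv2:(SESSION ID = 23,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH CFG SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Feb 13 03:59:05.377: IKEv2:(SESSION ID = 26,SA ID = 2):Received Packet [From 10.150.3.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 8F721AF1CE7527FD - Responder SPI : E891556AF0D35777 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 CFG
"""

# Assumed record layout: a start line, then (for received packets) an SPI line and an
# exchange line, then "Payload contents:" and one indented line listing the payloads.
RECORD_START = re.compile(
    r"IKEv2:\(SESSION ID = (?P<session>\d+),SA ID = (?P<sa>\d+)\):"
    r"(?P<kind>Received Packet|Building packet)"
    r"(?: \[From (?P<src>[\d.]+):\d+/To (?P<dst>[\d.]+):\d+/VRF [^\]]+\])?"
)
SPI_LINE = re.compile(
    r"Initiator SPI : (?P<ispi>[0-9A-F]+) - Responder SPI : (?P<rspi>[0-9A-F]+) Message id: (?P<msgid>\d+)"
)
EXCHANGE_LINE = re.compile(r"^IKEv2 (?P<exchange>\w+) Exchange (?P<role>REQUEST|RESPONSE)")


def parse_packets(debug_text: str) -> List[Dict]:
    """Group the multi-line packet dumps into one dict per packet."""
    packets: List[Dict] = []
    current: Optional[Dict] = None
    for line in debug_text.splitlines():
        m = RECORD_START.search(line)
        if m:
            current = {
                "session": int(m["session"]), "sa": int(m["sa"]),
                "direction": "in" if m["kind"] == "Received Packet" else "out",
                "src": m["src"], "dst": m["dst"],
                "ispi": None, "rspi": None, "msgid": None,
                "exchange": None, "role": None, "payloads": [],
            }
            packets.append(current)
            continue
        if current is None:
            continue
        if not line.strip():
            current = None          # a blank line ends the record
            continue
        m = SPI_LINE.search(line)
        if m:
            current["ispi"], current["rspi"] = m["ispi"], m["rspi"]
            current["msgid"] = int(m["msgid"])
            continue
        m = EXCHANGE_LINE.search(line)
        if m:
            current["exchange"], current["role"] = m["exchange"], m["role"]
            continue
        if line.startswith(" "):    # the indented payload list, e.g. " VID IDi AUTH CFG ..."
            current["payloads"].extend(line.split())
    return packets


def check_flexvpn_ike_auth(packet: Dict) -> List[str]:
    """Sanity checks on an IKE_AUTH request as a FlexVPN hub sees it from a DVTI spoke.

    Returns a list of findings (empty when nothing is worth noting)."""
    if packet["exchange"] != "IKE_AUTH" or packet["role"] != "REQUEST":
        return ["not an IKE_AUTH request"]
    findings = []
    for required in ("IDi", "AUTH", "SA", "TSi", "TSr"):
        if required not in packet["payloads"]:
            findings.append(f"missing mandatory payload {required}")
    if "CFG" not in packet["payloads"]:
        # A FlexVPN spoke with a virtual-template asks for its configuration in IKE_AUTH;
        # without CFG the hub has nothing to answer with a Config-reply.
        findings.append("no CFG payload: peer is not requesting configuration")
    if "NOTIFY(INITIAL_CONTACT)" in packet["payloads"]:
        # RFC 7296: the peer asserts this is its only IKE SA with us, so the
        # responder may tear down any older SA it still holds for that peer.
        findings.append("INITIAL_CONTACT: expect any stale SA with this peer to be deleted")
    return findings
```

Feed it the raw output of debug crypto ikev2 captured from the hub; a spoke that never gets an address usually shows up here first, as an IKE_AUTH request with no CFG payload.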

Spoke Config
…………………………………………………………………………….

crypto ikev2 profile prof-01
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local kr-01
 aaa authorization group psk list flex flex
 virtual-template 2


  • Based on the IDi, the responder selects the matching IKEv2 profile, which determines the virtual-template (and therefore the virtual-access interface) used for this peer.

*Feb 13 03:58:03.402: IKEv2:(SESSION ID = 23,SA ID = 1):Searching policy based on peer's identity '10.150.3.1' of type 'IPv4 address'
*Feb 13 03:58:03.402: IKEv2:found matching IKEv2 profile 'prof-01'
*Feb 13 03:58:03.402: IKEv2:% Getting preshared key from profile keyring kr-01
*Feb 13 03:58:03.403: IKEv2:% Matched peer block 'all'
*Feb 13 03:58:03.404: IKEv2:Searching Policy with fvrf 0, local address 10.150.1.1
*Feb 13 03:58:03.404: IKEv2:Found Policy 'pol-01'
*Feb 13 03:58:03.406: IKEv2:(SESSION ID = 23,SA ID = 1):Verify peer's policy
*Feb 13 03:58:03.408: IKEv2:(SESSION ID = 23,SA ID = 1):Peer's policy verified
*Feb 13 03:58:03.410: IKEv2:(SESSION ID = 23,SA ID = 1):Get peer's authentication method
*Feb 13 03:58:03.410: IKEv2:(SESSION ID = 23,SA ID = 1):Peer's authentication method is 'PSK'
*Feb 13 03:58:03.410: IKEv2:(SESSION ID = 23,SA ID = 1):Get peer's preshared key for 10.150.3.1
*Feb 13 03:58:03.411: IKEv2:(SESSION ID = 23,SA ID = 1):Verify peer's authentication data
*Feb 13 03:58:03.411: IKEv2:(SESSION ID = 23,SA ID = 1):Use preshared key for id 10.150.3.1, key len 8
*Feb 13 03:58:03.411: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 13 03:58:03.412: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 13 03:58:03.412: IKEv2:(SESSION ID = 23,SA ID = 1):Verification of peer's authentication data PASSED

  • After successful authentication:
    • The responder creates a virtual-access interface for this peer (e.g. Vi1).
    • The responder verifies the received AAA group name/password against the authorization policy associated with the IKEv2 profile.

*Feb 13 03:58:03.417: IKEv2:Using mlist flex and username flex for group author request    …… the group name and username received from the initiator
*Feb 13 03:58:03.418: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent    …… the IKEv2 process sends the verification request to the AAA process
*Feb 13 03:58:03.418: IKEv2:(SESSION ID = 22,SA ID = 2):Check for existing active SA
*Feb 13 03:58:03.419: IKEv2:(SESSION ID = 22,SA ID = 2):Deleting SA
*Feb 13 03:58:03.437: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Feb 13 03:58:03.440: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to down

  • After successful authorization, the configuration data (IP address, mask, routes, etc.) is sent to the initiator in the Config-reply.


*Feb 13 03:58:03.449: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
*Feb 13 03:58:03.451: IKEv2:(SESSION ID = 23,SA ID = 1):Received valid config mode data
*Feb 13 03:58:03.452: IKEv2:Config data recieved:
………………output omitted………………

*Feb 13 03:58:03.517: IKEv2:(SESSION ID = 23,SA ID = 1):Config-type: Config-reply
*Feb 13 03:58:03.517: IKEv2:(SESSION ID = 23,SA ID = 1):Attrib type: ipv4-addr, length: 4, data: 192.168.1.13
*Feb 13 03:58:03.518: IKEv2:(SESSION ID = 23,SA ID = 1):Attrib type: ipv4-subnet, length: 8, data: 192.168.1.1 255.255.255.255


*Feb 13 03:58:03.526: IKEv2:(SESSION ID = 23,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH CFG SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

  • The initiator applies the received configuration and sends an INFORMATIONAL message to the responder.
    • This message carries a CFG_Set payload so that the responder installs a host route towards the initiator's tunnel IP (the route set interface command).

*Feb 13 03:59:05.377: IKEv2:(SESSION ID = 26,SA ID = 2):Received Packet [From 10.150.3.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 8F721AF1CE7527FD - Responder SPI : E891556AF0D35777 Message id: 2
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
 CFG

*Feb 13 03:59:05.381: IKEv2:Config data recieved:
*Feb 13 03:59:05.381: IKEv2:(SESSION ID = 26,SA ID = 2):Config-type: Config-set
*Feb 13 03:59:05.384: IKEv2:(SESSION ID = 26,SA ID = 2):Attrib type: ipv4-subnet, length: 8, data: 192.168.1.13 255.255.255.255
*Feb 13 03:59:05.385: IKEv2:VPN Route Added 192.168.1.13 255.255.255.255 via Virtual-Access2 in vrf global
*Feb 13 03:59:05.386: IKEv2:(SESSION ID = 26,SA ID = 2):Set received config mode data

  • The responder acknowledges this message with a CFG_Ack payload.

*Feb 13 03:59:05.390: IKEv2:Config data to send:
*Feb 13 03:59:05.390: IKEv2:(SESSION ID = 26,SA ID = 2):Config-type: Config-ack
*Feb 13 03:59:05.391: IKEv2:(SESSION ID = 26,SA ID = 2):Attrib type: ipv4-subnet, length: 0
*Feb 13 03:59:05.392: IKEv2:(SESSION ID = 26,SA ID = 2):Have config mode data to send
*Feb 13 03:59:05.392: IKEv2:(SESSION ID = 26,SA ID = 2):Sending info exch config resp
*Feb 13 03:59:05.393: IKEv2:(SESSION ID = 26,SA ID = 2):Building packet for encryption.
Payload contents:
 CFG
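The bullets above describe one sequence on the hub: profile match, authentication, AAA group authorization, Config-reply, then the CFG_Set/CFG_Ack informational exchange. As an added example that is not part of the original post, this Python tracker folds the single-line debug messages into one record per (SESSION ID, SA ID) and lists the hub-side stages that never showed up, which is what you want to know when a spoke fails to come up. The sample lines are copied from this page with the annotations stripped. The rule for attributing lines that carry only an SA ID, or no ID at all, to a session is my heuristic, not documented IOS behaviour, and the tracker only records that an AAA response arrived (the page shows it followed by valid config data; a denied authorization would produce different follow-up lines that are not in this sample).

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample input: single-line messages copied from the debug output on this page.
# Lines without an "IKEv2:" prefix (%LINK, %LINEPROTO, ...) are ignored by the tracker.
SAMPLE_DEBUG = """\
*Feb 13 03:58:03.402: IKEv2:(SESSION ID = 23,SA ID = 1):Searching policy based on peer's identity '10.150.3.1' of type 'IPv4 address'
*Feb 13 03:58:03.402: IKEv2:found matching IKEv2 profile 'prof-01'
*Feb 13 03:58:03.410: IKEv2:(SESSION ID = 23,SA ID = 1):Peer's authentication method is 'PSK'
*Feb 13 03:58:03.412: IKEv2:(SESSION ID = 23,SA ID = 1):Verification of peer's authentication data PASSED
*Feb 13 03:58:03.417: IKEv2:Using mlist flex and username flex for group author request
*Feb 13 03:58:03.418: IKEv2:(SA ID = 1):[IKEv2 -> AAA] Authorisation request sent
*Feb 13 03:58:03.419: IKEv2:(SESSION ID = 22,SA ID = 2):Deleting SA
*Feb 13 03:58:03.437: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Feb 13 03:58:03.449: IKEv2:(SA ID = 1):[AAA -> IKEv2] Received AAA authorisation response
*Feb 13 03:58:03.517: IKEv2:(SESSION ID = 23,SA ID = 1):Config-type: Config-reply
*Feb 13 03:58:03.517: IKEv2:(SESSION ID = 23,SA ID = 1):Attrib type: ipv4-addr, length: 4, data: 192.168.1.13
*Feb 13 03:58:03.518: IKEv2:(SESSION ID = 23,SA ID = 1):Attrib type: ipv4-subnet, length: 8, data: 192.168.1.1 255.255.255.255
*Feb 13 03:59:05.381: IKEv2:(SESSION ID = 26,SA ID = 2):Config-type: Config-set
*Feb 13 03:59:05.384: IKEv2:(SESSION ID = 26,SA ID = 2):Attrib type: ipv4-subnet, length: 8, data: 192.168.1.13 255.255.255.255
*Feb 13 03:59:05.385: IKEv2:VPN Route Added 192.168.1.13 255.255.255.255 via Virtual-Access2 in vrf global
*Feb 13 03:59:05.390: IKEv2:(SESSION ID = 26,SA ID = 2):Config-type: Config-ack
*Feb 13 03:59:05.391: IKEv2:(SESSION ID = 26,SA ID = 2):Attrib type: ipv4-subnet, length: 0
"""

# An IKEv2 debug line carries "(SESSION ID = s,SA ID = n)", only "(SA ID = n)", or no ID at all.
PREFIX = re.compile(r"IKEv2:(?:\((?:SESSION ID = (?P<session>\d+),)?SA ID = (?P<sa>\d+)\):)?(?P<msg>.*)$")
PATTERNS = {
    "profile": re.compile(r"found matching IKEv2 profile '(?P<v>[^']+)'"),
    "auth_method": re.compile(r"Peer's authentication method is '(?P<v>[^']+)'"),
    "auth_passed": re.compile(r"Verification of peer's authentication data PASSED"),
    "aaa_request": re.compile(r"Using mlist (?P<mlist>\S+) and username (?P<user>\S+) for group author request"),
    "aaa_response": re.compile(r"\[AAA -> IKEv2\] Received AAA authorisation response"),
    "config_type": re.compile(r"Config-type: (?P<v>Config-\w+)"),
    "attrib": re.compile(r"Attrib type: (?P<type>[\w-]+), length: (?P<len>\d+)(?:, data: (?P<data>.*))?"),
    "route": re.compile(r"VPN Route Added (?P<prefix>\S+ \S+) via (?P<intf>\S+)"),
    "deleted": re.compile(r"Deleting SA"),
}


def _new_record() -> Dict:
    return {"profile": None, "auth_method": None, "auth_passed": False, "aaa": None,
            "aaa_response": False, "config": defaultdict(list), "routes": [],
            "deleted": False, "_cfg": None}


def track_sessions(debug_text: str) -> Dict[Tuple[Optional[int], int], Dict]:
    """Fold the debug stream into one record per (SESSION ID, SA ID).

    Heuristic (an assumption, not documented IOS behaviour): a line with only an SA ID
    belongs to the most recent session seen with that SA ID; a line with no ID belongs
    to the session of the previous IKEv2 line."""
    sessions: Dict[Tuple[Optional[int], int], Dict] = {}
    latest_for_sa: Dict[int, Tuple[Optional[int], int]] = {}
    last_key = None
    for line in debug_text.splitlines():
        m = PREFIX.search(line)
        if not m:
            continue
        session = int(m["session"]) if m["session"] else None
        sa = int(m["sa"]) if m["sa"] else None
        if session is not None:
            key = (session, sa)
            latest_for_sa[sa] = key
        elif sa is not None:
            key = latest_for_sa.get(sa, (None, sa))
        else:
            key = last_key
        if key is None:
            continue
        last_key = key
        rec = sessions.setdefault(key, _new_record())
        msg = m["msg"]
        if (p := PATTERNS["profile"].search(msg)):
            rec["profile"] = p["v"]
        elif (p := PATTERNS["auth_method"].search(msg)):
            rec["auth_method"] = p["v"]
        elif PATTERNS["auth_passed"].search(msg):
            rec["auth_passed"] = True
        elif (p := PATTERNS["aaa_request"].search(msg)):
            rec["aaa"] = (p["mlist"], p["user"])
        elif PATTERNS["aaa_response"].search(msg):
            rec["aaa_response"] = True
        elif (p := PATTERNS["config_type"].search(msg)):
            rec["_cfg"] = p["v"]            # following Attrib lines belong to this CFG type
        elif (p := PATTERNS["attrib"].search(msg)) and rec["_cfg"]:
            rec["config"][rec["_cfg"]].append((p["type"], int(p["len"]), p["data"]))
        elif (p := PATTERNS["route"].search(msg)):
            rec["routes"].append((p["prefix"], p["intf"]))
        elif PATTERNS["deleted"].search(msg):
            rec["deleted"] = True
    return sessions


def responder_stages_missing(rec: Dict) -> List[str]:
    """Name the hub-side stages that never appeared for this SA, in the order they should occur."""
    reply = rec["config"].get("Config-reply", [])
    expected = [
        ("IKEv2 profile match", rec["profile"] is not None),
        ("peer authentication PASSED", rec["auth_passed"]),
        ("AAA group authorization request", rec["aaa"] is not None),
        ("AAA authorization response", rec["aaa_response"]),
        ("Config-reply with ipv4-addr", any(t == "ipv4-addr" for t, _, _ in reply)),
    ]
    return [name for name, ok in expected if not ok]
```

Run track_sessions over a captured debug and call responder_stages_missing on the session of the failing spoke: the first stage in the returned list is where to start looking (a wrong IDi match shows as no profile, a keyring mismatch as no authentication PASSED, a missing or misnamed authorization policy as no AAA response).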
