Thursday, February 10, 2022

Cisco VRF Aware IPSec crypto keyring command

Here's a good Cisco link for the VRF Aware IPSec configuration. You can configure multiple pre-shared key (PSK) and peer address under the crypto keyring vrf command.

R1(config)#crypto keyring MYKEYRING vrf CUST-1
R1(conf-keyring)#pre-shared-key address 20.7.16.4 key key123
R1(conf-keyring)#pre-shared-key address 202.8.26.1 key key456
R1(conf-keyring)#
R1(conf-keyring)#do show run | section crypto
crypto keyring MYKEYRING vrf CUST-1
  pre-shared-key address 20.7.16.4 key key123
  pre-shared-key address 202.8.26.1 key key456

 

I just used tunnel vrf CUST-1 under the GRE tunnel used by CUST-2 VRF.

R1#show run interface Tunnel1

Building configuration...

 

Current configuration : 288 bytes

!

interface Tunnel1

 ip vrf forwarding CUST-2

 ip address 172.20.1.1 255.255.255.252

 tunnel source 172.20.10.6

 tunnel destination 172.20.10.7

 tunnel vrf CUST-1

 !

end

 

I initially configured a separate crypto keyring using a different VRF (CUST-2) but was getting this log error:

.Feb  9 10:29:08.488 UTC: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 202.8.26.1 is missing


The debug also showed it's due to a missing PSK. I didn't notice it's using CUST-1 VRF.

R1#debug crypto isakmp

Crypto ISAKMP debugging is on

 

.Feb  9 10:32:12.466 UTC: ISAKMP (0): received packet from 202.8.26.1 dport 500 sport 500 CUST-1 (N) NEW SA

.Feb  9 10:32:12.466 UTC: ISAKMP: Created a peer struct for 202.8.26.1, peer port 500

.Feb  9 10:32:12.466 UTC: ISAKMP: New peer created peer = 0x2A60D02C peer_handle = 0x8000004E

.Feb  9 10:32:12.466 UTC: ISAKMP: Locking peer struct 0x2A60D02C, refcount 1 for crypto_isakmp_process_block

.Feb  9 10:32:12.466 UTC: ISAKMP: local port 500, remote port 500

.Feb  9 10:32:12.466 UTC: ISAKMP:(0):insert sa successfully sa = 2A4C0234

.Feb  9 10:32:12.466 UTC: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH

.Feb  9 10:32:12.466 UTC: ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_MM1

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): processing SA payload. message ID = 0

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): processing vendor id payload

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): vendor ID is NAT-T v2

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): processing vendor id payload

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): vendor ID is NAT-T v3

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): processing vendor id payload

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch

.Feb  9 10:32:12.466 UTC: ISAKMP (0): vendor ID is NAT-T RFC 3947

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): processing vendor id payload

.Feb  9 10:32:12.466 UTC: ISAKMP:(0): processing IKE frag vendor id payload

.Feb  9 10:32:12.470 UTC: ISAKMP:(0):Support for IKE Fragmentation not enabled

.Feb  9 10:32:12.470 UTC: ISAKMP:(0):No pre-shared key with 202.8.26.1!

.Feb  9 10:32:12.470 UTC: %CRYPTO-6-IKMP_NO_PRESHARED_KEY: Pre-shared key for remote peer at 202.8.26.1 is missing

.Feb  9 10:32:12.470 UTC: ISAKMP : Scanning profiles for xauth ...

.Feb  9 10:32:12.470 UTC: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy

.Feb  9 10:32:12.470 UTC: ISAKMP:      default group 2

.Feb  9 10:32:12.470 UTC: ISAKMP:      encryption AES-CBC

.Feb  9 10:32:12.470 UTC: ISAKMP:      keylength of 128

.Feb  9 10:32:12.470 UTC: ISAKMP:      hash SHA

.Feb  9 10:32:12.470 UTC: ISAKMP:      auth pre-share

.Feb  9 10:32:12.470 UTC: ISAKMP:      life type in seconds

.Feb  9 10:32:12.470 UTC: ISAKMP:      life duration (VPI) of  0x0 0x0 0xA8 0xC0

.Feb  9 10:32:12.470 UTC: ISAKMP:(0):Preshared authentication offered but does not match policy!

.Feb  9 10:32:12.470 UTC: ISAKMP:(0):atts are not acceptable. Next payload is 0

.Feb  9 10:32:12.470 UTC: ISAKMP:(0):no offers accepted!

.Feb  9 10:32:12.470 UTC: ISAKMP:(0): phase 1 SA policy not acceptable! (local 61.4.11.2 remote 202.8.26.1)

.Feb  9 10:32:12.470 UTC: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init

.Feb  9 10:32:12.470 UTC: ISAKMP:(0): Failed to construct AG informational message.

.Feb  9 10:32:12.470 UTC: ISAKMP:(0): sending packet to 202.8.26.1 my_port 500 peer_port 500 (R) MM_NO_STATE

.Feb  9 10:32:12.470 UTC: ISAKMP:(0):Sending an IKE IPv4 Packet.

.Feb  9 10:32:12.470 UTC: ISAKMP:(0):peer does not do paranoid keepalives.

.Feb  9 10:32:12.470 UTC: ISAKMP:(0):deleting SA reason "Phase1 SA policy proposal not accepted" state (R) MM_NO_STATE (peer 202.8.26.1)


No comments:

Post a Comment