Phase 2 does not come up for IKE V2 due to "IKEv2 child SA negotiation is failed message lacks KE payload"

71202
Created On 07/08/20 20:02 PM - Last Modified 07/30/20 19:16 PM


Symptom


IKEv2 Phase 2 (child SA) negotiation fails, or renegotiation of an established child SA fails, and the system log reports "IKEv2 child SA negotiation is failed message lacks KE payload".

Environment


  • Site to Site VPN
  • IPSec VPN with Azure Gateway


Resolution


  1. Change the DH group in the IPSec Crypto profile to match the remote peer.
  2. In case of an Azure peer, set the DH group to No PFS.


Additional Information


System Log output:

2020/MM/DD 10:48:32 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is succeeded as responder, non-rekey. Established SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011B, SPI:0xB3BC8745/0x4D286384.
2020/MM/DD 10:48:32 info     vpn     JTC    ipsec-k 0  IPSec key installed. Installed SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] SPI:0xB3BC8745/0x4D286384 lifetime 28800 Sec lifesize unlimited.
2020/MM/DD 10:48:32 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011B.
2020/MM/DD 10:48:26 info     vpn            ike-con 0  IKE daemon configuration load phase-2 succeeded.
2020/MM/DD 10:48:01 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:48:01 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011A.
2020/MM/DD 10:47:59 info     vpn            ike-con 0  IKE daemon configuration load phase-1 succeeded.
2020/MM/DD 10:47:30 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:47:30 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x00000119.
2020/MM/DD 10:46:59 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:46:59 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x00000118.
2020/MM/DD 10:46:28 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:46:28 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x00000117.
2020/MM/DD 10:45:57 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is failed message lacks KE payload
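As an added illustration (not part of this article), the following Python script parses system log lines in the format shown above, counts child SA negotiation starts, successes and failures per IKE gateway, and maps the "message lacks KE payload" signature to the DH group / PFS mismatch that the Resolution section addresses. The sample lines are constructed from the article's output; the gateway name JTC and the masked addresses are taken from it, and the field layout assumed by the regular expression is inferred from those lines.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the system log lines in this article.
SAMPLE_LOG = """\
2020/MM/DD 10:45:57 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:46:28 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x00000117.
2020/MM/DD 10:46:28 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:47:59 info     vpn            ike-con 0  IKE daemon configuration load phase-1 succeeded.
2020/MM/DD 10:48:32 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011B.
2020/MM/DD 10:48:32 info     vpn     JTC    ikev2-n 0  IKEv2 child SA negotiation is succeeded as responder, non-rekey. Established SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011B, SPI:0xB3BC8745/0x4D286384.
"""

# Assumed layout: date time severity subtype [gateway] event-id seq description;
# the gateway column is blank on ike-con (daemon configuration) lines.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<sev>\S+)\s+(?P<subtype>\S+)\s+"
    r"(?:(?P<gw>\S+)\s+)?(?P<event>ikev2-n|ipsec-k|ike-con)\s+\d+\s+(?P<msg>.*)$"
)

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Per IKE gateway: started/succeeded/failed child SA negotiations and failure reasons."""
    stats = defaultdict(lambda: {"started": 0, "succeeded": 0, "failed": 0, "reasons": defaultdict(int)})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["event"] != "ikev2-n" or not rec["gw"]:
            continue  # unparsable lines and gateway-less daemon events carry no per-tunnel state
        s, msg = stats[rec["gw"]], rec["msg"]
        if "child SA negotiation is started" in msg:
            s["started"] += 1
        elif "child SA negotiation is succeeded" in msg:
            s["succeeded"] += 1
        elif "child SA negotiation is failed" in msg:
            s["failed"] += 1
            s["reasons"][msg.split("is failed", 1)[1].strip() or "unspecified"] += 1
    return stats

def diagnose(stats):
    """Map the failure signature from this article to its cause and the article's fix."""
    findings = {}
    for gw, s in stats.items():
        if s["reasons"].get("message lacks KE payload"):
            findings[gw] = ("PFS mismatch: this side expects a DH exchange (KE payload) in "
                            "CREATE_CHILD_SA but the peer sent none; set the IPSec crypto "
                            "profile DH group to match the peer (No PFS for Azure)")
    return findings
```

Run `diagnose(summarize(open("system.log").read()))` against an exported system log to get one finding per affected gateway.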


 
Debug Ikemgrd.log output:

2020-MM-DD 10:42:20.741 +0530  [DEBG]: {    4:    7}: TS matching for configured selector JTC:local 192.168.92.0[0]/24-172.17.0.0[0]/1
2020-MM-DD 10:42:20.741 +0530  [DEBG]: {    4:    7}: .. check local TS (num 1, TS0 is not specific) against selector 0:192.168.92.0[0
2020-MM-DD 10:42:20.741 +0530  [DEBG]: {     :    7}: ... TS 0: exact match
2020-MM-DD 10:42:20.741 +0530  [DEBG]: {    4:    7}: ... result: local TS = 192.168.92.0[0]/24
2020-MM-DD 10:42:20.741 +0530  [DEBG]: {    4:    7}: .. check remote TS (num 1, TS0 is not specific) against selector 0:172.17.0.0[0]
2020-MM-DD 10:42:20.741 +0530  [DEBG]: {     :    7}: ... TS 0: exact match
2020-MM-DD 10:42:20.741 +0530  [DEBG]: {    4:    7}: ... result: remote TS = 172.17.0.0[0]/16
2020-MM-DD 10:42:20.742 +0530  [DEBG]: {    4:    7}: TS matching result: TS_l match(=), TS_r match(=) *
2020-MM-DD 10:42:20.742 +0530  [DEBG]: {    4:    7}: selector chosen JTC:local: tid 7`
2020-MM-DD 10:42:20.742 +0530  [PERR]: {    4:    7}: message lacks KE payload  <<<<<<<<<<<---------------
2020-MM-DD 10:42:20.742 +0530  [DEBG]: 14.98.XXX.YY[500] - 185.66.AAA.BBB[500]:(nil) 1 times of 80 bytes message will be sent over soc
2020-MM-DD 10:42:26.014 +0530  [DEBG]: 14.98.XXX.YY[500] - 185.66.AAA.BBB[500]:(nil) 1 times of 80 bytes message will be sent over soc
2020-MM-DD 10:42:26.188 +0530  [DEBG]: processing isakmp packet

 


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008Uj1CAE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail