Phase 2 does not come up for IKEv2 because "IKEv2 child SA negotiation is failed message lacks KE payload"
71346
Created On 07/08/20 20:02 PM - Last Modified 03/26/21 18:28 PM
Symptom
IKEv2 Phase 2 fails, or its renegotiation (rekey) fails.
Environment
- Site-to-site VPN
- IPSec VPN with Azure Gateway
Resolution
- Change the DH group in the IPSec Crypto profile so that it matches the remote peer.
- For an Azure peer, set the DH group to No PFS.
Additional Information
System log output:
2020/MM/DD 10:48:32 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is succeeded as responder, non-rekey. Established SA : 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011B, SPI:0xB3BC8745/0x4D286384.
2020/MM/DD 10:48:32 info vpn JTC ipsec-k 0 IPSec key installed. Installed SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] SPI:0xB3BC8745/0x4D286384 lifetime 28800 Sec lifesize unlimited.
2020/MM/DD 10:48:32 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011B.
2020/MM/DD 10:48:26 info vpn ike-con 0 IKE daemon configuration load phase-2 succeeded.
2020/MM/DD 10:48:01 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:48:01 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011A.
2020/MM/DD 10:47:59 info vpn ike-con 0 IKE daemon configuration load phase-1 succeeded.
2020/MM/DD 10:47:30 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:47:30 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x00000119.
2020/MM/DD 10:46:59 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:46:59 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x00000118.
2020/MM/DD 10:46:28 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:46:28 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x00000117.
2020/MM/DD 10:45:57 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is failed message lacks KE payload
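The "failed" entry above never carries the message id, so the only way to see which CREATE_CHILD_SA request was rejected is to pair it with the "started" entry just before it. The following Python is an added example, not part of this article or of PAN-OS: it walks exported system log entries oldest-first, records per IKE gateway the message ids of child SA negotiations that failed for a missing KE payload (the peer proposed no DH exchange while the local IPSec crypto profile has a PFS group set), and notes whether a later negotiation succeeded. The sample log is constructed from the entries shown above; the gateway name JTC and the masked addresses are the article's.

```python
import re
from typing import Dict

# Constructed sample, modelled on the system log entries in this article
# (oldest first; the addresses are the article's masked placeholders).
SAMPLE_SYSLOG = """\
2020/MM/DD 10:46:28 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x00000117.
2020/MM/DD 10:46:28 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:46:59 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x00000118.
2020/MM/DD 10:46:59 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is failed message lacks KE payload
2020/MM/DD 10:48:26 info vpn ike-con 0 IKE daemon configuration load phase-2 succeeded.
2020/MM/DD 10:48:32 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is started as responder, non-rekey. Initiated SA: 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011B.
2020/MM/DD 10:48:32 info vpn JTC ikev2-n 0 IKEv2 child SA negotiation is succeeded as responder, non-rekey. Established SA : 14.98.XXX.YY[500]-185.66.AAA.BBB[500] message id:0x0000011B, SPI:0xB3BC8745/0x4D286384.
"""

# One pattern for the three child SA states; the gateway name follows "vpn".
CHILD_SA = re.compile(
    r"^\S+ \S+ info vpn (?P<gw>\S+) ikev2-n \d+ IKEv2 child SA negotiation is "
    r"(?P<state>started|failed|succeeded)(?P<rest>.*)$"
)
MSG_ID = re.compile(r"message id:(0x[0-9A-Fa-f]+)")


def analyse_child_sa_log(text: str) -> Dict[str, dict]:
    """Per gateway: message ids rejected for a missing KE payload (PFS DH group
    configured locally, none offered by the peer) and whether a later
    negotiation succeeded, e.g. after the crypto profile was corrected."""
    report: Dict[str, dict] = {}
    pending: Dict[str, str] = {}  # gateway -> message id of last started negotiation
    for line in text.splitlines():
        m = CHILD_SA.match(line)
        if not m:
            continue  # e.g. ike-con / ipsec-k entries
        gw, state, rest = m.group("gw"), m.group("state"), m.group("rest")
        entry = report.setdefault(gw, {"pfs_mismatch_msg_ids": [], "recovered": False})
        if state == "started":
            mid = MSG_ID.search(rest)
            pending[gw] = mid.group(1) if mid else "?"
        elif state == "failed" and "lacks KE payload" in rest:
            entry["pfs_mismatch_msg_ids"].append(pending.get(gw, "?"))
        elif state == "succeeded":
            entry["recovered"] = True
    for entry in report.values():
        entry["diagnosis"] = (
            "DH group (PFS) mismatch in IPSec crypto profile: match the peer (No PFS for Azure)"
            if entry["pfs_mismatch_msg_ids"] else "no PFS mismatch seen"
        )
    return report


if __name__ == "__main__":
    for gw, info in analyse_child_sa_log(SAMPLE_SYSLOG).items():
        print(gw, info)
```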
Debug output (Ikemgrd.log):
2020-MM-DD 10:42:20.741 +0530 [DEBG]: { 4: 7}: TS matching for configured selector JTC:local 192.168.92.0[0]/24-172.17.0.0[0]/1
2020-MM-DD 10:42:20.741 +0530 [DEBG]: { 4: 7}: .. check local TS (num 1, TS0 is not specific) against selector 0:192.168.92.0[0
2020-MM-DD 10:42:20.741 +0530 [DEBG]: { : 7}: ... TS 0: exact match
2020-MM-DD 10:42:20.741 +0530 [DEBG]: { 4: 7}: ... result: local TS = 192.168.92.0[0]/24
2020-MM-DD 10:42:20.741 +0530 [DEBG]: { 4: 7}: .. check remote TS (num 1, TS0 is not specific) against selector 0:172.17.0.0[0]
2020-MM-DD 10:42:20.741 +0530 [DEBG]: { : 7}: ... TS 0: exact match
2020-MM-DD 10:42:20.741 +0530 [DEBG]: { 4: 7}: ... result: remote TS = 172.17.0.0[0]/16
2020-MM-DD 10:42:20.742 +0530 [DEBG]: { 4: 7}: TS matching result: TS_l match(=), TS_r match(=) *
2020-MM-DD 10:42:20.742 +0530 [DEBG]: { 4: 7}: selector chosen JTC:local: tid 7
2020-MM-DD 10:42:20.742 +0530 [PERR]: { 4: 7}: message lacks KE payload <<<<<<<<<<<---------------
2020-MM-DD 10:42:20.742 +0530 [DEBG]: 14.98.XXX.YY[500] - 185.66.AAA.BBB[500]:(nil) 1 times of 80 bytes message will be sent over soc
2020-MM-DD 10:42:26.014 +0530 [DEBG]: 14.98.XXX.YY[500] - 185.66.AAA.BBB[500]:(nil) 1 times of 80 bytes message will be sent over soc
2020-MM-DD 10:42:26.188 +0530 [DEBG]: processing isakmp packet