
I'm encountering an issue with an IKEv2 setup where the authentication exchange fails and I receive the error message: "Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2 : Received an IKE msg id outside supported window".

I am trying to establish an IPSEC VPN tunnel between AWS and a Cisco C1111-8PLTEEA running Cisco IOS XE Software, Version 17.03.04a.

Please note, I can establish a VPN between this router and AWS when using the standard shared secret authentication method. I only have these problems when using certificate authentication. AWS Support states the authentication is working (noted below).

I have been reading about IKEv2 and trying out different things in the Cisco configuration related to IKEv2 and IPSEC fragmentation, but I have had no luck.

Any assistance is greatly appreciated!

Cisco Debug Output

Jun 12 09:49:24.788: IKEv2-ERROR:(SESSION ID = 1,SA ID = 5):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window

Jun 12 09:49:24.788: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 18.218.X.X:4500/To 24.106.X.X:4500/VRF i0:f0]
Initiator SPI : A47449A2BD1AE71A - Responder SPI : 5A1E2DF2291B6E9D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Jun 12 09:49:24.788: IKEv2-PAK:(SESSION ID = 0,SA ID = 0):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 2556
Jun 12 09:49:26.559: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 5):SM Trace-> SA: I_SPI=A47449A2BD1AE71A R_SPI=5A1E2DF2291B6E9D (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Jun 12 09:49:26.560: IKEv2:(SESSION ID = 1,SA ID = 5):Retransmitting packet

Jun 12 09:49:26.560: IKEv2:(SESSION ID = 1,SA ID = 5):Sending Packet [To 18.218.X.X:4500/From 24.106.X.X:4500/VRF i0:f0]
Initiator SPI : A47449A2BD1AE71A - Responder SPI : 5A1E2DF2291B6E9D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Jun 12 09:49:26.560: IKEv2-PAK:(SESSION ID = 1,SA ID = 5):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 1820
Payload contents:
 ENCR  Next payload: VID, reserved: 0x0, length: 1792


Jun 12 09:49:26.561: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 5):SM Trace-> SA: I_SPI=A47449A2BD1AE71A R_SPI=5A1E2DF2291B6E9D (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
Jun 12 09:49:26.649: IKEv2-ERROR:(SESSION ID = 1,SA ID = 5):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window

Jun 12 09:49:26.650: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 18.218.X.X:4500/To 24.106.X.X:4500/VRF i0:f0]
Initiator SPI : A47449A2BD1AE71A - Responder SPI : 5A1E2DF2291B6E9D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Jun 12 09:49:26.650: IKEv2-PAK:(SESSION ID = 0,SA ID = 0):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 2556
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT_EXCEED
Jun 12 09:49:29.372: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL
Jun 12 09:49:29.372: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
Jun 12 09:49:29.372: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
Jun 12 09:49:29.373: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: EXIT Event: EV_ABORT
Jun 12 09:49:29.373: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: EXIT Event: EV_CHK_PENDING_ABORT
Jun 12 09:49:29.373: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: EXIT Event: EV_CHK_GKM
Jun 12 09:49:29.373: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: EXIT Event: EV_UPDATE_CAC_STATS
Jun 12 09:49:29.373: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
Jun 12 09:49:29.373: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA

AWS DEBUG (Provided by AWS Support Team)

2023-06-12 21:53:22.890 24.106.X.X is initiating an IKE_SA
2023-06-12 21:53:22.892 sending cert request for <CERT REDACTED>
2023-06-12 21:53:22.892 sending cert request for <CERT REDACTED>
2023-06-12 21:53:22.892 sending packet to 24.106.X.X[500]
2023-06-12 21:53:22.985 received end entity cert "CN=X.io"
2023-06-12 21:53:22.985 looking for peer configs matching 24.106.X.X[X.io]
2023-06-12 21:53:22.985 using certificate "CN=X.io"
2023-06-12 21:53:22.985 using trusted intermediate ca certificate <CERT REDACTED>
2023-06-12 21:53:22.985 checking certificate status of "CN=X.io"
2023-06-12 21:53:22.985 reached self-signed root ca with a path length of 1
2023-06-12 21:53:22.985 authentication of 'X.io' with RSA signature successful
2023-06-12 21:53:22.986 authentication of 'CN=vpn-X.endpoint-0' (myself) with RSA signature successful
2023-06-12 21:53:22.986 destroying duplicate IKE_SA for peer 'X.io', received INITIAL_CONTACT
2023-06-12 21:53:23.231 IKE_SA established between [CN=vpn-X.endpoint-0]...24.106.X.X[X.io] <== Phase-1 established
2023-06-12 21:53:23.232 sending end entity cert "CN=vpn-X.endpoint-0"
2023-06-12 21:53:23.232 sending issuer cert <CERT REDACTED>
2023-06-12 21:53:23.232 selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
2023-06-12 21:53:23.233 CHILD_SA established with SPIs cacf4f07_i a8b7c369_o and TS 0.0.0.0/0 === 0.0.0.0/0 <== Phase-2 established

2023-06-12 21:53:23.495 received retransmit of request with ID 1 <=== IKE_AUTH request 1
2023-06-12 21:53:23.495 sending packet to 24.106.X.X[4500] <=== resent the IKE_AUTH 
2023-06-12 21:53:25.375 received retransmit of request with ID 1
2023-06-12 21:53:25.375 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:29.248 received retransmit of request with ID 1
2023-06-12 21:53:29.248 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:36.681 received retransmit of request with ID 1
2023-06-12 21:53:36.681 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:42.892 sending keep alive to 24.106.X.X[4500]
2023-06-12 21:53:47.232 sending DPD request
2023-06-12 21:53:47.232 generating INFORMATIONAL request 0 [ ]
2023-06-12 21:53:47.232 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:51.334 received retransmit of request with ID 1
2023-06-12 21:53:51.334 sending packet to 24.106.X.X[4500]
2023-06-12 21:53:52.889 received Cisco Delete Reason vendor ID <=== CGW brings down the tunnel
2023-06-12 21:53:52.889 received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
2023-06-12 21:53:52.889 received unknown vendor ID: 43:49:53:43:4f:2d:44:59:4e:41:4d:49:43:2d:52:4f:55:54:45
2023-06-12 21:53:52.889 received Cisco FlexVPN Supported vendor ID

AWS Notes

I can see that authentication was successful, but the CGW keeps requesting to resend the Phase-1 authentication; after a while, the CGW tore it down.

Can you please check why the CGW requests to retransmit the Phase-1 authentication? I also believe the cert setup is correct, as we do not see an Authentication Failed issue.

Cisco Configuration (Relevant Sections)

crypto pki trustpoint AWSVPNCert
 enrollment pkcs12
 usage ike
 fqdn X.io
 subject-name CN=X.io
 subject-alt-name X.io
 revocation-check none
 rsakeypair AWSVPNCert
!
crypto pki trustpoint AWSVPNCert-rrr1
 revocation-check none
!
!
!
crypto pki certificate map AWSVPNCert 10
 subject-name co vpn-X.endpoint-0
!
crypto pki certificate chain AWSVPNCert
 certificate 00BB42667CDD1117BED5D136A8221FAE2A
  308203C3 
  ...

certificate ca 543539C4284EBA5D13C1FEC18665700A
  3082041A 
  ...

crypto pki certificate chain AWSVPNCert-rrr1
 certificate ca 3FD703D2A83CF19C25B2CED41D9425A4
  308203F4 
  ...

crypto ikev2 proposal PROPOSAL1 
 encryption aes-cbc-128
 integrity sha1
 group 2
!
crypto ikev2 policy POLICY1 
 match fvrf any
 proposal PROPOSAL1
!
!
crypto ikev2 profile IKEV2-PROFILE
 match certificate AWSVPNCert
 identity local fqdn X.io
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint AWSVPNCert
 lifetime 28800
 dpd 10 10 periodic
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set awsvpntransform esp-aes esp-sha-hmac 
 mode tunnel
crypto ipsec df-bit clear
!
!
crypto ipsec profile ipsec-vpn-X-0
 set transform-set awsvpntransform 
 set pfs group2
 set ikev2-profile IKEV2-PROFILE
!
interface Tunnel1
 ip address 169.254.221.170 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 18.218.X.X
 tunnel protection ipsec profile ipsec-vpn-X-0
 ip virtual-reassembly
!
interface GigabitEthernet0/0/0
 ip address 24.106.X.X 255.255.X.X
 negotiation auto
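As an added example (my own triage script, not code from the original post, Cisco or AWS), the following Python replays the two logs above and extracts the message-ID evidence side by side: the "outside of window" errors and the window they report, the EV_RE_XMT retransmit events, the IKE_AUTH responses the router received and discarded while still sitting in I_WAIT_AUTH, and what the peer saw. The two log excerpts are constructed from the lines posted above (prompt interruptions removed, addresses redacted as in the post); all function names are mine.

```python
import re

# Constructed excerpt of the Cisco "debug crypto ikev2" output posted above.
CISCO_DEBUG = """\
Jun 12 09:49:24.788: IKEv2-ERROR:(SESSION ID = 1,SA ID = 5):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window
Jun 12 09:49:24.788: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 18.218.X.X:4500/To 24.106.X.X:4500/VRF i0:f0]
Initiator SPI : A47449A2BD1AE71A - Responder SPI : 5A1E2DF2291B6E9D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Jun 12 09:49:26.559: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 5):SM Trace-> SA: I_SPI=A47449A2BD1AE71A R_SPI=5A1E2DF2291B6E9D (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Jun 12 09:49:26.560: IKEv2:(SESSION ID = 1,SA ID = 5):Sending Packet [To 18.218.X.X:4500/From 24.106.X.X:4500/VRF i0:f0]
Initiator SPI : A47449A2BD1AE71A - Responder SPI : 5A1E2DF2291B6E9D Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Jun 12 09:49:26.649: IKEv2-ERROR:(SESSION ID = 1,SA ID = 5):Response is outside of window received 0x1, expect 0x2 <= mess_id < 0x2
: Received an IKE msg id outside supported window
Jun 12 09:49:26.650: IKEv2:(SESSION ID = 0,SA ID = 0):Received Packet [From 18.218.X.X:4500/To 24.106.X.X:4500/VRF i0:f0]
Initiator SPI : A47449A2BD1AE71A - Responder SPI : 5A1E2DF2291B6E9D Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: I_WAIT_AUTH Event: EV_RE_XMT_EXCEED
Jun 12 09:49:29.372: IKEv2-INTERNAL:(SESSION ID = 1,SA ID = 1):SM Trace-> SA: I_SPI=08C6AFB6BCC3F41A R_SPI=714EC031D5EDCEB3 (I) MsgID = 1 CurState: AUTH_DONE Event: EV_FAIL
Jun 12 09:49:29.372: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
"""

# Constructed excerpt of the AWS-side (strongSwan-style) log posted above.
AWS_LOG = """\
2023-06-12 21:53:22.985 authentication of 'X.io' with RSA signature successful
2023-06-12 21:53:23.231 IKE_SA established between [CN=vpn-X.endpoint-0]...24.106.X.X[X.io]
2023-06-12 21:53:23.233 CHILD_SA established with SPIs cacf4f07_i a8b7c369_o and TS 0.0.0.0/0 === 0.0.0.0/0
2023-06-12 21:53:23.495 received retransmit of request with ID 1
2023-06-12 21:53:25.375 received retransmit of request with ID 1
2023-06-12 21:53:29.248 received retransmit of request with ID 1
2023-06-12 21:53:36.681 received retransmit of request with ID 1
2023-06-12 21:53:51.334 received retransmit of request with ID 1
2023-06-12 21:53:52.889 received Cisco Delete Reason vendor ID
"""

WINDOW_RE = re.compile(r"outside of window received 0x([0-9a-fA-F]+), expect 0x([0-9a-fA-F]+) <= mess_id < 0x([0-9a-fA-F]+)")
SM_RE = re.compile(r"SM Trace-> SA: I_SPI=([0-9A-F]+) R_SPI=([0-9A-F]+) \((I|R)\) MsgID = (\d+) CurState: (\S+) Event: (\S+)")
SPI_RE = re.compile(r"Initiator SPI : ([0-9A-F]+) - Responder SPI : ([0-9A-F]+) Message id: (\d+)")
EXCH_RE = re.compile(r"^IKEv2 (\S+) Exchange (REQUEST|RESPONSE)$")
PEER_RETX_RE = re.compile(r"received retransmit of request with ID (\d+)")


def analyze_cisco(debug_text):
    """Replay the initiator-side debug and collect message-ID evidence per IKE SA."""
    window_errors = []   # (received_id, window_lo, window_hi) as ints
    retransmits = 0      # EV_RE_XMT events: the router resending a request
    packets = []         # (direction, initiator_spi, msg_id, exchange, REQUEST|RESPONSE)
    last_state = {}      # initiator_spi -> (state, msg_id) from the latest SM trace line
    direction = pending = None
    for line in debug_text.splitlines():
        if m := WINDOW_RE.search(line):
            window_errors.append(tuple(int(x, 16) for x in m.groups()))
        elif m := SM_RE.search(line):
            ispi, _rspi, _role, msg_id, state, event = m.groups()
            last_state[ispi] = (state, int(msg_id))
            retransmits += event == "EV_RE_XMT"
        elif "Sending Packet" in line:
            direction = "sent"
        elif "Received Packet" in line:
            direction = "recv"
        elif direction and (m := SPI_RE.search(line)):      # SPI line follows the packet line
            pending = (direction, m.group(1), int(m.group(3)))
        elif pending and (m := EXCH_RE.match(line)):        # exchange line follows the SPI line
            packets.append(pending + m.groups())
            direction = pending = None
    return {"window_errors": window_errors, "retransmits": retransmits,
            "packets": packets, "last_state": last_state}


def analyze_peer(log_text):
    """What the responder saw: did it finish authentication, and how often was it re-asked?"""
    retx = [int(m.group(1)) for m in map(PEER_RETX_RE.search, log_text.splitlines()) if m]
    return {"peer_retransmits": retx,
            "peer_ike_sa_established": "IKE_SA established" in log_text,
            "peer_child_sa_established": "CHILD_SA established" in log_text}


def findings(cisco, peer):
    out = []
    for received, lo, hi in cisco["window_errors"]:
        if lo >= hi:   # [lo, hi) is empty: the router believes no request is outstanding
            out.append(f"response 0x{received:x} rejected against an empty window [0x{lo:x}, 0x{hi:x})")
    for ispi, (state, msg_id) in cisco["last_state"].items():
        answered = [p for p in cisco["packets"]
                    if p[0] == "recv" and p[1] == ispi and p[2] == msg_id and p[4] == "RESPONSE"]
        if state == "I_WAIT_AUTH" and answered:
            out.append(f"SA {ispi}: still in I_WAIT_AUTH for MsgID {msg_id} although "
                       f"{len(answered)} response(s) to it arrived and were dropped")
    if peer["peer_ike_sa_established"] and peer["peer_retransmits"]:
        out.append(f"peer established the IKE_SA and answered {len(peer['peer_retransmits'])} "
                   f"retransmit(s) of request ID {peer['peer_retransmits'][0]}: authentication "
                   "succeeded, the failure is local message-ID bookkeeping, not the certificates")
    return out


def report():
    return findings(analyze_cisco(CISCO_DEBUG), analyze_peer(AWS_LOG))


if __name__ == "__main__":
    print("\n".join(report()))
```

The decisive signal is the empty window: `expect 0x2 <= mess_id < 0x2` means the router has already moved past request 1, yet its state machine is still in I_WAIT_AUTH for that same request and keeps retransmitting it, while the peer's log shows both SAs established and every retransmit answered. That combination points at the initiator's own message-ID accounting rather than at PKI.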

1 Answer

Resolved. There is a bug in IOS per Cisco.

IKEv2 fragmentation causes wrong message ID used for EAP authentication CSCwb76988
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb76988
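To make the logged error string concrete, here is an added Python model (my own code, not the page's, Cisco's or AWS's) of the RFC 7296 section 2.3 message-ID window on the initiator side, fed with constructed RFC 7383 Encrypted Fragment (SKF, payload type 53) packets. It packs and parses the 28-byte IKE header and the SKF payload header, reassembles a fragmented IKE_AUTH response, and then shows that a response for a message ID the initiator no longer has outstanding is rejected with exactly the `expect 0x2 <= mess_id < 0x2` window the router printed above. The SPIs are reused from the debug output as sample values; encryption, IV and ICV are omitted (fragment bodies are plaintext), and the model covers the window check only, not the internals of the Cisco bug.

```python
import struct

IKE_HDR = struct.Struct("!8s8sBBBBII")   # RFC 7296 s3.1 fixed header: SPIs, NP, version, exch, flags, msg id, length
SKF_HDR = struct.Struct("!BBHHH")        # RFC 7383 SKF: generic payload hdr + Fragment Number + Total Fragments
EXCH = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
PAYLOAD_SKF = 53
ISPI = bytes.fromhex("A47449A2BD1AE71A")   # sample values taken from the debug above
RSPI = bytes.fromhex("5A1E2DF2291B6E9D")


def build_fragments(ispi, rspi, exch, flags, msg_id, inner_np, body, frag_size):
    """Split an (here unencrypted) inner message into SKF fragments sharing one message ID."""
    chunks = [body[i:i + frag_size] for i in range(0, len(body), frag_size)] or [b""]
    out = []
    for n, chunk in enumerate(chunks, 1):
        # RFC 7383: only the first fragment carries the inner Next Payload; the rest use 0
        payload = SKF_HDR.pack(inner_np if n == 1 else 0, 0, SKF_HDR.size + len(chunk), n, len(chunks)) + chunk
        hdr = IKE_HDR.pack(ispi, rspi, PAYLOAD_SKF, 0x20, exch, flags, msg_id, IKE_HDR.size + len(payload))
        out.append(hdr + payload)
    return out


def parse_fragment(pkt):
    """Parse IKE header + SKF header; every field an implementation must check before reassembly."""
    ispi, rspi, np_, ver, exch, flags, msg_id, length = IKE_HDR.unpack_from(pkt)
    if ver >> 4 != 2 or length != len(pkt):
        raise ValueError("bad IKE header")
    if np_ != PAYLOAD_SKF:
        raise ValueError("not an Encrypted Fragment")
    inner_np, _res, plen, frag_no, total = SKF_HDR.unpack_from(pkt, IKE_HDR.size)
    if not 1 <= frag_no <= total or IKE_HDR.size + plen != length:
        raise ValueError("bad Encrypted Fragment header")
    return {"ispi": ispi, "rspi": rspi, "exch": EXCH.get(exch, exch), "msg_id": msg_id,
            "response": bool(flags & FLAG_RESPONSE), "frag": (frag_no, total),
            "inner_np": inner_np, "data": pkt[IKE_HDR.size + SKF_HDR.size:IKE_HDR.size + plen]}


class InitiatorWindow:
    """RFC 7296 s2.3 message-ID bookkeeping for an initiator with a window size of 1."""
    def __init__(self, next_id=0):
        self.next_id = next_id      # ID the next request will carry
        self.outstanding = None     # ID of the request awaiting a response, if any
        self.reassembly = {}        # msg_id -> {frag_no: data}

    def send_request(self):
        if self.outstanding is not None:
            raise RuntimeError("window size 1: a request is already in flight")
        self.outstanding = self.next_id
        self.next_id += 1
        return self.outstanding

    def accept_response_fragment(self, pkt):
        f = parse_fragment(pkt)
        if not f["response"] or (f["ispi"], f["rspi"]) != (ISPI, RSPI):
            raise ValueError("not a response on this SA")
        lo, hi = (self.outstanding if self.outstanding is not None else self.next_id), self.next_id
        # In-window means "answers the one outstanding request". With nothing outstanding the
        # window is [next_id, next_id), i.e. empty: that is the shape the router logged.
        if not lo <= f["msg_id"] < hi:
            raise ValueError(f"Response is outside of window received 0x{f['msg_id']:x}, "
                             f"expect 0x{lo:x} <= mess_id < 0x{hi:x}")
        frags = self.reassembly.setdefault(f["msg_id"], {})
        frags[f["frag"][0]] = f["data"]
        if len(frags) < f["frag"][1]:
            return None                                   # wait for the remaining fragments
        body = b"".join(frags[i] for i in range(1, f["frag"][1] + 1))
        del self.reassembly[f["msg_id"]]
        self.outstanding = None                           # request answered; window moves on
        return body


def demo():
    w = InitiatorWindow(next_id=1)          # IKE_SA_INIT (ID 0) already completed
    results = {}
    w.send_request()                        # IKE_AUTH request, ID 1
    auth_body = bytes(range(256)) * 3       # stands in for the encrypted IDr/CERT/AUTH/SA/TS payloads
    frags = build_fragments(ISPI, RSPI, 35, FLAG_RESPONSE, 1, 36, auth_body, 300)
    for frag in frags:
        results["auth"] = w.accept_response_fragment(frag)   # None, None, then the full body
    try:
        w.accept_response_fragment(frags[0])   # a response to ID 1 again, after the window moved
        results["late"] = None
    except ValueError as e:
        results["late"] = str(e)
    return results, auth_body


if __name__ == "__main__":
    r, _ = demo()
    print(r["late"])
```

Read against the router's behaviour: a correct initiator only reaches the empty window `[0x2, 0x2)` after it has consumed the response to request 1 and cleared `outstanding`. Retransmitting request 1 while the window already reads `[0x2, 0x2)` is self-contradictory, which is why a fix on the Cisco side, rather than any change to the certificates or to AWS, is the right outcome here.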