IKEv1 or IKEv2 tunnel using a pre-shared key is not getting established. Debugs indicate a problem with pre-shared key mismatch.

IKEv2: "Failed to authenticate SA" errors are seen.
IKEv1: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed

The problem with the router behaviour is that when it cannot decrypt the pre-shared key it sends the encrypted form of the pre-shared key to the peer. This is not correct - the router should abort the negotiation.
"password encryption aes" is configured, encrypted pre-shared keys are present in the configuration, e.g.:

 crypto ikev2 keyring CRYPTO
  peer ANY
   address 0.0.0.0 0.0.0.0
   pre-shared-key 6 FcdG`K_gaK\EAVAUDORGHNIfLEQAAB

AND the actual password encryption key is missing on the router.

Why could it be missing? Because the configuration was copy-pasted from a backup, or from another device, with encrypted pre-shared keys, but "key config-key password-encrypt" with the correct password was not configured.

How to know if the password encryption key is missing? Configure a dummy pre-shared key and check whether it gets encrypted. If the encryption key is missing, the following error is seen:

 crypto ikev2 keyring CRYPTO
  peer test
   address 203.0.113.1
   pre-shared-key test-password
 >>Cannot encrypt password. Please configure a configuration-key with 'key config-key'<<
How to get out of the missing encryption key situation:

1. If the old "key config-key password-encrypt" key is stored in documentation and available, reapply it:

 conf t
 key config-key password-encrypt

The VPN should start working.

2. If the "key config-key password-encrypt" key is not known, then set a new one, document it, and re-apply all the pre-shared keys in clear-text form, so that they get encrypted with the new encryption key.
The problem is caused by a missing password encryption key - configured with "key config-key password-encrypt". This bug fix doesn't address why the password encryption key is missing.

Note - this configuration part is used to encrypt pre-shared keys in the running-config and IS NOT displayed in the running-config. There is no way to retrieve it from the router.

When password encryption is used the pre-shared keys are stored in the configuration in encrypted form, e.g.:

 before encryption: pre-shared-key Example-password
 after encryption:  pre-shared-key 6 FcdG`K_gaK\EAVAUDORGHNIfLEQAAB

When the router needs to use the pre-shared key to establish the VPN it decrypts it with the password encryption key - configured with "key config-key password-encrypt", stored in secure storage and not visible in the running-config. If the encryption key is missing, for whatever reason, the router cannot decrypt the pre-shared key.

This bug fix changes the behaviour when the router is not able to decrypt the pre-shared key:
- before the fix - it sends the encrypted form as the pre-shared key, e.g. FcdG`K_gaK\EAVAUDORGHNIfLEQAAB in the above example.
- after the fix - the router aborts the negotiation and shows in the ISAKMP/IKEv2 debugs that it cannot decrypt the pre-shared key.

The signs that the password was configured, but is lost, are:

Passwords are saved as type 6, e.g.:

 crypto ikev2 keyring CRYPTO
  peer ANY
   address 0.0.0.0 0.0.0.0
   pre-shared-key 6 FcdG`K_gaK\EAVAUDORGHNIfLEQAAB   <-- note 6!

AND the router gives a warning when trying to configure a new password:

 configure terminal
 crypto ikev2 keyring TEST
  peer test
   address 203.0.113.1
   pre-shared-key test-password
 Cannot encrypt password. Please configure a configuration-key with 'key config-key'

The new password is saved in the configuration without "6" - as a clear-text password.
The fix: if the router is unable to decrypt the password, a clear debug message is produced:

IKEv1:
 000194: *Sep 5 10:26:07.995 GMT-SUM: ISAKMP: (0):found peer pre-shared key matching x.x.x.x
 000195: *Sep 5 10:26:07.995 GMT-SUM: ISAKMP: Failed to decrypt key

IKEv2:
 001898: *Sep 5 10:43:14.332 GMT-SUM: IKEv2:(SESSION ID = 1,SA ID = 2):Generate my authentication data
 001899: *Sep 5 10:43:14.332 GMT-SUM: IKEv2-ERROR:(SESSION ID = 1,SA ID = 2):: No pskey found
 001900: *Sep 5 10:43:14.332 GMT-SUM: IKEv2:(SESSION ID = 1,SA ID = 2):Auth exchange failed

More about the password encryption:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html

WARNING - There could be a situation where the configuration was restored from a backup and the password encryption key was not set. Someone not knowing how password encryption works could assume the encrypted form of the pre-shared key is the pre-shared key itself and give it to the peer - and the VPN goes up. In such a scenario the VPN works on misconfigured routers without the fix: the router is sending the encrypted blob as the pre-shared key, and the peer is configured to accept it. After the upgrade to a fixed version the VPN stops working, as the misconfigured router aborts the negotiation.
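A defender-side check for the two signs described above (type-6 keys next to a clear-text key while "password encryption aes" is on, and the post-fix decrypt-failure debug lines), added here as an example and not part of the original bug write-up. The running-config fragment, the debug lines and all function names are constructed assumptions in the shape the write-up shows.

```python
import re

# Constructed sample running-config in the shape the write-up shows (not a real device)
SAMPLE_CONFIG = r"""password encryption aes
crypto ikev2 keyring CRYPTO
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key 6 FcdG`K_gaK\EAVAUDORGHNIfLEQAAB
crypto ikev2 keyring TEST
 peer test
  address 203.0.113.1
  pre-shared-key test-password
"""

# Constructed sample debug lines in the format quoted above
SAMPLE_DEBUG = """\
000195: *Sep 5 10:26:07.995 GMT-SUM: ISAKMP: Failed to decrypt key
001899: *Sep 5 10:43:14.332 GMT-SUM: IKEv2-ERROR:(SESSION ID = 1,SA ID = 2):: No pskey found
"""

# "pre-shared-key [0|6] <value>": type 6 is the AES-encrypted form, no type or 0 is clear text
PSK_RE = re.compile(r"^\s*pre-shared-key\s+(?:(?P<type>[06])\s+)?(?P<value>\S+)\s*$")
DECRYPT_FAIL_RE = re.compile(r"Failed to decrypt key|No pskey found")

def classify_psks(config_text):
    """Return {'encrypted': [(keyring, peer), ...], 'clear': [...]} from a config."""
    keyring = peer = None
    found = {"encrypted": [], "clear": []}
    for line in config_text.splitlines():
        if line.startswith("crypto ikev2 keyring ") or line.startswith("crypto keyring "):
            keyring = line.split()[-1]
        elif line.strip().startswith("peer "):
            peer = line.split()[-1]
        else:
            m = PSK_RE.match(line)
            if m:
                kind = "encrypted" if m.group("type") == "6" else "clear"
                found[kind].append((keyring, peer))
    return found

def config_key_probably_missing(config_text):
    """Sign from the write-up: AES password encryption is on (or type-6 keys exist),
    yet a PSK was stored in clear text because the router could not encrypt it."""
    aes_on = any(l.strip() == "password encryption aes" for l in config_text.splitlines())
    found = classify_psks(config_text)
    return bool(found["clear"]) and (aes_on or bool(found["encrypted"]))

def decrypt_failures(debug_text):
    """Post-fix debug lines showing the router aborted because it could not decrypt the PSK."""
    return [l for l in debug_text.splitlines() if DECRYPT_FAIL_RE.search(l)]
```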