An IKEv1 or IKEv2 tunnel using a pre-shared key is not established. Debugs indicate a pre-shared key mismatch.

IKEv2: "Failed to authenticate SA" errors are seen.
IKEv1: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed

The problem with the router behaviour is that when it cannot decrypt the pre-shared key, it sends the encrypted form of the pre-shared key to the peer. This is not correct: the router should abort the negotiation.
"password encryption aes" is configured and encrypted pre-shared keys are present in the configuration, e.g.:

  crypto ikev2 keyring CRYPTO
   peer ANY
    address 0.0.0.0 0.0.0.0
    pre-shared-key 6 FcdG`K_gaK\EAVAUDORGHNIfLEQAAB

AND the actual password encryption key is missing on the router.

Why could it be missing? Because the configuration was copy-pasted from a backup or from another device together with the encrypted pre-shared keys, but "key config-key password-encrypt" with the correct password was not configured.

How to know if the password encryption key is missing? Configure a dummy pre-shared key and check whether it gets encrypted. If the encryption key is missing, the following error is seen:

  crypto ikev2 keyring CRYPTO
   peer test
    address 203.0.113.1
    pre-shared-key test-password
  >>Cannot encrypt password. Please configure a configuration-key with 'key config-key'<<
How to get out of the missing encryption key situation:

1. If the old "key config-key password-encrypt" key is stored in documentation and available, reapply it:

  conf t
  key config-key password-encrypt

The VPN should start working.

2. If the "key config-key password-encrypt" key is not known, set a new one, document it, and re-apply all the pre-shared keys in clear-text form, so that they get encrypted with the new encryption key.
The problem is caused by a missing password encryption key, which is configured with "key config-key password-encrypt". This bug fix does not address why the password encryption key is missing.

Note: this part of the configuration is used to encrypt pre-shared keys in the running-config and IS NOT displayed in the running-config. There is no way to retrieve it from the router.

When password encryption is used, the pre-shared keys are stored in the configuration in encrypted form, e.g.:

  before encryption: pre-shared-key Example-password
  after encryption:  pre-shared-key 6 FcdG`K_gaK\EAVAUDORGHNIfLEQAAB

When the router needs the pre-shared key to establish the VPN, it decrypts it with the password encryption key, which is configured with "key config-key password-encrypt", stored in secure storage and not visible in the running-config. If the encryption key is missing, for whatever reason, the router cannot decrypt the pre-shared key.

This bug fix changes the behaviour when the router is not able to decrypt the pre-shared key:
- before the fix: it sends the encrypted form as the pre-shared key, e.g. FcdG`K_gaK\EAVAUDORGHNIfLEQAAB in the above example.
- after the fix: the router aborts the negotiation and shows in the ISAKMP/IKEv2 debugs that it cannot decrypt the pre-shared key.

The signs that the password encryption key was configured but is lost are:

Passwords are saved as type 6, e.g.:

  crypto ikev2 keyring CRYPTO
   peer ANY
    address 0.0.0.0 0.0.0.0
    pre-shared-key 6 FcdG`K_gaK\EAVAUDORGHNIfLEQAAB   <-- note the 6!

AND the router gives a warning when trying to configure a new password:

  configure terminal
  crypto ikev2 keyring TEST
   peer test
    address 203.0.113.1
    pre-shared-key test-password
  Cannot encrypt password. Please configure a configuration-key with 'key config-key'

The new password is saved in the configuration without "6", i.e. as a clear-text password.
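A small audit that applies the signs described above to a configuration backup before it is restored: it flags type-6 pre-shared keys (which need the original config-key on the target router) and the mixed type-6/clear-text state that indicates the key was already lost. This is an added example, not part of this bug description or any Cisco tool; the sample config and the 198.51.100.7 ISAKMP line are constructed, and only the keyring "pre-shared-key" and "crypto isakmp key ... address" forms are parsed.

```python
import re
from dataclasses import dataclass

# Constructed sample running-config, modelled on the snippets in this bug description:
# one keyring PSK stored as type 6, one that stayed in clear text, one ISAKMP type-6 key.
SAMPLE_CONFIG = """\
password encryption aes
crypto ikev2 keyring CRYPTO
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key 6 FcdG`K_gaK\\EAVAUDORGHNIfLEQAAB
crypto ikev2 keyring TEST
 peer test
  address 203.0.113.1
  pre-shared-key test-password
crypto isakmp key 6 AbCdEfGhIjKlMnOpQrStUvWx address 198.51.100.7
"""

@dataclass
class PskEntry:
    line_no: int
    kind: str        # "ikev2-keyring" or "isakmp"
    encrypted: bool  # True when the key is stored as type 6
    value: str       # the clear-text key or the type-6 blob

# IKEv2 keyring form: pre-shared-key [local|remote] [0|6] <key>
KEYRING_RE = re.compile(r"^\s*pre-shared-key(?:\s+(?:local|remote))?(?:\s+([06]))?\s+(\S+)\s*$")
# IKEv1 form: crypto isakmp key [0|6] <key> address <peer>
ISAKMP_RE = re.compile(r"^\s*crypto isakmp key(?:\s+([06]))?\s+(\S+)\s+address\b")

def find_psk_entries(config: str) -> list[PskEntry]:
    entries = []
    for n, line in enumerate(config.splitlines(), 1):
        m, kind = KEYRING_RE.match(line), "ikev2-keyring"
        if not m:
            m, kind = ISAKMP_RE.match(line), "isakmp"
        if m:
            entries.append(PskEntry(n, kind, m.group(1) == "6", m.group(2)))
    return entries

def audit_psk_config(config: str) -> dict:
    entries = find_psk_entries(config)
    aes = any(l.strip() == "password encryption aes" for l in config.splitlines())
    type6 = [e for e in entries if e.encrypted]
    clear = [e for e in entries if not e.encrypted]
    findings = []
    if type6:
        findings.append("type-6 keys present: set the matching 'key config-key password-encrypt' "
                        "on the target router before restoring, or re-enter these keys in clear text")
    if type6 and clear:
        findings.append("clear-text keys next to type-6 keys: consistent with a lost config-key "
                        "(new keys could not be encrypted, as this bug description explains)")
    return {"aes": aes, "type6": len(type6), "clear": len(clear), "findings": findings}

if __name__ == "__main__":
    for f in audit_psk_config(SAMPLE_CONFIG)["findings"]:
        print("WARNING:", f)
```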
The fix: if the router is unable to decrypt the password, a clear debug message is produced.

IKEv1:
  000194: *Sep 5 10:26:07.995 GMT-SUM: ISAKMP: (0):found peer pre-shared key matching x.x.x.x
  000195: *Sep 5 10:26:07.995 GMT-SUM: ISAKMP: Failed to decrypt key

IKEv2:
  001898: *Sep 5 10:43:14.332 GMT-SUM: IKEv2:(SESSION ID = 1,SA ID = 2):Generate my authentication data
  001899: *Sep 5 10:43:14.332 GMT-SUM: IKEv2-ERROR:(SESSION ID = 1,SA ID = 2):: No pskey found
  001900: *Sep 5 10:43:14.332 GMT-SUM: IKEv2:(SESSION ID = 1,SA ID = 2):Auth exchange failed

More about password encryption: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html

WARNING: There could be a situation where the configuration was restored from a backup and the password encryption key was not set. Someone not knowing how password encryption works could assume the encrypted form of the pre-shared key is the pre-shared key itself and give it to the peer, and the VPN comes up. In such a scenario the VPN works on misconfigured routers without the fix: the router sends the encrypted blob as the pre-shared key, and the peer is configured to accept it. After the upgrade to a fixed version the VPN stops working, because the misconfigured router aborts the negotiation.