In contrast to IKEv1, when there is a PFS mismatch on an IPSec tunnel configured to use IKEv2, the tunnel initially comes up as expected.
It continues to function and pass traffic without any issue until an IPSec rekey. During the IPSec rekey the tunnel goes down, resulting in traffic disruption.
Alternatively, if multiple traffic selectors are configured, the first traffic selector pair comes up (at the conclusion of the IKE_AUTH negotiation), but the subsequent traffic selectors, which require CREATE_CHILD_SA negotiations, will not come up.
This is a misconfiguration. The tunnel comes up the first time because there is only one traffic selector (for example, 0.0.0.0/0.0.0.0 to 0.0.0.0/0.0.0.0, i.e. any to any), and the IKEv2 RFC allows the first IPSec SA to be established as part of completing the IKE_AUTH exchange.
As a result, once the first four messages have been exchanged, the IKE SA and the IPSec SA (Security Association) are up and traffic can pass over the tunnel. The mismatch goes unnoticed at this stage because PFS settings are not exchanged in IKE_AUTH.
However, an IPSec rekey uses the CREATE_CHILD_SA exchange. That is when the PFS setting (the Diffie-Hellman group in the child SA proposal) is sent to the peer, so the mismatch is detected, the rekey fails, and the tunnel goes down.
The solution is to configure the IKEv2 IPSec tunnel correctly, with matching PFS settings at both ends.
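The following is an added example, not FortiGate code or RFC reference code: a simplified model of how an IKEv2 responder selects a child SA proposal, written to show why the PFS mismatch described above survives IKE_AUTH and only surfaces at the CREATE_CHILD_SA rekey. The transform type names (ENCR, INTEGR, DH_GROUP, ESN) follow the debug output on this page; the two site policies SITE_PFS_ON and SITE_PFS_OFF and the function names are constructed for the example.

```python
# Added example (not FortiGate or RFC reference code): a simplified model of IKEv2
# child SA proposal selection. Site policies below are constructed.

IKE_AUTH = "IKE_AUTH"                # first child SA, piggybacked on IKE SA setup
CREATE_CHILD_SA = "CREATE_CHILD_SA"  # rekeys and any further traffic selectors

# Constructed policies: identical ciphers, PFS enabled on one side only.
SITE_PFS_ON = {"ENCR": ["AES_CBC_256"], "INTEGR": ["SHA256"], "PFS": ["MODP2048"]}
SITE_PFS_OFF = {"ENCR": ["AES_CBC_256"], "INTEGR": ["SHA256"], "PFS": []}


def child_sa_proposal(policy, exchange):
    """Transforms a peer puts in its child SA proposal for the given exchange.

    The first child SA created in IKE_AUTH is keyed from the IKE_SA_INIT
    Diffie-Hellman exchange, so no D-H transform (PFS group) is carried there
    whatever the PFS setting is. Only a CREATE_CHILD_SA proposal carries
    DH_GROUP, and only when PFS is enabled on that side.
    """
    proposal = {
        "ENCR": set(policy["ENCR"]),
        "INTEGR": set(policy["INTEGR"]),
        "ESN": {"NO"},
    }
    if exchange == CREATE_CHILD_SA and policy["PFS"]:
        proposal["DH_GROUP"] = set(policy["PFS"])
    return proposal


def responder_select(offer, responder_policy, exchange):
    """Responder side: pick one value per transform type, or None (NO_PROPOSAL_CHOSEN).

    A difference in which transform types are present (one side carries DH_GROUP,
    the other does not) is rejected in either direction; that is the behaviour the
    debug output on this page shows for a PFS mismatch.
    """
    wanted = child_sa_proposal(responder_policy, exchange)
    if set(offer) != set(wanted):
        return None
    chosen = {}
    for ttype, values in wanted.items():
        common = offer[ttype] & values
        if not common:
            return None
        chosen[ttype] = min(common)
    return chosen


def tunnel_lifecycle(initiator_policy, responder_policy):
    """Outcome of the initial IKE_AUTH child SA and of the first rekey."""
    outcomes = {}
    for exchange in (IKE_AUTH, CREATE_CHILD_SA):
        offer = child_sa_proposal(initiator_policy, exchange)
        chosen = responder_select(offer, responder_policy, exchange)
        outcomes[exchange] = "established" if chosen else "NO_PROPOSAL_CHOSEN"
    return outcomes


if __name__ == "__main__":
    # Mismatched PFS: IKE_AUTH succeeds, the rekey fails.
    print("mismatched PFS:", tunnel_lifecycle(SITE_PFS_ON, SITE_PFS_OFF))
    # Matched PFS: both exchanges succeed.
    print("matched PFS:   ", tunnel_lifecycle(SITE_PFS_ON, SITE_PFS_ON))
```

Running the script shows the lifecycle from the text: with mismatched PFS the IKE_AUTH child SA is established and the CREATE_CHILD_SA rekey returns NO_PROPOSAL_CHOSEN, whichever side initiates; with PFS matched at both ends both exchanges succeed.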
Sample debugs:
FortiGate as Initiator.
FortiGate as Responder.
Example 1: This device is the initiator for the CREATE_CHILD_SA exchange:
2023-10-19 10:36:04.712413 ike 0:pmbho-rto:7018725: received create-child request
2023-10-19 10:36:04.712418 ike 0:pmbho-rto:7018725: responder received CREATE_CHILD exchange
2023-10-19 10:36:04.712424 ike 0:pmbho-rto:7018725: responder creating new child
2023-10-19 10:36:04.712442 ike 0:pmbho-rto:7018725:13823377: peer proposal:
2023-10-19 10:36:04.712449 ike 0:pmbho-rto:7018725:13823377: TSi_0 0:10.0.0.0-10.0.0.255:0
2023-10-19 10:36:04.712455 ike 0:pmbho-rto:7018725:13823377: TSr_0 0:172.100.100.136-172.100.100.143:0
2023-10-19 10:36:04.712460 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: comparing selectors
2023-10-19 10:36:04.712469 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: matched by rfc-rule-2
2023-10-19 10:36:04.712473 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: phase2 matched by subset
2023-10-19 10:36:04.712479 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: accepted proposal:
2023-10-19 10:36:04.712485 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: TSi_0 0:10.0.0.0-10.0.0.255:0
2023-10-19 10:36:04.712491 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: TSr_0 0:172.100.100.136-172.100.100.143:0
2023-10-19 10:36:04.712496 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: autokey
2023-10-19 10:36:04.712503 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: incoming child SA proposal:
2023-10-19 10:36:04.712509 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: proposal id = 1:
2023-10-19 10:36:04.712518 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: protocol = ESP:
2023-10-19 10:36:04.712521 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: encapsulation = TUNNEL
2023-10-19 10:36:04.712526 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=ENCR, val=AES_CBC (key_len = 256)
2023-10-19 10:36:04.712530 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=INTEGR, val=SHA256
2023-10-19 10:36:04.712533 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=ESN, val=NO
2023-10-19 10:36:04.712538 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: PFS is disabled
2023-10-19 10:36:04.712542 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: my proposal:
2023-10-19 10:36:04.712545 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: proposal id = 1:
2023-10-19 10:36:04.712549 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: protocol = ESP:
2023-10-19 10:36:04.712553 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: encapsulation = TUNNEL
2023-10-19 10:36:04.712557 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=ENCR, val=AES_CBC (key_len = 256)
2023-10-19 10:36:04.712561 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=INTEGR, val=SHA256
2023-10-19 10:36:04.712564 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=DH_GROUP, val=MODP2048
2023-10-19 10:36:04.712568 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: type=ESN, val=NO
2023-10-19 10:36:04.712572 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: lifetime=43200
2023-10-19 10:36:04.712576 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: no proposal chosen
2023-10-19 10:36:04.712589 ike Negotiate SA Error:
2023-10-19 10:36:04.712592 ike
2023-10-19 10:36:04.712595 ike [1468]
2023-10-19 10:36:04.712598 ike 0:pmbho-rto:7018725:pmbho-rto:13823377: responder preparing CREATE_CHILD message
2023-10-19 10:36:04.712605 ike 0:pmbho-rto:7018725: enc 000000080000000E0706050403020107
2023-10-19 10:36:04.712615 ike 0:pmbho-rto:7018725: out 24BEF7BC6260B90F1DC341428262099B2E202420000000130000005029000034083494B83272C226C45EDD3364B251CFE0154C066802AC7B1151A76FC2C11FBB1DA07E4F1F57BDC4EEBA565E3C76A74F
2023-10-19 10:36:04.712627 ike 0:pmbho-rto:7018725: sent IKE msg (CREATE_CHILD_RESPONSE): 10.11.11.11:500->10.12.12.12:500, len=80, id=24bef7bc6260b90f/1dc341428262099b:00000013
2023-10-19 10:36:04.712641 ike 0:pmbho-rto:7018725:13823377: no proposal chosen
Example 2: This device is the responder for the CREATE_CHILD_SA exchange:
2023-10-19 10:36:02.710224 ike 0:pmbho-rto:pmbho-rto: IPsec SA connect 9 10.11.11.11->10.12.12.12:0
2023-10-19 10:36:02.710246 ike 0:pmbho-rto:pmbho-rto: using existing connection
2023-10-19 10:36:02.710284 ike 0:pmbho-rto:pmbho-rto: config found
2023-10-19 10:36:02.710290 ike 0:pmbho-rto:pmbho-rto: IPsec SA connect 9 10.11.11.11->10.12.12.12:500 negotiating
2023-10-19 10:36:02.710364 ike 0:pmbho-rto:7018725:13823365 initiating CREATE_CHILD exchange
2023-10-19 10:36:02.710376 ike 0:pmbho-rto:7018725:pmbho-rto:13823365: PFS enabled
2023-10-19 10:36:02.710594 ike 0:pmbho-rto:7018725: enc <--output curtailed-->
2023-10-19 10:36:02.710628 ike 0:pmbho-rto:7018725: out <--output curtailed-->
2023-10-19 10:36:02.710651 ike 0:pmbho-rto:7018725: sent IKE msg (CREATE_CHILD): 10.11.11.11:500->10.12.12.12:500, len=464, id=24bef7bc6260b90f/1dc341428262099b:00000069
2023-10-19 10:36:02.751469 ike 0: comes 10.12.12.12:500->10.11.11.11:500,ifindex=9....
2023-10-19 10:36:02.751483 ike 0: IKEv2 exchange=CREATE_CHILD_RESPONSE id=24bef7bc6260b90f/1dc341428262099b:00000069 len=80
2023-10-19 10:36:02.751489 ike 0: in 24BEF7BC6260B90F1DC341428262099B2E202428000000690000005029000034C7867B9854C5A353FA3505835CBF7DC62BA2B8B7381EA48037B24F18966F89A363D3506A276A9258E17DD5514EA8ED54
2023-10-19 10:36:02.751496 ike 0:pmbho-rto: HA state master(2)
2023-10-19 10:36:02.751510 ike 0:pmbho-rto:7018725: dec 24BEF7BC6260B90F1DC341428262099B2E202428000000690000002829000004000000080000000E
2023-10-19 10:36:02.751516 ike 0:pmbho-rto:7018725: received create-child response
2023-10-19 10:36:02.751521 ike 0:pmbho-rto:7018725: initiator received CREATE_CHILD msg
2023-10-19 10:36:02.751526 ike 0:pmbho-rto:7018725:pmbho-rto:13823365: found child SA SPI fe84f1b0 state=3
2023-10-19 10:36:02.751532 ike 0:pmbho-rto:7018725: processing notify type NO_PROPOSAL_CHOSEN
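As an added example (not FortiGate code), the script below triages a debug capture of the kind shown above: it splits the output into per-message records (which also repairs a dump that has been flattened onto one line, since the timestamp delimits each record), separates the peer's "incoming child SA proposal" from "my proposal", and classifies a "no proposal chosen" outcome as a PFS mismatch, a PFS group mismatch, or a cipher mismatch. It also decodes the 8-byte Notify payload at the start of the "enc" line, which in the capture above carries notify type 0x000E (14, NO_PROPOSAL_CHOSEN). The embedded excerpt is constructed in the style of the page's output: the timestamps, tunnel name "tun1" and SA ids are placeholders, and the function names are the example's own.

```python
import re

# Constructed excerpt modelled on FortiGate IKE debug output for a CREATE_CHILD_SA
# exchange seen from the responder side. Timestamps, tunnel name and ids are
# placeholders; the 'enc' hex is the same NO_PROPOSAL_CHOSEN notify encoding shown
# in the capture on this page.
SAMPLE_DEBUG = """\
2024-01-01 00:00:00.000001 ike 0:tun1:1001: responder received CREATE_CHILD exchange
2024-01-01 00:00:00.000002 ike 0:tun1:1001:2001: incoming child SA proposal:
2024-01-01 00:00:00.000003 ike 0:tun1:1001:2001: proposal id = 1:
2024-01-01 00:00:00.000004 ike 0:tun1:1001:2001: protocol = ESP:
2024-01-01 00:00:00.000005 ike 0:tun1:1001:2001: type=ENCR, val=AES_CBC (key_len = 256)
2024-01-01 00:00:00.000006 ike 0:tun1:1001:2001: type=INTEGR, val=SHA256
2024-01-01 00:00:00.000007 ike 0:tun1:1001:2001: type=ESN, val=NO
2024-01-01 00:00:00.000008 ike 0:tun1:1001:2001: PFS is disabled
2024-01-01 00:00:00.000009 ike 0:tun1:1001:2001: my proposal:
2024-01-01 00:00:00.000010 ike 0:tun1:1001:2001: proposal id = 1:
2024-01-01 00:00:00.000011 ike 0:tun1:1001:2001: protocol = ESP:
2024-01-01 00:00:00.000012 ike 0:tun1:1001:2001: type=ENCR, val=AES_CBC (key_len = 256)
2024-01-01 00:00:00.000013 ike 0:tun1:1001:2001: type=INTEGR, val=SHA256
2024-01-01 00:00:00.000014 ike 0:tun1:1001:2001: type=DH_GROUP, val=MODP2048
2024-01-01 00:00:00.000015 ike 0:tun1:1001:2001: type=ESN, val=NO
2024-01-01 00:00:00.000016 ike 0:tun1:1001:2001: no proposal chosen
2024-01-01 00:00:00.000017 ike 0:tun1:1001: enc 000000080000000E0706050403020107
"""

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6} ike ")
TRANSFORM_RE = re.compile(r"type=(\w+), val=(\S+)")
ENC_RE = re.compile(r": enc ([0-9A-Fa-f]+)")

# Subset of IKEv2 Notify Message Types (RFC 7296 section 3.10.1).
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
                24: "AUTHENTICATION_FAILED", 38: "TS_UNACCEPTABLE"}


def split_records(blob):
    """One record per debug message, whether the dump has newlines or not."""
    return [r.strip() for r in TS_RE.split(blob) if r.strip()]


def parse_child_sa_negotiation(blob):
    """Collect the peer's and the local transforms plus the negotiation outcome."""
    peer, mine = {}, {}
    target, rejected, enc_hex = None, False, None
    for rec in split_records(blob):
        if rec.endswith("incoming child SA proposal:"):
            target = peer
        elif rec.endswith("my proposal:"):
            target = mine
        elif "no proposal chosen" in rec or "NO_PROPOSAL_CHOSEN" in rec:
            rejected = True
        m = ENC_RE.search(rec)
        if m:
            enc_hex = m.group(1)
        if target is None:
            continue
        if "PFS is disabled" in rec:
            target["PFS"] = "disabled"
        t = TRANSFORM_RE.search(rec)
        if t:
            target[t.group(1)] = t.group(2)
    return {"peer": peer, "mine": mine, "rejected": rejected, "enc_hex": enc_hex}


def diagnose(parsed):
    """Return (code, explanation) for the parsed CREATE_CHILD_SA negotiation."""
    peer_dh = parsed["peer"].get("DH_GROUP")
    my_dh = parsed["mine"].get("DH_GROUP")
    if not parsed["rejected"]:
        return ("OK", "child SA proposal accepted")
    if (peer_dh is None) != (my_dh is None):
        side = "local" if my_dh else "peer"
        return ("PFS_MISMATCH", f"PFS enabled only on the {side} side ({my_dh or peer_dh}); "
                                "enable or disable PFS on both ends")
    if peer_dh != my_dh:
        return ("PFS_GROUP_MISMATCH", f"peer offers {peer_dh}, local requires {my_dh}")
    for ttype in ("ENCR", "INTEGR"):
        if parsed["peer"].get(ttype) != parsed["mine"].get(ttype):
            return ("TRANSFORM_MISMATCH",
                    f"{ttype}: peer {parsed['peer'].get(ttype)} vs local {parsed['mine'].get(ttype)}")
    return ("REJECTED_OTHER", "no proposal chosen for a reason not visible in these lines")


def decode_notify(enc_hex):
    """Decode the first payload of the 'enc' plaintext as a Notify payload.

    Layout (RFC 7296 3.2 and 3.10): generic header = next payload (1), flags (1),
    length (2); then protocol ID (1), SPI size (1), notify message type (2).
    """
    data = bytes.fromhex(enc_hex)
    ntype = int.from_bytes(data[6:8], "big")
    return {"length": int.from_bytes(data[2:4], "big"), "protocol_id": data[4],
            "spi_size": data[5], "notify_type": ntype,
            "name": NOTIFY_TYPES.get(ntype, f"type {ntype}")}


def triage(blob):
    """Full pass over a debug dump: diagnosis plus the decoded notify, if any."""
    parsed = parse_child_sa_negotiation(blob)
    code, why = diagnose(parsed)
    notify = decode_notify(parsed["enc_hex"])["name"] if parsed["enc_hex"] else None
    return {"code": code, "reason": why, "notify_sent": notify}


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
```

On the constructed excerpt the result is PFS_MISMATCH with NO_PROPOSAL_CHOSEN as the decoded notify, which is the same pattern the page's Example 1 shows: the incoming proposal has no DH_GROUP transform and reports "PFS is disabled", while the local proposal requires MODP2048.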