Symptom
The IKEv2 session does not establish.
"debug crypto ikev2" shows that the responder is stuck in the IKEv2 profile selection process:
Searching policy based on peer's identity 'spoke1.example.com' of type 'FQDN'
IKEv1 sessions do not establish.
The debugs show no responses to DPD or other ISAKMP messages, while a packet capture shows that the packets are arriving.
IKEv1 is stuck on:
*Sep 4 14:11:02 UTC: ISAKMP-PAK: (49923):received packet from 198.51.100.226 dport 500 sport 500 FVRF-INET (I) MM_KEY_EXCH
*Sep 4 14:11:02 UTC: ISAKMP: (49923):processing ID payload. message ID = 0
*Sep 4 14:11:02 UTC: ISAKMP: (49923):ID payload
    next-payload : 8
    type : 2
*Sep 4 14:11:02 UTC: ISAKMP: (49923): FQDN name : SPOKE111.EXAMPLE.COM
*Sep 4 14:11:02 UTC: ISAKMP: (49923): protocol : 17
    port : 500
    length : 27
*Sep 4 14:11:10 UTC: ISAKMP-ERROR: (49923):Expected ISAKMP-FQDN-TEST profile doesn't match, aborting exchange
Conditions
- The IKEv2 or IKEv1 profile is configured to match on an IKE_ID of type IP address, for example:
crypto ikev2 profile PROF
 match identity remote address 0.0.0.0
crypto isakmp profile PROF
 match identity address 0.0.0.0
or on a mix of match identity address and fqdn, for example:
crypto ikev2 profile PROF
 match identity remote address 198.51.100.1 255.255.255.255
 match identity remote fqdn domain example.com
AND
- DNS lookup is enabled and DNS servers are configured:
ip domain-lookup (enabled by default)
ip name-server 10.10.10.10
AND
- A peer that tries to establish the VPN uses an IKE_ID of type FQDN, which is expected when the profile matches on both IP address and FQDN.
Workaround
- Disable DNS lookups by configuring:
no ip domain-lookup
Further Problem Description
IOS performs a DNS lookup for the IKE_ID of the remote peer. If the DNS server does not respond, the DNS timeout can exceed the IKE_AUTH timeout, so the session is never established.
DNS resolution of an IKE_ID of type FQDN is not needed, and the bug fix removes it from IKEv1/IKEv2 profile matching.
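As an added example (not part of this bug report), the following Python script scans "debug crypto isakmp" output for the pattern shown above: an FQDN IKE_ID received on a connection id, followed seconds later by the profile-mismatch abort for the same connection, which is the signature of a DNS lookup stalling profile selection. The sample debug lines are constructed from the ones in this report; the second connection id, its timestamps and the 5-second threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample debug output modelled on the lines in this report.
# Connection 49923 stalls for 8 s before the abort; 49924 aborts immediately.
SAMPLE_DEBUG = """\
*Sep 4 14:11:02 UTC: ISAKMP: (49923):processing ID payload. message ID = 0
*Sep 4 14:11:02 UTC: ISAKMP: (49923): FQDN name : SPOKE111.EXAMPLE.COM
*Sep 4 14:11:10 UTC: ISAKMP-ERROR: (49923):Expected ISAKMP-FQDN-TEST profile doesn't match, aborting exchange
*Sep 4 14:12:00 UTC: ISAKMP: (49924):processing ID payload. message ID = 0
*Sep 4 14:12:00 UTC: ISAKMP: (49924): FQDN name : SPOKE2.EXAMPLE.COM
*Sep 4 14:12:00 UTC: ISAKMP-ERROR: (49924):Expected ISAKMP-FQDN-TEST profile doesn't match, aborting exchange
"""

# Generic shape of an IOS ISAKMP debug line: timestamp, zone, subsystem, (conn id), message.
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \w+: "
    r"(?P<src>ISAKMP(?:-ERROR)?): \((?P<conn>\d+)\):\s*(?P<msg>.*)$"
)
FQDN_RE = re.compile(r"FQDN name\s*:\s*(\S+)")


def find_fqdn_stalls(debug_text, threshold_s=5):
    """Return {conn_id: (fqdn, delay_seconds)} for every exchange where the gap
    between the FQDN IKE_ID and the profile-mismatch abort is >= threshold_s.
    A long gap on a profile that matches by address points at a DNS lookup
    of the peer's FQDN that is waiting on an unresponsive name server."""
    fqdn_seen = {}  # conn id -> (timestamp of FQDN ID payload, fqdn)
    stalls = {}
    for line in debug_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Year is absent in the debug; strptime defaults it, which is fine for deltas.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        conn, msg = m["conn"], m["msg"]
        fq = FQDN_RE.match(msg)
        if fq:
            fqdn_seen[conn] = (ts, fq.group(1))
        elif m["src"] == "ISAKMP-ERROR" and "profile doesn't match" in msg and conn in fqdn_seen:
            start, fqdn = fqdn_seen[conn]
            delay = (ts - start).total_seconds()
            if delay >= threshold_s:
                stalls[conn] = (fqdn, delay)
    return stalls


if __name__ == "__main__":
    for conn, (fqdn, delay) in find_fqdn_stalls(SAMPLE_DEBUG).items():
        print(f"conn {conn}: {fqdn} abort after {delay:.0f}s, suspect DNS lookup stall")
```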