With more people working from home and using IKEv2 EAP for their VPN connections, it helps to understand how an IKEv2 EAP tunnel is established and which VPN log lines correspond to each step, so that failures can be narrowed down quickly.

The IKEv2 EAP VPN creation process and the corresponding VPN logs are as follows:

  1. IKE_SA_INIT I1: The initiator sends the IKE_SA_INIT request to negotiate the proposal, NAT-T and the authentication method. (The notify the router prints as (null)[16430] is IKEV2_FRAGMENTATION_SUPPORTED from RFC 7383, i.e. the client offers IKEv2-level fragmentation; the two NAT_DETECTION notifies are what the responder uses to decide whether the peer is behind NAT.)
    IKEv2 DBG : Recv IKEv2_SA_INIT[34] Request from 118.166.179.117, Peer is IKEv2 Initiator
    IKEv2 DBG : Received IKEv2 Notify (null)[16430]
    IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]
    IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]

2. IKE_SA_INIT R1: The responder replies with the selected proposal, the NAT-T result and the authentication method.

IKEv2 DBG : IKESA inI1_outR1 : Create IKE SA #980
IKEv2 DBG : NAT_T Lookup : Peer is behind NAT
IKEv2 DBG : IKESA inI1_outR1 : Responding IKE SA to 118.166.179.117

3. IKE_AUTH I2: The initiator sends the first IKE_AUTH request and asks to use EAP authentication.

(Some clients, such as Windows 10, include a certificate request listing their trusted CAs in this message, so the AUTH I2 packet is large and will be fragmented.)

IKEv2 DBG : Recv IKEv2_AUTH[35] Request from 118.166.179.117, Peer is IKEv2 Initiator
IKEv2 DBG : Received IKEv2 Notify IKEv2_MOBIKE_SUPPORTED[16396]
IKEv2 DBG : Missing payload : 0x40
IKEv2 DBG : IKESA inI2_outR2 : Peer requests EAP …

4. IKE_AUTH R2: The responder sends its own certificate, including the intermediate CA certificate of the chain, and requests the client's EAP Identity for authentication.

Because the certificate chain is usually larger than 2048 bytes, the responder fragments the reply before sending it (the log below shows a 2932-byte IKE buffer being allocated for the reply packet).

IKEv2 DBG : EAP_START : Always send My Certificate
IKEv2 DBG : EAP_START : Receive IKEv2 Notify IKEv2_MOBIKE_SUPPORTED[16396]
IKEv2 DBG : EAP_START : Send intermediate CA Certificate
IKEv2 DBG : EAP_START : Create Child SA #981, IKE SA is #980
Get large size of IKE buffer:2932, from:IKEv2 reply packet. Try malloc…

5. EAP Authentication I_R_1: The initiator answers with its EAP Identity and the responder looks the identity up. If the identity is found, the responder asks the client to continue the EAP authentication with MSCHAPv2.
IKEv2 DBG : Recv IKEv2_AUTH[35] Request from 118.166.179.117, Peer is IKEv2 Initiator
IKEv2 DBG : EAP continue : eap_msg.code = IKEv2_EAP_RESPONSE[2] eap_msg.type = IKEv2_EAP_IDENTITY[1]
IKEv2 DBG : IKEv2 EAP ID In : receive ID vivian

6. EAP Authentication I_R_2: The initiator agrees to use MSCHAPv2 for the EAP authentication; the server verifies the username and password and returns the authentication result.
IKEv2 DBG : EAP continue : eap_msg.code = IKEv2_EAP_RESPONSE[2] eap_msg.type = IKEv2_EAP_MSCHAPV2[26]
IKEv2 DBG : EAP_PROC_RES : Verify Username/Password : vivian/****** ifno = 59 index = 5
IKEv2 DBG : EAP_PROC_RES : Authentication Successful

7. AUTH I3_R3: After the EAP authentication succeeds, the responder assigns an IP address to the initiator and creates the IPsec (Child) SA. Note that the parse error logged for the unknown configuration payload attribute 23456 does not stop the exchange: the address assignment and both SA establishments follow it.
IKEv2 DBG : Recv IKEv2_AUTH[35] Request from 118.166.179.117, Peer is IKEv2 Initiator
IKEv2 DBG : EAP continue : eap_msg.code = IKEv2_EAP_RESPONSE[2] eap_msg.type = IKEv2_EAP_MSCHAPV2[26]
IKEv2 DBG : Recv IKEv2_AUTH[35] Request from 118.166.179.117, Peer is IKEv2 Initiator
IKEv2 DBG : Missing payload : 0x8000
IKEv2 DBG : Unexpected payload : 0x40
IKEv2 DBG : EAP SUCCESS! Create Child SA
IKEv2 DBG : EAP Finish : Receive Configuration Payload
Prase error : Attribute Type of IKEv2 Configuration Payload Attribute has an unknown value: 23456
IKEv2 DBG : Parse IKEv2_NP_v2CP payload : Can’t parse CP attr
IKEv2 DBG : Parse IKEv2_NP_v2CP payload : ifno 59 Match profile 5, assign IP address form LAN
IKEv2 DBG : Assign IP address 192.168.177.14
[H2l][UP][IPsec][@5:vivian]
IKEv2 DBG : Process Packet : #980 IKE SA Established, IKE SA is Responder, EXPIRE after 28800 seconds
IKEv2 DBG : Process Packet : #981 CHILD SA Established, CHILD SA is Responder, EXPIRE after 3600 seconds

Common logs for VPN establishment failures, and how to resolve them.

  1. If the IKEv2 client sends the first AUTH packet but the VPN server never receives it (the VPN log stays at IKESA inI1_outR1 : Responding IKE SA to x.x.x.x), check whether a NAT router in front of the client or the server is wrongly dropping fragmented packets. Capturing packets on the client and on the router's WAN interface helps confirm this.

  2. If the IKEv2 server receives the AUTH packet the client sends but logs "last packet may be lost" and "Can't decrypt message", the server could not reassemble the fragments correctly and therefore cannot continue the AUTH exchange.

Check whether the NAT router in front of the client or the server forwarded all fragments correctly. Capturing packets on the client and on the router's WAN interface lets you compare what was sent with what arrived.

IKEv2 DBG : EAP continue : Can’t decrypt message
IKEv2 DBG : Unexpected payload : IKEv2_NP_v2SA+0x5824
IKEv2 DBG : Missing payload : 0x8000
IKEv2 DBG : Received IKEv2 Notify IKEv2_MOBIKE_SUPPORTED[16396]
IKEv2 DBG : Process Packet : Receive Duplicate IKEv2_AUTH request iCookie = 1c37c0f767147da8 rCookie = 24d1da06c01c257f msgid = 00000001 <= 00000001, last packet may be lost …
IKEv2 DBG : Recv IKEv2_AUTH[35] Request from 172.16.2.194, Peer is IKEv2 Initiator

If the NAT router is a Vigor Router, check that the Firewall option “Allow pass inbound fragmented large packets” is enabled.

3. If the IKEv2 server receives the AUTH packet the client sends but logs Incoming Call Failed : No Such Entry for xxx, check that the IKEv2 server has a VPN Remote Dial-in profile with the user name xxx.

4. If the IKEv2 server receives the AUTH packet the client sends but logs EAP_PROC_RES : Password mismatch, re-check the password on both the IKEv2 client and the IKEv2 server.
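The stage walkthrough above and the failure list can both be turned into a small triage script. The following Python is an added example written for this article, not a DrayTek tool or code from the page: it runs over Vigor "IKEv2 DBG" log lines, reports how far the negotiation got (using the stage markers from the seven-step walkthrough) and matches the failure signatures from the troubleshooting list. The log samples copied from the article are labelled as such; the ones for the "no such entry", "password mismatch" and "stuck at R1" cases are constructed here for illustration, as are the peer address 203.0.113.10 and the user name alice.

```python
import re

# Negotiation stages in the order the article walks through them, each with a
# log fragment (from the article's excerpts) that proves the stage was reached.
STAGE_MARKERS = [
    ("IKE_SA_INIT I1 received", "Recv IKEv2_SA_INIT"),
    ("IKE_SA_INIT R1 sent", "inI1_outR1 : Responding IKE SA"),
    ("IKE_AUTH request received", "Recv IKEv2_AUTH"),
    ("EAP requested by peer", "inI2_outR2 : Peer requests EAP"),
    ("server certificate sent", "EAP_START : Always send My Certificate"),
    ("EAP Identity received", "IKEv2 EAP ID In : receive ID"),
    ("EAP-MSCHAPv2 authentication successful", "EAP_PROC_RES : Authentication Successful"),
    ("client address assigned", "Assign IP address"),
    ("IKE SA established", "IKE SA Established"),
    ("CHILD SA established", "CHILD SA Established"),
]

# Failure signatures from the troubleshooting list: (pattern, code, advice).
FAILURE_RULES = [
    (re.compile(r"last packet may be lost|Can.t decrypt message"), "fragmented-auth-lost",
     "IKE_AUTH fragments were not reassembled; check that NAT routers forward fragmented "
     "packets (Vigor: Firewall option 'Allow pass inbound fragmented large packets')"),
    (re.compile(r"Incoming Call Failed : No Such Entry for (\S+)"), "no-dialin-profile",
     "no VPN Remote Dial-in profile exists for user {0}"),
    (re.compile(r"EAP_PROC_RES : Password mismatch"), "password-mismatch",
     "re-check the password on both the IKEv2 client and the server"),
]

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def analyze(lines):
    """Return the furthest stage reached, peer/user/assigned address and the
    (code, advice) problems found in an iterable of log lines."""
    reached, peer, user, assigned, problems = -1, None, None, None, []
    for line in lines:
        for idx, (_, marker) in enumerate(STAGE_MARKERS):
            if marker in line and idx > reached:
                reached = idx
        m = re.search(r"Request from " + IPV4, line)
        if m:
            peer = m.group(1)
        m = re.search(r"receive ID (\S+)", line)
        if m:
            user = m.group(1)
        m = re.search(r"Assign IP address " + IPV4, line)
        if m:
            assigned = m.group(1)
        for pattern, code, advice in FAILURE_RULES:
            m = pattern.search(line)
            if m and all(code != p[0] for p in problems):
                problems.append((code, advice.format(*m.groups())))
    # Failure mode 1 of the article: the log stops at "Responding IKE SA"
    # because the (fragmented) IKE_AUTH request never reached the server.
    if reached == 1 and not problems:
        problems.append(("auth-never-received", "IKE_AUTH request never arrived; check whether "
                         "a NAT router in front of the client or server drops fragmented packets"))
    stage = STAGE_MARKERS[reached][0] if reached >= 0 else "no IKEv2 traffic seen"
    return {"stage": stage, "peer": peer, "user": user, "assigned": assigned,
            "problems": problems}


# Abbreviated copy of the article's successful negotiation log.
SUCCESS_LOG = [
    "IKEv2 DBG : Recv IKEv2_SA_INIT[34] Request from 118.166.179.117, Peer is IKEv2 Initiator",
    "IKEv2 DBG : IKESA inI1_outR1 : Responding IKE SA to 118.166.179.117",
    "IKEv2 DBG : Recv IKEv2_AUTH[35] Request from 118.166.179.117, Peer is IKEv2 Initiator",
    "IKEv2 DBG : IKESA inI2_outR2 : Peer requests EAP ...",
    "IKEv2 DBG : EAP_START : Always send My Certificate",
    "IKEv2 DBG : IKEv2 EAP ID In : receive ID vivian",
    "IKEv2 DBG : EAP_PROC_RES : Authentication Successful",
    "IKEv2 DBG : Assign IP address 192.168.177.14",
    "IKEv2 DBG : Process Packet : #980 IKE SA Established, IKE SA is Responder, EXPIRE after 28800 seconds",
    "IKEv2 DBG : Process Packet : #981 CHILD SA Established, CHILD SA is Responder, EXPIRE after 3600 seconds",
]
# The article's fragment-loss excerpt (duplicate AUTH request, undecryptable message).
FRAGMENT_LOSS_LOG = [
    "IKEv2 DBG : Recv IKEv2_AUTH[35] Request from 172.16.2.194, Peer is IKEv2 Initiator",
    "IKEv2 DBG : Process Packet : Receive Duplicate IKEv2_AUTH request iCookie = 1c37c0f767147da8 "
    "rCookie = 24d1da06c01c257f msgid = 00000001 <= 00000001, last packet may be lost ...",
    "IKEv2 DBG : EAP continue : Can't decrypt message",
]
# Constructed samples (not from the page) for the remaining failure modes.
STUCK_AT_R1_LOG = [
    "IKEv2 DBG : Recv IKEv2_SA_INIT[34] Request from 203.0.113.10, Peer is IKEv2 Initiator",
    "IKEv2 DBG : IKESA inI1_outR1 : Responding IKE SA to 203.0.113.10",
]
NO_PROFILE_LOG = ["Incoming Call Failed : No Such Entry for alice"]
BAD_PASSWORD_LOG = ["IKEv2 DBG : EAP_PROC_RES : Password mismatch"]

if __name__ == "__main__":
    for name, log in [("success", SUCCESS_LOG), ("fragment loss", FRAGMENT_LOSS_LOG),
                      ("stuck at R1", STUCK_AT_R1_LOG), ("no profile", NO_PROFILE_LOG),
                      ("bad password", BAD_PASSWORD_LOG)]:
        result = analyze(log)
        print(f"{name}: reached '{result['stage']}' peer={result['peer']} user={result['user']}")
        for code, advice in result["problems"]:
            print(f"  {code}: {advice}")
```

Feed it the lines of a syslog export for one connection attempt (for example, everything between the IKE_SA_INIT request and the next one from the same peer). The "stuck at R1" rule only fires when no later stage marker and no explicit failure signature was seen, so a log that merely has not finished yet will be reported the same way as one where the AUTH fragments were dropped; capture on the WAN side as the article describes to tell the two apart.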