Which action do you take to resolve the issue?

Refer to the exhibit. You are implementing an IKEv2 IPsec tunnel between two Internet routers by using PSKs. After the configuration is complete, the IPsec VPN tunnel fails to negotiate. You enable debugging to troubleshoot the issue. Which action do you take to resolve the issue?

A. Verify the IKEv2 keyring address and PSK configuration on both routers.
B. Configure an IKEv2 authorization policy to authorize the peer router.
C. Configure the IKEv2 identity of each router by using an email address.
D. Modify the Diffie-Hellman key used in the IKEv2 policy.


3 thoughts on “Which action do you take to resolve the issue?”

  1. I concur, the correct answer is A.

    I did a similar test; it is mainly on the keyring address or PSK. When you change any of those parameters, authentication fails and you get the exact debug error asked about in the question.

    When there is an issue with DH, the key exchange will fail and the error will be:
    Initiator SPI : 35BCB96B12E9989C – Responder SPI : C99D416CD7F9DA2C Message id: 0
    IKEv2 IKE_SA_INIT Exchange RESPONSE
    Payload contents:
    NOTIFY(NO_PROPOSAL_CHOSEN)

    *Nov 25 22:04:44.547: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
    *Nov 25 22:04:44.547: IKEv2:(SA ID = 1):Received no proposal chosen notify

    *Nov 25 22:04:44.547: IKEv2:(SA ID = 1):
    *Nov 25 22:04:44.547: IKEv2:(SA ID = 1):Failed SA init exchange
    *Nov 25 22:04:44.547: IKEv2:(SA ID = 1):Initial exchange failed

    *Nov 25 22:04:44.547: IKEv2:(SA ID = 1):Initial exchange failed
    *Nov 25 22:04:44.547: IKEv2:(SA ID = 1
    R1#):Abort exchange
    *Nov 25 22:04:44.547: IKEv2:(SA ID = 1):Deleting SA

  2. Correct answer is A (Adding keyring config)
    R1
    crypto ikev2 keyring ikev2-keyring
     peer site-a
      address 13.0.0.1
      pre-shared-key local cisco123
      pre-shared-key remote cisco123
    R2
    crypto ikev2 keyring ikev2-keyring
     peer site-a
      address 13.0.0.1
      pre-shared-key local cisco1234
      pre-shared-key remote cisco1234
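The keyring pair in the comment above is a good input for a small consistency check: for a PSK tunnel to authenticate, the key each router calls "local" must equal the key the other router calls "remote", and two different routers cannot both point their keyring at the same peer address. The script below is an added example, not part of the thread and not Cisco code; it parses clear-text IOS keyring blocks (the encrypted `pre-shared-key 6 ...` form is not handled) and reports such mismatches before the tunnel is even brought up. The "corrected" R2 keyring and its peer address 23.0.0.2 are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class PeerKeys:
    """PSK material configured for one 'peer' entry of an IKEv2 keyring."""
    address: str = ""
    local: str = ""
    remote: str = ""


def parse_keyring(config: str) -> dict:
    """Parse the 'peer' entries of a 'crypto ikev2 keyring' block.

    Handles 'pre-shared-key local X' / 'pre-shared-key remote Y' and the
    symmetric 'pre-shared-key X'. Assumption: keys appear in clear text,
    as they do in the thread; encrypted-key prefixes are not parsed.
    """
    peers = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"peer\s+(\S+)", line)
        if m:
            current = PeerKeys()
            peers[m.group(1)] = current
            continue
        if current is None:
            continue
        m = re.fullmatch(r"address\s+(\S+)(?:\s+\S+)?", line)
        if m:
            current.address = m.group(1)
            continue
        m = re.fullmatch(r"pre-shared-key\s+(local|remote)\s+(\S+)", line)
        if m:
            setattr(current, m.group(1), m.group(2))
            continue
        m = re.fullmatch(r"pre-shared-key\s+(\S+)", line)
        if m:
            current.local = current.remote = m.group(1)
    return peers


def check_keyring_pair(side_a: str, side_b: str) -> list:
    """Compare two routers' keyrings and return a list of findings.

    An empty list means the PSKs are mutually consistent: A's local key
    equals B's remote key and vice versa. A mismatch here is only visible
    on the wire at IKE_AUTH, as NOTIFY(AUTHENTICATION_FAILED).
    """
    a, b = parse_keyring(side_a), parse_keyring(side_b)
    if not a or not b:
        return ["at least one keyring has no peer entry"]
    findings = []
    for name_a, pa in a.items():
        for name_b, pb in b.items():
            if pa.address and pa.address == pb.address:
                findings.append(
                    f"both keyrings point at {pa.address}; two routers cannot "
                    f"both peer with the same address, so one entry is wrong")
            if pa.local != pb.remote:
                findings.append(
                    f"local PSK of A/{name_a} != remote PSK of B/{name_b}")
            if pa.remote != pb.local:
                findings.append(
                    f"remote PSK of A/{name_a} != local PSK of B/{name_b}")
    return findings


# Constructed inputs: R1 and R2 as posted in the thread, plus a corrected R2
# whose peer address (23.0.0.2) and keys are assumed for this example.
R1_KEYRING = """\
crypto ikev2 keyring ikev2-keyring
 peer site-a
  address 13.0.0.1
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
"""

R2_KEYRING_AS_POSTED = """\
crypto ikev2 keyring ikev2-keyring
 peer site-a
  address 13.0.0.1
  pre-shared-key local cisco1234
  pre-shared-key remote cisco1234
"""

R2_KEYRING_FIXED = """\
crypto ikev2 keyring ikev2-keyring
 peer site-a
  address 23.0.0.2
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
"""

if __name__ == "__main__":
    for label, r2 in (("as posted", R2_KEYRING_AS_POSTED),
                      ("fixed", R2_KEYRING_FIXED)):
        print(label, check_keyring_pair(R1_KEYRING, r2) or "consistent")
```

Run against the configuration as posted, the check reports three findings (the shared peer address and both PSK directions); the corrected pair reports none. The same idea extends to an IKEv2 profile audit, but the keyring is where a PSK-only tunnel most often goes wrong.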

  3. Correct answer is A.
    You get this error when you have a keyring PSK mismatch (I did lab this).

    Debugs
    *Sep 16 13:38:42.347: IKEv2:(SA ID = 1):Received Packet [From 13.0.0.1:500/To 23.0.0.2:500/VRF i0:f0]
    Initiator SPI : B9A2E87C0DA8515E – Responder SPI : 5E3BB564E5801E0C Message id: 1
    IKEv2 IKE_AUTH Exchange RESPONSE
    Payload contents:
    NOTIFY(AUTHENTICATION_FAILED)

    *Sep 16 13:38:42.351: IKEv2:(SA ID = 1):Process auth response notify
    *Sep 16 13:38:42.351: IKEv2:(SA ID = 1):
    *Sep 16 13:38:42.351: IKEv2:(SA ID = 1):Auth exchange failed
    *Sep 16 13:38:42.351: IKEv2:(SA ID = 1):Auth exchange failed
    *Sep 16 13:38:42.351: IKEv2:(SA ID = 1):Auth exchange failed
    *Sep 16 13:38:42.351: IKEv2:(SA ID = 1):Abort exchange
    *Sep 16 13:38:42.351: IKEv2:(SA ID = 1):Deleting SA
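The two debugs posted in this thread differ in the exchange at which the failure notify arrives, and that is the fact that decides the answer: NO_PROPOSAL_CHOSEN comes back in the IKE_SA_INIT response, before either side has used a PSK, so it points at the proposal or DH group; AUTHENTICATION_FAILED comes back in the IKE_AUTH response, after IKE_SA_INIT succeeded, so it points at the keyring (peer address, PSK or identity). The script below is an added example, not part of the thread and not Cisco code; it summarises a `debug crypto ikev2` excerpt by exchange and notify and attaches the corresponding hint. The excerpts embedded in it are constructed from the lines posted above.

```python
import re

# Failure notify observed in a given IKEv2 exchange -> likely cause.
# Anything not listed gets a neutral hint rather than a guess.
NOTIFY_HINTS = {
    ("IKE_SA_INIT", "NO_PROPOSAL_CHOSEN"):
        "proposal mismatch before authentication: compare the IKEv2 "
        "proposal/policy (encryption, integrity, PRF, DH group) on both peers",
    ("IKE_AUTH", "AUTHENTICATION_FAILED"):
        "authentication failed after a successful IKE_SA_INIT: compare the "
        "IKEv2 keyring peer address, PSKs and identities on both peers",
}

EXCHANGE_RE = re.compile(
    r"IKEv2 (IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) Exchange "
    r"(REQUEST|RESPONSE)")
NOTIFY_RE = re.compile(r"NOTIFY\(([A-Z0-9_]+)\)")
SPI_RE = re.compile(
    r"Initiator SPI : ([0-9A-Fa-f]+) .*Responder SPI : ([0-9A-Fa-f]+)")
PEER_RE = re.compile(r"Received Packet \[From ([\d.]+):(\d+)/To ([\d.]+):(\d+)")


def classify_ikev2_debug(debug: str) -> dict:
    """Summarise a 'debug crypto ikev2' excerpt.

    Returns the last exchange seen, the notify it carried, the SPIs and the
    sending peer when printed, whether the SA was torn down, and a hint that
    depends on which exchange failed: a notify in IKE_SA_INIT is raised
    before any PSK is used, so the PSK cannot be the cause there.
    """
    result = {"exchange": None, "notify": None, "spi": None,
              "peer": None, "sa_deleted": False, "hint": None}
    for line in debug.splitlines():
        m = EXCHANGE_RE.search(line)
        if m:
            result["exchange"] = m.group(1)
            result["notify"] = None  # a notify belongs to the exchange it follows
        m = NOTIFY_RE.search(line)
        if m:
            result["notify"] = m.group(1)
        m = SPI_RE.search(line)
        if m:
            result["spi"] = (m.group(1).upper(), m.group(2).upper())
        m = PEER_RE.search(line)
        if m:
            result["peer"] = m.group(1)
        if "Deleting SA" in line:
            result["sa_deleted"] = True
    result["hint"] = NOTIFY_HINTS.get(
        (result["exchange"], result["notify"]),
        "no known failure notify in this excerpt")
    return result


# Constructed excerpts, modelled on the two debugs posted in this thread.
DH_MISMATCH_DEBUG = """\
Initiator SPI : 35BCB96B12E9989C - Responder SPI : C99D416CD7F9DA2C Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
NOTIFY(NO_PROPOSAL_CHOSEN)
*Nov 25 22:04:44.547: IKEv2:(SA ID = 1):Received no proposal chosen notify
*Nov 25 22:04:44.547: IKEv2:(SA ID = 1):Failed SA init exchange
*Nov 25 22:04:44.547: IKEv2:(SA ID = 1):Deleting SA
"""

PSK_MISMATCH_DEBUG = """\
*Sep 16 13:38:42.347: IKEv2:(SA ID = 1):Received Packet [From 13.0.0.1:500/To 23.0.0.2:500/VRF i0:f0]
Initiator SPI : B9A2E87C0DA8515E - Responder SPI : 5E3BB564E5801E0C Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)
*Sep 16 13:38:42.351: IKEv2:(SA ID = 1):Auth exchange failed
*Sep 16 13:38:42.351: IKEv2:(SA ID = 1):Abort exchange
*Sep 16 13:38:42.351: IKEv2:(SA ID = 1):Deleting SA
"""

if __name__ == "__main__":
    for name, excerpt in (("DH mismatch", DH_MISMATCH_DEBUG),
                          ("PSK mismatch", PSK_MISMATCH_DEBUG)):
        r = classify_ikev2_debug(excerpt)
        print(f"{name}: {r['exchange']} / {r['notify']} -> {r['hint']}")
```

Fed the first excerpt, the classifier reports IKE_SA_INIT / NO_PROPOSAL_CHOSEN and points at the proposal; fed the second, IKE_AUTH / AUTHENTICATION_FAILED and points at the keyring, which is why option A is the fix for the exhibit's error and option D is not.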
