topic Re: No logs for ikev2 on router in VPN

No logs for ikev2 on router

cisco-ninja — Mon, 25 Jul 2022 04:15:59 GMT

Hi. I was hoping to see ikev2 logs after entering "debug crypto ikev2" on a cisco router (C891FJ-K9) but nothing shows up on the router log. What could I be missing here?

Re: No logs for ikev2 on router

Kasun Bandara — Mon, 25 Jul 2022 04:25:15 GMT

is your router have access to IPsec peer? is it pingable if ping enabled on peer side? did you configured default route towards internet (to connect with IPSec peer)?

Re: No logs for ikev2 on router

cisco-ninja — Mon, 25 Jul 2022 04:36:39 GMT

@Kasun Bandara
Thank you.

is your router have access to IPsec peer? --> sorry not sure what you mean...

is it pingable if ping enabled on peer side? --> yes

did you configured default route towards internet (to connect with IPSec peer)? --> yes

Actually, there is another crypto map using IKEv1 I believe which is working normally.

Re: No logs for ikev2 on router

Kasun Bandara — Mon, 25 Jul 2022 04:41:12 GMT

if it pingable both sides, i can guess that you have access between 2 IPsec peers. is that IKEv1 configured for same peer?

Re: No logs for ikev2 on router

cisco-ninja — Mon, 25 Jul 2022 04:58:39 GMT

@Kasun Bandara
sorry i meant it was pingable using the global Ip addresses on both sides. Not able to ping LAN IPs.
IKEv1 is configured for a different router.

Re: No logs for ikev2 on router

Kasun Bandara — Mon, 25 Jul 2022 11:35:45 GMT

what is the exact debug command you are using? also are you connected to router via Console or SSH/Telnet?

Re: No logs for ikev2 on router

MHM Cisco World — Mon, 25 Jul 2022 12:02:02 GMT

Share config I will check

Re: No logs for ikev2 on router

cisco-ninja — Wed, 27 Jul 2022 03:40:00 GMT

@Kasun Bandara
debug crypto ikev2
this is the exact debug command nothing special i hope

@MHM Cisco World
please see the attached file that i have posed in the beginning.

Re: No logs for ikev2 on router

cisco-ninja — Wed, 27 Jul 2022 03:42:00 GMT

@Kasun Bandara
i was accessing via ssh but i went to the office today and connected via console but same output.

Re: No logs for ikev2 on router

Rob Ingram — Wed, 27 Jul 2022 07:52:46 GMT

@cisco-ninja you are using a policy based VPN (crypto map) you will need to generate interesting traffic before the tunnel will even attempt to establish, and only then will it generate logs. Run a ping to a destination from the VLAN10 network - from the router "ping <dest ip> source vlan 10"

You've got NAT configured. What is the configuration of list "1"? Are you unintentially translating the internal traffic behind VLAN20 - this would cause a problem with the VPN as the crypto ACL is configured to use zz.zz.zz.zz (VLAN10) as the source.

Why do you even need NAT if you are tunnelling all traffic over the VPN?

What the configuration of the ACLs on the VLAN20 interface?

Re: No logs for ikev2 on router

MHM Cisco World — Wed, 27 Jul 2022 12:26:38 GMT

ip nat insde source list 100 interface vlan 20 overload
!
ip access-list NAT-ACL extended
deny ip <LAN your site> <LAN other site>

permit ip <LAN your side> <any>
!
ip access-list IKEv2-ACL extended
permit ip <LAN your site> <LAN other site>

Re: No logs for ikev2 on router

cisco-ninja — Fri, 29 Jul 2022 03:03:49 GMT

Thank you all for your help!
@Rob Ingram It worked! Thank you so much. Your advice cleared the issue!