What are some of the requirements around IKEv2 on a Cisco ASA? Is it dependent on hardware? License? Code?
I have been trying to implement this for a bit now and can't seem to get things up and running. My Site to Site VPN skills are very "Novice", so it could be that I am missing some basics here.
Here is a template I have started:
! IKEv2 policy. On the ASA a policy needs encryption, integrity, DH group and PRF
! as well as the lifetime; the original template listed only the lifetime, so the
! algorithm lines below are filled in as a working example and must match the peer.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
! IPsec proposal. The name says SHA256 but the template used sha-1; corrected to
! sha-256 here. Whatever you pick, the peer's proposal has to carry the same values.
crypto ipsec ikev2 ipsec-proposal MNF_TRSET01_AES256_SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
! Remote (MNL) networks reached through the tunnel.
object-group network MNL_INTERNAL_NETWORKS
 network-object 10.81.112.0 255.255.255.0
 network-object 10.81.113.0 255.255.255.0
 network-object 10.81.114.0 255.255.255.0
 network-object 10.81.115.0 255.255.255.0
! Local side as written in the template: all of RFC 1918. Note that 10.0.0.0/8 also
! contains the remote 10.81.x networks, so local and remote ranges overlap here.
object-group network RFC_1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
! Crypto ACL: defines the interesting traffic (local -> remote).
access-list MNF_TO_MNL_L2L extended permit ip object-group RFC_1918 object-group MNL_INTERNAL_NETWORKS
! Identity (NAT-exempt) twice NAT so VPN traffic keeps its real addresses; the ASA
! applies NAT before it checks the crypto ACL, so without this rule the traffic is
! never seen as interesting. Must sit above any dynamic PAT rule for INSIDE->OUTSIDE.
nat (INSIDE,OUTSIDE) source static RFC_1918 RFC_1918 destination static MNL_INTERNAL_NETWORKS MNL_INTERNAL_NETWORKS
! Tunnel group. The tunnel-group name, the ipsec-attributes line and the crypto map
! "set peer" must all be the same peer address (the template shows three different ones).
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key **
 ikev2 local-authentication pre-shared-key **
 isakmp keepalive threshold 10 retry 2
crypto map MNF_TO_MNL 1 match address MNF_TO_MNL_L2L
crypto map MNF_TO_MNL 1 set peer 18.104.22.168
crypto map MNF_TO_MNL 1 set ikev2 ipsec-proposal MNF_TRSET01_AES256_SHA256
crypto map MNF_TO_MNL interface OUTSIDE
So I need a route to the networks over the tunnel, since I cannot use a dynamic routing protocol over the L2L tunnel. My question is: what is the next-hop address for the route? The outside public address of the peer?
I can never get the tunnel up, and debugs show nothing. I am running a 5508-X and a 5506-X, both running code 9.8.
Is this a lab environment? Do you have reachability between the ASAs (e.g. 22.214.171.124 in your case)? Where is the other side's ASA config?
I start with a simple tunnel configuration and build more ACLs on top of it. (Make sure you do not have overlapping subnets on both sides; if that is the case, you need to do NAT.)
You only need a route if the default route does not use the same interface you applied the crypto map to.
If you are not seeing any debug output at all, then it is either this or your traffic is not being seen as interesting traffic, e.g. it is being translated to a different IP(s) before the crypto ACL is checked.
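To turn the two answers above into something checkable on the box, here is an added ASA CLI checklist (not from the original thread). It reuses the template's interface names, the peer 18.104.22.168 and the remote 10.81.112.0/22 range; the local host 10.81.1.10 and the upstream gateway 203.0.113.1 are placeholders and need to be replaced with your own values.

```cisco
! 1. Reachability: if IKE/UDP 500 cannot reach the peer at all, nothing else matters.
ping OUTSIDE 18.104.22.168

! 2. Routing. Traffic is routed first and encrypted on the egress interface afterwards,
!    so the next hop is the OUTSIDE interface's upstream gateway, NOT the peer's public
!    address. Only add this if your default route does not already leave via OUTSIDE.
show route
route OUTSIDE 10.81.112.0 255.255.252.0 203.0.113.1

! 3. Interesting traffic. packet-tracer walks the same order the ASA uses (NAT before
!    the crypto ACL). If the identity NAT is missing or below a dynamic PAT rule, the
!    output shows a translated source address and no "VPN ... encrypt" phase, which
!    matches "no debug output at all" because IKE is never triggered.
packet-tracer input INSIDE tcp 10.81.1.10 12345 10.81.112.10 443 detailed
show nat detail

! 4. Is IKE actually leaving the box and is anything coming back?
capture IKE type isakmp interface OUTSIDE
show capture IKE
no capture IKE

! 5. Negotiation state and failure reason once traffic is flowing.
show crypto ikev2 sa
show crypto ipsec sa peer 18.104.22.168
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
! generate traffic toward 10.81.112.0/22, read the debug, then stop it:
undebug all
```

Run the packet-tracer step first: if its NAT phase shows the source being translated to the OUTSIDE address, the crypto ACL never matches and the IKEv2 debugs will stay silent no matter how the policies are tuned. Once the tracer reaches the VPN encrypt phase and step 4 shows IKE leaving but no reply, the problem is reachability or the far end; if replies arrive, the ikev2 protocol debug will name the mismatched proposal or failed authentication.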