ASA-IOS IKEv2 site-to-site VPN via PKI

sirbulandkhan1 (Level 1)

I have been trying to implement an IKEv2 site-to-site VPN via PKI between ASA 8.4 and IOS 15.2(4)S5 for many days, but the tunnel is still not coming up. If anyone has any idea or a configuration example, please share it. My configurations are as follows:

ASA's Configuration:

ip domain name cisco.local
!
crypto key generate rsa general-keys label CA-KEY modulus 1024
!
crypto ca trustpoint ROOT-CA
 enrollment url http://1.1.1.1:80
 revocation-check none
 keypair CA-KEY
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
!
access-list 110 extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
!
group-policy IKEv2-POLICY internal
group-policy IKEv2-POLICY attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 general-attributes
 default-group-policy IKEv2-POLICY
tunnel-group 192.168.1.1 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ROOT-CA
!
crypto ipsec ikev2 ipsec-proposal IKEv2-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map IKEv2-MAP 10 match address 110
crypto map IKEv2-MAP 10 set peer 192.168.2.1
crypto map IKEv2-MAP 10 set ikev2 ipsec-proposal IKEv2-PROPOSAL
crypto map IKEv2-MAP 10 set trustpoint ROOT-CA
crypto map IKEv2-MAP interface outside
!


Router's Configuration:

crypto key generate rsa general-keys label CA-KEY modulus 1024
!
ip domain name cisco.local
!
crypto pki trustpoint ROOT-CA
 enrollment url http://1.1.1.1
 revocation-check none
 rsakeypair CA-KEY
!
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 1.1.1.1
!
crypto pki certificate map CERT-MAP 10
 issuer-name co root-ca
!
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 5
!
crypto ikev2 policy IKEv2-POLICY
 match address local 192.168.2.1
 proposal IKEv2-PROPOSAL
!
crypto ikev2 profile IKEv2-PROFILE
 match address local 192.168.2.1
 match identity remote address 192.168.1.1 255.255.255.255
 match certificate CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint ROOT-CA
!
no crypto ikev2 http-url cert
!
crypto ipsec transform-set IKEv2-SET esp-aes esp-sha-hmac
 mode tunnel
!
crypto map IKEv2-MAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set IKEv2-SET
 set pfs group2
 set ikev2-profile IKEv2-PROFILE
 match address 110
!
access-list 110 extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
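Editor's added example (not part of the original post or of either reply): a corrected pair of configurations built from the addresses and names in the post. Reading the two sides against each other shows several mismatches that would stop the tunnel regardless of PKI: the ASA's tunnel-group is named 192.168.1.1 (the ASA's own address, as the router's `set peer` shows) while its crypto map peers with 192.168.2.1, and an ASA L2L tunnel-group must be named after the remote peer; the ASA ESP proposal is AES-256 but the router's transform-set `esp-aes` is AES-128; the router requests PFS (`set pfs group2`) while the ASA configures none; and the router's access-list is written with ASA-style subnet masks, whereas IOS extended ACLs take wildcard masks. The router's `match identity remote address` is dropped because the ASA, with certificate authentication and the default `crypto isakmp identity auto`, identifies itself by its certificate DN, so the certificate map is the match that applies. The interface name on the router is an assumption; everything else (peers, networks, CA at 1.1.1.1, trustpoint and map names) comes from the post. RSA key size is raised to 2048 bits; DH group 5 is kept only because both posted sides already use it.

```cisco
! ===== ASA 8.4 side (outside = 192.168.1.1, protects 10.10.10.0/24) =====
! Run once from privileged EXEC, not as part of the running config:
!   crypto key generate rsa general-keys label CA-KEY modulus 2048
!
domain-name cisco.local
!
crypto ca trustpoint ROOT-CA
 enrollment url http://1.1.1.1:80
 revocation-check none
 keypair CA-KEY
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
!
access-list 110 extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
!
group-policy IKEv2-POLICY internal
group-policy IKEv2-POLICY attributes
 vpn-tunnel-protocol ikev2
!
! The L2L tunnel-group is named after the REMOTE peer (the router, 192.168.2.1),
! not after the ASA's own outside address.
tunnel-group 192.168.2.1 type ipsec-l2l
tunnel-group 192.168.2.1 general-attributes
 default-group-policy IKEv2-POLICY
tunnel-group 192.168.2.1 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ROOT-CA
!
! Child SA: must match the router's transform-set (AES-256 + HMAC-SHA1).
crypto ipsec ikev2 ipsec-proposal IKEv2-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map IKEv2-MAP 10 match address 110
crypto map IKEv2-MAP 10 set peer 192.168.2.1
crypto map IKEv2-MAP 10 set ikev2 ipsec-proposal IKEv2-PROPOSAL
crypto map IKEv2-MAP 10 set pfs group5
crypto map IKEv2-MAP 10 set trustpoint ROOT-CA
crypto map IKEv2-MAP interface outside
!
! ===== IOS 15.2(4)S side (192.168.2.1, protects 10.10.20.0/24) =====
! Run once from privileged EXEC:
!   crypto key generate rsa general-keys label CA-KEY modulus 2048
!
ip domain name cisco.local
!
crypto pki trustpoint ROOT-CA
 enrollment url http://1.1.1.1
 revocation-check none
 rsakeypair CA-KEY
!
crypto pki certificate map CERT-MAP 10
 issuer-name co root-ca
!
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 5
!
crypto ikev2 policy IKEv2-POLICY
 match address local 192.168.2.1
 proposal IKEv2-PROPOSAL
!
! The ASA presents its certificate DN as IKE identity, so the profile is
! selected by certificate map, not by a remote IP match.
crypto ikev2 profile IKEv2-PROFILE
 match address local 192.168.2.1
 match certificate CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint ROOT-CA
!
! "esp-aes 256": plain "esp-aes" is AES-128 and would not match the ASA proposal.
crypto ipsec transform-set IKEv2-SET esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map IKEv2-MAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set IKEv2-SET
 set pfs group5
 set ikev2-profile IKEv2-PROFILE
 match address 110
!
! IOS extended ACLs take wildcard masks, not subnet masks.
access-list 110 permit ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! Interface name is an assumption; the crypto map goes on the interface
! that owns 192.168.2.1.
interface GigabitEthernet0/0
 ip address 192.168.2.1 255.255.255.0
 crypto map IKEv2-MAP
```

Two caveats a practitioner would want before treating this as done. First, `revocation-check none` on both trustpoints means a compromised or retired peer certificate can never be refused; it is acceptable in a lab but should become `revocation-check crl` (or OCSP) against the issuing CA in production. Second, if the ASA has NAT rules that cover 10.10.10.0/24 towards the outside interface, the VPN traffic needs a NAT exemption (twice NAT with `nat (inside,outside) source static ... destination static ...`), which the post does not show. To confirm the IKE_SA and child SA after the change, `show crypto ikev2 sa` and `show crypto ipsec sa` on the ASA and `show crypto ikev2 sa detailed` on the router should list the peer; if they do not, `debug crypto ikev2 protocol 127` on the ASA and `debug crypto ikev2` on the router will show whether the failure is at proposal selection (IKE_SA_INIT), at certificate validation, or at child SA negotiation (IKE_AUTH), and `show crypto ca certificates` / `show crypto pki certificates` confirm both identity certificates were actually issued by the CA that the certificate map expects.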

2 Replies

hazem.shoeib (Level 1)

Hi there,

The below URL may assist you (it describes ASA-to-ASA L2L VPN using PKI):

http://itzecurity.blogspot.com.eg/2014/02/cisco-asa-ikev2-pki-site-site-vpn.html

If you have already sorted it out, please share your resolution.

pjain2 (Cisco Employee)

What do you see in the debugs?
