08-07-2015 05:24 AM - edited 02-21-2020 05:33 AM
I have been trying to implement an IKEv2 site-to-site VPN via PKI between an ASA 8.4 and IOS 15.2(4)S5 for many days, but the tunnel is still not coming up. If anyone has any idea or a configuration example, please do share it. My configurations are as follows:
ASA's Configuration:
ip domain name cisco.local
!
crypto key generate rsa general-keys label CA-KEY modulus 1024
!
crypto ca trustpoint ROOT-CA
 enrollment url http://1.1.1.1:80
 revocation-check none
 keypair CA-KEY
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
!
access-list 110 extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
!
group-policy IKEv2-POLICY internal
group-policy IKEv2-POLICY attributes
 vpn-tunnel-protocol ikev1 ikev2
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 general-attributes
 default-group-policy IKEv2-POLICY
tunnel-group 192.168.1.1 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ROOT-CA
!
crypto ipsec ikev2 ipsec-proposal IKEv2-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
!
crypto map IKEv2-MAP 10 match address 110
crypto map IKEv2-MAP 10 set peer 192.168.2.1
crypto map IKEv2-MAP 10 set ikev2 ipsec-proposal IKEv2-PROPOSAL
crypto map IKEv2-MAP 10 set trustpoint ROOT-CA
crypto map IKEv2-MAP interface outside
!
Router's Configuration:
crypto key generate rsa general-keys label CA-KEY modulus 1024
!
!
ip domain name cisco.local
!
crypto pki trustpoint ROOT-CA
 enrollment url http://1.1.1.1
 revocation-check none
 rsakeypair CA-KEY
!
!
!
ntp authentication-key 1 md5 cisco
ntp authenticate
ntp trusted-key 1
ntp server 1.1.1.1
!
!
!
crypto pki certificate map CERT-MAP 10
 issuer-name co root-ca
!
!
crypto ikev2 proposal IKEv2-PROPOSAL
 encryption aes-cbc-256
 integrity sha512
 group 5
!
crypto ikev2 policy IKEv2-POLICY
 match address local 192.168.2.1
 proposal IKEv2-PROPOSAL
!
!
crypto ikev2 profile IKEv2-PROFILE
 match address local 192.168.2.1
 match identity remote address 192.168.1.1 255.255.255.255
 match certificate CERT-MAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint ROOT-CA
!
no crypto ikev2 http-url cert
!
!
crypto ipsec transform-set IKEv2-SET esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto map IKEv2-MAP 10 ipsec-isakmp
 set peer 192.168.1.1
 set transform-set IKEv2-SET
 set pfs group2
 set ikev2-profile IKEv2-PROFILE
 match address 110
!
access-list 110 extended permit ip 10.10.20.0 255.255.255.0 10.10.10.0 255.255.255.0
!
09-05-2015 10:32 PM
Hi there,
The below URL may assist you (it describes an ASA-to-ASA L2L VPN using PKI):
http://itzecurity.blogspot.com.eg/2014/02/cisco-asa-ikev2-pki-site-site-vpn.html
If you have already sorted it out, please share your resolution.
09-06-2015 06:23 PM
What do you see in the debugs?