2189 Views, 6 Helpful, 15 Replies

Converting ISAKMP tunnels to IKEv2 and tunnels are not coming up

Mark1110
Level 1

Hello, I have working ISAKMP tunnels, and when I convert them to IKEv2 they are not coming up. As soon as I configure the new IKEv2 tunnel profile on the tunnel interface, the OSPF neighborship went down and I am getting the errors below. There is no issue with the ISAKMP tunnels. I have the config below on both sides.

error

*Feb 25 13:26:04.857: %OSPF-5-ADJCHG: Process 3, Nbr 10.10.10.2 on Tunnel10 from FULL to DOWN, Neighbor Down: Dead timer expired

*Feb 25 18:56:44.291: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 47

Configuration:

SiteA#
crypto ikev2 proposal prop-1
encryption aes-cbc-256

integrity sha512
group 24


crypto ikev2 policy policy-1
match fvrf DMVPN
match address local 1.1.1.1
proposal prop-1


crypto ikev2 keyring keyring-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key IKEV2@test@2023
!


crypto ikev2 profile IKEv2-Profile-1
match fvrf DMVPN
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local keyring-1

crypto ipsec transform-set transform-1 esp-aes 256 esp-sha256-hmac
mode transport


crypto ipsec profile IPSEC-Profile-1
set transform-set transform-1
set ikev2-profile IKEv2-Profile-1

interface Tunnel10
description tunnel to SiteB
bandwidth 50000
vrf forwarding PRIVATE_CORE
ip address 10.10.10.1 255.255.255.252
no ip redirects
ip mtu 1440
ip tcp adjust-mss 1400
ip ospf message-digest-key 1 md5 ospftest123
ip ospf cost 3600
tunnel source GigabitEthernet0/0/5(1.1.1.1)
tunnel destination 2.2.2.2
tunnel key 10
tunnel vrf DMVPN
tunnel protection ipsec profile IPSEC-Profile-1 shared
end


*Feb 25 13:26:04.857: %OSPF-5-ADJCHG: Process 3, Nbr 10.10.10.2 on Tunnel10 from FULL to DOWN, Neighbor Down: Dead timer expired

=----------------------------------------------------------

SiteB#

crypto ikev2 proposal prop-1
encryption aes-cbc-256
integrity sha512
group 24

crypto ikev2 policy policy-1
match address local 2.2.2.2
proposal prop-1

crypto ikev2 keyring keyring-1
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key IKEV2@test@2023
!

crypto ikev2 profile IKEv2-Profile-1
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local keyring-1


crypto ipsec transform-set transform-1 esp-aes 256 esp-sha256-hmac
mode transport

crypto ipsec profile IPSEC-Profile-1
set transform-set transform-1
set ikev2-profile IKEv2-Profile-1

interface Tunnel10
description tunnel to siteA
bandwidth 50000
ip address 10.10.10.2 255.255.255.252
no ip redirects
ip mtu 1440
ip nat outside
ip virtual-reassembly in
ip tcp adjust-mss 1400
ip ospf message-digest-key 1 md5 ospftest123
ip ospf cost 3600
tunnel source Vlan105(2.2.2.2)
tunnel destination 1.1.1.1
tunnel key 10
tunnel protection ipsec profile IPSEC-Profile-1 shared
end


error


*Feb 25 18:56:44.291: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 47

15 Replies

You are so so welcome,
and I am glad the issue is solved.
I will try adding the keyword shared to tunnel protection in my lab and see its effect.
Thanks for the update.
Have a nice day.

MHM
