02-25-2023 01:14 PM
Hello, I have working ISAKMP tunnels, and when I convert them to IKEv2 they do not come up. As soon as I configure the new IKEv2 tunnel profile on the tunnel interface, the OSPF neighborship goes down and I get the errors below. There is no issue with the ISAKMP tunnels. I have the config below on both sides.
Error:
*Feb 25 13:26:04.857: %OSPF-5-ADJCHG: Process 3, Nbr 10.10.10.2 on Tunnel10 from FULL to DOWN, Neighbor Down: Dead timer expired
*Feb 25 18:56:44.291: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 47
Configuration:
SiteA#
crypto ikev2 proposal prop-1
 encryption aes-cbc-256
 integrity sha512
 group 24
crypto ikev2 policy policy-1
 match fvrf DMVPN
 match address local 1.1.1.1
 proposal prop-1
crypto ikev2 keyring keyring-1
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key IKEV2@test@2023
!
crypto ikev2 profile IKEv2-Profile-1
 match fvrf DMVPN
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring-1
crypto ipsec transform-set transform-1 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-Profile-1
 set transform-set transform-1
 set ikev2-profile IKEv2-Profile-1
interface Tunnel10
 description tunnel to SiteB
 bandwidth 50000
 vrf forwarding PRIVATE_CORE
 ip address 10.10.10.1 255.255.255.252
 no ip redirects
 ip mtu 1440
 ip tcp adjust-mss 1400
 ip ospf message-digest-key 1 md5 ospftest123
 ip ospf cost 3600
 tunnel source GigabitEthernet0/0/5(1.1.1.1)
 tunnel destination 2.2.2.2
 tunnel key 10
 tunnel vrf DMVPN
 tunnel protection ipsec profile IPSEC-Profile-1 shared
end
*Feb 25 13:26:04.857: %OSPF-5-ADJCHG: Process 3, Nbr 10.10.10.2 on Tunnel10 from FULL to DOWN, Neighbor Down: Dead timer expired
=----------------------------------------------------------
SiteB#
crypto ikev2 proposal prop-1
 encryption aes-cbc-256
 integrity sha512
 group 24
crypto ikev2 policy policy-1
 match address local 2.2.2.2
 proposal prop-1
crypto ikev2 keyring keyring-1
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key IKEV2@test@2023
!
crypto ikev2 profile IKEv2-Profile-1
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring-1
crypto ipsec transform-set transform-1 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-Profile-1
 set transform-set transform-1
 set ikev2-profile IKEv2-Profile-1
interface Tunnel10
 description tunnel to siteA
 bandwidth 50000
 ip address 10.10.10.2 255.255.255.252
 no ip redirects
 ip mtu 1440
 ip nat outside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 ip ospf message-digest-key 1 md5 ospftest123
 ip ospf cost 3600
 tunnel source Vlan105(2.2.2.2)
 tunnel destination 1.1.1.1
 tunnel key 10
 tunnel protection ipsec profile IPSEC-Profile-1 shared
end
Error:
*Feb 25 18:56:44.291: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /2.2.2.2, src_addr= 1.1.1.1, prot= 47
04-20-2023 12:38 PM
You are so, so welcome,
and I am glad the issue is solved.
I will try adding the keyword shared to tunnel protection in my lab and see its effect.
Thanks for the update.
Have a nice day.
MHM