Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3032
Views
0
Helpful
1
Replies

Failed to establish IKEv2 VPN tunnel on ASAv with Sophos Firewall

Go to solution
S.U.H.E.L
Level 1
Level 1

‎02-18-2020 09:37 PM - edited ‎02-18-2020 10:20 PM

Configured the following on ASAv:

 

object network LOCAL

host <local private address>

 

object network REMOTE

host <remote private address>

 

nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE no-proxy-arp

 

access-list outside_cryptomap_25 extended permit ip object LOCAL object REMOTE

 

crypto ikev2 policy 10

enc aes-256

int sha256

group 5

prf sha256

lifetime seconds 5400

 

crypto ipsec ikev2 ipsec-proposal AES256-SHA256

protocol esp encryption aes-256

protocol esp integrity sha-256

 

group-policy GroupPolicy_<remote public ip> internal

group-policy GroupPolicy_<remote public ip> attributes

 vpn-tunnel-protocol ikev2

 

tunnel-group <remote public ip> type ipsec-l2l

tunnel-group <remote public ip> ipsec-attributes

 ikev2 remote-authentication pre-shared-key *****

 ikev2 local-authentication pre-shared-key *****

tunnel-group <remote public ip> general-attributes

default-group-policy GroupPolicy_<remote public ip>

 

crypto map MYMAP 25 match address outside_cryptomap_25

crypto map MYMAP 25 set peer <remote public ip>

crypto map MYMAP 25 set ikev2 ipsec-proposal AES256-SHA256

crypto map MYMAP 25 set pfs group5

crypto map MYMAP 25 set security-association lifetime seconds 3600

crypto map MYMAP 25 set security-association lifetime kilobytes unlimited

 

crypto map MYMAP interface outside

crypto ikev2 enable outside

 

The following logs were observed after running packet-tracer output:

%ASA-vpn-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = MYMAP. Map Sequence Number = 25.
%ASA-vpn-4-752011: IKEv1 Doesn't have a transform set specified
%ASA-vpn-5-750001: Local:XXXX Remote:XXXX Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: XXXX Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: XXXX Protocol: 0 Port Range: 0-65535

%ASA-vpn-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = MYMAP. Map Sequence Number = 25.
%ASA-vpn-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= MYMAP. Map Sequence Number = 25.

 

1 person had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Muhammad Awais Khan
Cisco Employee
Cisco Employee

‎02-18-2020 10:44 PM

Hi Suhel,

 

It look like on Sophos, you have ikev1 configured only for the tunnel. can you check ikev2 is configured on sophos or ikev1 ?

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Muhammad Awais Khan
Cisco Employee
Cisco Employee

‎02-18-2020 10:44 PM

Hi Suhel,

 

It look like on Sophos, you have ikev1 configured only for the tunnel. can you check ikev2 is configured on sophos or ikev1 ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card