IKEv2 Tunnel status "Ready"

Yahya
Level 1

Dear Experts!

I am a beginner with VPN configs. I am trying to bring the tunnel up and I've done all the configuration required on my side. After all that, it is showing many tunnels with status "ready". I don't know what the issue is!

My device is a Cisco ISR4321/K9; the peer side is a non-Cisco device.

Below is the result of # sh cry ikev2 sa:

[Screenshot 2024-01-17 233417.png]

Hi MHM,

Please see diagram for more details.

Thanks!

I changed the ACL using remote access to the router, but lost connectivity immediately.

I will check through console soon.

Thank you..

Yahya
Level 1

Hi MHM!

Thank you for your kind support. I would say we still have the same issue; it is not solved yet. But let me share the configuration of my side to be clear.

## Phase1 ##

crypto ikev2 proposal Q50
 encryption 3des
 integrity sha256
 group 21

***

crypto ikev2 policy P50
 proposal Q50

crypto ikev2 keyring Keyring
 peer ISP
  address X.X.1.132
  pre-shared-key local XXXXXX
  pre-shared-key remote XXXXXX

***

crypto ikev2 profile IKEv2PROFILE
 match identity remote address X.X.1.132 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local Keyring

***

## Phase 2 ##

crypto ipsec transform-set SETSET esp-3des esp-sha256-hmac
 mode tunnel

***

## Interesting Traffic ##

ip access-list extended 102
 1 permit ip host X.X.150.2 host X.X.129.59
 2 permit ip host X.X.150.2 host X.X.129.200

***

no crypto ipsec nat-transparency udp-encapsulation

***

crypto map CCCC ipsec-isakmp
 set peer X.X.1.132
 set transform-set SETSET
 set pfs group21
 set ikev2-profile IKEv2PROFILE

***

interface gx/x/x
 match address 102
 crypto map CCCC

match address 102 <<- this must be under the crypto map not under the interface 
MHM

Yes, it's under the crypto map.

I just shared from output >> sh run | sec crypto

show crypto ikev2 sa detail <<- share this when you ping from LAN to LAN (from x.x.150.2 to x.x.129.59) 
MHM

YahyaAyed_0-1705683267402.png

 

"detail", friend: add it to the command and share the result.
MHM

sh crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
2085 X.X.60.219/500 .X.1.132/500 none/none DELETE
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/583 sec
CE id: 16324, Session-id: 2733
Status Description: Deleting IKE SA
Local spi: 001833629387607B Remote spi: A41C16C459F04673
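
Added example, not part of the original thread: a small Python parser for "show crypto ikev2 sa detailed" output laid out like the post above, listing SAs that are not READY and peers that hold more than one IKE SA. The function names parse_ikev2_sa and triage are hypothetical, the sample text is constructed with documentation addresses, and the line layout is assumed to match what was posted.

```python
import re
from collections import Counter

# Constructed sample, modelled on the output layout quoted in the thread.
# Addresses are documentation ranges, not values from the thread.
SAMPLE = """\
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2085 192.0.2.10/500 198.51.100.20/500 none/none DELETE
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/583 sec
Status Description: Deleting IKE SA
2086 192.0.2.10/500 198.51.100.20/500 none/none READY
Encr: 3DES, PRF: SHA256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/12 sec
Status Description: Negotiation done
"""

SA_ROW = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+\S+/\S+\s+([A-Z_-]+)$")
TIMES = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)")
DESC = re.compile(r"Status Description:\s*(.+)")

def parse_ikev2_sa(text):
    """Return one dict per SA row, with the detail lines that follow it."""
    sas = []
    for line in (l.strip() for l in text.splitlines()):
        row = SA_ROW.match(line)
        if row:
            sas.append({"id": int(row[1]), "local": row[2], "remote": row[4],
                        "status": row[6]})
        elif sas:
            cur = sas[-1]  # detail lines belong to the most recent SA row
            if m := TIMES.search(line):
                cur["lifetime"], cur["active"] = int(m[1]), int(m[2])
            if m := DESC.search(line):
                cur["description"] = m[1].strip()
    return sas

def triage(sas):
    """Flag SAs that are not READY and peers holding more than one SA."""
    notes = [f"SA {s['id']} to {s['remote']}: {s['status']} "
             f"({s.get('description', 'no description')}) after {s.get('active', '?')}s"
             for s in sas if s["status"] != "READY"]
    per_peer = Counter(s["remote"] for s in sas)
    notes += [f"{peer}: {n} IKE SAs listed" for peer, n in per_peer.items() if n > 1]
    return notes

if __name__ == "__main__":
    print("\n".join(triage(parse_ikev2_sa(SAMPLE))))
```
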

Yahya
Level 1

SOLVED!

Peer side misconfiguration.

Thank you for support.
