Hi @kasunrajapakse 

You don't have the ivrf specified in the ikev2 profile configuration, this is required when using a crypto map. The default ivrf would be the fvrf.  Use "show crypto ikev2 sa" to confirm the actual ivrf.

No you don't need to permit traffic from "self" to "PO1760", the "self" zone is for traffic to/from the router itself, not transit traffic. You would need a zone-pair from inside (PO1760) to outside (UNTRUST). If still a problem, can you enable logging on your class-default drop and provide the output.

FYI, your encryption and DH group values used are weak and insecure, consider using something stronger.

Hi Rob, 
I have slightly changed my design as per the following guide. It looks promising. But I can't define an ACL that should match the interesting traffic. I should be able to config an ACL to define the local and remote LAN subnets that I want to communicate with. 

Any help on this? Thank you very much for looking in to this.


https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-architecture-implementation/214938-configuring-ikev2-vrf-aware-svti.html

crypto ikev2 proposal Proposal_HF_Test_AR
encryption 3des
integrity sha1
group 2

crypto ikev2 policy Policy_HF_Test_AR
match fvrf FVRF
match address local 6.x.x.x
proposal Proposal_HF_Test_AR

crypto ikev2 keyring Keyring_HF_Test_AR
peer Peer_Test_AR
address 8.x.x.x
pre-shared-key abc123
!

crypto ikev2 profile IKEv2_Profile_HF_Test_AR
match fvrf FVRF
match address local interface Loopback2
match address local 6.x.x.x
match identity remote address 8.x.x.x 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local Keyring_HF_Test_AR

crypto ipsec transform-set TS_HF_Test_AR esp-3des esp-sha-hmac
mode tunnel

crypto ipsec profile IPsec_Profile_HF_Test_AR
set transform-set TS_HF_Test_AR
set ikev2-profile IKEv2_Profile_HF_Test_AR

interface Tunnel 1
vrf forwarding trust
ip unnumbered Port-channel1.1760
zone-member security IPSEC
tunnel source Loopback 2
tunnel vrf FVRF
tunnel protection ipsec profile IPsec_Profile_HF_Test_AR

interface Loopback 2
vrf forwarding FVRF
ip address 6.x.x.x 255.255.255.255

ip route vrf trust 192.168.10.100 255.255.255.255 Tunnel 1

@kasunrajapakse 

You are getting confused, you've defined a tunnel interface so you are now using a route based VPN. You don't define an ACL to identify interesting traffic, you need to create static routes or use a routing protocol - you peer/route over the tunnel interface.

Examples of FlexVPN here and here.

Hi Rob, 
Thanks. Yes, I have moved on to route based VPN. 
I found the following document that I could define an ACL within the tunnel interface. 

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214728-configure-multi-sa-virtual-tunnel-interf.html

What do you think of this? Do you think I can use this to define traffic between the two LAN subnets? 

I am aware of Multi-SA, but that's not what you've configured. Multi-SA is used as a replacement for crypto map and used when you are peering with a device that is using crypto map.

What device are you peering with and how is it configured? If the other device is a crypto map you can use my suggestion in the first reply to get the crypto map with VRF working or configure multi-SA. If you control both ends then just use a standard FlexVPN route based VPN.

Hi Rob, 
Thank you for the above comment / feedback. 
The peering device is a non cisco and uses policy based VPN. 

-
However, Going back to your 1st comment, I didn't have any iVRF configured in the ikev2 profile. So I have done that now.
I can now see both my vrfs (FVRF & trust). However there is no traffic flow yet. I can see crypto ipsec sa up, but no encrypt/decrypt packets.  But having done that, I can see the remote subnet 10.121.36.250 learned to my inside vrf (trust)

ASR100#show crypto ikev2 sa

Tunnel-id Local Remote fvrf/ivrf Status
1 62.x.x.x/500 81.x.x.x/500 FVRF/trust READY
Encr: 3DES, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/318 sec

ASR1000#show ip route vrf trust | inc 10.121.36
S 10.121.36.250/32 [1/0] via 81.x.x.x, TenGigabitEthernet0/0/0
ASR1000#


Could it be the Zone Based Firewall blocking traffic between the interfaces ??
My traffic flow is as follows. 
Remote Traffic >>> TenGigabitEthernet0/0/0 >>> Loopback 2 (VPN end point) >>>Port-channel1.1760 (LAN side).
=======

ASR1000#show crypto ipsec sa

interface: TenGigabitEthernet0/0/0
Crypto map tag: CMAP_Non_BTOP, local addr 62.x.x.x

protected vrf: trust
local ident (addr/mask/prot/port): (10.113.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.121.12.60/255.255.255.255/0/0)
current_peer 81.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 62.x.x.x, remote crypto endpt.: 81.x.x.x
plaintext mtu 1446, path mtu 1500, ip mtu 1500, ip mtu idb TenGigabitEthernet0/0/0
current outbound spi: 0xDF44B6(14632118)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x5712FCB2(1460862130)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6297, flow_id: HW:4297, sibling_flags FFFFFFFF80000048, crypto map: CMAP_Non_BTOP
sa timing: remaining key lifetime (k/sec): (1843200/3512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xDF44B6(14632118)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 6298, flow_id: HW:4298, sibling_flags FFFFFFFF80000048, crypto map: CMAP_Non_BTOP
sa timing: remaining key lifetime (k/sec): (1843200/3512)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

@kasunrajapakse 

Possibly. Did you look at my comment in the first response about creating zone-pair from inside to outside and vice versa if necessary?

If you want to confirm that it is a ZBFW issue disable it, test and work from there.

I see you have NAT enabled, ensure you "deny" traffic between the networks defined in the crypto ACL to ensure this traffic is not natted.

If you've a security zone defined on the outside interface don't also have an interface ACL, just include that as part of the self to untrust/outside policy.

Thanks Rob, 

I'm in the process of making the "LAN >> WAN" zone pair. Do you think the following could work? Do I need to allow IPSec traffic from LAN >> WAN as well? 

PO1760 = LAN
UNTRUST = WAN

zone-pair security PO1760_to_UNTRUST source PO1760 destination UNTRUST
service-policy type inspect PO1760_to_UNTRUST_Traffic_Policy

policy-map type inspect PO1760_to_UNTRUST_Traffic_Policy

class type inspect PO1760_to_UNTRUST_Traffic_Class
pass
class class-default
drop

class-map type inspect match-any PO1760_to_UNTRUST_Traffic_Class
match protocol icmp
match protocol tcp
match protocol udp

@kasunrajapakse Looks ok

Hi Rob, 

Zone pairs added to allow traffic from LAN to WAN. But no luck. 
When i check IPSec sa on the ASR - I see the following. 

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16

Number of decaps matches the encaps on the remote end. So I think the packet is coming to the ASR ands decrypted. But for some reason it's not encapsulating the packets back and replying (This is my understanding )
I don't see anything useful on the debugs either. 

Running out of options to do. 

Hi Rob, 

Sorry for the late reply (I have been away) 
Thank you for all your help. Adding the zone from OUTSIDE to INSIDE worked. The IPSec is working now. 
Thank you again for your help!

Cheers!