06-14-2021 12:00 PM
Hi Team,
Following is the IPsec config I have on my ASR. There are multiple "ikev2 policies" calling multiple "ikev2 proposals" - this is just one set of them. Each IKEv2 policy and IKEv2 proposal is configured with different parameters for each peer.
My issue is that the Cisco ASR doesn't match the correct IKEv2 policy. It's trying to use a different IKEv2 policy and hence is not able to get Phase 1 up. The only way to fix the issue is to amend the parameters of the policy / proposal it is trying to couple with. (When I do a debug, I can see which IKEv2 policy it is trying to couple with.)
Any idea how to fix / troubleshoot this issue? I have also noticed that "crypto ikev2 policy IKEv2_Policy_GARBUTT_LEEDS" is never called anywhere in the config, so I would assume that this is configured globally.
There are multiple policies / proposals configured, but it doesn't pick the right policy.
crypto ikev2 proposal Proposal_GE_Leeds
 encryption aes-cbc-256
 integrity sha1
 group 5
!
crypto ikev2 policy IKEv2_Policy_GARBUTT_LEEDS
 match fvrf FVRF
 match address local 62.x.x.x
 proposal Proposal_GE_Leeds
!
crypto ikev2 keyring Keyring_GE_Leeds
 peer Peer_Garbutt_Leeds
  address 185.x.x.x
  pre-shared-key abc123
!
crypto ikev2 profile IKEv2_Profile_GE_Leeds
 match fvrf FVRF
 match address local interface Loopback2
 match address local 62.x.x.x
 match identity remote address 185.x.x.x 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local Keyring_GE_Leeds
!
crypto ipsec transform-set TS_GE_Leeds esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile IPsec_Profile_Garbutt_Leeds
 set transform-set TS_GE_Leeds
 set pfs group5
 set ikev2-profile IKEv2_Profile_GE_Leeds
 reverse-route
!
ip access-list extended IPSec_ACL_GE_Leeds
 10 permit ip 10.113.25.0 0.0.0.15 10.9.3.0 0.0.0.255
 20 permit ip 10.113.13.232 0.0.0.7 10.9.3.0 0.0.0.255
 30 permit ip 10.113.13.240 0.0.0.7 10.9.3.0 0.0.0.255
 40 permit ip 10.113.15.208 0.0.0.15 10.9.3.0 0.0.0.255
 50 permit ip 10.113.15.176 0.0.0.7 10.9.3.0 0.0.0.255
 60 permit ip 10.113.15.184 0.0.0.7 10.9.3.0 0.0.0.255
!
interface Tunnel 4
 description IKEv2 IPSec Ga_E - Leeds
 vrf forwarding garbutt_leeds
 ip unnumbered Port-channel1.1760
 zone-member security GARBUTT_LEEDS
 tunnel source Loopback2
 tunnel mode ipsec ipv4
 tunnel destination 185.x.x.x
 tunnel vrf FVRF
 tunnel protection ipsec policy ipv4 IPSec_ACL_GE_Leeds
 tunnel protection ipsec profile IPsec_Profile_Garbutt_Leeds
end
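An IKEv2 policy is never referenced by name from a profile; IOS XE selects it from the peer's FVRF and the local address (the only `match` statements a policy accepts), so two policies with identical match criteria cannot both be selected and one of them silently wins. The following added script (not from the original post or from Cisco) walks a config in the style shown above and reports policies whose (fvrf, local address) criteria collide, plus policies naming a proposal that is never defined; the sample config is constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the style of the posted config (not the poster's real
# config): Policy_A and Policy_B carry identical match criteria and so collide.
SAMPLE_CONFIG = """\
crypto ikev2 proposal Proposal_A
crypto ikev2 proposal Proposal_B
crypto ikev2 policy Policy_A
 match fvrf FVRF
 match address local 62.0.0.1
 proposal Proposal_A
crypto ikev2 policy Policy_B
 match fvrf FVRF
 match address local 62.0.0.1
 proposal Proposal_B
crypto ikev2 policy Policy_C
 match fvrf OTHER
 proposal Proposal_Missing
"""

def parse(config):
    """Return ({policy: {fvrf, local, proposals}}, {defined proposal names})."""
    # A policy with no match statement matches any fvrf and any local address.
    policies, proposals, cur = {}, set(), None
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["crypto", "ikev2", "policy"]:
            cur = policies.setdefault(w[3], {"fvrf": "any", "local": "any", "proposals": []})
        elif w[:3] == ["crypto", "ikev2", "proposal"]:
            proposals.add(w[3]); cur = None
        elif line and not line.startswith(" "):  # any other top-level line ends a block
            cur = None
        elif cur is not None and w[:2] == ["match", "fvrf"]:
            cur["fvrf"] = w[2]
        elif cur is not None and w[:3] == ["match", "address", "local"]:
            cur["local"] = w[3]
        elif cur is not None and w[:1] == ["proposal"]:
            cur["proposals"].append(w[1])
    return policies, proposals

def find_problems(config):
    """Flag policies sharing identical (fvrf, local) criteria and dangling proposals."""
    policies, defined = parse(config)
    by_key = defaultdict(list)
    for name, p in policies.items():
        by_key[(p["fvrf"], p["local"])].append(name)
    duplicates = {k: v for k, v in by_key.items() if len(v) > 1}
    dangling = {n: missing for n, p in policies.items()
                if (missing := [x for x in p["proposals"] if x not in defined])}
    return duplicates, dangling
```

Running `find_problems` over the real config (with the full set of policies, not just the one set posted) shows which policies compete for the same fvrf / local address, which is exactly the situation in which the debug output shows an unexpected policy being used.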