CSRv_IKev2 IPsec Profile and Crypto Map functionality

NDP
Level 1

We recently launched a CSRv instance on Oracle Cloud. This router is configured to join a DMVPN cloud. Everything is working as we expected. Underlay communication is secured through IKEv2 tunnels.

But we noticed that when we tried to create another policy-based IPsec tunnel with IKEv2 and apply the crypto map on the egress interface, the existing IKEv2 tunnels for DMVPN also got disconnected. This behavior is seen after we apply a crypto map with IKEv2 settings in it on the egress interface. But when we changed the policy-based tunnel to IKEv1, the DMVPN IKEv2 tunnels and the IKEv1 crypto map tunnel both worked.

 

Attached is the rough diagram.

The following config scenario didn't work:

! DMVPN mGRE tunnel protected by an IPsec profile (which references the IKEv2 profile)
interface Tunnel1
 tunnel source Gi2
 tunnel mode gre multipoint
 tunnel protection ipsec profile <profilename>
!
! Policy-based tunnel: crypto map entry using IKEv2 (IOS syntax is "set ikev2-profile")
crypto map VPNMAP 10 ipsec-isakmp
 set peer <peerIP>
 set transform-set <TS>
 match address <encryption>
 set ikev2-profile <IKEv2 profile>
!
! Crypto map applied to the egress interface
interface Gi1
 crypto map VPNMAP

 

It worked when we changed it to IKEv1 (ISAKMP).

[Attachment: Rough Diagram.png]

As it's a CSRv in the cloud, we didn't configure any front-door VRFs for DMVPN. Could someone advise if you are aware of this behavior? Thank you in advance.

7 Replies

Hello,

As I understand it, one IPsec IKEv2 and one IPsec IKEv1 tunnel work, but two IKEv2 tunnels together don't work? Are you using different profiles for the IKEv2 tunnels? Or are you sharing the IKEv2 profile (tunnel protection ipsec profile <profilename> shared)?

The IPsec profile is applied to the tunnel interface. In the IPsec profile, we call an IKEv2 profile which has the keyring and policy.

Whereas the crypto map for the policy-based VPN is applied to the egress interface (Gi1). The Gi1 interface is the outgoing interface for the default route and to the internet.

 

 

Hello,

Post the full running config of a working config and a non-working config.

This config didn't work:

! --- Policy-based (crypto map) IKEv2 tunnel to CUST1 ---
! Keyring: note that "identity address" in a keyring peer block matches the remote
! peer's IKE identity; 10.76.15.226 is this router's own address. Peer lookup still
! succeeds via the "address <peerIP>" line.
crypto ikev2 keyring kr1
 peer CUST1
  address <peerIP>
  identity address 10.76.15.226
  pre-shared-key <presharedkey>
!
crypto ikev2 proposal pro
 encryption aes-cbc-256
 integrity sha256
 group 5
!
crypto ikev2 policy cryptopolicy
 proposal pro
!
! Crypto ACL selecting the traffic to be encrypted by the crypto map
ip access-list extended cust1vpn
 10 permit ip <sourceIP> <DestinationIP>
!
crypto ikev2 profile profile1
 match address local 10.76.15.226
 match identity remote address <peerIP> 255.255.255.255
 identity local address 10.76.15.226
 authentication remote pre-share
 authentication local pre-share
 keyring local kr1
!
crypto ipsec transform-set ts1 esp-aes 256 esp-md5-hmac
 mode tunnel
!
! IOS syntax for attaching an IKEv2 profile to a crypto map entry is "set ikev2-profile"
crypto map VPNMAP 10 ipsec-isakmp
 set peer <peerIP>
 set transform-set ts1
 set pfs group19
 set ikev2-profile profile1
 match address cust1vpn
!
! Crypto map on Gi1, which is also the tunnel source of the DMVPN mGRE tunnel below
interface Gi1
 crypto map VPNMAP


DMVPN parameters:

! --- DMVPN IKEv2 (tunnel protection) ---
crypto ikev2 proposal dmvpn
 encryption aes-gcm-256
 prf sha256
 group 20
!
crypto ikev2 policy dmvpn
 proposal dmvpn
!
! Wildcard keyring: any spoke/hub address matches
crypto ikev2 keyring dmvpn
 peer any-ikev2
  address 0.0.0.0 0.0.0.0
  pre-shared-key <preshared-key>
!
crypto ikev2 profile dmvpn-ikev2
 match address local 10.76.15.226
 match identity remote address 0.0.0.0
 identity local address 10.76.15.226
 authentication remote pre-share
 authentication local pre-share
 keyring local dmvpn
 lifetime 28800
!
! The "crypto ipsec profile dmvpn" referenced below was not included in the post.
! mGRE tunnel sourced from Gi1, the same interface that carries crypto map VPNMAP
interface Tunnel101
 tunnel source Gi1
 tunnel mode gre multipoint
 tunnel protection ipsec profile dmvpn

 

 

We modified the crypto map entry to IKEv1 and added ISAKMP policies; then it met our requirement.

Hello,

Got it.

I am pretty sure the problem is that you mix VTIs and crypto maps. Try and configure two VTIs instead (don't configure the crypto map, which is considered legacy anyway).

I just found one link and see that a crypto map on a physical interface which is the source for another tunnel interface with IPsec profile protection is not supported.

https://community.cisco.com/t5/vpn/site-to-site-vpn-and-dmvpn-on-same-router/td-p/2010012

Hello,

That would mean IKEv1 would not work either, I suppose.

Have you tried two VTIs with IKEv2, as suggested?
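Added example, not part of the original thread or of any reply: what the "two VTIs" suggestion looks like in IOS XE config. The poster's crypto map on Gi1 is replaced by a route-based IKEv2 sVTI sourced from the same Gi1 as the DMVPN mGRE tunnel, so no crypto map sits on the tunnel source interface. The IKEv2 profile profile1 and keyring kr1 are reused from the posted config; Tunnel200, the IPsec profile CUST1-IPSEC, the transform set ts1-sha256, the 172.16.200.0/30 tunnel addressing and the <customer-prefix>/<mask> route are assumptions chosen for illustration.

```cisco
! Added example: IKEv2 sVTI replacing crypto map VPNMAP (assumed names, not from the thread)
! Transform set: SHA-256 integrity instead of the posted esp-md5-hmac (MD5 HMAC is deprecated)
crypto ipsec transform-set ts1-sha256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! IPsec profile binds the transform set and the poster's existing IKEv2 profile
crypto ipsec profile CUST1-IPSEC
 set transform-set ts1-sha256
 set pfs group19
 set ikev2-profile profile1
!
! Route-based tunnel to CUST1, sourced from Gi1 like the DMVPN Tunnel101
interface Tunnel200
 description IKEv2 sVTI to CUST1 (replaces crypto map VPNMAP on Gi1)
 ip address 172.16.200.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination <peerIP>
 tunnel protection ipsec profile CUST1-IPSEC
!
! Encryption policy is now routing, not a crypto ACL: traffic routed into Tunnel200 is encrypted
ip route <customer-prefix> <mask> Tunnel200
!
! Remove the legacy crypto map from the DMVPN tunnel source interface
interface GigabitEthernet1
 no crypto map VPNMAP
!
! Verification: both IKEv2 SAs (DMVPN peers and CUST1) should stay up together
!   show crypto ikev2 sa
!   show crypto session
!   show dmvpn
```

Two things to check before cutting over: an sVTI negotiates any/any traffic selectors, so the CUST1 side must either be a VTI itself or accept 0.0.0.0/0 selectors rather than insisting on the narrow cust1vpn ACL match; and the crypto ACL cust1vpn and crypto map VPNMAP can be deleted once the route into Tunnel200 carries the customer prefix, since nothing references them any more.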
