cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
954
Views
5
Helpful
7
Replies

CSRv_IKev2 IPsec Profile and Crypto Map functionality

NDP
Beginner
Beginner

We recently launched CSRv instance on Oracle cloud. This router is configured to join DMVPN cloud. Everything is working as We expected . Underlay communication is secured through IKEv2 tunnels.

 

But, We noticed that when We tried to create another policy based IPSec tunnel with IKEv2 and apply the crypto map on egress interface, existing IKEv2 tunnels for DMVPN also got disconnected. This behavior is seen after We applied crypto map on egress interface with IKEv2 settings in it. But, When We changed the policy based tunnel to IKEv1 , DMVPN IKEv2 tunnels and IKEv1 crypto map tunnels both worked.

 

Attached is the rough diagram.

 

The following config-scenario didn't work:-

Interface tunnel 1

tunnel source Gi2

tunnel mode gre multipoint

tunnel protection ipsec profile <profilename>

 

 

crypto map VPNMAP 10 ipsec-isakmp

set peer <peeerIP>

set transform-set <TS>

match address <encryption>

set ikev2 profile <IKEv2 profile>

 

 

interface gi1

crypto map VPNMAP

 

It worked when We changed it to IKev1 (ISAKMP)

Rough Diagram.png

 

As it's CSRv on cloud, We didn't configure any front-door VRFs for DMVPN. Could someone advise if you are aware of this behavior. Thank you in advance

7 Replies 7

Georg Pauwen
VIP Master VIP Master
VIP Master

Hello,

 

as I understand it, one IPSec ikev2 and one IPSec ikev1 work, but two ikev2 tunnels together don't work ? Are you using different profiles for the ikev2 tunnels ? Or are you sharing the ikev2 profile (tunnel protection ipsec profile <profilename> shared) ?

IPsec profile is applied to Tunnel interface. In IPsec profile, We called Ikev2 profile which has Keyring, policy.

 

where as Crypto Map for policy based VPN is applied to egress interface ( Gi1) . Gi1 interface is outgoing interface for default route and to internet.

 

 

Hello,

 

post the full running config of a working config and a non-working config.

This config didn't work.

crypto ikev2 keyring kr1
peer CUST1
address <peerIP>
identity address 10.76.15.226
pre-shared-key <presharedkey>

 

crypto ikev2 proposal pro
encryption aes-cbc-256
integrity sha256
group 5

 

crypto ikev2 policy cryptopolicy
proposal pro

 

ip access-list extended cust1vpn
10 permit ip <sourceIP> <DestinationIP>


crypto ikev2 profile profile1
match address local 10.76.15.226
match identity remote address <peerIP> 255.255.255.255
identity local address 10.76.15.226
authentication remote pre-share
authentication local pre-share
keyring local kr1

 

crypto ipsec transform-set ts1 esp-aes 256 esp-md5-hmac
mode tunnel

crypto map VPNMAP 10 ipsec-isakmp
set peer <peerIP>
set transform-set ts1
set pfs group19
set ikev2 profile profile1
match address cust1vpn

 

interface gi1
crypto map VPNMAP


DMVPN parameters


crypto ikev2 proposal dmvpn
encryption aes-gcm-256
prf sha256
group 20


crypto ikev2 policy dmvpn
proposal dmvpn
crypto ikev2 keyring dmvpn
peer any-ikev2
address 0.0.0.0 0.0.0.0
pre-shared-key <preshared-key>

 

crypto ikev2 profile dmvpn-ikev2
match address local 10.76.15.226
match identity remote address 0.0.0.0
identity local address 10.76.15.226
authentication remote pre-share
authentication local pre-share
keyring local dmvpn
lifetime 28800

 

interface tun101
  tunnel source gi1
  tunnel mode gre multipoint
    tunnel protection ipsec profile dmvpn

 

 

We modified crypto map entry to Ikev1 and added isakm policies , then , it met our requirement.

Hello,

 

got it.

 

I am pretty sure the problem is that you mix VTIs and crypto maps. Try and configure two VTIs instead (don't configure the crypto map, which is considered legacy anyway.)