Help with Router to ASA IKEv2 VPN

Travis-Fleming
Level 1

Hello,

I'm trying to establish a simple IKEv2 site-to-site VPN between a Cisco 2911 and ASA 5516. I believe the IPSec tunnel comes up (phase1) but the IKEv2 doesn't form. Attached are the relevant configs for the router and ASA, as well as the debugs from the router for ipsec and ikev2. I have multiple ASA5505's doing a site-to-site to our ASA 5516 so I don't think the problem is on that end, but with my router. Any help would be greatly appreciated.

Router Local Subnet - 10.10.74.0/24

Remote Network Subnet to form VPN with (from router) - 172.16.0.0/12

Router Public IP - 1.2.3.4

ASA Public IP - 4.3.2.1

Accepted Solution

Hello,

I rebuilt your setup in the lab, and after a lot of testing, it seems that you are simply using the wrong transform set. This one works:

crypto ipsec transform-set ATS-TS esp-aes 256 esp-sha-hmac
 mode tunnel

So try to replace your old one with this one...
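Added example, not code from this thread or from Cisco: a small Python checker that parses the router's "crypto ipsec transform-set" lines and the ASA's "crypto ipsec ikev2 ipsec-proposal" blocks, normalises the two spellings of each ESP algorithm, and lists the pairs both peers would accept, which is exactly the mismatch the accepted answer found in the lab. The configs in it are constructed; OLD-TS is a hypothetical non-matching set, not the poster's actual one, and the ASA proposal name AES256 is assumed.

```python
import re

# IOS transform-set keyword -> the algorithm name the ASA uses in its ipsec-proposal.
IOS_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes", "esp-null": "null"}
IOS_INT = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha-1", "esp-sha256-hmac": "sha-256"}

def parse_ios_transform_sets(config):
    """Return {name: (encryption, integrity)} from IOS 'crypto ipsec transform-set' lines."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+)\s+(.+)$", config, re.M):
        name, tok = m.group(1), m.group(2).split()
        enc = IOS_ENC.get(tok[0], tok[0])
        if enc == "aes" and len(tok) > 1 and tok[1].isdigit():  # 'esp-aes 256' -> aes-256
            enc = "aes" if tok[1] == "128" else "aes-" + tok[1]
            tok = tok[1:]
        integ = IOS_INT.get(tok[1], tok[1]) if len(tok) > 1 else "null"
        sets[name] = (enc, integ)
    return sets

def parse_asa_proposals(config):
    """Return {name: {"encryption": set, "integrity": set}} from ASA ikev2 ipsec-proposal blocks."""
    props, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^crypto ipsec ikev2 ipsec-proposal (\S+)", line)
        alg = re.match(r"^\s+protocol esp (encryption|integrity) (.+)$", line)
        if head:
            current = props.setdefault(head.group(1), {"encryption": set(), "integrity": set()})
        elif alg and current is not None:
            current[alg.group(1)].update(alg.group(2).split())  # ASA allows several per line
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the proposal block
    return props

def matching_pairs(router_cfg, asa_cfg):
    """Return (transform-set, proposal) pairs whose ESP algorithms both peers accept."""
    ts = parse_ios_transform_sets(router_cfg)
    props = parse_asa_proposals(asa_cfg)
    return sorted((t, p) for t, (enc, integ) in ts.items() for p, a in props.items()
                  if enc in a["encryption"] and integ in a["integrity"])

# Constructed sample configs; OLD-TS is a hypothetical mismatched set, not the poster's.
ROUTER_CFG = """\
crypto ipsec transform-set OLD-TS esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set ATS-TS esp-aes 256 esp-sha-hmac
"""
ASA_CFG = """\
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
"""

if __name__ == "__main__":
    print(matching_pairs(ROUTER_CFG, ASA_CFG))  # -> [('ATS-TS', 'AES256')]
```

Agreement on the ESP algorithms is necessary but not sufficient: the IKEv2 proposal, PFS group and lifetimes must also line up, so treat an empty result as the first thing to fix and a non-empty one as permission to read the debugs for the rest.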

7 Replies

Hello,

On the router, you have this configured:

identity local key-id DefaultL2LGroup

Make sure you are using the same group on the ASA as well. Other than that, the config looks ok...

Thank you for the reply. I do have DefaultL2LGroup defined in the tunnel-group of the ASA. Is there somewhere else I may need it? With my 20+ ASA5505's they work without it somewhere else, so guessing if it's needed elsewhere it would only affect my router trying to connect?

Below is the excerpt from the ASA config as it pertains to the DefaultL2LGroup.

I did try removing that statement from the IKEv2 profile on my router as well, and the problem still existed. I'm unable to communicate over the VPN because I do not believe the IKEv2 piece fully establishes.

tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Hello,

I think on the ASA you need:

 

crypto map outside_map 20 ipsec-isakmp dynamic DHCP-Agents

Ah sorry I didn't include that in my original, but the below line already existed on my ASA. Should I maybe change the priority to a lower number?

crypto map outside_map 65000 ipsec-isakmp dynamic DHCP-Agents

There are two other crypto maps in play. One for our Puerto Rico location.

crypto map outside_map 36 match address crypto-atscmn-puertorico
crypto map outside_map interface outside

Hello,

You could try and change it to 1, not sure if that makes a difference though, to be honest...

I will try that and see if it helps on Monday. We do have a new 881 on the way we want to put in play with the IKEv2 VPN to our ASA in the long run and will have SmartNet on it to create a case if I can't get it to work either. Glad I wasn't missing something big on this one. Thanks!
