11-21-2019 11:13 AM
Hi, I have a Cisco ISR 4451 in which I have IKEv1 tunnels configured. I added an IKEv2 tunnel and applied it to a VRF interface already used for a v1 tunnel, but the tunnel is not coming up. I have ipsec and isakmp debug on and they don't show anything. I applied the same configuration to a C891 router with no other tunnel configured for testing purposes and the tunnel came up. Here is some of the configuration.
crypto ikev2 proposal test
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy 1
 proposal test
!
crypto ikev2 profile profile1
 match identity remote address 200.33.200.50 255.255.255.255
 authentication local pre-share key
 authentication remote pre-share key
 lifetime 28800
!
crypto ipsec transform-set AES-SHA2 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map ADIENT 10 ipsec-isakmp
 set peer 200.33.200.50
 set transform-set AES-SHA2
 set pfs group14
 set ikev2-profile profile1
 match address ACL_VPN_BAN
!
interface GigabitEthernet0/0/3.109
 encapsulation dot1Q 109
 ip vrf forwarding ADIENT
 ip address 201.174.34.139 255.255.255.248
 ip flow monitor NFAmonitor input
 crypto map ADIENT
Please help
11-21-2019 12:04 PM
Hello,
the IKEv2 configuration looks correct. Do you have the configuration of the other side as well?
Also, what is the access list ACL_VPN_BAN matching?
11-21-2019 12:18 PM
I have been requesting it for days but they don't want to share it, but like I said, this same configuration worked on the test router. As for the ACL, here it is:
ip access-list extended ACL_VPN_BAN
 permit ip host 172.25.25.xx host 15.128.4.xx
 permit ip host 172.25.25.xx host 15.128.1.xx
Behind this router we have a Cisco ASA for traffic filter too:
access-list adient_acl extended permit tcp host 15.128.1.xx host 172.25.25.xx eq 7001
access-list adient_acl extended permit tcp host 15.128.4.xx host 172.25.25.xx eq 443
11-21-2019 01:42 PM
Hello,
can you try and configure a VTI instead of the 'traditional' crypto map?
11-22-2019 09:16 AM
Hi, can I have the VTI only for the IKEv2 tunnel and keep the IKEv1 as a map, or do I have to put both on the VTI? I know I can assign the VRF interface to the ipsec profile and keyring (as below) in v1 but I haven't been able to do it for v2.
crypto keyring adient-keyring vrf ADIENT
 pre-shared-key address 198.35.73.10 key
crypto isakmp profile adient-peer
 vrf ADIENT
 keyring adient-keyring
 match identity address 198.35.73.xx 255.255.255.255 ADIENT
 isakmp authorization list default
Regards.
11-22-2019 10:04 AM
Hello,
I think you can keep the IKEv2 VTI completely separated from the IKEv1 crypto map. Below is a configuration example:
11-25-2019 10:18 AM
I just configured the VTI but the interface does not come up. Could it be the crypto map interfering, or does the other side have to configure a VTI too? Here is what I configured.
crypto ikev2 proposal test
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy 1
 proposal test
crypto ikev2 keyring KR-Banorte
 peer Banorte
  address 200.33.200.xx
  pre-shared-key remote xxxxxxxxxx
  pre-shared-key local xxxxxxxxx
crypto ikev2 profile banorte-peer
 match identity remote address 200.33.200.xx 255.255.255.255
 identity local address 201.174.34.xxx
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-Banorte
 lifetime 28800
crypto ipsec profile Banorte
 set transform-set AES-SHA2
 set ikev2-profile banorte-peer
interface Tunnel0
 ip address 192.168.12.1 255.255.255.252
 tunnel source GigabitEthernet0/0/3.109
 tunnel mode ipsec ipv4
 tunnel destination 200.33.200.xx
 tunnel protection ipsec profile Banorte
ip route 200.33.200.xx 255.255.255.255 Tunnel0
ip route 15.128.1.xx 255.255.255.255 Tunnel0
ip route 15.128.4.xx 255.255.255.255 Tunnel0
R1-JRZ(config)#do sho ip interface brief tunnel 0
Interface IP-Address OK? Method Status Protocol
Tunnel0 192.168.12.1 YES manual up down
11-25-2019 11:40 AM
Hello,
the other side needs to have a VTI, too, sorry if I forgot to mention that...
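As an added example (not configuration posted by anyone in this thread), here is an IKEv2 sVTI pair matching the solution above, written for the VRF case this thread is about: because the tunnel source Gi0/0/3.109 sits in VRF ADIENT, the IKEv2 policy and profile match that front-door VRF and the tunnel carries `tunnel vrf ADIENT`, while the peer mirrors it with its own VTI. Addresses reuse the ones already on the page (200.33.200.50, 201.174.34.139, 192.168.12.0/30); the pre-shared keys, the peer's outside interface and the protected prefix are placeholders.

```cisco
! ---- Local router: Gi0/0/3.109 is in VRF ADIENT (front-door VRF) ----
crypto ikev2 proposal test
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-ADIENT
 match fvrf ADIENT
 proposal test
!
crypto ikev2 keyring KR-Banorte
 peer Banorte
  address 200.33.200.50
  pre-shared-key local <LOCAL-PSK-PLACEHOLDER>
  pre-shared-key remote <REMOTE-PSK-PLACEHOLDER>
!
crypto ikev2 profile banorte-peer
 match fvrf ADIENT
 match identity remote address 200.33.200.50 255.255.255.255
 identity local address 201.174.34.139
 authentication local pre-share
 authentication remote pre-share
 keyring local KR-Banorte
!
crypto ipsec transform-set AES-SHA2 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile Banorte
 set transform-set AES-SHA2
 set pfs group14
 set ikev2-profile banorte-peer
!
interface Tunnel0
 ip address 192.168.12.1 255.255.255.252
 tunnel source GigabitEthernet0/0/3.109
 tunnel mode ipsec ipv4
 tunnel destination 200.33.200.50
 tunnel vrf ADIENT
 tunnel protection ipsec profile Banorte
!
! Only protected prefixes point into the tunnel; the peer 200.33.200.50 stays reachable via VRF ADIENT
ip route 15.128.1.0 255.255.255.0 Tunnel0
!
! ---- Peer router: mirror VTI (same proposal, keyring, profile and ipsec profile on its side) ----
interface Tunnel0
 ip address 192.168.12.2 255.255.255.252
 tunnel source <PEER-OUTSIDE-INTERFACE>
 tunnel mode ipsec ipv4
 tunnel destination 201.174.34.139
 tunnel protection ipsec profile Banorte
```

Once both ends are in place, `show crypto ikev2 sa` and `show crypto ipsec sa` should list the SA pair and `show ip interface brief Tunnel0` should report line protocol up.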
11-28-2019 08:23 AM
Thank you all for your help. Since the other party won't make any other modification, we decided to configure a new device.
Regards.
11-22-2019 10:45 AM
Is IKEv2 enabled on your interface?
crypto map [ikev2Map] interface outside