09-16-2021 05:21 AM
I am trying to configure an IKEv1 IPsec tunnel on this ASR1001X. Phase 1 comes up with no issue. However, none of the interesting traffic specified in the ACL being used for the encryption domain is being matched, and therefore Phase 2 is never established. I've confirmed my configuration with the provider on the other end of the tunnel, and I have also run "monitor capture" commands and confirmed that the correct traffic is making it to the router for the correct destination.
We have other IPsec tunnels that are functioning without issue, but those tunnels are route-based, as opposed to this one, which is policy-based. Is it possible that there is an overlap of the routes on the router, or is there something I am missing? We do have a route that points any 10.0.0.0/8 network traffic to the firewall, but the networks specified in the encryption domain ACL are more specific. Please help!
Thanks!
09-21-2021 08:16 AM
Thanks for the update. Interesting that SHA2 is not supported on this platform/version of code. Perhaps you could go back to Cisco TAC and ask about whether the access list implementation has a bug?
09-23-2021 07:16 AM
Hi All,
TAC was able to figure this out, and it was a very simple issue. We have other route-based tunnels on this same router, and one of the static routes on the router was sending all traffic destined for this new policy-based tunnel in another direction, so it was never hitting the external interface where the crypto map was applied. I added a static route for the particular network in question (10.223.251.0/24) pointing out the external interface where the crypto map is applied, and this has fixed the issue.
Thanks to all for taking a look!
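To make the resolution above concrete, here is an added IOS-XE configuration example (not the poster's configuration and not anything Cisco or the provider supplied). Only the design points come from the thread: IKEv1, a policy-based crypto map on the external interface, a pre-existing 10.0.0.0/8 static route toward the firewall, SHA-1 rather than SHA-2 hashing, and the remote network 10.223.251.0/24. Interface names, IP addresses (RFC 5737 documentation ranges), the pre-shared key, the local subnet 10.50.1.0/24 and the next-hop addresses are all assumptions.

```cisco
! Added example, not the poster's config. Interfaces, addresses, PSK,
! local subnet and next hops are assumed; see the lead-in above.
!
! Phase 1: SHA-1 is used because the thread reports SHA-2 is not
! available on this platform/code version.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.10
!
! Phase 2 proposal
crypto ipsec transform-set TS-PROVIDER esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Encryption domain: local 10.50.1.0/24 (assumed) to remote 10.223.251.0/24.
! Packets are only matched against this ACL if they egress the interface
! that carries the crypto map.
ip access-list extended ACL-PROVIDER-CRYPTO
 permit ip 10.50.1.0 0.0.0.255 10.223.251.0 0.0.0.255
!
crypto map CM-OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-PROVIDER
 match address ACL-PROVIDER-CRYPTO
!
interface GigabitEthernet0/0/0
 description External / ISP (assumed name)
 ip address 203.0.113.2 255.255.255.248
 crypto map CM-OUTSIDE
!
! The pre-existing route that silently captured the interesting traffic:
! 10.223.251.0/24 is covered by this /8, so it was forwarded toward the
! firewall, never reached Gi0/0/0, and the crypto ACL never saw it.
ip route 10.0.0.0 255.0.0.0 10.1.1.254
!
! The fix from the thread: a more specific route for the remote network,
! pointing out the crypto-map interface. Longest prefix match means this
! /24 wins over the /8, so the packets now egress Gi0/0/0 and match the
! crypto ACL. The next hop 203.0.113.1 is the assumed ISP gateway.
ip route 10.223.251.0 255.255.255.0 GigabitEthernet0/0/0 203.0.113.1
```

To confirm the routing change did what was intended before looking at the crypto side, check the forwarding decision for a host in the remote network with `show ip route 10.223.251.1` and `show ip cef 10.223.251.1`; both should now point at GigabitEthernet0/0/0 instead of the firewall next hop. Then `show crypto session` should report the peer as UP-ACTIVE and the `#pkts encaps` counter in `show crypto ipsec sa peer 203.0.113.10` should increment as traffic flows. As a general caveat not raised in the thread: if the external interface also performs NAT, the same interesting traffic must be excluded from translation, or it will be rewritten before the crypto ACL is evaluated and again fail to match.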
09-24-2021 03:48 PM
Thanks for the update. Glad to know that TAC was able to identify the issue. Interesting that it was a mistake in the routing logic, solved by a static route for the particular network involved in the VPN.