Thanks RJI,   I took a second look and it turns out the vendor had provided a document with an example VTI config. But their example had not included the isakmp profile configuration which is what I was missing. I had instead included the old format isakmp + key + format . So I had tried to build the tunnel with only the example they provided, and of course it failed. I had only previous experience with crypto-maps, this was my first ipsec tunnel profile.    ... View more

Hi Sergey,   With my current configuration, if on R1 A or B I set the iBGP peers to use default-originate I was still getting the full routing table. I.e. I had put  router bgp 2***1 neighbor 2.2.2.3 remote-as 6502 neighbor 2.2.2.3 default-originate   into R1 A, and I saw the table start to fill up on R2. I had not saved the config so I reloaded the router to reset it, and removed the entries on R1 A. That is when I took a step back to look into what I needed to do. In a test on different set of routers, I had used default-originate which provided the interior router with only 0.0.0.0 via bgp, but the source router only had 1 static route of 0.0.0.0 to the ISP.   My original idea was to have R1 A and R1 B send the default route to devices such as R2 via BGP so they could dynamically adjust to link/service changes with our ISPs as opposed to them currently using static route with R1 B as their default.   If I do default-originate on R1 A, would I then filter on R2  only to get the 0.0.0.0 from R1 A such as:   router bgp 2***1 bgp log-neighbor-changes network 2.2.2.0 mask 255.255.255.0 neighbor 2.2.2.2 remote-as 2***1 neighbor 2.2.2.2 next-hop-self neighbor 2.2.2.3 remote-as 6502 neighbor 2.2.2.3 default-originate neighbor 3.3.3.254 remote-as 1**** neighbor 3.3.3.254 prefix-list ISP2 out ! ip prefix-list ISP2 seq 5 permit 2.2.2.0/24 ip route 0.0.0.0 0.0.0.0 3.3.3.254   ... View more

Hi George,   Thanks for replying. I think at this point my issue is with R1 to R2 that I will need to look further into. I am able to ping from a device at 10.190.0.0 to the R1 router, but R1 to the device fails. Doing a traceroute I do see the first hop is the other end of the tunnel, but everything after that is *  *  *. I had initially thought that R3 was suppose to be able to only communicate with the 10.1.1.0 subnet of R2, that is not the case.   R3 is using our edge router as it's gateway, and applying a static route for 10.172.40.0 to R2 solves the remote devices being able to reach R1. As R1 contains a lot of unnecessary configuration I am going to start from scratch on Monday to include only that which is needed. Suffice to say this is not an issue or need to use NAT. ... View more

Below are the configs as of this morning. R1 is a test/development unit whereas R2 is presently in use for a different purpose, but was available for this testing.   Originally R1 was using EIGRP with 2x R2 routers (could call them R2A and R2B), but for this issue I changed that to only use just the one R2 router as I wanted to keep things simple as I could.   R1 R2 crypto isakmp policy 1  encr aes  authentication pre-share  group 5 ! crypto isakmp policy 2  encr aes  authentication pre-share  group 5 crypto isakmp key ******* address 38.xx.xx.xx ! crypto ipsec transform-set T1 esp-aes esp-sha-hmac  mode tunnel crypto ipsec transform-set TM1 esp-aes 256 esp-sha-hmac  mode transport ! crypto ipsec profile IPSEC  set transform-set T1 ! crypto map VZ1 11 ipsec-isakmp  set peer 38.xx.xx.xx  set transform-set TM1  match address 131 ! interface Tunnel1  ip address 10.63.5.1 255.255.255.248  tunnel source 171.52.10.2  tunnel destination 38.xx.xx.xx ! interface GigabitEthernet0  ip address 171.52.10.2 255.255.255.248  ip nat outside  ip virtual-reassembly in  crypto map VZ1 ! interface GigabitEthernet1  ip address 10.172.40.1 255.255.255.224  ip nat inside  ip virtual-reassembly in ! router eigrp 1  network 10.62.5.0 0.0.0.7  network 10.63.5.0 0.0.0.7  network 10.172.40.0 0.0.0.31  neighbor 10.63.5.2 Tunnel1  neighbor 10.62.5.2 Tunnel0  no eigrp log-neighbor-changes ! ! ip nat inside source list NAT interface GigabitEthernet0 overload ip route 0.0.0.0 0.0.0.0 171.52.10.1 ip ssh version 2 ! ip access-list standard NAT  permit 10.172.40.0 0.0.255.255 ! ! route-map 10 permit 10  match ip address 110 ! route-map STATIC permit 10  match ip address 20  set metric 56 100 255 1 1500 ! access-list 20 permit 10.172.40.0 0.0.0.31 access-list 131 permit gre host 171.52.10.2 host 38.xx.xx.xx         crypto isakmp policy 1  encr aes  authentication pre-share  group 2 ! crypto isakmp policy 2  encr aes  authentication pre-share  group 5 crypto isakmp key ******* address 50.xx.xx.xx ! crypto ipsec transform-set TM1 esp-aes 256 esp-sha-hmac  mode transport crypto ipsec transform-set T1 esp-aes esp-sha-hmac  mode tunnel ! crypto ipsec profile IPSEC  set transform-set T1 ! crypto map VZ1 11 ipsec-isakmp  set peer 50.xx.xx.xx  set transform-set TM1  match address 151 ! interface Tunnel1  ip address 10.63.5.2 255.255.255.248  ip nat inside  ip virtual-reassembly in  tunnel source 10.1.1.40  tunnel destination 50.xx.xx.xx ! interface FastEthernet4  ip address 10.1.1.40 255.255.255.0  ip nat outside  ip virtual-reassembly in  crypto map VZ1 ! interface FastEthernet4.100  encapsulation dot1Q 100  ip address 38.xx.xx.xx 255.255.255.0 ! router eigrp 1  network 10.1.1.0 0.0.0.255  network 10.63.5.0 0.0.0.7  network 10.80.0.0 0.0.0.255  network 38.xx.xx.0 0.0.0.255  redistribute connected route-map STATIC  redistribute static route-map STATIC  neighbor 10.63.5.1 Tunnel1  eigrp router-id 10.1.1.40  no eigrp log-neighbor-changes ! ip nat inside source list NAT interface FastEthernet4 overload ip nat inside source static 10.172.40.1 10.1.1.45 ip route 0.0.0.0 0.0.0.0 10.1.1.20 ip route 10.55.7.0 255.255.255.0 10.1.1.35 ip route 10.190.0.0 255.255.255.0 10.1.1.50 ! ip access-list standard NAT  permit 10.172.40.0 0.0.0.255 ! route-map STATIC permit 10  match ip address 20  set metric 56 100 255 1 1500 ! access-list 20 permit 10.172.40.0 0.0.0.31 access-list 20 permit 10.80.0.0 0.0.0.255 access-list 20 permit 10.55.7.0 0.0.0.255 access-list 100 permit ip 10.172.40.0 0.0.0.255 any access-list 151 permit gre host 10.1.1.40 host 50.xx.xx.xx   ... View more

Hi Francesco, thank you for replying. It is the device at 10.172.40.1 at R1 that needs to communicate with 10.90.0.50 behind R3 which is the router I have no access to. If I did, I would simply add a static route to 10.172.40.0 via 10.1.1.40 (R2).      In the diagram, the PC behind the FW1 is able to communicate to 10.90.0.50 because FW1 has a route to R3 and it NAT's internally to 10.1.1.112 (The PC is at 192.168.2.1). R3 is a Jasper managed router, and I have requested whether a static route could be added but have yet to hear back. If they can not do this, my remaining options are not good short of figuring out how to send to 10.90.0.50 with a source of 10.1.1.45   BTW 10.90.0.50 can ping any device on 10.1.1.0/24 subnet, but nothing else. It is my understanding (or assumption) R3 is doing VTI with dynamic routing but only advertising the one subnet, so devices on 10.90.0.0 only could ever pass traffic to 10.1.1.0.  ... View more

Rahul, thanks for your reply. I did a debug platform and got the following: ASA5525# IKEv2-PLAT-2: (1506): Decrypt success status returned via ipc 1 IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 1 peer doesn't match map entry IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 4 is incomplete IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 5 peer doesn't match map entry IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 8 is incomplete IKEv2-PLAT-2: (1506): Crypto map OUTSIDE_MAP seq 21 is incomplete IKEv2-PLAT-2: (1506): PROXY MATCH on crypto map OUTSIDE_MAP seq 22 IKEv2-PLAT-1: (1506): Rejecting child SA with the same traffic selectors as existing child SA - local protocol: 0 local selector: 10.x.x.x/0 - 10.x.x.x/65535 remote protocol: 0 remote selector: 10.xy.xy.xy/0 - 10.xy.xy.xy/65535 IKEv2-PLAT-2: (1506): Encrypt success status returned via ipc 1 IKEv2-PLAT-3: (1506): SENT PKT [CREATE_CHILD_SA] [3x.xx.xx.xx]:500->[Sxxxyyy]:500 InitSPI=0x5062c9323081e4c0 RespSPI=0x5c10eb1d17fb53dc MID=00000007 IKEv2-PLAT-2: (1506): Encrypt success status returned via ipc 1 IKEv2-PLAT-3: (1506): SENT PKT [INFORMATIONAL] [3x.xx.xx.xx]:500->[ S xxxyyy ]:500 InitSPI=0x5062c9323081e4c0 RespSPI=0x5c10eb1d17fb53dc MID=000000ad IKEv2-PLAT-2: (1506): Decrypt success status returned via ipc 1   So far this has happened twice, this second time it was up for about 9 days without issue. (IKEv2 configured lifetime is 24 hours). The above debug in bold had me somewhat confused, specifically "existing child SA".  I checked isakmp and found I did have an SA. Once I cleared that (clear crypto ikev2 sa 6x.xx.xx.xx) the tunnel comes up, both IKE and IPSEC. Now however I am still not getting any traffic response from the remote end device. However debug on IKEv2 protocal no longer shows the initial failures, specifically the "Packet is missing KE payload".     So I am a few steps forward at least  ... View more