
crypto ipsec profile command missing for IKEv2 VTI VPN

wesley_johns

I have a 5506 with 9.8 (device 1). If I issue crypto ipsec ?, profile is not an option. This command appears to be needed for IKEv2 VTI to Azure route-based VPN. Device 2 does show the option with the same command. I cannot tell what feature set device 1 is missing. Any hints appreciated.
 
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec profile “some name”
 
device 1
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 5 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
Encryption-DES : Enabled perpetual
Encryption-3DES-AES : Enabled perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 12 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Cluster : Disabled perpetual
This platform has a Base license.
 
Device 2
Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 150            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 300            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 300            perpetual
Total VPN Peers                   : 300            perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 1000           perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual
VPN Load Balancing                : Enabled        perpetual

3 Replies

In ASA you don't use ipsec profile for IKEv2. This is used in IOS IKEv2.

According to this Cisco article you do: "Configure ASA IPsec VTI Connection to Azure"

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/214109-configure-asa-ipsec-vti-connection-to-az.html


One device has the command and the other does not. I am assuming it is some license feature that explains the difference.

wes

I bumped into the same problem and the answer is: you don't have crypto ipsec profile on a context.

A careful read of https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-vti.html has 2 tiny lines:

Context Mode

Supported in single mode only.

Hope it helps.
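
Added example, not taken from any reply above and not Cisco's own configuration: the context-mode check the last reply points to, followed by where `crypto ipsec profile` sits in an ASA IKEv2 VTI configuration. The names AZURE-PROFILE, vti-azure and Tunnel1, the interface name outside, the documentation-range addresses and the key placeholder are assumptions; an IKEv2 policy is assumed to be configured and enabled on outside already.

```cisco
! VTI is documented as "Supported in single mode only", so check the
! context mode before looking for the profile command.
show mode

configure terminal
!
! IPsec proposal from the original post.
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! The profile ties the proposal to the tunnel interface.
! AZURE-PROFILE is a placeholder name.
crypto ipsec profile AZURE-PROFILE
 set ikev2 ipsec-proposal AZURE-PROPOSAL
!
! Tunnel interface protected by the profile.
! 169.254.225.0/30 and 203.0.113.10 are placeholder addresses.
interface Tunnel1
 nameif vti-azure
 ip address 169.254.225.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AZURE-PROFILE
!
! Peer authentication for the remote gateway (placeholder key).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <pre-shared-key>
 ikev2 local-authentication pre-shared-key <pre-shared-key>
!
! Route the remote network (placeholder prefix) over the tunnel.
route vti-azure 10.1.0.0 255.255.0.0 169.254.225.2
```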