IKEv2 L2L IPsec not coming up

Warren
Level 1

Good morning All,

I have been looking at this all morning now and am at a loss. I am trying to configure an IKEv2 L2L IPsec tunnel, but when I send interesting traffic the tunnel doesn't even attempt to come up. The tunnel terminates on my ASA5520 running Cisco Adaptive Security Appliance Software Version 8.4(7)30, Device Manager Version 6.4(9). My config is as follows:


object network Seed.Peer
host 38.14.65.15

object-group network Seed-Local-host
network-object 10.16.10.0 255.255.255.0

object-group network Seed-Remote-host
network-object 10.50.10.0 255.255.255.128
network-object 10.60.10.0 255.255.255.128

object-group network Seed-PAT
network-object 10.77.0.112 255.255.255.248

object-group network GW-Seed-Nat
network-object 10.16.10.73 255.255.255.255

object-group network Seed-NAT
network-object 10.77.0.113 255.255.255.255

access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-Local-host object-group Seed-Remote-host

access-list SEED-VPN extended permit ip object-group Seed-Local-host object-group Seed-Remote-host
access-list SEED-VPN extended permit ip host 38.14.65.15 host 207.12.15.10

nat (INSIDE,OUTSIDE) source dynamic GW-Seed-Nat Seed-NAT destination static Seed-Remote-host Seed-Remote-host

group-policy SEED internal
group-policy SEED attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value SEED-VPN
vpn-tunnel-protocol ikev2

crypto map OUTSIDE_map 4 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 4 set peer 38.14.65.15
crypto map OUTSIDE_map 4 set ikev2 ipsec-proposal ikev2-proposal DES 3DES AES AES192 AES256

tunnel-group 38.14.65.15 type ipsec-l2l
tunnel-group 38.14.65.15 general-attributes
default-group-policy SEED
tunnel-group 38.14.65.15 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

crypto ikev2 policy 50
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28800

crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5

I don't see what I am doing wrong at the moment; any guidance or help would be greatly appreciated.

Thank you in advance!!!

Warren

Accepted Solution

Hi,
You've defined the Seed-Local-host object in the crypto map ACL, but in the NAT rule you are NATting behind the Seed-NAT object, therefore the other VPN peer would expect traffic from the NAT IP address. You would need to modify the OUTSIDE_cryptomap_2 ACL and include the Seed-NAT IP address.

HTH

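The mismatch the accepted answer points out can be checked mechanically. The script below is an added example and is not code from the thread or from Cisco: it parses the object, object-group, nat and access-list lines of a constructed ASA 8.4 config fragment modelled on the poster's objects (the crypto ACL first as posted, then with the Seed-NAT entry the answer suggests) and reports every post-NAT source/destination pair that no crypto-ACL entry covers. The assumption it encodes is that ASA 8.3+ applies NAT before the crypto-map match on egress, so a crypto ACL written for pre-NAT addresses never selects the translated packets and the tunnel is never triggered.

```python
"""Check that an ASA crypto-map ACL matches traffic *after* NAT (added example)."""
import ipaddress
import re

# Constructed config fragment modelled on the poster's objects (not a real device dump).
BROKEN_CONFIG = """
object network Seed.Peer
host 38.14.65.15
object-group network Seed-Local-host
network-object 10.16.10.0 255.255.255.0
object-group network Seed-Remote-host
network-object 10.50.10.0 255.255.255.128
network-object 10.60.10.0 255.255.255.128
object-group network GW-Seed-Nat
network-object 10.16.10.73 255.255.255.255
object-group network Seed-NAT
network-object 10.77.0.113 255.255.255.255
access-list OUTSIDE_cryptomap_2 extended permit ip object-group Seed-Local-host object-group Seed-Remote-host
nat (INSIDE,OUTSIDE) source dynamic GW-Seed-Nat Seed-NAT destination static Seed-Remote-host Seed-Remote-host
"""

# Same fragment with the crypto ACL also permitting the NAT address, as the answer suggests.
FIXED_CONFIG = BROKEN_CONFIG + (
    "access-list OUTSIDE_cryptomap_2 extended permit ip "
    "object-group Seed-NAT object-group Seed-Remote-host\n"
)


def parse(config):
    """Return (groups, nat_rules, acls) from the subset of ASA syntax used above.

    groups: name -> list of ip_network objects (object network and object-group network)
    nat_rules: list of (real_src, mapped_src, real_dst, mapped_dst) group names
    acls: acl name -> list of (src_group, dst_group) permit-ip entries
    """
    groups, nats, acls = {}, [], {}
    current = None
    for line in config.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"object(?:-group)? network (\S+)$", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"host (\S+)$", line)
        if m and current is not None:
            current.append(ipaddress.ip_network(m.group(1)))
            continue
        m = re.match(r"network-object (\S+) (\S+)$", line)
        if m and current is not None:
            # ipaddress accepts dotted netmask notation: 10.16.10.0/255.255.255.0
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        m = re.match(r"nat \(\S+\) source \w+ (\S+) (\S+) destination static (\S+) (\S+)", line)
        if m:
            nats.append(m.groups())
            continue
        m = re.match(r"access-list (\S+) extended permit ip object-group (\S+) object-group (\S+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return groups, nats, acls


def uncovered_flows(config, acl_name):
    """Return (post-NAT source, destination) pairs that no entry of acl_name covers.

    A NAT rule's mapped source/destination is what the crypto map sees on egress,
    so each mapped pair must fall inside some src/dst pair of the crypto ACL.
    """
    groups, nats, acls = parse(config)
    entries = [(s, d) for src, dst in acls.get(acl_name, [])
               for s in groups[src] for d in groups[dst]]
    missing = []
    for _real_src, mapped_src, _real_dst, mapped_dst in nats:
        for src in groups[mapped_src]:
            for dst in groups[mapped_dst]:
                if not any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries):
                    missing.append((str(src), str(dst)))
    return missing


if __name__ == "__main__":
    for label, cfg in (("as posted", BROKEN_CONFIG), ("with Seed-NAT added", FIXED_CONFIG)):
        gaps = uncovered_flows(cfg, "OUTSIDE_cryptomap_2")
        print(f"{label}: {'OK' if not gaps else 'post-NAT flows not in crypto ACL: ' + str(gaps)}")
```

With the ACL as posted the script reports 10.77.0.113/32 to both remote /25s as uncovered, which is exactly why interesting traffic never brings the tunnel up; with the Seed-NAT entry added it reports nothing. The converse design is also valid: if the remote peer expects the real 10.16.10.x addresses instead, the fix is an identity NAT that exempts VPN traffic from translation rather than a wider crypto ACL, but either way the crypto ACL and the NAT rule must describe the same post-NAT addresses.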

7 Replies


Oh my, if it was a snake it would have bit me in the behind!!!!! Thank you sir, the tunnel isn't up yet but at least now I see phase 1 activated, which is a lot better from where I started. Let me see what is going on and let you know, but thank you for now RJI!!!!!

Just an update: phase 1 and phase 2 are up and the distant end has verified the tunnel is up, but I cannot ping across. At least we got the tunnel up. Thank you again for your help!!!

Glad to hear it's working

If the other device is also an ASA and you are pinging the inside interface over the tunnel you will need to add the command "management-access inside".

HTH

Hmm, ok, let me find out what he is terminating his tunnel on, and if it is an ASA like you said I will add that "management-access inside".

Just in case, where do I need to add this "management-access inside"?

Never mind, I got it, thank you!!
