IPSec Profile

MrBeginner

Dear All,

Let me know which of the two configuration types below is the best practice for an IPsec profile.

I saw this message in a Cisco ebook: "Each policy has a unique priority number assigned to it. The peers must share at least one common policy to allow for successful secure communication." Does that mean I need to use a unique policy for all tunnels (DMVPN, PtP)? Does that mean for the remote site?

crypto ikev2 policy IPSec 
proposal proposal
!

crypto ikev2 profile profile
description IKEv2 profile
match certificate CERT-MAP
identity local dn 
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca

OR

crypto ikev2 policy IPSec
match address local x.x.x.x
proposal proposal
!

crypto ikev2 profile profile
description IKEv2 profile
match identity remote address x.x.x.x
identity local address x.x.x.x
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca

1 Accepted Solution


18 Replies

You need to use the 1st one. The 2nd will generate errors as the certificate name (cn) will be different from the identity in the message. In the 1st one, use fqdn instead of dn.

Hi,
Let me know: if I have one router with two WAN links, I need to run two different tunnels. Do I need to create one policy and two different profiles, or can I use a shared profile?

Do you want me to change it as below?

 

crypto ikev2 profile DMVPN-PROF
match certificate CERT-MAP
identity local fqdn cbtme-hub.crypto.local
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca

Hi,

I love Cisco VPN technology because if you have multiple VPN connections then you can share Phase 1 with all VPN connections, meaning you need only one Phase 1 policy.

IKEv2 also offers Phase 2 as a shared profile. You can use a single Phase 2 policy for all VPN connections.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Hi,
Let me know the difference between the commands below (pros and cons), because if I put fqdn, Phase 2 doesn't work and the tunnel is down. When I remove local dn, it is working now. Which one is the better way?

crypto ikev2 profile DMVPN-PROF
match certificate CERT-MAP
identity local fqdn cbtme-hub.crypto.local
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca

OR
crypto ikev2 profile DMVPN-PROF
match certificate CERT-MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca

Hi,

crypto ikev2 profile DMVPN-PROF
match certificate CERT-MAP
identity local fqdn cbtme-hub.crypto.local
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca

 

This offers local and remote identity authentication, which adds an additional level of authentication and profile verification. If you have multiple VPNs with multiple vendors then it is recommended. You may add one more command for verifying two-way identity: "match identity remote fqdn ....."

 

And 

 

crypto ikev2 profile DMVPN-PROF
match certificate CERT-MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca

 

This is a simple profile without a remote or local identity. 

 

Regards,

Deepak Kumar


Hi,
Thanks, but if I use two-way identity ("match identity remote fqdn ....." or "identity local fqdn ....."), Phase 2 doesn't work. It cannot authenticate. Could it be a certificate template error? Should I use multiple profiles (1, 2, etc.)?

Hi,

Have you enabled the identity on remote site as well?

Please share the configuration from both ends and the error message.

 

Regards,

Deepak Kumar


Hi,
Please see the attachment below and the error message. Can I use the match identity remote command in DMVPN?
And I always see "insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb":
*Feb 20 15:16:56.803: %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of cbtme-hub.crypto.local (type 2) and certificate fqdn with cbtme-spoke1.crypto.local

 

Hi,
Yes, you can use multiple Phase 1 and Phase 2.

Regards,
Deepak Kumar

Hi,

The fqdn (fully qualified domain name) provided by the VPN peer doesn't match the one stated on the digital certificate.

 

Regards,

Deepak Kumar

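What Deepak Kumar's two profile shapes, MrBeginner's %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH log line and the reply explaining it all turn on is one check: a peer that authenticates with rsa-sig and sends an FQDN identity has that FQDN compared with the name in its own certificate, so every router's identity local fqdn must be its own certificate name. The logged pairing of the hub's name as the ID with a certificate issued to spoke1 is consistent with the hub's identity line having been pasted into the spoke profile unchanged. The hub and spoke configuration below is an added example written for this page; it is not configuration from any post in the thread or from Cisco. The names DMVPN-PROF, CERT-MAP, my-ca, cbtme-hub.crypto.local and cbtme-spoke1.crypto.local come from the thread; the proposal, policy, transform-set and IPsec profile names, the enrollment URL placeholder, the subject names, the certificate-map rule and the use of domain crypto.local in match identity remote are assumptions.

```cisco
! ===== HUB (cbtme-hub.crypto.local) =====
! Trustpoint: the 'fqdn' line puts the router's own name into the certificate
! request (subjectAltName dNSName); that is the name an FQDN IKE identity is
! checked against. Enrollment URL is a placeholder.
crypto pki trustpoint my-ca
 enrollment url http://CA-SERVER-PLACEHOLDER:80
 fqdn cbtme-hub.crypto.local
 subject-name CN=cbtme-hub.crypto.local
 revocation-check none
!
! Certificate map (assumed rule): only certificates whose subject contains
! crypto.local are acceptable to the profile below.
crypto pki certificate map CERT-MAP 10
 subject-name co crypto.local
!
! One proposal and one policy shared by every tunnel on the router (assumed
! names). A policy with no 'match' statements applies to all local addresses,
! so DMVPN and point-to-point tunnels can all use it.
crypto ikev2 proposal DMVPN-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy DMVPN-POL
 proposal DMVPN-PROP
!
crypto ikev2 profile DMVPN-PROF
 match certificate CERT-MAP
 ! Two-way identity: spokes must present an FQDN ID inside crypto.local.
 ! On IOS, 'match identity remote' and 'match certificate' are treated as the
 ! same match type and ORed, so the certificate map does the real restricting;
 ! the peer's FQDN ID is still checked against its certificate independently.
 match identity remote fqdn domain crypto.local
 ! The local ID must be THIS router's certificate name. A spoke carrying the
 ! hub's name here is what the thread's NO_ID_CERT_FQDN_MATCH line reports.
 identity local fqdn cbtme-hub.crypto.local
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint my-ca
 dpd 30 5 on-demand
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-IPSEC
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-PROF
!
! ===== SPOKE 1 (cbtme-spoke1.crypto.local) =====
! Same proposal, policy, certificate map, transform-set and IPsec profile as
! the hub; only the identity-related lines differ.
crypto pki trustpoint my-ca
 enrollment url http://CA-SERVER-PLACEHOLDER:80
 fqdn cbtme-spoke1.crypto.local
 subject-name CN=cbtme-spoke1.crypto.local
 revocation-check none
!
crypto ikev2 profile DMVPN-PROF
 match certificate CERT-MAP
 ! The spoke pins the hub's exact FQDN rather than the whole domain.
 match identity remote fqdn cbtme-hub.crypto.local
 ! Spoke's own certificate name, never the hub's.
 identity local fqdn cbtme-spoke1.crypto.local
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint my-ca
 dpd 30 5 on-demand
```

After the tunnel comes up, show crypto ikev2 sa detailed on either router lists the Local id and Remote id that were actually negotiated; if either side shows a name that is not that router's own certificate name, the identity local fqdn line on that side is the one to fix.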

Can you post debugs?

Hi,

Please see the attachment below for the debug.

Feb 20 16:44:31.927: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.100.2 (Tunnel1) is down: holding time expired
Cbtme-Hub#
*Feb 20 16:44:35.315: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110.110.1, prot=50, spi=0x88D51ED5(2295668437), srcaddr=120.120.120.1, input interface=FastEthernet0/0
Cbtme-Hub#
*Feb 20 16:44:36.735: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.100.2 (Tunnel1) is up: new adjacency

Create a loopback interface and use it as the tunnel source. In this case you don't need to worry about WAN links; they will be load balanced by routing. You can NAT the tunnel source at both WAN links (nat outside) and have nat inside on the loopback interface.

If I use a loopback interface, do I need to use a loopback at every site? My sites don't have NAT. We don't need to use the internet; I use static routes. Can I use a loopback interface at the hub site only? A loopback interface for one tunnel?
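The loopback-as-tunnel-source design suggested above, worked through as an added example for this page (it is not configuration from any post in the thread, and not Cisco's). It reuses the hub WAN address 110.110.110.1, the spoke WAN address 120.120.120.1, the tunnel subnet 192.168.100.0/24 and EIGRP AS 10 that appear in the thread's log lines, and adds assumed values: a second hub link at 111.111.111.1, next hops ending in .254, a hub loopback 10.255.255.1, NHRP network-id and tunnel key 10, and an IPsec profile named DMVPN-IPSEC bound to the thread's DMVPN-PROF IKEv2 profile. In this design the spoke keeps sourcing its tunnel from its WAN interface, so only the hub needs the loopback, and there is no NAT anywhere, which matches the static-routing, no-internet case.

```cisco
! ===== HUB =====
! The loopback is the only tunnel source; it stays up when either WAN link
! fails, so IKEv2/IPsec SAs are keyed to one address instead of one per link.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
interface FastEthernet0/0
 description WAN-1 (address taken from the thread's log)
 ip address 110.110.110.1 255.255.255.0
!
interface FastEthernet0/1
 description WAN-2 (assumed second link)
 ip address 111.111.111.1 255.255.255.0
!
interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 ip nhrp network-id 10
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 10
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile DMVPN-IPSEC
!
router eigrp 10
 network 192.168.100.0 0.0.0.255
!
! Two equal-cost static routes to the spoke's WAN address, one per WAN link.
! CEF load-shares hub-to-spoke IPsec packets across both; the tunnel never
! notices which link carried a packet because its source is the loopback.
ip route 120.120.120.1 255.255.255.255 110.110.110.254
ip route 120.120.120.1 255.255.255.255 111.111.111.254
!
! ===== SPOKE 1 =====
! No loopback needed here: the single WAN interface is the tunnel source, and
! the tunnel destination is the hub loopback, not one of the hub's WAN addresses.
interface FastEthernet0/0
 ip address 120.120.120.1 255.255.255.0
!
interface Tunnel1
 ip address 192.168.100.2 255.255.255.0
 ip nhrp network-id 10
 ip nhrp map 192.168.100.1 10.255.255.1
 ip nhrp map multicast 10.255.255.1
 ip nhrp nhs 192.168.100.1
 tunnel source FastEthernet0/0
 tunnel destination 10.255.255.1
 tunnel key 10
 tunnel protection ipsec profile DMVPN-IPSEC
!
router eigrp 10
 network 192.168.100.0 0.0.0.255
!
! The hub loopback must be reachable through the transport network. With one
! spoke uplink that is a single static route to the spoke's gateway; the routers
! between spoke and hub need their own routes to 10.255.255.1 via both hub WAN
! addresses, otherwise spoke-to-hub traffic only ever uses one of the links.
! Keep 10.255.255.1 out of the EIGRP network statements so the tunnel
! destination is never learned through the tunnel itself (recursive routing).
ip route 10.255.255.1 255.255.255.255 120.120.120.254
```

The %CRYPTO-4-RECVD_PKT_INV_SPI messages in the debug above are what a hub with two WAN addresses produces when SAs were built toward one address and packets arrive for the other; sourcing the tunnel from a single loopback address removes that mismatch, and show crypto ipsec sa on the hub should then list 10.255.255.1 as the local address of every SA.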