site-2-site VPN between Cisco IOS and PaloAlto VPN device

cciesec2011 (Level 3)

I have a problem with a site-to-site IKEv2 VPN between Cisco IOS c2900-universalk9-mz.SPA.151-4.M10.bin and PaloAlto VPN version 8.1.11. I even tried to upgrade to IOS version c2900-universalk9-mz.SPA.157-3.M5.bin without much luck. The case is being looked at by Cisco TAC, but I am not keeping my hopes up. One interesting thing is that this scenario works perfectly with IKEv1.

 

The IKEv2 VPN works fine between Cisco ASA version 9.1(7)29 and PaloAlto VPN version 8.1.11.

 

Anyone able to get IKEv2 working between Cisco IOS and PaloAlto VPN devices?

 

5 Replies

NetEng0424 (Level 1)

You should post your sanitized IKEv2 configs for both devices. The configurations between the ASA and IOS CLI differ, and there may be something that was missed. 


@NetEng0424 wrote:

You should post your sanitized IKEv2 configs for both devices. The configurations between the ASA and IOS CLI differ, and there may be something that was missed. 


Well, I sent the configuration to Cisco TAC and they looked at it and confirmed that the configuration on the IOS is good. The configuration was verified by two different TAC engineers.

 

If you can't trust TAC, who can you trust?  But here it is:

 

crypto ikev2 proposal CCIESEC
 encryption aes-cbc-256
 integrity sha256
 group 20
!
crypto ikev2 policy CCIESEC
 proposal CCIESEC
!
crypto ikev2 keyring CCIESEC
 peer CCIESEC
  address 1.1.1.1 --> Palo Alto VPN Peer
  pre-shared-key cciesec
!
crypto ikev2 profile CCIESEC
 match identity remote address 1.1.1.1 255.255.255.255 --> Palo Alto VPN Peer
 authentication local pre-share
 authentication remote pre-share
!
crypto isakmp keepalive 10
!
crypto ipsec transform-set tset esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1 --> Palo Alto VPN Peer
 set transform-set tset
 set pfs group20
 set ikev2-profile CCIESEC
 match address vpn
!
ip access-list extended vpn
 permit ip host 192.168.2.1 host 192.168.1.1
!
interface Loopback0
 ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 2.2.2.1 255.255.255.0
 load-interval 30
 duplex auto
 speed auto
 crypto map vpn

One thing I see here is that you did not apply your keyring to the IKEv2 profile. Also, I would recommend moving away from a crypto map on the physical interface to an SVTI with an IPsec profile. I have seen bugs in the past (mostly on the ASA) using crypto maps with FlexVPN. Let me know if this helps.

 

 


@NetEng0424 wrote:

One thing I see here is that you did not apply your keyring to the IKEv2 profile. Also, I would recommend moving away from a crypto map on the physical interface to an SVTI with an IPsec profile. I have seen bugs in the past (mostly on the ASA) using crypto maps with FlexVPN. Let me know if this helps.

 

 


It is there. I left it out during the cut and paste. I have multiple customers on this IOS router with crypto maps, so moving it to an SVTI with an IPsec profile requires a lot of work and I don't have the bandwidth to do it at the moment.

Could you post the output from "debug crypto ikev2"? 
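For readers following the thread, here is what the two suggestions above (keyring applied to the IKEv2 profile, crypto map replaced by an SVTI with an IPsec profile) look like as an IOS configuration. This is an added example, not the poster's config or anything from TAC; it reuses the names and peer address from the thread, and the tunnel addressing (10.255.255.0/30), the profile name CCIESEC-IPSEC and the remote LAN route are constructed for illustration.

```cisco
crypto ikev2 proposal CCIESEC
 encryption aes-cbc-256
 integrity sha256
 group 20
!
crypto ikev2 policy CCIESEC
 proposal CCIESEC
!
crypto ikev2 keyring CCIESEC
 peer CCIESEC
  address 1.1.1.1
  pre-shared-key cciesec
!
crypto ikev2 profile CCIESEC
 match identity remote address 1.1.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 ! the line the thread says was missing from the pasted config:
 keyring local CCIESEC
!
! IKEv2 liveness is configured here; "crypto isakmp keepalive" only covers IKEv1
crypto ikev2 dpd 10 2 periodic
!
crypto ipsec transform-set tset esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! the IPsec profile replaces the crypto map entry (name is constructed)
crypto ipsec profile CCIESEC-IPSEC
 set transform-set tset
 set pfs group20
 set ikev2-profile CCIESEC
!
! route-based SVTI; no crypto map and no crypto ACL on Gi0/1
interface Tunnel0
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CCIESEC-IPSEC
!
! interesting traffic is now selected by routing, not by an ACL
ip route 192.168.1.0 255.255.255.0 Tunnel0
```

With an SVTI the IOS side proposes 0.0.0.0/0 traffic selectors, which lines up with a Palo Alto tunnel that has no proxy IDs configured; with the crypto map above, the Palo Alto proxy ID must match the ACL's host/host selectors exactly or the IKEv2 child SA will be rejected, which is worth checking in the "debug crypto ikev2" output requested above.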
