829 router to spoke ikev2

Hawk-on
Level 1

Hi

We are trying to implement a spoke structure for a service we want to provide, but for it to have acceptable levels of security we want to use ikev2 in our configurations.

What I am struggling with now is the ikev2 tunnel configuration on the 829 Router. When I do a check “show crypto session”, the session status shows “down”, but I am expecting “negotiating”.

I do not have much (any) experience in VPN configurations, but I hope I get some pointers to where my configuration is missing something important which I have overlooked.


2 Accepted Solutions

Hi

Sent an updated config. I changed the IP addresses of the peer in the previous config as I thought it was not relevant to the problem.

The interface you are referring to might have been a "trial and error" attempt from me to make something more than nothing happen.

The peer is a Cisco 1120 FTD on Firepower. Also a picture of the endpoints tab in the configuration.


It still looks like you have NAT configured on the router.

interface Cellular0
 no ip nat outside
interface Vlan1
 no ip nat inside
no ip nat inside source list 101 interface Cellular0 overload


18 Replies

Hi @Hawk-on 

Is this network 182.18.0.0/255.255.0.0 correct? Your internal network is 172.18.207.0 and you don't appear to have a static route to 182.18.0.0, so it doesn't appear to be the local network. Is 182.18.0.0 a typo?


As you are using a policy based VPN, you should check the ACL is also correct on the peer devices.


If you have a lot of spokes, you should consider a route based VPN (FlexVPN) using dynamic VTIs.

Hi

Yes, that would be a typo. Thanks.

ACL is now re-checked and fixed on both peer and local device.

Still no change in the tunnel status.

Also, what would "a lot of spokes" mean in numbers? 5-10-20-50 sites?

 

Hi,

You are using ipsec-manual instead of ipsec-isakmp.

Remove your crypto map, change to crypto map map-1 1 ipsec-isakmp, then apply it to the interface again.

As Rob said, go to FlexVPN with spoke provisioning for more than 10 sites.

***** please remember to rate useful posts

Hi,


Thanks. Did change as you suggested.

IPsec still won't attempt to negotiate.

But got this in the log now: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

crypto map map-1 local-address Cellular0
crypto map map-1 1 ipsec-isakmp
 set peer 192.168.10.10
 set transform-set T-set
 set ikev2-profile prof-1
 match address 100

interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer-group 1
 ipv6 address autoconfig
 crypto map map-1

Thanks for the input

Hi,

Share the output of 'debug crypto ikev2' to see where it's getting stuck.
Also, as Rob suggested, if everything is going through the tunnel, remove the NAT statement from the outside interface to ensure that you are not hitting NAT.

***** please remember to rate useful posts

Your crypto ACL has set the destination network as 0.0.0.0/0.0.0.0 and you have NAT configured as well. It looks like all traffic would be tunneled over the VPN and NATted behind the outside interface. What is the configuration of the VPN of the peer?

Turn on IKEv2 debugs, generate some traffic from the network defined in the crypto ACL and provide the output for review.


It depends, I'd personally implement a route based VPN for all sites. Regardless, Cisco considers a Policy Based VPN (crypto map) as legacy and recommends using a Route based VPN.

Hi thanks for your reply

Yes, I want all traffic to be sent through the IPsec; is this not the correct way to do that?

I did add the line for route-map group "no-nat", which might be the cause here? See config snippet below.

How do I enable the IKEv2 debug logging?

The peer configuration is not relevant at this point, as the 829 doesn't even attempt to contact the peer. I can see no traffic from the router to the peer. I can ping the peer from the router and it responds to my pings, and I also see that in the peer packet capture. But I am unable to find any UDP or TCP 500 packets in any captures.

Also, I will look into FlexVPN.

route-map no-nat permit 10
 match ip address 100
ip nat inside source route-map no-nat interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular 0

Again, thanks so far

If all traffic is being tunneled there is no need for the nat configuration, remove the nat configuration from the interfaces, turn on ikev2 debugs and generate some traffic from the inside networks and upload the output for review. Also provide the output of "show crypto ikev2 sa".


Aside from that, what is the configuration of the peer device?
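The two configuration faults raised in this thread (a crypto map entry that is ipsec-manual rather than ipsec-isakmp, so IKE is never started, and NAT overload on the same interface that carries the crypto map, so interesting traffic is translated before the crypto ACL can match it) can both be caught by a config lint before the router is deployed. The following script is an added example, not code from the thread or from Cisco: `parse_ios`, `lint` and the `IosConfig` container are my own names, and the two sample configs are constructed from the snippets posted above (the "broken" one pairs the original ipsec-manual entry with the route-map NAT, the "fixed" one with the NAT removed as the accepted answer suggests). It also flags the route-map case: in IOS a `permit` clause in a route-map referenced by `ip nat inside source route-map` selects traffic for translation, so a route-map named "no-nat" that permits the crypto ACL NATs the VPN traffic instead of exempting it.

```python
"""Added example (not from the thread or from Cisco): lint an IOS-style
config for an ipsec-manual crypto map and for NAT on the crypto map
interface. Sample configs are constructed from the thread's snippets."""
import re
from dataclasses import dataclass, field


@dataclass
class IosConfig:
    crypto_maps: dict = field(default_factory=dict)  # (name, seq) -> {"mode", "acl"}
    interfaces: dict = field(default_factory=dict)   # name -> list of child lines
    nat_sources: list = field(default_factory=list)  # parsed 'ip nat inside source' lines
    route_maps: dict = field(default_factory=dict)   # name -> [(action, acl), ...]


def parse_ios(text):
    """Minimal parser: top-level commands open a block, one-space-indented lines are children."""
    cfg, block = IosConfig(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            child = line.strip()
            if block is None:
                continue
            kind, key = block
            if kind == "interface":
                cfg.interfaces[key].append(child)
            elif kind == "crypto-map":
                m = re.match(r"match address (\S+)", child)
                if m:
                    cfg.crypto_maps[key]["acl"] = m.group(1)
            elif kind == "route-map":
                m = re.match(r"match ip address (\S+)", child)
                if m:
                    name, action = key
                    cfg.route_maps[name].append((action, m.group(1)))
            continue
        block = None
        m = re.match(r"interface (\S+)$", line)
        if m:
            cfg.interfaces.setdefault(m.group(1), [])
            block = ("interface", m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) (ipsec-isakmp|ipsec-manual)", line)
        if m:
            key = (m.group(1), int(m.group(2)))
            cfg.crypto_maps[key] = {"mode": m.group(3), "acl": None}
            block = ("crypto-map", key)
            continue
        m = re.match(r"route-map (\S+) (permit|deny) \d+", line)
        if m:
            cfg.route_maps.setdefault(m.group(1), [])
            block = ("route-map", (m.group(1), m.group(2)))
            continue
        m = re.match(r"ip nat inside source (list|route-map) (\S+) interface (\S+)", line)
        if m:
            cfg.nat_sources.append({"kind": m.group(1), "ref": m.group(2), "interface": m.group(3)})
    return cfg


def lint(cfg):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for (name, seq), entry in cfg.crypto_maps.items():
        if entry["mode"] == "ipsec-manual":
            findings.append(f"crypto map {name} {seq}: ipsec-manual uses static keys, so no IKE "
                            "negotiation is ever started; use ipsec-isakmp")
    for ifname, children in cfg.interfaces.items():
        bound = [c.split()[2] for c in children if c.startswith("crypto map ")]
        if not bound:
            continue
        crypto_acls = {e["acl"] for (n, _), e in cfg.crypto_maps.items() if n in bound}
        nat_here = [n for n in cfg.nat_sources if n["interface"] == ifname]
        if nat_here and "ip nat outside" in children:
            findings.append(f"{ifname}: carries the crypto map and is the NAT overload interface; "
                            "if all traffic is tunnelled, remove the NAT configuration")
        for nat in nat_here:
            if nat["kind"] == "route-map":
                for action, acl in cfg.route_maps.get(nat["ref"], []):
                    if action == "permit" and acl in crypto_acls:
                        findings.append(f"{ifname}: route-map {nat['ref']} permits crypto ACL {acl} "
                                        "into NAT, so VPN traffic is translated, not exempted")
    return findings


# Constructed from the thread's snippets (not a full router config).
BROKEN_CONFIG = """\
crypto map map-1 1 ipsec-manual
 set peer 192.168.10.10
 match address 100
route-map no-nat permit 10
 match ip address 100
ip nat inside source route-map no-nat interface Cellular0 overload
interface Cellular0
 ip address negotiated
 ip nat outside
 crypto map map-1
interface Vlan1
 ip nat inside
"""

FIXED_CONFIG = """\
crypto map map-1 1 ipsec-isakmp
 set peer 192.168.10.10
 set ikev2-profile prof-1
 match address 100
interface Cellular0
 ip address negotiated
 crypto map map-1
interface Vlan1
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(parse_ios(text)) or ["no findings"])
```

Running it prints three findings for the broken config and none for the fixed one; the parser only understands the handful of commands the checks need, so extend the regexes before pointing it at a full running-config.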

Cisco-829(config)#do show crypto ikev2 sa
Cisco-829(config)#

Hi,

This is the output you requested (that's it, really).

How do I turn on IKEv2 debugs? This is unknown to me.

I have modified the NAT configuration.

And what would the configuration of the peer do to stop the "attempt" at negotiation? Nothing related to the IPsec is leaving the 829 unit's network interface.

Use the commands:

debug crypto ikev2 packet and debug crypto ikev2 internal

You are generating interesting traffic from the source network defined in the ACL, right? A Policy Based VPN won't establish a tunnel automatically.

The configuration of the peer could be set to initiate a tunnel only, so it would never respond if you generated traffic from the 829. Without seeing both configurations it's hard to tell what you have configured.

Thank you,


#noob speaking. How do I show the "log buffer"? When I do a show log I know there are 200 debugging log entries, but they don't show up in the show log command; only the console logs are "viewable".

How do I show the debug "buffered" log?

Cisco-829#show log
Syslog logging: enabled (5 messages dropped, 8 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 54 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 200 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: enabled
    Persistent logging: disabled

And yes, I am generating traffic.

The debugs should be displayed on the console by default, you could just copy and paste. It looks like the command 'logging buffered' is enabled, so I'd have thought you should see the output from the show logging command.

Refer to this link for more information:

https://www.cisco.com/c/en/us/support/docs/dial-access/integrated-services-digital-networks-isdn-channel-associated-signaling-cas/10374-debug.html

Hi


This is the entire output of the show logging command. As you can see, there are no debugs listed.

Cisco-829#show logging
Syslog logging: enabled (5 messages dropped, 8 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 55 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 201 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (8192 bytes)
    Count and timestamp logging messages: enabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 194 message lines logged
        Logging to 172.18.241.99  (udp port 514, audit disabled,
              link up),
              45 message lines logged,
              0 message lines rate-limited,
              0 message lines dropped-by-MD,
              xml disabled, sequence number disabled
              filtering disabled
        Logging Source-Interface:       VRF Name:

Log Buffer (8192 bytes):

%SYS-5-LOGGING_START: Logging enabled - CLI initiated

%SYS-5-LOG_CONFIG_CHANGE: Console logging disabled
%SYS-5-CONFIG_I: Configured from console by console
%SYS-5-LOG_CONFIG_CHANGE: Console logging: level debugging, xml disabled, filtering disabled
%SYS-5-CONFIG_I: Configured from console by console
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%SYS-5-CONFIG_I: Configured from console by console
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
%SYS-5-CONFIG_I: Configured from console by console
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
%SYS-5-CONFIG_I: Configured from console by console
%SYS-5-CONFIG_I: Configured from console by console
%SYS-5-CONFIG_I: Configured from console by console
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%SYS-5-CONFIG_I: Configured from console by console
%SYS-5-CONFIG_I: Configured from console by console
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
%SYS-5-CONFIG_I: Configured from console by console
%SYS-5-CONFIG_I: Configured from console by console
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to up
%SYS-5-CONFIG_I: Configured from console by console
%SYS-5-CONFIG_I: Configured from console by console
Cisco-829#
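The question in the last two posts is whether the debug output ever reached the log buffer: the header says buffer logging is at level debugging with 201 messages logged, yet every line in the buffer is severity 3, 5 or 6. A small parser for the 'show logging' text makes that check mechanical. This is an added example, not code from the thread or from Cisco; `parse_show_logging`, `severity_histogram`, `debug_output_missing` and `crypto_events` are my own names, and the sample is a trimmed excerpt of the output posted above.

```python
"""Added example (not from the thread or from Cisco): parse 'show logging'
into the per-destination levels and the buffered messages, then check
whether any debug-level (severity 7) line is actually present."""
import re
from collections import Counter

SEVERITY = {0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
            4: "warnings", 5: "notifications", 6: "informational", 7: "debugging"}

# e.g. "    Buffer logging:  level debugging, 201 messages logged, xml disabled,"
DEST_RE = re.compile(r"^\s*(Console|Monitor|Buffer) logging:\s+level (\w+), (\d+) messages logged")
# IOS message format: %FACILITY-SEVERITY-MNEMONIC: text
MSG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)")


def parse_show_logging(text):
    """Return ({destination: {level, logged}}, [message dicts from the Log Buffer section])."""
    dests, messages, in_buffer = {}, [], False
    for line in text.splitlines():
        m = DEST_RE.match(line)
        if m:
            dests[m.group(1)] = {"level": m.group(2), "logged": int(m.group(3))}
            continue
        if line.startswith("Log Buffer"):
            in_buffer = True
            continue
        if in_buffer:
            m = MSG_RE.search(line)
            if m:
                messages.append({"facility": m.group(1), "severity": int(m.group(2)),
                                 "mnemonic": m.group(3), "text": m.group(4)})
    return dests, messages


def severity_histogram(messages):
    """Count buffered messages by severity name."""
    return Counter(SEVERITY[m["severity"]] for m in messages)


def debug_output_missing(dests, messages):
    """True when the buffer is configured for level debugging but holds no severity-7 line."""
    buf = dests.get("Buffer")
    return bool(buf) and buf["level"] == "debugging" and all(m["severity"] != 7 for m in messages)


def crypto_events(messages):
    """The CRYPTO facility lines, the ones relevant to the IKE problem in the thread."""
    return [f"{m['mnemonic']}: {m['text']}" for m in messages if m["facility"] == "CRYPTO"]


# Trimmed excerpt of the 'show logging' output posted in the thread.
SAMPLE = """\
Cisco-829#show logging
Syslog logging: enabled (5 messages dropped, 8 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level debugging, 55 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 201 messages logged, xml disabled,
                    filtering disabled
    Trap logging: level informational, 194 message lines logged

Log Buffer (8192 bytes):

%SYS-5-LOGGING_START: Logging enabled - CLI initiated
%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1, changed state to down
%LINK-3-UPDOWN: Interface GigabitEthernet1, changed state to down
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
%SYS-5-CONFIG_I: Configured from console by console
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Cisco-829#
"""

if __name__ == "__main__":
    dests, messages = parse_show_logging(SAMPLE)
    print(dests)
    print(dict(severity_histogram(messages)))
    print("debug output missing:", debug_output_missing(dests, messages))
    print(crypto_events(messages))
```

On the excerpt the histogram contains only notifications, errors and informational entries, so `debug_output_missing` is true: the buffer is at the right level but the debug lines themselves never landed in it, which is the same conclusion the poster reached by eye.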