01-13-2024 03:06 AM
I'm stuck with IPsec configuration between Cisco ASR1001 and C9300X (ASR1001-ASR1001 works and C9300X-C9300X works).
My config for the ASR1001
crypto ikev2 proposal ikev2_proposal
encryption aes-cbc-256
integrity sha512
group 5
crypto ikev2 policy ikev2_policy
match fvrf any
match address local 172.17.9.10
proposal ikev2_proposal
crypto ikev2 keyring ikev2_keyring
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
crypto ikev2 profile ikev2_profile
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local ikev2_keyring
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
mode tunnel
crypto ipsec profile ipsec_profile
set transform-set ipsec_transform_set
set ikev2-profile ikev2_profile
interface Tunnel999
ip address 10.100.101.2 255.255.255.252
tunnel source 172.17.9.10
tunnel mode ipsec ipv4
tunnel destination 172.17.9.9
tunnel protection ipsec profile ipsec_profile
Config for the C9300X
crypto ikev2 proposal ikev2_proposal
encryption aes-cbc-256
integrity sha512
group 5
crypto ikev2 policy ikev2_policy
match fvrf any
match address local 172.17.9.9
proposal ikev2_proposal
crypto ikev2 keyring ikev2_keyring
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
crypto ikev2 profile ikev2_profile
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local ikev2_keyring
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
mode tunnel
crypto ipsec profile ipsec_profile
set transform-set ipsec_transform_set
set ikev2-profile ikev2_profile
interface Tunnel999
ip address 10.100.101.1 255.255.255.252
tunnel source 172.17.9.9
tunnel mode ipsec ipv4
tunnel destination 172.17.9.10
tunnel protection ipsec profile ipsec_profile
and the debug file is included
01-13-2024 08:31 AM
Good luck, friend
Have a nice weekend
MHM
01-13-2024 02:10 PM - edited 01-13-2024 02:10 PM
Hi friend
I had time to test VTI protected by an IKEv2 profile in the lab.
I face the same issue: IKEv2 stops responding after I clear crypto on one peer.
The solution is
shut / no shut the tunnel on both the ASR and the C9300X.
Try it and check.
MHM
01-13-2024 03:14 PM
No, my problem is different; it doesn't work at all from the start.
01-14-2024 12:17 AM - edited 01-14-2024 01:27 AM
So, it's not because of the platform (the devices I use can do AES-GCM 256 according to the datasheets and in operation). I think it's a bug; the ASR1001 is too old a platform for the C9300X. I tested my config between ASR1001-X and C9300X, and between ISR4331 and C9300X, and it worked with AES-GCM 256.
For the ASR1001 I used this config and it works (changed the TS to esp-aes esp-sha-hmac)
crypto ikev2 proposal ikev2_proposal
encryption aes-cbc-256
integrity sha512
group 24
crypto ikev2 policy ikev2_policy
match fvrf any
match address local 172.17.9.9
proposal ikev2_proposal
crypto ikev2 keyring ikev2_keyring
peer ANY
address 0.0.0.0 0.0.0.0
pre-shared-key cisco123
crypto ikev2 profile ikev2_profile
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local ikev2_keyring
crypto ipsec transform-set ipsec_transform_set esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile ipsec_profile
set transform-set ipsec_transform_set
set ikev2-profile ikev2_profile
interface Tunnel999
ip address 10.100.101.1 255.255.255.252
tunnel source TwentyFiveGigE1/0/3
tunnel mode ipsec ipv4
tunnel destination 172.17.9.10
tunnel protection ipsec profile ipsec_profile
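As an added example (my own code, not from this thread or from Cisco), a small Python checker that parses the IKEv2 proposal, the ESP transform-set and the tunnel endpoints out of the two peer configs posted above and reports any parameter the peers disagree on. On the original ASR1001/C9300X pair it reports nothing, which is the point: the peers match, so the failure is not a simple proposal or transform mismatch. The config strings are constructed from the thread; the function names are my own.

```python
import re

# Constructed sample: the crypto parameters from the two peers in this
# thread (original, failing configuration), trimmed to the lines read here.
ASR_CFG = """
crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 5
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
interface Tunnel999
 tunnel source 172.17.9.10
 tunnel destination 172.17.9.9
"""
C9300_CFG = """
crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 5
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
interface Tunnel999
 tunnel source 172.17.9.9
 tunnel destination 172.17.9.10
"""
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")
KEYED = re.compile(r"(encryption|integrity|group|tunnel source|tunnel destination)\s+(\S+)$")
TS = re.compile(r"crypto ipsec transform-set \S+\s+(.+)$")

def parse_peer(cfg):
    """Collect the parameters both IKEv2/IPsec peers must agree on."""
    params = {}
    for line in cfg.splitlines():
        t = line.strip()
        m = KEYED.match(t)
        if m:
            params[m.group(1)] = m.group(2)
            continue
        m = TS.match(t)
        if m:
            params["transform"] = m.group(1)   # e.g. "esp-gcm 256"
    return params

def compare_peers(a, b):
    """Return a list of human-readable mismatches between two parsed peers."""
    issues = []
    for key in ("encryption", "integrity", "group", "transform"):
        if a.get(key) != b.get(key):
            issues.append(f"{key} mismatch: {a.get(key)} vs {b.get(key)}")
    ends = [a.get("tunnel source"), a.get("tunnel destination"),
            b.get("tunnel source"), b.get("tunnel destination")]
    # Endpoints must cross-match; skipped when a source is an interface name.
    if all(v and IPV4.fullmatch(v) for v in ends) and (ends[0] != ends[3] or ends[2] != ends[1]):
        issues.append("tunnel endpoints do not cross-match")
    return issues
```

Run against the thread's final fix, where only one side is moved to `esp-aes esp-sha-hmac`, the checker flags the transform-set mismatch, which is the first thing to rule out before suspecting a platform bug.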
01-14-2024 01:28 AM - edited 01-14-2024 01:29 AM
Thanks for updating us
Happy news in the end
Glad the issue is solved in the end
Have a nice day, friend
MHM
01-13-2024 03:25 AM
ASR(config-ikev2-profile)# no config-exchange request <- add this and check
MHM
01-13-2024 03:40 AM
It didn't help.
01-13-2024 05:14 AM - edited 01-13-2024 05:15 AM
@dijix1990 you have the following error in your logs....
Jan 13 13:58:08.474: IKEv2-ERROR:(SESSION ID = 23309,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
...this could relate to this bug https://quickview.cloudapps.cisco.com/quickview/bug/CSCve08418
If indeed this relates to simultaneous negotiations, for testing you could set one side to be a responder only (thus the other device must initiate connectivity). Also consider reviewing your IOS-XE version and upgrading.
crypto ipsec profile IPSEC_PROFILE
responder-only
If that is not the issue I would log a call with TAC; the basic configuration appears to be OK, it could be a different bug.
01-13-2024 06:00 AM
I will test it. For the C9300X I have the latest version, 17.9.4a.
The ASR1001 has the latest version.
BTW ASR1001-ASR1001 works
9300X-9300X works
9300X-ASR1001 doesn't