cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1405
Views
7
Helpful
23
Replies

Can't up ipsec beetween cisco asr1001 and c9300x

dijix1990
VIP
VIP

I stucked with ipsec configuration between cisco asr1001 and c9300x (asr1001-asr1001 works and c9300x-c9300x works)

My config for asr 1001

crypto ikev2 proposal ikev2_proposal 
 encryption aes-cbc-256
 integrity sha512
 group 5
 
crypto ikev2 policy ikev2_policy
 match fvrf any
 match address local 172.17.9.10
 proposal ikev2_proposal
 
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
  
crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2_keyring
 
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
mode tunnel

crypto ipsec profile ipsec_profile
 set transform-set ipsec_transform_set
 set ikev2-profile ikev2_profile
 
interface Tunnel999
 ip address 10.100.101.2 255.255.255.252
 tunnel source 172.17.9.10
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.9
 tunnel protection ipsec profile ipsec_profile

config for c9300x

crypto ikev2 proposal ikev2_proposal 
 encryption aes-cbc-256
 integrity sha512
 group 5
 
crypto ikev2 policy ikev2_policy
 match fvrf any
 match address local 172.17.9.9
 proposal ikev2_proposal
 
crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123
  
crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0 
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2_keyring
 
crypto ipsec transform-set ipsec_transform_set esp-gcm 256
mode tunnel

crypto ipsec profile ipsec_profile
 set transform-set ipsec_transform_set
 set ikev2-profile ikev2_profile
 
interface Tunnel999
 ip address 10.100.101.1 255.255.255.252
 tunnel source 172.17.9.9
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.10
 tunnel protection ipsec profile ipsec_profile

and debug file is included

23 Replies 23

goodluck friend 
have a nice weekend 
MHM

Hi friend 
I have time to test VTI protect by ikev2 profile in lab
I face same issue the IKEv2 stop responding after I clear crypto in one Peer 
the solution is 
shut/ no shut the tunnel in both ASR and C9300X
try it and check 


MHM

No, my problem is different, it doesn't work at all from start

so, it's not because of platform (device which I use can AES GCM 256 by datasheets and exploitation). I think it's a bug, ASR1001 is too old platform for c9300X. I tested my config between ASR1001-X and C9300X and isr4331 and C9300x and it worked with aes-gcm 256.

For ASR1001 I used this config and it works (change TS to esp-aes esp-sha-hmac)

 

 

 

crypto ikev2 proposal ikev2_proposal
 encryption aes-cbc-256
 integrity sha512
 group 24

crypto ikev2 policy ikev2_policy
 match fvrf any
 match address local 172.17.9.9
 proposal ikev2_proposal

crypto ikev2 keyring ikev2_keyring
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key cisco123

crypto ikev2 profile ikev2_profile
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local ikev2_keyring

crypto ipsec transform-set ipsec_transform_set esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile ipsec_profile
 set transform-set ipsec_transform_set
 set ikev2-profile ikev2_profile

interface Tunnel999
 ip address 10.100.101.1 255.255.255.252
 tunnel source TwentyFiveGigE1/0/3
 tunnel mode ipsec ipv4
 tunnel destination 172.17.9.10
 tunnel protection ipsec profile ipsec_profile

 

 

 

Thanks for Update us
happy news in end 
glad issue is solve in end 
have a nice day friend 
MHM

ASR(config-ikev2-profile)# no config-exchange request <- add this and check 

MHM

didn't help

@dijix1990 you have the following error in your logs....

Jan 13 13:58:08.474: IKEv2-ERROR:(SESSION ID = 23309,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed

...this could relate to this bug https://quickview.cloudapps.cisco.com/quickview/bug/CSCve08418

If indeed this relates to simultaneous negotiations, for testing you could set one side to be a responder only (thus the other device must initiate connectivity). Also consider review your IOS-XE version and upgrade.

crypto ipsec profile IPSEC_PROFILE
 responder-only

If that is not the issue I would log a call with TAC, the basic configuration appears to be ok, it could be a different bug.

 

I will test it, for c9300x I have latest version 17.9.4a

asr1001 has latest version

BTW asr1001-asr1001 works

9300x-9300x worsk

9300x-asr1001 doesn't