10-03-2018 07:35 AM - edited 02-21-2020 09:28 PM
Hi
I am trying to establish an IKEv2 IPsec VPN between a Cisco 3945 and Microsoft Azure.
The Cisco 3945 is using image c3900e-universalk9-mz.SPA.154-3.M2.bin.
IPsec does not come up, and in the debug we keep getting the following error, that the profile is not found.
IKEv2:% IKEv2 profile not found
The configuration of the Cisco 3945 is enclosed.
10-03-2018 07:51 AM
10-03-2018 07:54 AM
10-03-2018 07:58 AM
Well from the debug:
Oct 3 00:11:45.561: IKEv2:(SESSION ID = 314128,SA ID = 1):Searching policy based on peer's identity '137.117.166.71' of type 'IPv4 address'
Oct 3 00:11:45.561: IKEv2:% IKEv2 profile not found
The peer identity is not the same as you've defined in the IKEv2 Profile, so it would therefore not match that IKEv2 Profile. Or is that a fake IP address in your original configuration?
10-03-2018 08:28 AM
Hi
Yes, I changed the IP address in the config I shared from the original, but the debug is of the original config.
10-03-2018 08:44 AM
10-03-2018 09:11 AM
10-03-2018 09:53 AM
I labbed this configuration, without the commands I've identified below, and it worked OK. Try these modifications:
crypto ikev2 profile GDH
no ivrf tp_hub
no match address local interface GigabitEthernet0/0 << you are already identifying the local router using the "identity local ...." command.
interface Tunnel1
no ip vrf forwarding internet_out
HTH
Please provide the debug output if this does not work.
10-04-2018 06:56 AM
Thanks, will try out the changes and come back.
10-05-2018 07:22 AM
Hi, thanks for your help, the tunnel is up with your recommended config. Can you suggest how we define the interesting traffic ACL?
10-05-2018 07:33 AM
10-05-2018 07:37 AM
Thanks, that means routes for interesting traffic in global instead of VRF, as the tunnel is in global?
10-05-2018 07:43 AM
Hi, we can see traffic arrive but it is not getting encapsulated, please see below.
mr039r02#show crypto ipsec sa peer 137.117.166.71
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 92.41.252.164
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 137.117.166.71 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 92.41.252.164, remote crypto endpt.: 137.117.166.71
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xBB569138(3143012664)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xBCDDC2E8(3168649960)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4948, flow_id: Onboard VPN:2948, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4222050/3552)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBB569138(3143012664)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4947, flow_id: Onboard VPN:2947, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4222051/3552)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 137.117.166.71 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 92.41.252.164, remote crypto endpt.: 137.117.166.71
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
mr039r02#
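Added example, not part of the original thread: a Python check that parses `show crypto ipsec sa` counters and flags the pattern in the output above, where decaps increase while encaps stay at 0. The function names are this example's own, and the sample text is constructed by trimming the post's output.

```python
import re

# Constructed sample: trimmed from the counters shown in the post above.
SAMPLE = """\
interface: Tunnel1
   protected vrf: (none)
   current_peer 137.117.166.71 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
     current outbound spi: 0xBB569138(3143012664)
   protected vrf: (none)
   current_peer 137.117.166.71 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
"""

FIELDS = {
    "peer": re.compile(r"current_peer (\S+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "outbound_spi": re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)"),
}

def parse_ipsec_sa(text):
    """Split the output on 'protected vrf:' and pull the counters of each entry."""
    entries = []
    for block in re.split(r"(?m)^\s*protected vrf:", text)[1:]:
        entry = {}
        for name, rx in FIELDS.items():
            m = rx.search(block)
            if m:
                v = m.group(1)
                entry[name] = int(v) if v.isdigit() else v
        entries.append(entry)
    return entries

def diagnose(entry):
    """Classify one entry from its SPI and packet counters."""
    if int(entry.get("outbound_spi", "0x0"), 16) == 0:
        return "no-sa"          # entry listed, but no SA is installed for it
    enc, dec = entry.get("encaps", 0), entry.get("decaps", 0)
    if dec > 0 and enc == 0:
        return "inbound-only"   # peer traffic is decrypted, nothing is sent into the tunnel
    if enc > 0 and dec == 0:
        return "outbound-only"  # local traffic is encrypted, nothing comes back
    return "bidirectional" if enc and dec else "idle"
```

An `inbound-only` result with an active SA means the crypto side is working and the local router is not forwarding any packets into the tunnel, so the next place to look is the routing of the protected prefixes toward the tunnel interface.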
10-05-2018 07:57 AM
10-05-2018 08:17 AM