Re: FPR 1010 Debugging Ipsec

loopin3 · ‎09-30-2022

Hi all,

i have a FPR 1010 with site-to-site tunnel configured with preshared key but it dosent connect to remote peer

MHM Cisco World · ‎09-30-2022

many reason may cause this
but the first is
can you ping the remote peer ?

loopin3 · ‎09-30-2022

Yes i can ping the peer

MHM Cisco World · ‎09-30-2022

are you have dual WAN interface ?

loopin3 · ‎09-30-2022

No i have one Wan interface

Aref Alsouqi · ‎09-30-2022

Please share your sanitized configs for review.

loopin3 · ‎10-03-2022

this is my configuration

show running-config crypto

crypto ipsec ikev2 ipsec-proposal SAP_IPSEC

protocol esp encryption aes-256

protocol esp integrity sha-256

crypto ipsec security-association pmtu-aging infinite

crypto map s2sCryptoMap 2 match address |s2sAcl|5e049f9e-40b6-11ed-9f80-81ae564ba8a4

crypto map s2sCryptoMap 2 set pfs group20

crypto map s2sCryptoMap 2 set peer xxx.xxx.xxx.xxx

crypto map s2sCryptoMap 2 set ikev2 ipsec-proposal SAP_IPSEC

crypto map s2sCryptoMap interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha384

group 20

prf sha256

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 policy 150

authentication rsa-sig

encryption des

hash sha

group 5

lifetime 86400

crypto ikev1 policy 160

authentication pre-share

encryption des

hash sha

group 5

lifetime 86400

when i check the tunnel is down and there isn't assocation with ikev2 e isakmp..

how can i debug the process of connection?

Thanks!

MHM Cisco World · ‎10-03-2022

crypto ikev2 enable outside
but you dont have any IKEv2 policy config ??
the config is for IKEv1 not for IKEv2.

loopin3 · ‎10-03-2022

i create the tunnel from the web interface and i select IkeV2 policy

to enable crypto ikev2 on outside interface i need f the console ( usb cable ) or ssh session from the managment interface?

Sheraz.Salim · ‎10-03-2022

use the management Interface (ssh to it). login to it and give these command

>
> expert
FTD:~$ sudo sfconsole

debug crypto condition peer x.x.x.x

debug crypto ikev2 platform 255

debug crypto ikev2 protocol 255

debug crypto ipsec 255

have to configure the NAT rules (NAT exmption) I do not see it. unless you have not posted them.

you can run the packet-trace command on your CLI.

packet-tracer input inside tcp c.c.c.c.c 22 d.d.d.d.d 22 detail

where c.c.c.c is source and d.d.d.d is destination of the remote network

please do not forget to rate.

loopin3 · ‎10-03-2022

this is the output

loopin3 · ‎10-03-2022

this is the configuration with nat and ikev2 only enabled but i cant see the vpn tunnel

Sheraz.Salim · ‎10-03-2022

In order to see the live logs you have to put a command "terminal monitor"

looking into your screen shots you are not hitting your ACL rule. have you define the ACL and NAT rules?

have a look on this provided link I guess you are using stand-a-lone FTD

Configure Site-to-Site VPN on FTD Managed by FDM - Cisco

please do not forget to rate.

Sheraz.Salim · ‎10-05-2022

You had a NAT issue once fixed the traffic was going through the tunnel.

please do not forget to rate.