06-16-2016 12:19 PM
Server has a static IP while client has dynamic IP (both ASAv). I am trying to connect them using IKEv2 VPN. Following is the config I have done for that.
Head office:
crypto ikev2 policy 3
 encryption aes-256
 integrity sha sha256
 prf sha
crypto ipsec ikev2 ipsec-proposal Site2Site
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto dynamic-map test 10 set ikev2 ipsec-proposal Site2Site
crypto map Outside_map 10 ipsec-isakmp dynamic test
crypto map Outside_map interface outside
group-policy Site2Site internal
group-policy Site2Site attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev2
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy Site2Site
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
Client:
crypto ikev2 policy 3
 encryption aes-256
 integrity sha sha256
 prf sha
crypto ipsec ikev2 ipsec-proposal Site2Site
 protocol esp encryption aes-256
 protocol esp integrity sha-1
access-list outside_cryptomap extended permit ip 2.2.2.0 255.255.255.0 1.1.1.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 172.16.1.1
crypto map outside_map 1 set ikev2 ipsec-proposal Site2Site
crypto map outside_map interface outside
crypto ikev2 enable outside
group-policy GroupPolicy_172.16.1.1 internal
group-policy GroupPolicy_172.16.1.1 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 general-attributes
 default-group-policy GroupPolicy_172.16.1.1
tunnel-group 172.16.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco
When I send traffic to 1.1.1.1 from the internal machine 2.2.2.2, nothing happens on the client ASA. Normally this happens when there is no route, but I have checked that; debugs show nothing. Am I missing something?
06-16-2016 02:37 PM
When nothing happens, it's very often a missing NAT exemption. Use packet-tracer on the client ASA to check if NAT is done correctly.
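As an added illustration of the NAT exemption and packet-tracer check described in this reply (not config from either poster), the identity NAT rules for both ASAs and the commands to verify them. Interface names inside/outside and the object names are assumed; the subnets and peer address are the ones from the question.

```cisco
! Client ASA (dynamic-IP side). Object names are assumed.
object network LOCAL-LAN
 subnet 2.2.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 1.1.1.0 255.255.255.0
! Identity (twice) NAT at the top of section 1 so it wins over any dynamic
! PAT rule. Without it the inside source is translated to the outside
! address, the packet no longer matches outside_cryptomap and the tunnel is
! never initiated, so debugs stay silent. no-proxy-arp and route-lookup
! avoid ARP and routing side effects of the static rule.
nat (inside,outside) 1 source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
! Verify: trace an inside host toward the remote LAN. The NAT phase should
! hit the identity rule and a VPN phase (subtype encrypt) should follow;
! if the trace ends in a plain NAT ALLOW, the exemption is not matching.
packet-tracer input inside icmp 2.2.2.2 8 0 1.1.1.1 detailed
! After real traffic is sent, the SAs should appear:
show crypto ikev2 sa
show crypto ipsec sa peer 172.16.1.1
! Head office needs the mirror rule so return traffic is not translated
! (the posted head office config also shows no "crypto ikev2 enable outside",
! which the dynamic map needs in order to answer the client).
object network HQ-LAN
 subnet 1.1.1.0 255.255.255.0
object network BRANCH-LAN
 subnet 2.2.2.0 255.255.255.0
nat (inside,outside) 1 source static HQ-LAN HQ-LAN destination static BRANCH-LAN BRANCH-LAN no-proxy-arp route-lookup
```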