ikev2 ipsec vpn on cisco router 2900 version 15.4(3)M1

csco12434455
Level 1

Hi all,

I have a Cisco 2900 router, IOS software version 15.4(3)M1.

I tried to set up a site-to-site IPsec VPN on my router and typed 'crypto ikev2 proposal prop_1'

in configuration mode. The router is not accepting the command. When I do 'crypto ?', I can only

see key- long term key operation

       pki-  public key components.

Please, I am confused now. I need someone's help. I need to set the site-to-site up. I have successfully configured my ASA (peer).

5 Replies

Abaji Rawool
Level 3

Hi,

Make sure you are running a universal k9 image that supports crypto. Check the full image name in show ver.

It should be something like "c2900-universalk9-mz.SPA.154-3.M1.bin" and not an npe image.

HTH

Abaji.

Thanks Abaji.

I have another problem. I was able to set up the site-to-site IKEv2 on my 2911 router. In my configuration, I configured a primary link and a backup ISP on the router as a failover. After the configuration, I do not get internet until I remove the backup link. I want to know if a backup link does not work with IKEv2 IPsec on a Cisco router?

Hi,

I don't think IKEv2 has any issues with a backup link. We need to check the configuration and whether the route failover is correct.

HTH

Abaji.

Good day Abaji,

This is my configuration. 41.184.38.218 (Gi0/0) is my primary link, 105.235.195.202 (Gi0/2) is my backup link, while 197.210.199.154 is my peer IKEv2 site-to-site VPN link.
When I finished my configuration, the internet went down until I removed the backup default route and the tracks.
After that my IKEv2 site-to-site VPN stopped working as well, until I removed
ip nat inside source list 101 interface GigabitEthernet0/2 overload. Could NAT be the problem, or the default routes?

!
interface GigabitEthernet0/0
 description LAN-NETWORK
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN-NETWORK
 ip address 41.184.38.218 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map CMAP
!
interface GigabitEthernet0/2
 description ICSL
 ip address 105.235.195.202 255.255.255.252
 ip nat outside
 duplex auto
 speed auto

ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip nat inside source list 101 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 41.184.38.217 track 10
ip route 0.0.0.0 0.0.0.0 105.184.195.201 track 2

ip route 172.168.1.0 255.255.255.0 197.210.199.154
ip route 192.168.1.0 255.255.255.0 197.210.199.154
ip route 192.168.5.0 255.255.255.248 197.210.199.154
ip route 192.168.5.8 255.255.255.248 197.210.199.154
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.8.0 0.0.0.255 172.168.1.0 0.0.0.255
 permit ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.7
 permit ip 192.168.8.0 0.0.0.255 192.168.5.8 0.0.0.7
!
!
!
access-list 100 deny   ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny   ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.7
access-list 100 deny   ip 192.168.8.0 0.0.0.255 192.168.5.8 0.0.0.7
access-list 100 deny   ip 192.168.8.0 0.0.0.255 172.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.8.0 0.0.0.255 any
access-list 100 remark
!
access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.8.0 0.0.0.255 172.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.5.0 0.0.0.7
access-list 101 deny ip 192.168.8.0 0.0.0.255 192.168.5.8 0.0.0.7
access-list 101 permit ip 192.168.8.0 0.0.0.255 any

ip sla 1
icmp-echo 8.8.8.8
frequency 5

ip sla schedule 1 start-time now life forever
track 10 rtr 1 reachability

Hi,

Do you need your VPN only on one link? If yes, apply the crypto map only on that interface and add routes for the peer and the remote subnets through that ISP.

If you need the VPN to fail over together with the internet, apply the crypto map on both interfaces along with the NAT configuration. Also, the peer should have these two public IPs configured as backup peers of each other.

For internet traffic fail-over you need a track on only one default route.

ip route 0.0.0.0 0.0.0.0 41.184.38.217 track 10
ip route 0.0.0.0 0.0.0.0 105.184.195.201 200

First make sure the VPN comes up with one ISP and works fine, then switch over to the 2nd connection and test.

ip route 0.0.0.0 0.0.0.0 41.184.38.217 track 10
ip route 0.0.0.0 0.0.0.0 105.184.195.201 track 2

HTH

Abaji.
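As an added example (not code from the thread or from Cisco), a small Python check that parses an excerpt of the configuration posted above and flags the points the replies turn on: a default-route next hop that is not on any connected subnet, a route referencing a track object the config never defines, and both default routes being tracked instead of the backup being a floating static. The CONFIG string is a constructed excerpt of the posted config, with the backup next hop copied exactly as posted.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in this thread, trimmed to the
# lines the checks need. The backup next hop is copied as posted (105.184.x, while
# Gi0/2 sits in 105.235.195.200/30), so the checker should flag it.
CONFIG = """\
interface GigabitEthernet0/1
 ip address 41.184.38.218 255.255.255.248
 crypto map CMAP
interface GigabitEthernet0/2
 ip address 105.235.195.202 255.255.255.252
ip route 0.0.0.0 0.0.0.0 41.184.38.217 track 10
ip route 0.0.0.0 0.0.0.0 105.184.195.201 track 2
track 10 rtr 1 reachability
"""

def parse(config):
    """Collect connected subnets, default routes and defined track objects."""
    subnets, routes, tracks = [], [], set()
    for line in config.splitlines():
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m:  # interface address -> connected subnet
            subnets.append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        m = re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(?: (\d+))?(?: track (\d+))?", line)
        if m:  # (next hop, admin distance or None, track id or None)
            routes.append((ipaddress.ip_address(m[1]), m[2], m[3]))
        m = re.match(r"track (\d+) ", line)
        if m:
            tracks.add(m[1])
    return subnets, routes, tracks

def check_failover(config):
    """Return a list of findings for the dual-ISP default-route design."""
    subnets, routes, tracks = parse(config)
    findings = []
    for nh, ad, track in routes:
        if not any(nh in s for s in subnets):
            findings.append(f"next hop {nh} is not on any connected subnet")
        if track and track not in tracks:
            findings.append(f"route via {nh} references undefined track {track}")
    tracked = [r for r in routes if r[2]]
    if len(routes) > 1 and len(tracked) == len(routes):
        findings.append("every default route is tracked; the backup should be "
                        "a floating static (higher admin distance) instead")
    return findings

if __name__ == "__main__":
    for f in check_failover(CONFIG):
        print("-", f)
```

Running it against the posted excerpt reports three findings; replacing the backup route with the floating static form from the reply (and a next hop inside the Gi0/2 /30) clears them.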