06-05-2016 08:29 PM
I have come across a very weird issue. The configuration for IKEv2 works fine on the lab, which is a soft copy of the ASA and router, but when I put it in production it just does not want to connect. I am not sure where I am going wrong. Due to the limited access I have tried to get as much of the configuration out of the devices as possible. I have changed some passwords and details. If anyone can find any issues or suggest anything, that will be a huge help. I have replaced external IP addresses with internal IP addresses.
Topology is site router - external firewall ASA - DMZ firewall.
Trying to do an IKEv2 VPN between the router and the DMZ firewall.
following are the details
ASA:
crypto ipsec ikev2 ipsec-proposal secpro
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto map cmap 10 match address v2
crypto map cmap 10 set peer 19.19.19.6
crypto map cmap 10 set ikev2 ipsec-proposal secpro
crypto map cmap interface outside
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 19.19.19.6 type ipsec-l2l
tunnel-group 19.19.19.6 ipsec-attributes
peer-id-validate nocheck
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
access-list v2 extended permit ip 10.4.4.0 255.255.255.0 192.168.6.0 255.255.255.0
Router configuration:
crypto ikev2 proposal sal
encryption aes-cbc-256
integrity sha256
group 2
crypto ikev2 policy 10
proposal sal
crypto ikev2 keyring key
peer asa1
address 19.19.4.10
pre-shared-key local ccie
pre-shared-key remote ccie
!
crypto ikev2 profile v2
match identity remote address 19.19.4.10 255.255.255.255
identity local address 19.19.19.6
authentication local pre-share
authentication remote pre-share
keyring key
crypto ipsec transform-set v2sec esp-aes 256 esp-sha-hmac
crypto map cmap 10 ipsec-isakmp
set peer 19.19.4.10
set transform-set v2sec
set ikev2-profile v2
match address acl
Extended IP access list acl
10 permit ip 192.168.6.0 0.0.0.255 10.4.4.0 0.0.0.255
The firewall in between is configured with the IKE and ASA ports enabled.
I have attached 4 files.
Each file named "router 2 asa" is a debug from traffic generated from the site to the data centre,
and each file named "asa 2 router" is a debug from traffic generated from the data centre to the site.
Please let me know if you find anything. I have tried to replicate the fault on my virtual lab (GNS3 and UNL) and it worked, so it is a bit weird for me.
Thanks,
Nilay.
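An added consistency check, not part of the original post: this Python script parses the ASA and router excerpts quoted above (reproduced here as constructed strings) and reports any IKEv2 proposal, IPsec transform or crypto-ACL mismatch between the two sides. The CANON table of vendor spellings is an assumption of the script; it checks nothing the post cannot show (pre-shared keys, peer reachability, NAT between the peers).

```python
import ipaddress
import re
# Constructed excerpts of the two configs quoted in the post, not the full running-configs.
ASA_CFG = """crypto ipsec ikev2 ipsec-proposal secpro
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
access-list v2 extended permit ip 10.4.4.0 255.255.255.0 192.168.6.0 255.255.255.0
"""
IOS_CFG = """crypto ikev2 proposal sal
 encryption aes-cbc-256
 integrity sha256
 group 2
crypto ipsec transform-set v2sec esp-aes 256 esp-sha-hmac
 10 permit ip 192.168.6.0 0.0.0.255 10.4.4.0 0.0.0.255
"""
# Vendor spellings of the same algorithm on ASA vs IOS, mapped to one canonical name (assumed).
CANON = {"aes-cbc-256": "aes-256", "esp-aes 256": "aes-256", "sha-1": "sha1", "esp-sha-hmac": "sha1"}
def ikev2_sa(cfg):
    """IKE SA parameters under 'crypto ikev2 policy' (ASA) or 'crypto ikev2 proposal' (IOS)."""
    block = re.search(r"crypto ikev2 (?:policy|proposal) \S+\n((?: .*\n)+)", cfg).group(1)
    return {k: CANON.get(v, v) for k, v in re.findall(r"^ (encryption|integrity|group) (\S+)", block, re.M)}

def ipsec_sa(cfg):
    """ESP transforms: ASA 'ipsec-proposal' sub-commands or the IOS 'transform-set' one-liner."""
    m = (re.search(r"protocol esp encryption (\S+)\n protocol esp integrity (\S+)", cfg)
         or re.search(r"crypto ipsec transform-set \S+ (esp-aes \d+) (esp-\S+)", cfg))
    return {"encryption": CANON.get(m[1], m[1]), "integrity": CANON.get(m[2], m[2])}

def crypto_acl(cfg, wildcard):
    """(src, dst) of the first permit line; IOS ACLs use wildcard masks, ASA ACLs use netmasks."""
    a1, m1, a2, m2 = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg).groups()
    def net(addr, mask):
        bits = int(ipaddress.IPv4Address(mask)) ^ (0xFFFFFFFF if wildcard else 0)
        return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(bits))), strict=False)
    return net(a1, m1), net(a2, m2)

def mismatches(asa=ASA_CFG, ios=IOS_CFG):
    """Human-readable differences between the two sides; an empty list means the proposals line up."""
    out = []
    for label, a, b in (("IKEv2 SA", ikev2_sa(asa), ikev2_sa(ios)),
                        ("IPsec SA", ipsec_sa(asa), ipsec_sa(ios))):
        out += [f"{label} {k}: ASA {a[k]} vs IOS {b.get(k)}" for k in a if a[k] != b.get(k)]
    asa_acl, ios_acl = crypto_acl(asa, wildcard=False), crypto_acl(ios, wildcard=True)
    if asa_acl != ios_acl[::-1]:  # the router's ACL must be the exact mirror of the ASA's
        out.append(f"crypto ACL not mirrored: ASA {asa_acl} vs IOS {ios_acl}")
    return out
```

For the excerpts as posted the check returns an empty list, so a proposal mismatch is not what the visible config shows; an IKEv2 debug on the peer that refuses the exchange is the next place to look.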
06-05-2016 10:25 PM
Hi,
What is the IOS version of the router? If it is below IOS 15.2(2)T, try upgrading it to IOS 15.2(2)T and then check.
HTH,
Abaji.
06-06-2016 12:16 AM
ASA Version:
Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)
Router Version:
IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 18:57 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Upgrading is not such an easy option. The remote site is not constant; it is an on-demand stand-up connection. The network is at a confidential level, so I can't access it all the time, and it takes a bit of effort to get to the network. Is there any other fix?
In the lab I am using
Adaptive Security Appliance Software Version 8.4(2)
Router
Version 15.4(1)T, DEVELOPMENT TEST SOFTWARE
So in the lab it is above the one you mentioned. Do you think it is really an IOS issue?