IKEV2 issues

vyas.nilay
Level 1

I have come across a very weird issue. The IKEv2 configuration works fine in the lab, which is a soft copy of the ASA and the router, but when I put it in production it just does not want to connect. I am not sure where I am going wrong. Due to the limited access I have, I have tried to get as much of the configuration out of the devices as possible. I have changed some passwords and details. If anyone can find any issues or suggest anything, that would be a huge help. I have replaced the external IP addresses with internal IP addresses.

Topology is: site router - external firewall ASA - DMZ firewall.

I am trying to do an IKEv2 VPN between the router and the DMZ firewall.

Following are the details.

ASA:

crypto ipsec ikev2 ipsec-proposal secpro
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map cmap 10 match address v2
crypto map cmap 10 set peer 19.19.19.6
crypto map cmap 10 set ikev2 ipsec-proposal secpro
crypto map cmap interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group 19.19.19.6 type ipsec-l2l
tunnel-group 19.19.19.6 ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

access-list v2 extended permit ip 10.4.4.0 255.255.255.0 192.168.6.0 255.255.255.0

Router configuration:

crypto ikev2 proposal sal
 encryption aes-cbc-256
 integrity sha256
 group 2
crypto ikev2 policy 10
 proposal sal
crypto ikev2 keyring key
 peer asa1
  address 19.19.4.10
  pre-shared-key local ccie
  pre-shared-key remote ccie
 !
crypto ikev2 profile v2
 match identity remote address 19.19.4.10 255.255.255.255
 identity local address 19.19.19.6
 authentication local pre-share
 authentication remote pre-share
 keyring key
crypto ipsec transform-set v2sec esp-aes 256 esp-sha-hmac
crypto map cmap 10 ipsec-isakmp
 set peer 19.19.4.10
 set transform-set v2sec
 set ikev2-profile v2
 match address acl

Extended IP access list acl
    10 permit ip 192.168.6.0 0.0.0.255 10.4.4.0 0.0.0.255

The firewall in between is configured with the IKE and ASA ports enabled.

I have attached 4 files. Each file named "router 2 asa" is the debug from traffic generated from the site to the data centre, and each file named "asa 2 router" is the debug from traffic generated from the data centre to the site.

Please let me know if you find anything. I have tried to replicate the fault on my virtual lab, which is GNS3 and UNL, and it worked, so it is a bit weird for me.

Thanks,

Nilay.
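Before chasing platform versions, the first thing to rule out on a pair like the one posted is a plain mismatch between the two ends: IKEv2 proposal parity (encryption, integrity, DH group), ESP proposal parity, peer address versus presented identity versus tunnel-group name, and mirrored crypto ACLs. The script below is an added example (not part of the original post or of any Cisco tool) that parses the two snippets above and reports those mismatches. It assumes the single-policy, single-crypto-map shape shown in the thread, treats `aes-256`, `aes-cbc-256` and `esp-aes 256` as the same algorithm, and omits the pre-shared keys, which it cannot compare anyway because the ASA side is masked.

```python
"""Sanity-check an ASA <-> IOS IKEv2 site-to-site pair for the mismatches that
silently break IKE_SA_INIT, IKE_AUTH or the CHILD_SA: proposal parity,
peer/identity parity and mirrored crypto ACLs.  Added example, not from the post."""
import ipaddress
import re

# Constructed from the snippets posted in the thread; PSKs and keyring omitted.
ASA_CFG = """
crypto ipsec ikev2 ipsec-proposal secpro
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map cmap 10 match address v2
crypto map cmap 10 set peer 19.19.19.6
crypto map cmap 10 set ikev2 ipsec-proposal secpro
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
tunnel-group 19.19.19.6 type ipsec-l2l
access-list v2 extended permit ip 10.4.4.0 255.255.255.0 192.168.6.0 255.255.255.0
"""

IOS_CFG = """
crypto ikev2 proposal sal
 encryption aes-cbc-256
 integrity sha256
 group 2
crypto ikev2 profile v2
 match identity remote address 19.19.4.10 255.255.255.255
 identity local address 19.19.19.6
crypto ipsec transform-set v2sec esp-aes 256 esp-sha-hmac
crypto map cmap 10 ipsec-isakmp
 set peer 19.19.4.10
 match address acl
Extended IP access list acl
    10 permit ip 192.168.6.0 0.0.0.255 10.4.4.0 0.0.0.255
"""

# Vendor spellings of the same algorithm, normalised to one token (assumed mapping).
ALG = {"aes-256": "aes256", "aes-cbc-256": "aes256", "esp-aes 256": "aes256",
       "sha-1": "sha1", "esp-sha-hmac": "sha1", "sha256": "sha256", "sha-256": "sha256"}

def norm(s):
    return ALG.get(s.strip(), s.strip())

def sections(cfg, header_re):
    """Yield the indented body lines of every top-level command matching header_re."""
    lines = cfg.strip("\n").splitlines()
    for i, line in enumerate(lines):
        if re.match(header_re, line):
            body = []
            for nxt in lines[i + 1:]:
                if not nxt.startswith(" "):
                    break
                body.append(nxt.strip())
            yield body

def body_value(body, key):
    for b in body:
        if b.startswith(key + " "):
            return norm(b[len(key) + 1:])
    return None

def acl_pair(src, src_mask, dst, dst_mask):
    # ipaddress accepts both netmasks (ASA style) and wildcard/host masks (IOS style).
    return (ipaddress.ip_network(f"{src}/{src_mask}"), ipaddress.ip_network(f"{dst}/{dst_mask}"))

def parse_asa(cfg):
    d = {}
    for body in sections(cfg, r"^crypto ikev2 policy \d+"):
        d["ike"] = {k: body_value(body, k) for k in ("encryption", "integrity", "group")}
    for body in sections(cfg, r"^crypto ipsec ikev2 ipsec-proposal \S+"):
        d["esp"] = {"enc": body_value(body, "protocol esp encryption"),
                    "int": body_value(body, "protocol esp integrity")}
    d["peer"] = re.search(r"set peer (\S+)", cfg).group(1)
    d["tunnel_groups"] = set(re.findall(r"tunnel-group (\S+) type ipsec-l2l", cfg))
    m = re.search(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    d["acl"] = acl_pair(*m.groups())
    return d

def parse_ios(cfg):
    d = {}
    for body in sections(cfg, r"^crypto ikev2 proposal \S+"):
        d["ike"] = {k: body_value(body, k) for k in ("encryption", "integrity", "group")}
    m = re.search(r"crypto ipsec transform-set \S+ (esp-aes \d+|esp-3des|esp-des) (esp-\S+)", cfg)
    d["esp"] = {"enc": norm(m.group(1)), "int": norm(m.group(2))}
    d["peer"] = re.search(r"set peer (\S+)", cfg).group(1)
    d["local_id"] = re.search(r"identity local address (\S+)", cfg).group(1)
    d["remote_id"] = re.search(r"match identity remote address (\S+)", cfg).group(1)
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", cfg)
    d["acl"] = acl_pair(*m.groups())
    return d

def check_pair(asa_cfg, ios_cfg):
    """Return human-readable mismatches; an empty list means the two sides agree."""
    a, r = parse_asa(asa_cfg), parse_ios(ios_cfg)
    out = []
    for k in ("encryption", "integrity", "group"):
        if a["ike"][k] != r["ike"][k]:
            out.append(f"IKEv2 {k}: ASA {a['ike'][k]} vs router {r['ike'][k]} "
                       "(IKE_SA_INIT fails with NO_PROPOSAL_CHOSEN)")
    for k, name in (("enc", "ESP encryption"), ("int", "ESP integrity")):
        if a["esp"][k] != r["esp"][k]:
            out.append(f"{name}: ASA {a['esp'][k]} vs router {r['esp'][k]} (CHILD_SA fails)")
    if a["peer"] != r["local_id"]:
        out.append(f"ASA peers with {a['peer']} but router presents identity {r['local_id']}")
    if a["peer"] not in a["tunnel_groups"]:
        out.append(f"no ipsec-l2l tunnel-group named {a['peer']} (ASA falls back to DefaultL2LGroup)")
    if r["peer"] != r["remote_id"]:
        out.append(f"router set peer {r['peer']} but profile matches remote identity {r['remote_id']}")
    if a["acl"] != (r["acl"][1], r["acl"][0]):
        out.append(f"crypto ACLs not mirrored: ASA {a['acl'][0]}->{a['acl'][1]}, "
                   f"router {r['acl'][0]}->{r['acl'][1]} (traffic selector mismatch)")
    return out

if __name__ == "__main__":
    for f in check_pair(ASA_CFG, IOS_CFG) or ["no mismatch between the posted ASA and router configs"]:
        print(f)
    # Same pair with the router's DH group altered, to show a detection:
    for f in check_pair(ASA_CFG, IOS_CFG.replace(" group 2", " group 14")):
        print("mutated:", f)
```

Run against the thread's two snippets the check returns nothing, which agrees with the lab result: whatever stops the production tunnel is not visible in the posted lines, so the next step is the IKEv2 debug output (and whether IKE_SA_INIT is reaching the peer at all through the intermediate firewall), not the proposals or ACLs.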

2 Replies

Abaji Rawool
Level 3

Hi,

What is the IOS version of the router, if it is below IOS 15.2(2)T, try upgrading it to IOS 15.2(2)T and then check.

HTH,

Abaji.

ASA Version:

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

Router Version:

IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 18:57 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

Upgrading is not such an easy option. The remote site is not constant; it is an on-demand stand-up connection. The network is at a confidential level, so I can't access it all the time, and it takes a bit of effort to get to the network. Is there any other fix?

In the lab I am using:

Adaptive Security Appliance Software Version 8.4(2)

Router

Version 15.4(1)T, DEVELOPMENT TEST SOFTWARE

So in the lab it is above the one you have said. Do you think it is really an IOS issue?
