cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
2430
Views
0
Helpful
2
Replies
vyas.nilay
Beginner

IKEV2 issues

I come across with very wierd issue.. configuration on the lab for IKEv2 works find.. whih is soft copy of ASA and Router .. while I put that in production it just does not wan tto conect.. I ma not sure where I am going wrong.. due to the limited access I have tried to get as possible configuration out of the devices.. I have changed some passwords and dtails.. if anyone can find any issues or suggest anything that will be huge help..  I have replace external I P addresses with internal IP address.

topology is site router - external firewall ASA - DMZ firewall 

trying to do IKEV2 vpn between router and DMZ Firewall. 

following are the details

ASA:

crypto ipsec ikev2 ipsec-proposal secpro

 protocol esp encryption aes-256

 protocol esp integrity sha-1

crypto map cmap 10 match address v2

crypto map cmap 10 set peer 19.19.19.6

crypto map cmap 10 set ikev2 ipsec-proposal secpro

crypto map cmap interface outside

crypto ikev2 policy 10

 encryption aes-256

 integrity sha256

 group 2

 prf sha256

 lifetime seconds 86400

crypto ikev2 enable outside

 

tunnel-group 19.19.19.6 type ipsec-l2l

tunnel-group 19.19.19.6 ipsec-attributes

 peer-id-validate nocheck

 ikev2 remote-authentication pre-shared-key *****

 ikev2 local-authentication pre-shared-key *****

access-list v2 extended permit ip 10.4.4.0 255.255.255.0 192.168.6.0 255.255.255.0

Router configuration:

crypto ikev2 proposal sal

 encryption aes-cbc-256

 integrity sha256

 group 2

crypto ikev2 policy 10

 proposal sal

crypto ikev2 keyring key

 peer asa1

  address 19.19.4.10

  pre-shared-key local ccie

  pre-shared-key remote ccie

 !

crypto ikev2 profile v2

 match identity remote address 19.19.4.10 255.255.255.255

 identity local address 19.19.19.6

 authentication local pre-share

 authentication remote pre-share

 keyring key

crypto ipsec transform-set v2sec esp-aes 256 esp-sha-hmac

crypto map cmap 10 ipsec-isakmp

 set peer 19.19.4.10

 set transform-set v2sec

 set ikev2-profile v2

 match address acl

 

Extended IP access list acl

    10 permit ip 192.168.6.0 0.0.0.255 10.4.4.0 0.0.0.255

The firewall in between is configured with ike and asa ports to be enable

I have attached 4 files.. 

each file say router 2 asa which debug from the traffic generated from the site to data centre

and file says asa 2 router which debug from the traffic generated from data center to site.

please let me know when you find anything.. I have tried to replicate the fault on my virtual lab which is gns3 and unl and it worked.. so bit wieard for me

thanks

NIlay.

2 REPLIES 2
Abaji Rawool
Participant

Hi,

What is the IOS version of the router, if it is below IOS 15.2(2)T, try upgrading it to IOS 15.2(2)T and then check.

HTH,

Abaji.

ASA Version:

Cisco Adaptive Security Appliance Software Version 8.6(1)2

Device Manager Version 6.6(1)

Router Version:

IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Tue 20-Mar-12 18:57 by prod_rel_team

 

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

Upgrade is not so easy option .. remote site is not constant .. it is on demand stand up connection ... network is confidential level so can't access all the time and it take bit of effort to get to the network..  is there any other fix ?? 

In the lab I am using 

Adaptive Security Appliance Software Version 8.4(2)

Router

Version 15.4(1)T, DEVELOPMENT TEST SOFTWARE

so it is above the on you have said.. in the lab.. so do you think it is really a IOS issue?

Create
Recognize Your Peers
Content for Community-Ad