
IKEV2 issues

Level 1

I have come across a very weird issue. The IKEv2 configuration in the lab, which is a soft copy of the ASA and router, works fine, but when I put it into production it just does not want to connect. I am not sure where I am going wrong. Due to the limited access, I have tried to get as much configuration out of the devices as possible. I have changed some passwords and details; if anyone can find any issues or suggest anything, that will be a huge help. I have replaced the external IP addresses with internal IP addresses.

The topology is: site router - external firewall (ASA) - DMZ firewall.

I am trying to set up an IKEv2 VPN between the router and the DMZ firewall.

Following are the details.

ASA configuration:


crypto ipsec ikev2 ipsec-proposal secpro
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map cmap 10 match address v2
crypto map cmap 10 set peer
crypto map cmap 10 set ikev2 ipsec-proposal secpro
crypto map cmap interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 peer-id-validate nocheck
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
access-list v2 extended permit ip

Router configuration:

crypto ikev2 proposal sal
 encryption aes-cbc-256
 integrity sha256
 group 2
crypto ikev2 policy 10
 proposal sal
crypto ikev2 keyring key
 peer asa1
  pre-shared-key local ccie
  pre-shared-key remote ccie
crypto ikev2 profile v2
 match identity remote address
 identity local address
 authentication local pre-share
 authentication remote pre-share
 keyring key
crypto ipsec transform-set v2sec esp-aes 256 esp-sha-hmac
crypto map cmap 10 ipsec-isakmp
 set peer
 set transform-set v2sec
 set ikev2-profile v2
 match address acl

Extended IP access list acl
    10 permit ip

The firewall in between is configured to have the IKE and ASA ports enabled.

I have attached 4 files. Each file named "router 2 asa" is a debug from the traffic generated from the site to the data centre, and each file named "asa 2 router" is a debug from the traffic generated from the data centre to the site.

Please let me know if you find anything. I have tried to replicate the fault in my virtual lab, which is GNS3 and UNL, and it worked, so it is a bit weird for me.
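Before chasing software versions, it is worth checking mechanically that the two sides above actually agree on every IKEv2 and IPsec parameter, since the ASA and IOS spell the same algorithms differently. The following is an added example, not code from the post or from Cisco: it parses the ASA ikev2 policy / ipsec-proposal and the IOS ikev2 proposal / transform-set exactly as posted, normalises the keyword spellings, and lists any parameter that differs. It assumes that IOS uses the integrity algorithm as the PRF when no prf line is configured.

```python
# Constructed from the two snippets in the post (peer addresses and ACLs were already left out there).
ASA_CFG = """crypto ipsec ikev2 ipsec-proposal secpro
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha256"""
IOS_CFG = """crypto ikev2 proposal sal
 encryption aes-cbc-256
 integrity sha256
 group 2
crypto ipsec transform-set v2sec esp-aes 256 esp-sha-hmac"""
# ASA and IOS spell the same algorithm differently; fold both spellings into one name.
ALIAS = {"aes-cbc-256": "aes-256", "sha-1": "sha1", "sha": "sha1", "esp-sha-hmac": "sha1"}
# Stanzas that open the IKE (phase 1) or IPsec (phase 2) parameter set on either platform.
STANZAS = {"crypto ikev2 policy": "ike", "crypto ikev2 proposal": "ike",
           "crypto ipsec ikev2 ipsec-proposal": "ipsec"}

def norm(token):
    return ALIAS.get(token, token)

def parse(cfg, platform):
    """Return {"ike": {...}, "ipsec": {...}} with normalised algorithm names."""
    out, section = {"ike": {}, "ipsec": {}}, None
    for line in cfg.splitlines():
        t = line.split()
        if not t:
            continue
        stanza = next((s for s in STANZAS if line.startswith(s)), None)
        if stanza:
            section = STANZAS[stanza]
        elif line.startswith("crypto ipsec transform-set"):
            # IOS one-liner in the "esp-aes <bits> esp-sha-hmac" form used in the post
            out["ipsec"]["encryption"] = norm(t[4][4:] + "-" + t[5])
            out["ipsec"]["integrity"] = norm(t[6])
            section = None
        elif section == "ike" and t[0] in ("encryption", "integrity", "group", "prf"):
            out["ike"][t[0]] = norm(t[1])
        elif section == "ipsec" and t[:2] == ["protocol", "esp"]:
            out["ipsec"][t[2]] = norm(t[3])
    if platform == "ios":  # assumption: IOS uses the integrity algorithm as PRF when no prf line is set
        out["ike"].setdefault("prf", out["ike"].get("integrity"))
    return out

def compare(asa, ios):
    """One (layer, parameter, asa_value, ios_value) tuple per value that differs."""
    return [(layer, k, asa[layer].get(k), ios[layer].get(k)) for layer in ("ike", "ipsec")
            for k in sorted(set(asa[layer]) | set(ios[layer])) if asa[layer].get(k) != ios[layer].get(k)]
```

With the values from the post, compare() returns an empty list, so the two sides agree on paper and the fault has to be looked for elsewhere (the device software, the path between the sites, or the elided peer and ACL values).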



2 Replies

Abaji Rawool
Level 3


What is the IOS version of the router? If it is below IOS 15.2(2)T, try upgrading it to IOS 15.2(2)T and then check.



ASA version:

Cisco Adaptive Security Appliance Software Version 8.6(1)2
Device Manager Version 6.6(1)

Router version:

IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support:
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 18:57 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)

An upgrade is not such an easy option. The remote site is not constant; it is an on-demand stand-up connection. The network is at a confidential level, so I can't access it all the time, and it takes a bit of effort to get to the network. Is there any other fix?

In the lab I am using:

Adaptive Security Appliance Software Version 8.4(2)

So it is above the one you have said, in the lab. Do you think it is really an IOS issue?