11-13-2018 05:43 AM - edited 11-14-2018 04:36 AM
Hi
I'm trying to add another site-to-site VPN in an IKEv2 configuration. However, the debug on the router shows that the second connection coming in is matching against the first proposal.
GMT: IKEv2-ERROR:(SESSION ID = 588,SA ID = 1):Received Policies: : Failed to find a matching policy
Proposal 1: AES-GCM-256 SHA512 DH_GROUP_2048_256_MODP/Group 24
091495: *Nov 13 13:06:59.969 GMT:
091496: *Nov 13 13:06:59.969 GMT: Proposal 2: AES-CBC-128 SHA1 SHA512 DH_GROUP_2048_256_MODP/Group 24
091497: *Nov 13 13:06:59.973 GMT:
091498: *Nov 13 13:06:59.973 GMT:
091499: *Nov 13 13:06:59.973 GMT: IKEv2-ERROR:(SESSION ID = 588,SA ID = 1):Expected Policies: : Failed to find a matching policy
Proposal 1: AES-CBC-256 SHA512 SHA512 DH_GROUP_2048_256_MODP/Group 24
I think the issue is:
:Searching Policy with fvrf 0, local address 192.168.1.2
091697: *Nov 13 13:09:35.260 GMT: IKEv2:Found Policy '236'
This is the wrong policy; it should be '127', but the fvrf is 0 and the local address will always be 192.168.1.2, because the ASA address attached to the router is where the incoming connection for the VPN is PASSING THROUGH, not coming from.
I think it's to do with the match fvrf any, but I'm no expert on this matter.
crypto ikev2 policy 236
 match fvrf any
 proposal 236
crypto ikev2 policy 127
 match fvrf any
 proposal 127
Edit: just to clarify, I'm behind a firewall (NAT-T).
11-13-2018 09:15 AM
11-13-2018 10:36 AM - edited 11-13-2018 10:46 AM
crypto ikev2 proposal 236
 encryption aes-cbc-256
 integrity sha512
 group 24
!
crypto ikev2 proposal 127
 encryption aes-gcm-256
 prf sha512
 group 24
!
crypto ikev2 policy 236
 match fvrf any
 proposal 236
!
crypto ikev2 policy 127
 match fvrf any
 proposal 127
!
crypto ikev2 keyring 236
 peer 236
  address 195.xxx.xxx.xxx
  pre-shared-key <----Key----->
!
crypto ikev2 keyring 127
 peer 127
  address 94.xxx.xxx.xxx
  pre-shared-key local <----Key----->
  pre-shared-key remote <----Key----->
!
crypto ikev2 profile 236
 match identity remote fqdn xxxxxxxxxxxxx
 identity local fqdn xxxxxxxxxxxxx
 authentication local pre-share
 authentication remote pre-share
 keyring local 236
 dpd 1000 2 periodic
!
crypto ikev2 profile 127
 match identity remote address 94.xxx.xxx.xxx 255.255.255.248
 identity local address 192.168.1.2
 authentication local pre-share
 authentication remote pre-share
 keyring local 127
 dpd 1000 2 periodic
!
crypto ipsec transform-set 236 esp-aes esp-sha512-hmac
 mode tunnel
crypto ipsec transform-set 127 esp-gcm 256
 mode tunnel
!
crypto ipsec profile 236
 set transform-set 236
 set ikev2-profile 236
!
crypto ipsec profile 127
 set transform-set 127
 set ikev2-profile 127
!
interface Tunnel127
 ip address 172.16.4.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 94.xxx.xxx.xxx
 tunnel protection ipsec profile 127
!
interface Tunnel236
 ip address 172.16.3.1 255.255.255.252
 ip mtu 1400
 zone-member security 236
 ip tcp adjust-mss 1360
 ip ospf 1 area 0
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel destination 195.xxx.xxx.xxx
 tunnel protection ipsec profile 236
!
11-14-2018 03:03 AM
I have found that removing:
match fvrf any
from policy 127 will cause a match; however, I feel there will be config issues with policy 236.
11-14-2018 04:57 AM
11-14-2018 06:16 AM
But would not matching on a local address for both policies cause the same conflict when the local interface address is the same?
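The policy-selection step the thread is circling around, modelled in Python as an added illustration. This is not Cisco code and not anything posted in the thread; it is a deliberately simplified model. Assumptions: the router takes the first policy, in configuration order, whose match criteria fit the incoming request (consistent with the "Found Policy '236'" debug line), and only then compares that policy's proposals with what the peer offered; an IKEv2 policy may list more than one proposal. The proposal contents are transcribed from the "Received Policies" and "Expected Policies" debug lines above, and the fvrf/local-address values come from the "Searching Policy" line.

```python
"""Model of IKEv2 policy selection followed by proposal matching.

Hypothetical simplification of IOS behaviour, built to explain why two
policies that both 'match fvrf any' and carry no 'match address local'
line collapse onto the first one.  Not Cisco code.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    """One IKEv2 proposal: a set of acceptable algorithms per slot."""
    name: str
    encryption: frozenset
    integrity: frozenset  # empty for AEAD ciphers such as AES-GCM
    prf: frozenset
    group: frozenset

    def intersect(self, other):
        """Algorithms common to both proposals, or None if any slot is empty.
        Integrity must agree as well: both empty (AEAD) or a non-empty overlap."""
        enc = self.encryption & other.encryption
        integ = self.integrity & other.integrity
        prf = self.prf & other.prf
        grp = self.group & other.group
        if not enc or not prf or not grp:
            return None
        if (self.integrity or other.integrity) and not integ:
            return None
        return {"encryption": enc, "integrity": integ, "prf": prf, "group": grp}


@dataclass
class Policy:
    """An IKEv2 policy: match criteria plus the proposals it references."""
    name: str
    proposals: list
    match_fvrf: str = "any"             # 'match fvrf any' matches every FVRF
    match_local: Optional[str] = None   # None = no 'match address local' line

    def matches(self, fvrf, local_addr):
        if self.match_fvrf != "any" and self.match_fvrf != fvrf:
            return False
        if self.match_local is not None and self.match_local != local_addr:
            return False
        return True


def select_policy(policies, fvrf, local_addr):
    """First matching policy in configuration order (assumed IOS behaviour)."""
    for policy in policies:
        if policy.matches(fvrf, local_addr):
            return policy
    return None


def negotiate(policy, offered):
    """(local proposal name, agreed algorithms) or None when nothing overlaps."""
    for local in policy.proposals:
        for remote in offered:
            agreed = local.intersect(remote)
            if agreed:
                return local.name, agreed
    return None


# Local proposals as configured in the thread.
P236 = Proposal("236", frozenset({"AES-CBC-256"}), frozenset({"SHA512"}),
                frozenset({"SHA512"}), frozenset({24}))
P127 = Proposal("127", frozenset({"AES-GCM-256"}), frozenset(),
                frozenset({"SHA512"}), frozenset({24}))

# Peer's offer, transcribed from the 'Received Policies' debug lines.
PEER_OFFER = [
    Proposal("peer-1", frozenset({"AES-GCM-256"}), frozenset(),
             frozenset({"SHA512"}), frozenset({24})),
    Proposal("peer-2", frozenset({"AES-CBC-128"}), frozenset({"SHA1"}),
             frozenset({"SHA512"}), frozenset({24})),
]

# As configured: both policies 'match fvrf any', no local-address match,
# so policy 236 is chosen for every incoming request.
AS_CONFIGURED = [Policy("236", [P236]), Policy("127", [P127])]

# Alternative (an assumption about what IOS accepts, not the thread's fix):
# one policy referencing both proposals, so the second proposal is still tried.
MERGED = [Policy("236", [P236, P127])]


def run(policies, fvrf="0", local_addr="192.168.1.2"):
    """Simulate one incoming IKE_SA_INIT against the given policy list."""
    chosen = select_policy(policies, fvrf, local_addr)
    if chosen is None:
        return None, None
    return chosen.name, negotiate(chosen, PEER_OFFER)


if __name__ == "__main__":
    print(run(AS_CONFIGURED))  # ('236', None): the 'Failed to find a matching policy' case
    print(run(MERGED))         # ('236', ('127', {...})): AES-GCM-256 / SHA512 / group 24 agreed
```

The model also makes the point in the reply above visible: adding `match_local="192.168.1.2"` to policy 127 changes nothing, because policy 236 matches that same address first. Only a criterion that differs between the two peers, or a single policy that carries both proposals, gets the second proposal considered.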
11-14-2018 06:26 AM
11-14-2018 06:40 AM
11-14-2018 06:57 AM
08-25-2020 02:31 AM
Good, at least it solved my problem.
Thanks
10-02-2020 08:33 AM
Thank you so much, this hack saved my project.