Hi guys, hoping someone might have some pointers.
I'm trying to set up an IKEv2 VPN but going round in circles.
I have a number of IKEv1 VPNs connected using crypto maps on our external interface. I've been told that the most recent config advice would be to use VTIs, however we aren't able to create a VTI as we would need to remove the crypto maps of the existing connections. We should be able to use IKEv2 in the current setup using crypto map to route through the existing external interface.
Cisco IOS XE Software, Version 03.10.02.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.3(3)S2, RELEASE SOFTWARE (fc3)
Excellent! Thanks guys. Yes it needed to be SHA1.
The Azure V-WAN initiating the connection does not give SHA1 as an option for Phase1 or 2 in custom settings - However the documentation shows selecting "Default" for IPSEC config has a list of 4 Phase 1 & 4 Phase 2 combinations.
This isn't evident from the GUI - no details are shown identifying the settings being used.
I've created an acceptable IKEv2 proposal and added it to the policy:
crypto ikev2 proposal policy-1
crypto ikev2 policy 1
 match fvrf any
The Azure side needs to have "Policy Based Traffic Selector" enabled, to match the ACL on the ASR.
Really appreciate all your help guys!
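Added example, not part of the original post: a small Python check for the kind of mismatch described above, where the responder's IKEv2 proposal shares no integrity algorithm with what the peer offers. The config text and the peer's offered combinations are constructed samples (they are not the poster's config or Azure's documented list), and the check models only encryption, integrity and DH group.

```python
import re

# Constructed sample: two IOS-style IKEv2 proposals (not the poster's actual config).
SAMPLE_CONFIG = """\
crypto ikev2 proposal strict-only
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 proposal policy-1
 encryption aes-cbc-256 aes-cbc-128
 integrity sha1
 group 2
"""

# Constructed peer offer: one (encryption, integrity, DH group) tuple per combination.
PEER_OFFERS = [
    ("aes-cbc-256", "sha1", "2"),
    ("aes-cbc-128", "sha1", "2"),
]

def parse_proposals(config):
    """Return {proposal name: {transform type: set of values}} from IOS-style text."""
    proposals, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto ikev2 proposal (\S+)", line)
        if header:
            current = proposals.setdefault(header.group(1), {})
        elif current is not None and line.startswith(" ") and line.strip():
            keyword, *values = line.split()
            if keyword in ("encryption", "integrity", "group"):
                current.setdefault(keyword, set()).update(values)
        else:
            current = None  # left the proposal block

    return proposals

def acceptable(proposal, offer):
    """An offer is acceptable only if every transform type has a match."""
    enc, integ, group = offer
    return (enc in proposal.get("encryption", ())
            and integ in proposal.get("integrity", ())
            and group in proposal.get("group", ()))

def negotiate(config, offers):
    """Return (proposal name, offer) pairs that both sides could agree on."""
    return [(name, offer)
            for name, prop in parse_proposals(config).items()
            for offer in offers if acceptable(prop, offer)]

if __name__ == "__main__":
    for name, offer in negotiate(SAMPLE_CONFIG, PEER_OFFERS):
        print(name, "matches", offer)
```

An empty result from negotiate() means no local proposal can be selected for any of the peer's combinations.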
Your debug made me find the bug.
Jun 16 14:30:20: IPSEC:(SESSION ID = 627759) (update_current_outbound_sa) updated peer site1vpnip current outbound sa to SPI 0 <- SPI should never be "0"