IKEv2 Site 2 Site outgoing traffic is zero

dissai
Level 1
18 Replies

You don't apply the crypto map under any interface!!

MHM

Ok

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html

Check the link above: the IKEv2 profile must be configured under the crypto map, not under the IPsec profile (the IPsec profile is used only for VTI).

MHM

Ok

Both ACLs must change: use the remote LAN instead of ANY.

ip access-list extended VPN_ACL
10 permit ip host x.x.x.x remote-LAN
!
ip access-list extended 100
10 permit ip x.x.x.x x.x.x.x remote-LAN

clear crypto sa

clear crypto isakmp sa

And check again.

MHM

Thank you MHM,

That has been done, and Phase 1 has come up, but Phase 2 is down. The remote side connection is getting an error, and I am refusing the P2 proposal. How can I mitigate that per the earlier configuration I shared?

Did you clear crypto after changing the ACL?

MHM

Yes, brother.

Can I see
show crypto ipsec sa <<- after pinging a few times

removed

This ACL is for traffic:
ip access-list extended VPN_ACL

10 permit ip host x.x.x.x remote-LAN

This is from the IPsec SA:

local ident (addr/mask/prot/port): (x.x.x.x/x.x.x.x/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/x.x.x.x/0/0)


These two lines must list the subnets shown in the ACL above. If they do not,
can you make sure whether the other side uses a crypto map or a VTI (tunnel)?

By the look of this, the other side is using a strongSwan software firewall.

please do not forget to rate.

Sorry, I don't get your reply. Can you elaborate more?
Thanks

MHM

Your configuration is right; however, in your configuration you have provided/configured the LOCAL-ACL 192.168.70.2 but you did not mention what your Remote-LAN-Network is. Instead you have put in ANY.

SERVICE-RT#show crypto ipsec sa

interface: GigabitEthernet0/0/0
Crypto map tag: CRYPTO_MAP, local addr x.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (x.x.x.x/x.x.x.x/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.x port 500

You need to define the VPN_ACL in this order to make this work.

ip access-list extended VPN_ACL
 5 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x 
!

Side note: do not share your public IP addresses, either source or destination, and do not share any other sensitive information either; sanitize it before posting.

please do not forget to rate.
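Putting the advice from this thread together (the crypto map applied to the WAN interface, the IKEv2 profile attached under the crypto map rather than under an IPsec profile, and VPN_ACL naming the remote LAN instead of any), the following is a complete IOS-XE crypto-map configuration added here as a worked example. It is not the original poster's configuration and not taken from any post above; the peer address 203.0.113.10, the remote LAN 10.20.30.0/24, and the proposal, policy, keyring and profile names are constructed values, the local host 192.168.70.2, the names VPN_ACL and CRYPTO_MAP and the interface GigabitEthernet0/0/0 are reused from the thread, and the pre-shared keys are placeholders.

```cisco
! --- Added example, not the thread's configuration. Constructed values:
! --- peer 203.0.113.10, remote LAN 10.20.30.0/24, PSKs are placeholders.

! IKEv2 (phase 1) proposal and policy
crypto ikev2 proposal IKEV2_PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2_POL
 proposal IKEV2_PROP
!
! Keyring holding the PSKs for this one peer
crypto ikev2 keyring IKEV2_KR
 peer STRONGSWAN_PEER
  address 203.0.113.10
  pre-shared-key local REPLACE_WITH_LOCAL_PSK
  pre-shared-key remote REPLACE_WITH_REMOTE_PSK
!
! IKEv2 profile: matched by the remote peer address, PSK both ways
crypto ikev2 profile IKEV2_PROF
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2_KR
!
! IPsec (phase 2) transform set
crypto ipsec transform-set TS_AES256_SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: the remote LAN is named explicitly, never "any".
! The strongSwan side must carry the mirror image of this selector.
ip access-list extended VPN_ACL
 10 permit ip host 192.168.70.2 10.20.30.0 0.0.0.255
!
! Crypto map: the IKEv2 profile is attached HERE (set ikev2-profile),
! not under an ipsec profile, which is only for VTI tunnels.
crypto map CRYPTO_MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS_AES256_SHA256
 set ikev2-profile IKEV2_PROF
 match address VPN_ACL
!
! The crypto map does nothing until it is applied to the WAN interface.
interface GigabitEthernet0/0/0
 crypto map CRYPTO_MAP
!
! After changing VPN_ACL, tear down the old SAs so new selectors are used:
!   clear crypto ipsec sa
!   clear crypto ikev2 sa
!
! Checks:
!   show crypto map          -> "Interfaces using crypto map CRYPTO_MAP:
!                                GigabitEthernet0/0/0"
!   show crypto ikev2 sa     -> the peer in READY state
!   show crypto ipsec sa     -> remote ident (10.20.30.0/255.255.255.0/0/0),
!                                NOT (0.0.0.0/0.0.0.0/0/0), and the
!                                pkts encaps counter increasing after pings
```

The `remote ident (0.0.0.0/0.0.0.0/0/0)` line in the thread's `show crypto ipsec sa` output is exactly what a `permit ip ... any` entry in VPN_ACL produces; the strongSwan peer will reject that proposal because its own traffic selectors (`leftsubnet`/`rightsubnet` in ipsec.conf, or `local_ts`/`remote_ts` in swanctl.conf) only describe the two LANs. Once both sides' selectors mirror each other, the IPsec SA negotiates and the encaps/decaps counters move.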