03-13-2024 03:00 AM - edited 04-09-2024 03:20 AM
03-13-2024 03:03 AM
You don't apply the crypto map under any interface!!
MHM
03-13-2024 03:11 AM - edited 04-09-2024 06:24 AM
Ok
03-13-2024 03:28 AM
Check the link above: the IKEv2 profile must be configured under the crypto map, not under the IPsec profile (the IPsec profile is used only for VTI).
MHM
03-13-2024 01:40 PM - edited 04-09-2024 06:24 AM
ok
03-13-2024 01:51 PM - last edited on 04-15-2024 11:08 PM by rupeshah
Both ACLs must change: use the remote LAN instead of ANY.
ip access-list extended VPN_ACL
10 permit ip host x.x.x.x remote-LAN
!
ip access-list extended 100
10 permit ip x.x.x.x x.x.x.x remote-LAN
clear crypto sa
clear crypto isakmp sa
And check again.
MHM
03-14-2024 01:39 AM
Thank you MHM,
That has been done, and Phase 1 has come up, but Phase 2 is down. The remote side connection is getting an error, and I am refusing the P2 proposal. How can I mitigate that per the earlier configuration I shared?
03-14-2024 07:11 AM
Did you clear crypto after changing the ACL?
MHM
03-14-2024 07:24 AM
03-14-2024 07:27 AM
Can I see:
show crypto ipsec sa <<- after pinging a few times
03-14-2024 07:47 AM - edited 04-09-2024 03:21 AM
removed
03-14-2024 08:00 AM - last edited on 04-15-2024 11:03 PM by rupeshah
This ACL is for traffic:
ip access-list extended VPN_ACL
10 permit ip host x.x.x.x remote-LAN
This is from the IPsec SA:
local ident (addr/mask/prot/port): (x.x.x.x/x.x.x.x/0/0)
remote ident (addr/mask/prot/port): (x.x.x.x/x.x.x.x/0/0)
These two lines must list the subnets shown in the ACL above, but they do not.
Can you make sure whether the other side uses a crypto map or a VTI (tunnel)?
03-14-2024 09:25 AM
By the look of this, the other side is using a strongSwan software firewall.
03-17-2024 11:22 PM
Sorry, I don't get your reply. Can you elaborate more?
Thanks
MHM
03-13-2024 10:28 PM - last edited on 04-15-2024 11:08 PM by rupeshah
Your configuration is right, but in your configuration you have provided/configured the LOCAL-ACL 192.168.70.2 and you did not mention what your Remote-LAN-Network is. Instead you have put in ANY.
SERVICE-RT#show crypto ipsec sa
interface: GigabitEthernet0/0/0
Crypto map tag: CRYPTO_MAP, local addr x.x.x.x
protected vrf: (none)
local ident (addr/mask/prot/port): (x.x.x.x/x.x.x.x/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer x.x.x.x port 500
You need to define the VPN_ACL in this order to make this work:
ip access-list extended VPN_ACL
5 permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x
!
Side note: do not share your public IP addresses, either source or destination, and also do not share any sensitive information; you can sanitize it before posting.
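As an added check (not code from the thread or from Cisco), here is a small Python script that parses the VPN_ACL entries and the local/remote ident lines of `show crypto ipsec sa` and reports the two problems described above: selectors that match no ACL entry, and a remote ident of 0.0.0.0/0 caused by `any`. The addresses in the sample strings are constructed, since the thread masks its own as x.x.x.x.

```python
import ipaddress
import re

# Constructed sample input; the thread's real addresses are masked as x.x.x.x.
ACL_WEAK = "ip access-list extended VPN_ACL\n 10 permit ip host 192.168.70.2 any\n"
SA_WEAK = (" local  ident (addr/mask/prot/port): (192.168.70.2/255.255.255.255/0/0)\n"
           " remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)\n")
ACL_FIXED = "ip access-list extended VPN_ACL\n 10 permit ip host 192.168.70.2 10.20.30.0 0.0.0.255\n"
SA_FIXED = (" local  ident (addr/mask/prot/port): (192.168.70.2/255.255.255.255/0/0)\n"
            " remote ident (addr/mask/prot/port): (10.20.30.0/255.255.255.0/0/0)\n")

IDENT_RE = re.compile(r"(local|remote)\s+ident\s*\(addr/mask/prot/port\):\s*\(([\d.]+)/([\d.]+)/")

def acl_operand(tokens):
    """Consume one extended-ACL address operand (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.ip_address(tokens[1]))          # invert the wildcard to get a netmask
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[0], netmask), strict=False), tokens[2:]

def parse_acl(text):
    """Return [(local_net, remote_net), ...] for every 'permit ip' entry of the ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]                                # drop the sequence number
        if tokens[:2] == ["permit", "ip"]:
            local, rest = acl_operand(tokens[2:])
            remote, _ = acl_operand(rest)
            entries.append((local, remote))
    return entries

def parse_idents(text):
    """Return {'local': net, 'remote': net} from the ident lines of 'show crypto ipsec sa'."""
    return {side: ipaddress.ip_network((addr, mask), strict=False)
            for side, addr, mask in IDENT_RE.findall(text)}

def check_sa(acl_text, sa_text):
    """Return findings; an empty list means the SA selectors match an ACL entry and are not 'any'."""
    idents = parse_idents(sa_text)
    findings = []
    if (idents["local"], idents["remote"]) not in parse_acl(acl_text):
        findings.append("SA selectors do not match any VPN_ACL entry")
    if idents["remote"].prefixlen == 0:
        findings.append("remote ident is 0.0.0.0/0: ACL uses 'any' instead of the remote LAN")
    return findings
```

`check_sa(ACL_WEAK, SA_WEAK)` reports the `any` problem from this thread, while `check_sa(ACL_FIXED, SA_FIXED)` returns an empty list once the remote LAN is specified.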