7927 Views, 5 Helpful, 1 Reply

IKEv2 Site to Site between ASA5515 and 3925 Router. Need help!

cradivonyk
Level 1

I spent quite some time last night trying to figure out how to configure a site-to-site tunnel using IKEv2 between our offices using an ASA 5515-X and a Cisco 3925 router running IOS 15.2.

Connecting ASA to ASA and ASA to router via IKEv1 works fine. I want to take advantage of the improvements in IKEv2, but I'm having difficulty with the IKEv2 setup on the router. Here is the pertinent ASA-side config:

ASA IP: 5.5.5.5
Router IP: 10.10.10.10

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.10.10.10
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

group-policy GroupPolicy_10.10.10.10 internal
group-policy GroupPolicy_10.10.10.10 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 general-attributes
 default-group-policy GroupPolicy_10.10.10.10
tunnel-group 10.10.10.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key mykey1
 ikev2 local-authentication pre-shared-key mykey1

access-list outside_cryptomap extended permit ip object NET_192.168.1.0_24 object NET_192.168.5.0_24
nat (inside,outside) source static NET_192.168.1.0_24 NET_192.168.1.0_24 destination static object NET_192.168.5.0_24 NET_192.168.5.0_24 no-proxy-arp route-lookup

Now, as for the router side, I tried my best and this is what I ended up with. The ASA logging just showed tunnel failure.

crypto ikev2 proposal MyProposal
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 keyring key1
 peer Office1
  address 5.5.5.5
  identity address 5.5.5.5
  pre-shared-key local mykey1
  pre-shared-key remote mykey1

crypto ikev2 profile Office1
 match address local 10.10.10.10
 match identity remote address 5.5.5.5
 identity local address 10.10.10.10
 authentication remote pre-share
 authentication local pre-share
 keyring local key1

crypto map CMAP1 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set AES256 AES192 AES128
 set ikev2-profile Office1
 match address 160

access-list 160 remark Office1 ACL for Site2Site
access-list 160 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

I am sure there is a simple oversight here on my part (or a lack of understanding of IKEv2 for routers), but please help!

1 Reply

jorgeramos78
Level 1

Here is a working config between a router and an ASA that is very similar to what you posted; I'm only including the relevant configs to avoid confusion. I hope it helps.

Router configuration:

hostname RTR1
!
crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
!
crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL
!
crypto ikev2 keyring VPN-KEYS
 peer ASA1
  address 10.0.0.2
  pre-shared-key local MyKey1
  pre-shared-key remote MyKey1
!
crypto ikev2 profile ASA1
 match identity remote address 10.0.0.2 255.255.255.255
 identity local address 10.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYS
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map RTR1-ASA1 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA1
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 speed auto
 duplex auto
 crypto map RTR1-ASA1
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 speed auto
 duplex auto
!
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!

ASA configuration:

hostname ASA1
!
interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
route OUTSIDE 192.168.5.0 255.255.255.0 10.0.0.1 1
crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1
crypto map ASA1-RTR1 10 match address VPN-TRAFFIC
crypto map ASA1-RTR1 10 set peer 10.0.0.1
crypto map ASA1-RTR1 10 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL
crypto map ASA1-RTR1 interface OUTSIDE
crypto ikev2 policy 10
 encryption aes-256 aes-192 aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key MyKey1
 ikev2 local-authentication pre-shared-key MyKey1
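The difference between the question's router config and the working one above comes down to a few lines that are easy to check offline before touching either box. The following Python lint is an added example and not code from the thread or from Cisco: it parses the `crypto ikev2` blocks of both sides, maps the two platforms' algorithm names onto one vocabulary (ASA `aes`/`sha` versus IOS `aes-cbc-128`/`sha1`), and reports the IKE SA triples the peers have in common plus the gaps that the reply's config fills in: a router proposal that no `crypto ikev2 policy` attaches (IOS only offers a user-defined proposal once a policy references it), a transform-set that a crypto map names but nothing defines, a missing `crypto ikev2 enable` on the ASA, and pre-shared keys that do not cross-match (ASA `local` must equal the router's `remote` and vice versa). The sample configs inside it are constructed by trimming the question's ASA and router snippets; `crypto ikev2 enable outside` is added to the ASA sample because the question does not show it, and the policy name `MyPolicy` and the `AES256` transform-set definition in the fixed router are assumptions for illustration. PRF and lifetimes are not compared.

```python
"""Offline cross-check of the IKEv2 settings an ASA and an IOS router will offer each other.
Added example, not code from the thread; the samples below are trimmed from the question's configs."""
import itertools
import re

# One vocabulary for both platforms: the ASA writes `aes`/`sha`, IOS writes `aes-cbc-128`/`sha1`.
ENC = {"aes": "aes-128", "aes-cbc-128": "aes-128", "aes-cbc-192": "aes-192", "aes-cbc-256": "aes-256"}
INTEG = {"sha": "sha1", "sha-1": "sha1"}

def parse_blocks(text):
    """Split a Cisco-style config into [(top-level command, [indented subcommands])], dropping `!` and blank lines."""
    blocks = []
    for line in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("!")):
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def suites(subcmds):
    """Expand one policy/proposal block into every (encryption, integrity, DH group) triple it offers."""
    # PRF is not compared: IOS defaults it to the integrity algorithm, and the question's ASA uses `prf sha` = sha1.
    algs = {"encryption": [], "integrity": [], "group": []}
    for cmd in subcmds:
        word, *args = cmd.split()
        if word in algs:
            algs[word] += args
    return set(itertools.product([ENC.get(a, a) for a in algs["encryption"]],
                                 [INTEG.get(a, a) for a in algs["integrity"]], algs["group"]))

def asa_ike_suites(blocks):
    """The ASA offers every `crypto ikev2 policy <n>` directly."""
    return set().union(*(suites(sub) for head, sub in blocks if head.startswith("crypto ikev2 policy ")))

def ios_ike_suites(blocks):
    """IOS offers a user-defined proposal only once a `crypto ikev2 policy` attaches it; returns (suites, unattached)."""
    proposals = {head.split()[3]: suites(sub) for head, sub in blocks if head.startswith("crypto ikev2 proposal ")}
    attached = {name for head, sub in blocks if head.startswith("crypto ikev2 policy ")
                for cmd in sub if cmd.startswith("proposal ") for name in cmd.split()[1:]}
    return set().union(*(proposals[n] for n in attached if n in proposals)), sorted(set(proposals) - attached)

def psks(text, pattern):
    """(local, remote) pre-shared keys; pattern's groups are the local/remote word and the key."""
    keys = dict(m.groups() for m in re.finditer(pattern, text))
    return keys.get("local"), keys.get("remote")

def undefined_transform_sets(blocks):
    """Transform-sets an IOS crypto map names but no `crypto ipsec transform-set` line defines."""
    defined = {head.split()[3] for head, _ in blocks if head.startswith("crypto ipsec transform-set ")}
    named = {n for head, sub in blocks if head.startswith("crypto map ")
             for cmd in sub if cmd.startswith("set transform-set ") for n in cmd.split()[2:]}
    return sorted(named - defined)

def lint(asa_text, ios_text):
    """Findings that keep the tunnel down; an empty list means the pair looks negotiable."""
    asa, ios = parse_blocks(asa_text), parse_blocks(ios_text)
    offered, unattached = ios_ike_suites(ios)
    findings = [f"router: proposal {n} is attached to no crypto ikev2 policy, so it is never offered" for n in unattached]
    if not asa_ike_suites(asa) & offered:
        findings.append("no IKE SA suite (encryption, integrity, DH group) is common to both sides")
    findings += [f"router: crypto map names undefined transform-set {n}" for n in undefined_transform_sets(ios)]
    if not any(head.startswith("crypto ikev2 enable ") for head, _ in asa):
        findings.append("asa: no `crypto ikev2 enable <interface>` line")
    asa_keys = psks(asa_text, r"ikev2 (local|remote)-authentication pre-shared-key (\S+)")
    ios_keys = psks(ios_text, r"pre-shared-key (local|remote) (\S+)")
    if asa_keys != ios_keys[::-1]:  # ASA local must equal router remote and vice versa
        findings.append("pre-shared keys do not cross-match between the two sides")
    return findings

# Constructed samples trimmed from the question; `crypto ikev2 enable outside` is added here (the question omits it).
ASA = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
crypto ikev2 enable outside
tunnel-group 10.10.10.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key mykey1
 ikev2 local-authentication pre-shared-key mykey1
"""
ROUTER_AS_POSTED = """\
crypto ikev2 proposal MyProposal
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
crypto ikev2 keyring key1
 peer Office1
  pre-shared-key local mykey1
  pre-shared-key remote mykey1
crypto map CMAP1 1 ipsec-isakmp
 set transform-set AES256
"""
# The same router plus the two pieces the posted snippet lacks (policy name and transform-set are assumed).
ROUTER_FIXED = ROUTER_AS_POSTED + """\
crypto ikev2 policy MyPolicy
 proposal MyProposal
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
"""
```

Running `lint(ASA, ROUTER_AS_POSTED)` yields three findings (the unattached `MyProposal`, hence no common IKE SA suite, and the undefined transform-set), while `lint(ASA, ROUTER_FIXED)` returns an empty list and the two sides share the `("aes-256", "sha1", "2")` triple. One caveat on reading the first finding: a real router with no user-defined `crypto ikev2 policy` at all falls back to its default policy and default proposal, so "never offered" means the router is negotiating with its defaults rather than with `MyProposal`, not that it sends nothing. The lint also only sees what you paste into it; run it against `show running-config` output from both devices rather than a hand-trimmed excerpt, since a line such as `crypto ikev2 enable outside` may simply have been left out of the post.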