11-15-2012 08:35 AM
Spent quite some time last night trying to figure out how to configure a site-to-site tunnel using IKEv2 between our offices using an ASA 5515-X and a Cisco 3925 router running IOS 15.2.
Connecting ASA to ASA and ASA to router via IKEv1 works fine. Want to take advantage of the improvements in IKEv2, but I'm having difficulty with the IKEv2 setup on the router. Here is the pertinent ASA-side config:
ASA IP: 5.5.5.5
Router IP: 10.10.10.10
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.10.10.10
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
group-policy GroupPolicy_10.10.10.10 internal
group-policy GroupPolicy_10.10.10.10 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 general-attributes
 default-group-policy GroupPolicy_10.10.10.10
tunnel-group 10.10.10.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key mykey1
 ikev2 local-authentication pre-shared-key mykey1
access-list outside_cryptomap extended permit ip object NET_192.168.1.0_24 object NET_192.168.5.0_24
nat (inside,outside) source static NET_192.168.1.0_24 NET_192.168.1.0_24 destination static object NET_192.168.5.0_24 NET_192.168.5.0_24 no-proxy-arp route-lookup
Now, as for the router side, I tried my best and this is what I ended up with. The ASA logging just showed tunnel failure.
crypto ikev2 proposal MyProposal
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
crypto ikev2 keyring key1
 peer Office1
  address 5.5.5.5
  identity address 5.5.5.5
  pre-shared-key local mykey1
  pre-shared-key remote mykey1
crypto ikev2 profile Office1
 match address local 10.10.10.10
 match identity remote address 5.5.5.5
 identity local address 10.10.10.10
 authentication remote pre-share
 authentication local pre-share
 keyring local key1
crypto map CMAP1 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set AES256 AES192 AES128
 set ikev2-profile Office1
 match address 160
access-list 160 remark Office1 ACL for Site2Site
access-list 160 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
I am sure there is a simple oversight here on my part (or a lack of understanding of ikev2 for routers), but please help!
03-10-2013 09:33 AM
Here is a working config between a router and an ASA that is very similar to what you posted; I'm only including the relevant configs to avoid confusion. I hope it helps.
Router configuration:
hostname RTR1
!
crypto ikev2 proposal AES256-192-128-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
!
crypto ikev2 policy IKEv2-Policy
 proposal AES256-192-128-PROPOSAL
!
crypto ikev2 keyring VPN-KEYS
 peer ASA1
  address 10.0.0.2
  pre-shared-key local MyKey1
  pre-shared-key remote MyKey1
!
crypto ikev2 profile ASA1
 match identity remote address 10.0.0.2 255.255.255.255
 identity local address 10.0.0.1
 authentication remote pre-share
 authentication local pre-share
 keyring local VPN-KEYS
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map RTR1-ASA1 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set ESP-AES256-SHA
 set ikev2-profile ASA1
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.252
 speed auto
 duplex auto
 crypto map RTR1-ASA1
!
interface FastEthernet0/1
 ip address 192.168.5.1 255.255.255.0
 speed auto
 duplex auto
!
ip route 192.168.1.0 255.255.255.0 10.0.0.2
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
!
ASA configuration:
hostname ASA1
!
interface GigabitEthernet0
 nameif OUTSIDE
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list VPN-TRAFFIC extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
route OUTSIDE 192.168.5.0 255.255.255.0 10.0.0.1 1
crypto ipsec ikev2 ipsec-proposal AES256-192-128-PROPOSAL
 protocol esp encryption aes-256 aes-192 aes
 protocol esp integrity sha-1
crypto map ASA1-RTR1 10 match address VPN-TRAFFIC
crypto map ASA1-RTR1 10 set peer 10.0.0.1
crypto map ASA1-RTR1 10 set ikev2 ipsec-proposal AES256-192-128-PROPOSAL
crypto map ASA1-RTR1 interface OUTSIDE
crypto ikev2 policy 10
 encryption aes-256 aes-192 aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key MyKey1
 ikev2 local-authentication pre-shared-key MyKey1
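The working reply differs from the question's fragments in a few easily missed lines: an IOS `crypto ikev2 policy` that references the custom proposal, defined transform-sets, the crypto map bound to an interface, and `crypto ikev2 enable OUTSIDE` on the ASA. The linter below, added here as an example and not code from either poster or from Cisco, checks pasted config fragments for exactly those omissions; the sample configs are constructed to mirror the question's fragments and all function names are my own.

```python
# Checks for the IKEv2 pitfalls seen in this thread; the samples at the bottom
# are constructed to mirror the question's router and ASA fragments.
def parse_blocks(config):
    """Return [(top-level line, [sub-commands])]; sub-commands are indented."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(line)
        else:
            blocks.append((line, []))
    return blocks

def lint_ios(config):
    """IOS side: proposal no policy uses, undefined transform-set, unbound crypto map."""
    blocks = parse_blocks(config)
    props = {t.split()[3] for t, _ in blocks if t.startswith("crypto ikev2 proposal ")}
    used = {s.split()[1] for t, subs in blocks if t.startswith("crypto ikev2 policy ")
            for s in subs if s.startswith("proposal ")}
    out = [f"proposal {p} is not referenced by any crypto ikev2 policy" for p in sorted(props - used)]
    tsets = {t.split()[3] for t, _ in blocks if t.startswith("crypto ipsec transform-set ")}
    cmaps = {t.split()[2] for t, _ in blocks if t.startswith("crypto map ") and "ipsec-isakmp" in t}
    for t, subs in blocks:
        if t.startswith("crypto map ") and "ipsec-isakmp" in t:
            for s in subs:
                if s.startswith("set transform-set "):
                    out += [f"crypto map {t.split()[2]} uses undefined transform-set {x}"
                            for x in s.split()[2:] if x not in tsets]
    bound = {s.split()[2] for t, subs in blocks if t.startswith("interface ")
             for s in subs if s.startswith("crypto map ")}
    return out + [f"crypto map {m} is not applied to any interface" for m in sorted(cmaps - bound)]

def lint_asa(config):
    """ASA side: a crypto map selecting an ikev2 proposal needs 'crypto ikev2 enable <if>'."""
    blocks = parse_blocks(config)
    uses = any("set ikev2 ipsec-proposal" in t for t, _ in blocks)
    enabled = any(t.startswith("crypto ikev2 enable ") for t, _ in blocks)
    return [] if enabled or not uses else ["crypto map uses ikev2 but 'crypto ikev2 enable <if>' is missing"]

BROKEN_RTR = """crypto ikev2 proposal MyProposal
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
crypto map CMAP1 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set AES256
"""
BROKEN_ASA = "crypto map outside_map 1 set ikev2 ipsec-proposal AES256\ncrypto map outside_map interface outside\n"
```

Paste a `show running-config` fragment into `lint_ios` or `lint_asa`; an empty list means none of the thread's omissions were found in that fragment.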