
IKEv2 Site to Site between ASA5515 and 3925 Router. Need help!

cradivonyk
Beginner

Spent quite some time last night trying to figure out how to configure a site to site tunnel using IKEv2 between our offices using an ASA 5515-X and a Cisco 3925 router running IOS 15.2.

Connecting ASA to ASA and ASA to Router via IKEv1 works fine. Want to take advantage of the improvements in IKEv2 but I'm having difficulty with the ikev2 setup on the router. Here is the pertinent ASA side config--

ASA IP: 5.5.5.5
Router IP: 10.10.10.10

crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1

crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.10.10.10
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map interface outside

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

group-policy GroupPolicy_10.10.10.10 internal
group-policy GroupPolicy_10.10.10.10 attributes
 vpn-tunnel-protocol ikev2

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 general-attributes
 default-group-policy GroupPolicy_10.10.10.10
tunnel-group 10.10.10.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key mykey1
 ikev2 local-authentication pre-shared-key mykey1

access-list outside_cryptomap extended permit ip object NET_192.168.1.0_24 object NET_192.168.5.0_24
nat (inside,outside) source static NET_192.168.1.0_24 NET_192.168.1.0_24 destination static object NET_192.168.5.0_24 NET_192.168.5.0_24 no-proxy-arp route-lookup

Now, as for the router side, I tried my best and this is what I ended up with. The ASA logging just showed tunnel failure.

crypto ikev2 proposal MyProposal
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2

crypto ikev2 keyring key1
 peer Office1
  address 5.5.5.5
  identity address 5.5.5.5
  pre-shared-key local mykey1
  pre-shared-key remote mykey1

crypto ikev2 profile Office1
 match address local 10.10.10.10
 match identity remote address 5.5.5.5
 identity local address 10.10.10.10
 authentication remote pre-share
 authentication local pre-share
 keyring local key1

crypto map CMAP1 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set AES256 AES192 AES128
 set ikev2-profile Office1
 match address 160

access-list 160 remark Office1 ACL for Site2Site
access-list 160 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

I am sure there is a simple oversight here on my part (or a lack of understanding of ikev2 for routers), but please help!

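As an added example (not from the original post or any reply), these are the router-side pieces that the posted IOS configuration references but does not show, and which must exist before the ASA's policies and ipsec-proposals above can be matched: an IKEv2 policy that binds MyProposal (a proposal is only negotiated when a crypto ikev2 policy references it; otherwise the router falls back to its default policy), the transform sets named in crypto map CMAP1, and the crypto map applied to the WAN interface. The interface name and the /32 mask on the identity match are assumptions.

```cisco
! Bind the posted proposal to a policy; without this it is never offered
crypto ikev2 policy MyPolicy
 match address local 10.10.10.10
 proposal MyProposal

! Transform sets named in "set transform-set AES256 AES192 AES128".
! They mirror the ASA ipsec-proposals: AES-CBC with SHA-1 integrity.
crypto ipsec transform-set AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set AES192 esp-aes 192 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set AES128 esp-aes esp-sha-hmac
 mode tunnel

! Profile as posted, with the remote identity pinned to the single peer
crypto ikev2 profile Office1
 match identity remote address 5.5.5.5 255.255.255.255
 identity local address 10.10.10.10
 authentication remote pre-share
 authentication local pre-share
 keyring local key1

! The crypto map does nothing until it is applied to the outside interface
! (interface name is an assumption)
interface GigabitEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 crypto map CMAP1
```

After applying this, `show crypto ikev2 sa` and `show crypto ipsec sa` on the router show whether the IKE SA and the child SAs come up, and `show crypto ikev2 sa` on the ASA should list 10.10.10.10 as the remote peer.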