Spent quite some time last night trying to figure out how to configure a site-to-site tunnel using IKEv2 between our offices, using an ASA 5515-X and a Cisco 3925 router running IOS 15.2.
Connecting ASA to ASA and ASA to router via IKEv1 works fine. I want to take advantage of the improvements in IKEv2, but I'm having difficulty with the IKEv2 setup on the router. Here is the pertinent ASA-side config:
ASA IP: 5.5.5.5
Router IP: 10.10.10.10
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 10.10.10.10
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
group-policy GroupPolicy_10.10.10.10 internal
group-policy GroupPolicy_10.10.10.10 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 general-attributes
 default-group-policy GroupPolicy_10.10.10.10
tunnel-group 10.10.10.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key mykey1
 ikev2 local-authentication pre-shared-key mykey1
access-list outside_cryptomap extended permit ip object NET_192.168.1.0_24 object NET_192.168.5.0_24
nat (inside,outside) source static NET_192.168.1.0_24 NET_192.168.1.0_24 destination static object NET_192.168.5.0_24 NET_192.168.5.0_24 no-proxy-arp route-lookup
Now, as for the router side, I tried my best and this is what I ended up with. The ASA logging just showed tunnel failure.
crypto ikev2 proposal MyProposal
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha1
 group 2
crypto ikev2 keyring key1
 peer Office1
  address 5.5.5.5
  identity address 5.5.5.5
  pre-shared-key local mykey1
  pre-shared-key remote mykey1
crypto ikev2 profile Office1
 match address local 10.10.10.10
 match identity remote address 5.5.5.5
 identity local address 10.10.10.10
 authentication remote pre-share
 authentication local pre-share
 keyring local key1
crypto map CMAP1 1 ipsec-isakmp
 set peer 5.5.5.5
 set transform-set AES256 AES192 AES128
 set ikev2-profile Office1
 match address 160
access-list 160 remark Office1 ACL for Site2Site
access-list 160 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
I am sure there is a simple oversight here on my part (or a lack of understanding of ikev2 for routers), but please help!
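As an added example (not code from the post), here is a small Python cross-check of the two sides for the mismatches that typically leave the ASA log showing only a generic tunnel failure: PSK symmetry, transform sets the router crypto map references but never defines, a custom IKEv2 proposal not attached to any crypto ikev2 policy, and crypto ACLs that are not mirror images. It runs over constructed, abridged copies of the configs above; the transform-set and policy findings it reports for the router side may simply reflect lines left out of the post rather than the live config.

```python
import ipaddress, re
# Constructed, abridged copies of the two configs in the post (not full device output).
ASA = """\
 ikev2 remote-authentication pre-shared-key mykey1
 ikev2 local-authentication pre-shared-key mykey1
access-list outside_cryptomap extended permit ip object NET_192.168.1.0_24 object NET_192.168.5.0_24
"""
IOS = """\
crypto ikev2 proposal MyProposal
crypto ikev2 keyring key1
 peer Office1
  pre-shared-key local mykey1
  pre-shared-key remote mykey1
crypto map CMAP1 1 ipsec-isakmp
 set transform-set AES256 AES192 AES128
access-list 160 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def asa_net(obj):
    # NET_192.168.1.0_24 -> 192.168.1.0/24, following the object naming used in the post
    _, addr, plen = obj.split("_")
    return ipaddress.ip_network(f"{addr}/{plen}")

def ios_net(addr, wildcard):
    # 192.168.5.0 0.0.0.255 -> 192.168.5.0/24 (ipaddress accepts a hostmask as the suffix)
    return ipaddress.ip_network(f"{addr}/{wildcard}")

def check_pair(asa, ios):
    findings = []
    # 1. PSKs must cross-match: ASA local key == router remote key, and vice versa.
    a = dict(re.findall(r"ikev2 (local|remote)-authentication pre-shared-key (\S+)", asa))
    i = dict(re.findall(r"pre-shared-key (local|remote) (\S+)", ios))
    if a.get("local") != i.get("remote") or a.get("remote") != i.get("local"):
        findings.append("pre-shared keys do not cross-match")
    # 2. Every transform set the router crypto map references must be defined.
    defined = set(re.findall(r"^crypto ipsec transform-set (\S+)", ios, re.M))
    for line in re.findall(r"set transform-set (.+)", ios):
        findings += [f"undefined transform-set {t}" for t in line.split() if t not in defined]
    # 3. A custom IKEv2 proposal is only offered once a crypto ikev2 policy lists it.
    attached = set(re.findall(r"^\s+proposal (\S+)", ios, re.M))
    for p in re.findall(r"^crypto ikev2 proposal (\S+)", ios, re.M):
        if p not in attached:
            findings.append(f"ikev2 proposal {p} not attached to any crypto ikev2 policy")
    # 4. The crypto ACLs must be mirror images of each other.
    asrc, adst = map(asa_net, re.search(r"permit ip object (\S+) object (\S+)", asa).groups())
    isrc, iw, idst, dw = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", ios).groups()
    if (asrc, adst) != (ios_net(idst, dw), ios_net(isrc, iw)):
        findings.append("crypto ACLs are not mirrored")
    return findings
```

Against the configs as posted, `check_pair(ASA, IOS)` reports the three undefined transform sets and the unattached proposal while the PSKs and ACLs check out.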