IKEv2 tunnel - Need help with configuration

ipo.peniel
Level 1

Hi Folks,

I need urgent help. I am trying to configure an IKEv2 tunnel between two Cisco routers. However, the problem is that my router is behind a firewall and is not able to properly route traffic to the other router. However, when I connect straight to the ISP end, the IKEv2 tunnel works. I am not sure where I am wrong.

28 Replies

ipo.peniel
Level 1

Hi All, I have tried everything possible, but due to time constraints I could not configure it further from behind the firewall, hence I applied for a public IP and connected it straight to the Cisco C1121 router (my router is a C1121). I am now faced with another challenge. Now the tunnel is up; however, I cannot pass traffic. Please help. Find the configs below:

crypto ikev2 proposal ikev2-proposal1
encryption aes-cbc-128 aes-cbc-256
integrity sha256 sha384 sha512
group 14 19 20 21 24
!
crypto ikev2 policy ikev2-policy1
proposal ikev2-proposal1
!
crypto ikev2 keyring KR
peer Test
address 202.165.*.*
pre-shared-key *****
!
!
!
crypto ikev2 profile Profile_POM
match identity remote fqdn 202.165.*.*
match identity remote address 202.165.*.* 255.255.255.252
authentication remote pre-share
authentication local pre-share
keyring local KR
dpd 10 2 on-demand

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
crypto ipsec security-association idle-time 60
!
crypto ipsec transform-set aes-256-sha-512 esp-aes 256 esp-sha512-hmac
mode tunnel
!
!
!
crypto map crymap 3420 ipsec-isakmp
description VPN to POM
set peer 202.165.*.*
set transform-set aes-256-sha-512
set pfs group20
set ikev2-profile Profile_POM
match address RT

ip access-list extended RT
50 permit ip 10.27.52.0 0.0.0.255 192.168.60.0 0.0.0.255
60 permit esp any any
70 permit udp any eq isakmp any
80 permit udp any eq non500-isakmp any

int gi0/0/1

crypto map crymap

ip access-list extended RT
50 permit ip 10.27.52.0 0.0.0.255 192.168.60.0 0.0.0.255 <<- are you sure 10.27.52.0 is your local LAN??
60 permit esp any any <<- no need for this
70 permit udp any eq isakmp any <<- no need for this
80 permit udp any eq non500-isakmp any <<- no need for this

Hello Sir, I removed the lines you advised. Still the same. Yes, my local LAN is 10.27.52.0/24.

Share below 

Show crypto sa detail 

Show ikev2 sa 

Debug crypto ipsec 

MHM

Show crypto ike sa detailed
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 203.83.*.*/4500 202.*.*118/4500 none/none READY
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:21, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/123 sec
CE id: 1789, Session-id: 734
Local spi: E87E893B0C01520C Remote spi: FD7F395D654E6C0F
Status Description: Negotiation done
Local id: 203.83.*.*
Remote id: 202.165.*.*
Local req msg id: 0 Remote req msg id: 3
Local next msg id: 0 Remote next msg id: 3
Local req queued: 0 Remote req queued: 3
Local window: 5 Remote window: 1
DPD configured for 10 seconds, retry 2
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : No
PEER TYPE: Other

IPv6 Crypto IKEv2 SA

debug output

*Jul 2 00:40:56.305: IPSEC:(SESSION ID = 912) (delete_sa) deleting SA,
(sa) sa_dest= 203.83.*.*, sa_proto= 50,
sa_spi= 0xC497F339(3298292537),
sa_trans= esp-aes 256 esp-sha512-hmac , sa_conn_id= 3469
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 203.83.*.*:0, remote= 202.165.*.*:0,
local_proxy= 10.27.52.0/255.255.255.0/256/0,
remote_proxy= 192.168.60.0/255.255.255.0/256/0
*Jul 2 00:40:56.305: IPSEC:(SESSION ID = 912) (delete_sa) SA found saving DEL kmi
*Jul 2 00:40:56.306: IPSEC:(SESSION ID = 912) (delete_sa) deleting SA,
(sa) sa_dest= 202.165.*.*, sa_proto= 50,
sa_spi= 0xDF249438(3743716408),
sa_trans= esp-aes 256 esp-sha512-hmac , sa_conn_id= 3470
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 203.83.*.*:0, remote= 202.165.*.*:0,
local_proxy= 10.27.52.0/255.255.255.0/256/0,
remote_proxy= 192.168.60.0/255.255.255.0/256/0
*Jul 2 00:40:56.306: ipsec_out_sa_hash_idx: sa=0xFFFF61221508, hash_idx=950, port=500/500, addr=0xCB531336/0xCAA5CD76
*Jul 2 00:40:56.308: IPSEC:(SESSION ID = 912) (ident_update_final_flow_stats) Collect Final Stats and update MIB
IPSEC get IKMP peer index from peer 0xFFFF6121D018 ikmp handle 0x0
[ident_update_final_flow_stats] : Flow delete complete event received for flow id 0x240005BD,peer index 0

*Jul 2 00:40:56.309: IKEv2:(SESSION ID = 912,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xC497F339]
*Jul 2 00:40:56.309: IKEv2:(SESSION ID = 912,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Jul 2 00:40:56.309: IKEv2:(SESSION ID = 912,SA ID = 1):Checking if request will fit in peer window

*Jul 2 00:40:56.310: IKEv2:(SESSION ID = 912,SA ID = 1):Sending Packet [To 202.165.*.*:500/From 203.83.*.*:500/VRF i0:f0]
Initiator SPI : 0F2A7B39EB42FB3F - Responder SPI : 5CCEE2E3FE7F0628 Message id: 0
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*Jul 2 00:40:56.311: IKEv2:(SESSION ID = 912,SA ID = 1):Check for existing IPSEC SA
*Jul 2 00:40:56.311: IKEv2:(SESSION ID = 912,SA ID = 1):Delete all IKE SAs
*Jul 2 00:40:56.311: IKEv2:(SESSION ID = 912,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x0F2A7B39EB42FB3F RSPI: 0x5CCEE2E3FE7F0628]
*Jul 2 00:40:56.311: IKEv2:(SESSION ID = 912,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
*Jul 2 00:40:56.311: IKEv2:(SESSION ID = 912,SA ID = 1):Checking if request will fit in peer window
*Jul 2 00:40:56.311: IKEv2:(SESSION ID = 912,SA ID = 1):Check for existing active SA
*Jul 2 00:40:56.311: IKEv2:(SESSION ID = 912,SA ID = 1):Delete all IKE SAs
*Jul 2 00:40:56.312: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 2 00:40:56.312: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6338
*Jul 2 00:40:56.312: IPSEC:(SESSION ID = 912) (key_engine_delete_sas) rec'd delete notify from ISAKMP
*Jul 2 00:40:56.312: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 2 00:40:56.312: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6338
*Jul 2 00:40:56.312: IPSEC:(SESSION ID = 912) (key_engine_delete_sas) rec'd delete notify from ISAKMP

*Jul 2 00:40:56.417: IKEv2:(SESSION ID = 912,SA ID = 1):Received Packet [From 202.165.*.*:500/To 203.83.*.*:500/VRF i0:f0]
Initiator SPI : 0F2A7B39EB42FB3F - Responder SPI : 5CCEE2E3FE7F0628 Message id: 0
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

*Jul 2 00:40:56.417: IKEv2:(SESSION ID = 912,SA ID = 1):parsing ENCR payload
*Jul 2 00:40:56.417: IKEv2:(SESSION ID = 912,SA ID = 1):parsing DELETE payload DELETE

*Jul 2 00:40:56.417: IKEv2:(SESSION ID = 912,SA ID = 1):Processing ACK to informational exchange
*Jul 2 00:40:56.417: IKEv2:(SESSION ID = 912,SA ID = 1):Check for existing IPSEC SA
*Jul 2 00:40:56.418: IKEv2:(SESSION ID = 912,SA ID = 1):Delete all IKE SAs

*Jul 2 00:40:56.418: IKEv2:(SESSION ID = 912,SA ID = 1):Sending Packet [To 202.165.*.*:500/From 203.83.*.*:500/VRF i0:f0]
Initiator SPI : 0F2A7B39EB42FB3F - Responder SPI : 5CCEE2E3FE7F0628 Message id: 1
IKEv2 INFORMATIONAL Exchange REQUEST
Payload contents:
ENCR

*Jul 2 00:40:56.418: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 2 00:40:56.418: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6338
*Jul 2 00:40:56.418: IPSEC:(SESSION ID = 912) (key_engine_delete_sas) rec'd delete notify from ISAKMP
*Jul 2 00:40:56.419: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 2 00:40:56.419: IDB is NULL : in crypto_ipsec_key_engine_delete_sas (), 6338
*Jul 2 00:40:56.419: IPSEC:(SESSION ID = 912) (key_engine_delete_sas) rec'd delete notify from ISAKMP

*Jul 2 00:40:56.427: IKEv2:(SESSION ID = 912,SA ID = 1):Received Packet [From 202.165.*.*:500/To 203.83.*.*:500/VRF i0:f0]
Initiator SPI : 0F2A7B39EB42FB3F - Responder SPI : 5CCEE2E3FE7F0628 Message id: 2
IKEv2 CREATE_CHILD_SA Exchange REQUEST
Payload contents:

*Jul 2 00:40:56.427: IKEv2:(SESSION ID = 912,SA ID = 1):parsing ENCR payload
*Jul 2 00:40:56.427: IKEv2:(SESSION ID = 912,SA ID = 1):parsing SA payload SA
*Jul 2 00:40:56.427: IKEv2:(SESSION ID = 912,SA ID = 1):parsing N payload N
*Jul 2 00:40:56.427: IKEv2:(SESSION ID = 912,SA ID = 1):parsing KE payload KE
*Jul 2 00:40:56.427: IKEv2:(SESSION ID = 912,SA ID = 1):parsing TSi payload TSi
*Jul 2 00:40:56.427: IKEv2:(SESSION ID = 912,SA ID = 1):parsing TSr payload TSr

*Jul 2 00:40:56.428: IKEv2:(SESSION ID = 912,SA ID = 1):Received a message while waiting for a delete-ACK; dropping message
*Jul 2 00:40:56.428: IKEv2:(SESSION ID = 912,SA ID = 1):Abort exchange

*Jul 2 00:40:56.527: IKEv2:(SESSION ID = 912,SA ID = 1):Received Packet [From 202.165.*.*:500/To 203.83.*.*:500/VRF i0:f0]
Initiator SPI : 0F2A7B39EB42FB3F - Responder SPI : 5CCEE2E3FE7F0628 Message id: 1
IKEv2 INFORMATIONAL Exchange RESPONSE
Payload contents:

*Jul 2 00:40:56.527: IKEv2:(SESSION ID = 912,SA ID = 1):parsing ENCR payload

*Jul 2 00:40:56.527: IKEv2:(SESSION ID = 912,SA ID = 1):Processing ACK to informational exchange
*Jul 2 00:40:56.527: IKEv2:(SESSION ID = 912,SA ID = 1):Deleting SA
*Jul 2 00:40:56.528: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is DOWN. Peer 202.165.*.*:500 Id: 202.165.*.*

*Jul 2 00:40:57.532: IKEv2:Received Packet [From 202.165.*.*:500/To 203.83.*.*:500/VRF i0:f0]
Initiator SPI : 0B3805AF2FBAF088 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:

*Jul 2 00:40:57.532: IKEv2:parsing SA payload SA
*Jul 2 00:40:57.532: IKEv2:parsing KE payload KE
*Jul 2 00:40:57.532: IKEv2:parsing N payload N
*Jul 2 00:40:57.532: IKEv2:parsing NOTIFY payload NOTIFY(IKEV2_FRAGMENTATION_SUPPORTED)

*Jul 2 00:40:57.532: IKEv2:(SESSION ID = 913,SA ID = 1):Verify SA init message
*Jul 2 00:40:57.532: IKEv2:(SESSION ID = 913,SA ID = 1):Insert SA
*Jul 2 00:40:57.533: IKEv2:Searching Policy with fvrf 0, local address 203.83.*.*
*Jul 2 00:40:57.533: IKEv2:Found Policy 'ikev2-policy1'
*Jul 2 00:40:57.533: IKEv2:(SESSION ID = 913,SA ID = 1):Processing IKE_SA_INIT message
*Jul 2 00:40:57.533: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jul 2 00:40:57.533: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'SLA-TrustPoint' 'TP-self-signed-3611556877'
*Jul 2 00:40:57.533: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jul 2 00:40:57.533: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED
*Jul 2 00:40:57.533: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Start PKI Session
*Jul 2 00:40:57.533: IKEv2:(SA ID = 1):[PKI -> IKEv2] Starting of PKI Session PASSED
*Jul 2 00:40:57.534: IKEv2:(SESSION ID = 913,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 21
*Jul 2 00:40:57.554: IKEv2:(SESSION ID = 913,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jul 2 00:40:57.554: IKEv2:(SESSION ID = 913,SA ID = 1):Request queued for computation of DH key
*Jul 2 00:40:57.554: IKEv2:(SESSION ID = 913,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 21
*Jul 2 00:40:57.682: IKEv2:(SESSION ID = 913,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Jul 2 00:40:57.682: IKEv2:(SESSION ID = 913,SA ID = 1):Request queued for computation of DH secret
*Jul 2 00:40:57.684: IKEv2:(SESSION ID = 913,SA ID = 1):(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
*Jul 2 00:40:57.684: IKEv2:(SESSION ID = 913,SA ID = 1):(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
*Jul 2 00:40:57.684: IKEv2:IKEv2 responder - no config data to send in IKE_SA_INIT exch
*Jul 2 00:40:57.684: IKEv2:(SESSION ID = 913,SA ID = 1):Generating IKE_SA_INIT message
*Jul 2 00:40:57.684: IKEv2:(SESSION ID = 913,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 4
AES-CBC SHA256 SHA256 DH_GROUP_521_ECP/Group 21
*Jul 2 00:40:57.684: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Retrieve configured trustpoint(s)
*Jul 2 00:40:57.684: IKEv2:(SA ID = 1):[PKI -> IKEv2] Retrieved trustpoint(s): 'SLA-TrustPoint' 'TP-self-signed-3611556877'
*Jul 2 00:40:57.685: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Get Public Key Hashes of trustpoints
*Jul 2 00:40:57.685: IKEv2:(SA ID = 1):[PKI -> IKEv2] Getting of Public Key Hashes of trustpoints PASSED

*Jul 2 00:40:57.685: IKEv2:(SESSION ID = 913,SA ID = 1):Sending Packet [To 202.165.*.*:500/From 203.83.*.*:500/VRF i0:f0]
Initiator SPI : 0B3805AF2FBAF088 - Responder SPI : 1FB2D341ABB47A98 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
SA KE N VID VID VID VID CERTREQ NOTIFY(HTTP_CERT_LOOKUP_SUPPORTED)

*Jul 2 00:40:57.686: IKEv2:(SESSION ID = 913,SA ID = 1):Completed SA init exchange
*Jul 2 00:40:57.686: IKEv2:(SESSION ID = 913,SA ID = 1):Starting timer (30 sec) to wait for auth message

*Jul 2 00:40:57.797: IKEv2:(SESSION ID = 913,SA ID = 1):Received Packet [From 202.165.*.*:500/To 203.83.*.*:500/VRF i0:f0]
Initiator SPI : 0B3805AF2FBAF088 - Responder SPI : 1FB2D341ABB47A98 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:

*Jul 2 00:40:57.797: IKEv2:(SESSION ID = 913,SA ID = 1):parsing ENCR payload
*Jul 2 00:40:57.797: IKEv2:(SESSION ID = 913,SA ID = 1):parsing IDi payload IDi
*Jul 2 00:40:57.797: IKEv2:(SESSION ID = 913,SA ID = 1):parsing NOTIFY payload NOTIFY(INITIAL_CONTACT)
*Jul 2 00:40:57.797: IKEv2:(SESSION ID = 913,SA ID = 1):parsing AUTH payload AUTH
*Jul 2 00:40:57.797: IKEv2:(SESSION ID = 913,SA ID = 1):parsing NOTIFY payload NOTIFY(Unknown - 16420)
*Jul 2 00:40:57.797: IKEv2:(SESSION ID = 913,SA ID = 1):parsing SA payload SA
*Jul 2 00:40:57.798: IKEv2:(SESSION ID = 913,SA ID = 1):parsing TSi payload TSi
*Jul 2 00:40:57.798: IKEv2:(SESSION ID = 913,SA ID = 1):parsing TSr payload TSr

*Jul 2 00:40:57.798: IKEv2:(SESSION ID = 913,SA ID = 1):Stopping timer to wait for auth message
*Jul 2 00:40:57.798: IKEv2:(SESSION ID = 913,SA ID = 1):Checking NAT discovery
*Jul 2 00:40:57.798: IKEv2:(SESSION ID = 913,SA ID = 1):NAT not found
*Jul 2 00:40:57.798: IKEv2:(SESSION ID = 913,SA ID = 1):Searching policy based on peer's identity '202.165.*.*' of type 'IPv4 address'
*Jul 2 00:40:57.798: IKEv2-ERROR:% IKEv2 profile not found
*Jul 2 00:40:57.798: IKEv2:% Getting preshared key from profile keyring KeyRing_Paradise_Breweries_Ltd_Moresby_PG
*Jul 2 00:40:57.798: IKEv2:% Matched peer block 'Paradise_Breweries_Ltd_Moresby_PG'
*Jul 2 00:40:57.798: IKEv2:(SESSION ID = 913,SA ID = 1):Searching Policy with fvrf 0, local address 203.83.*.*
*Jul 2 00:40:57.798: IKEv2:(SESSION ID = 913,SA ID = 1):Found Policy 'ikev2-policy1'
*Jul 2 00:40:57.799: IKEv2:not a VPN-SIP session
*Jul 2 00:40:57.799: IKEv2:(SESSION ID = 913,SA ID = 1):Verify peer's policy
*Jul 2 00:40:57.799: IKEv2:(SESSION ID = 913,SA ID = 1):Peer's policy verified
*Jul 2 00:40:57.799: IKEv2:(SESSION ID = 913,SA ID = 1):Get peer's authentication method
*Jul 2 00:40:57.799: IKEv2:(SESSION ID = 913,SA ID = 1):Peer's authentication method is 'PSK'
*Jul 2 00:40:57.799: IKEv2:(SESSION ID = 913,SA ID = 1):Get peer's preshared key for 202.165.*.*
*Jul 2 00:40:57.799: IKEv2:(SESSION ID = 913,SA ID = 1):Verify peer's authentication data
*Jul 2 00:40:57.799: IKEv2:(SESSION ID = 913,SA ID = 1):Use preshared key for id 202.165.*.*, key len 14
*Jul 2 00:40:57.799: IKEv2:(SESSION ID = 913,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jul 2 00:40:57.799: IKEv2:(SESSION ID = 913,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jul 2 00:40:57.800: IKEv2:(SESSION ID = 913,SA ID = 1):Verification of peer's authentication data PASSED
*Jul 2 00:40:57.800: IKEv2:(SESSION ID = 913,SA ID = 1):Processing INITIAL_CONTACT
*Jul 2 00:40:57.800: IKEv2:(SESSION ID = 913,SA ID = 1):Processing IKE_AUTH message
*Jul 2 00:40:57.800: IKEv2:Requesting IPsec policy verification by ikev2 osal engine

*Jul 2 00:40:57.801: IKEv2:(SESSION ID = 913,SA ID = 1):IPSec policy validate request sent for profile Profile_Paradise_Breweries_Ltd_Moresby_PG with psh index 1.

*Jul 2 00:40:57.801: IKEv2:(SESSION ID = 913,SA ID = 1):
*Jul 2 00:40:57.801: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 2 00:40:57.801: IPSEC(validate_proposal_request): proposal part #1
*Jul 2 00:40:57.801: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 203.83.*.*:0, remote= 202.165.*.*:0,
local_proxy= 10.27.52.0/255.255.255.0/256/0,
remote_proxy= 192.168.60.0/255.255.255.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha512-hmac (Tunnel), esn= FALSE,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jul 2 00:40:57.801: Crypto mapdb : proxy_match
src addr : 10.27.52.0
dst addr : 192.168.60.0
protocol : 0
src port : 0
dst port : 0
*Jul 2 00:40:57.801: Session ID: 913 Proposal Accepted:
Map:crymap, Dualstack: N
loc: 203.83.*.*, rem: 202.165.*.*
l_proxy: 10.27.52.0/0/0//24, r_proxy: 192.168.60.0/0/0//24
*Jul 2 00:40:57.801: (ipsec_process_proposal)Map Accepted: crymap, 3420
*Jul 2 00:40:57.802: IKEv2:(SESSION ID = 913,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

*Jul 2 00:40:57.802: IKEv2:(SESSION ID = 913,SA ID = 1):PSH: 1 validate proposal callback setting vti_idb GigabitEthernet0/0/1 and ivrf in psh route_info
*Jul 2 00:40:57.802: IKEv2:(SESSION ID = 913,SA ID = 1):Get my authentication method
*Jul 2 00:40:57.802: IKEv2:(SESSION ID = 913,SA ID = 1):My authentication method is 'PSK'
*Jul 2 00:40:57.802: IKEv2:(SESSION ID = 913,SA ID = 1):Get peer's preshared key for 202.165.*.*
*Jul 2 00:40:57.802: IKEv2:(SESSION ID = 913,SA ID = 1):Generate my authentication data
*Jul 2 00:40:57.802: IKEv2:(SESSION ID = 913,SA ID = 1):Use preshared key for id 203.83.*.*, key len 14
*Jul 2 00:40:57.802: IKEv2:(SESSION ID = 913,SA ID = 1):[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Jul 2 00:40:57.803: IKEv2:(SESSION ID = 913,SA ID = 1):[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Jul 2 00:40:57.803: IKEv2:(SESSION ID = 913,SA ID = 1):Get my authentication method
*Jul 2 00:40:57.803: IKEv2:(SESSION ID = 913,SA ID = 1):My authentication method is 'PSK'
*Jul 2 00:40:57.803: IKEv2:(SESSION ID = 913,SA ID = 1):Generating IKE_AUTH message
*Jul 2 00:40:57.803: IKEv2:(SESSION ID = 913,SA ID = 1):Constructing IDr payload: '203.83.*.*' of type 'IPv4 address'
*Jul 2 00:40:57.803: IKEv2:(SESSION ID = 913,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA512 Don't use ESN
*Jul 2 00:40:57.803: IKEv2:(SESSION ID = 913,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)

*Jul 2 00:40:57.804: IKEv2:(SESSION ID = 913,SA ID = 1):Sending Packet [To 202.165.*.*:500/From 203.83.*.*:500/VRF i0:f0]
Initiator SPI : 0B3805AF2FBAF088 - Responder SPI : 1FB2D341ABB47A98 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR

*Jul 2 00:40:57.804: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
*Jul 2 00:40:57.804: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
*Jul 2 00:40:57.804: IKEv2:(SESSION ID = 913,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Jul 2 00:40:57.805: %CRYPTO-5-IKEV2_SESSION_STATUS: Crypto tunnel v2 is UP. Peer 202.165.*.*:500 Id: 202.165.*.*
*Jul 2 00:40:57.805: IKEv2:(SESSION ID = 913,SA ID = 1):Session with IKE ID PAIR (202.165.*.*, 203.83.*.*) is UP
*Jul 2 00:40:57.806: IKEv2:(SESSION ID = 913,SA ID = 1):Initializing DPD, configured for 0 seconds
*Jul 2 00:40:57.806: IKEv2:(SESSION ID = 0,SA ID = 0):IKEv2 MIB tunnel started, tunnel index 1
*Jul 2 00:40:57.807: IKEv2:(SESSION ID = 913,SA ID = 1):Load IPSEC key material
*Jul 2 00:40:57.807: IKEv2:(SESSION ID = 913,SA ID = 1):(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Jul 2 00:40:57.807: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Jul 2 00:40:57.807: Crypto mapdb : proxy_match
src addr : 10.27.52.0
dst addr : 192.168.60.0
protocol : 256
src port : 0
dst port : 0
*Jul 2 00:40:57.807: IPSEC:(SESSION ID = 913) (crypto_ipsec_create_ipsec_sas) Map found crymap, 3420
*Jul 2 00:40:57.808: IPSEC:(SESSION ID = 913) (get_old_outbound_sa_for_peer) No outbound SA found for peer FFFF6121D018
*Jul 2 00:40:57.808: IPSEC:(SESSION ID = 913) (create_sa) sa created,
(sa) sa_dest= 203.83.*.*, sa_proto= 50,
sa_spi= 0x7B9F5128(2074038568),
sa_trans= esp-aes 256 esp-sha512-hmac , sa_conn_id= 3471
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 203.83.*.*:0, remote= 202.165.*.*:0,
local_proxy= 10.27.52.0/255.255.255.0/256/0,
remote_proxy= 192.168.60.0/255.255.255.0/256/0
*Jul 2 00:40:57.808: ipsec_out_sa_hash_idx: sa=0xFFFF61221618, hash_idx=950, port=500/500, addr=0xCB531336/0xCAA5CD76
*Jul 2 00:40:57.809: crypto_ipsec_hook_out_sa: ipsec_out_sa_hash_array[950]=0xFFFF61221618
*Jul 2 00:40:57.809: IPSEC:(SESSION ID = 913) (create_sa) sa created,
(sa) sa_dest= 202.165.*.*, sa_proto= 50,
sa_spi= 0xDF24943A(3743716410),
sa_trans= esp-aes 256 esp-sha512-hmac , sa_conn_id= 3472
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 203.83.*.*:0, remote= 202.165.*.*:0,
local_proxy= 10.27.52.0/255.255.255.0/256/0,
remote_proxy= 192.168.60.0/255.255.255.0/256/0
*Jul 2 00:40:57.835: IKEv2:(SESSION ID = 913,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Jul 2 00:40:57.835: IKEv2:(SESSION ID = 913,SA ID = 1):Checking for duplicate IKEv2 SA
*Jul 2 00:40:57.836: IKEv2:(SESSION ID = 913,SA ID = 1):No duplicate IKEv2 SA found
*Jul 2 00:40:57.836: IKEv2:(SESSION ID = 913,SA ID = 1):Starting timer (8 sec) to delete negotiation context

The port is 4500, so one peer is behind NAT.

Does g0/0/1 have any NAT command?

If yes, you need to exclude IPsec traffic from NAT.

MHM

Below is the config on the router interface facing the ISP: 

interface GigabitEthernet0/0/1
description Internet
ip address 203.83.*.* 255.255.255.252
ip nat outside
negotiation auto
crypto map crymap
end


You need to exclude IPsec from NAT.

MHM

How do I do that?

I need to see how you configured NAT in the router.

MHM

I have not done much NATting on the router except the ip nat outside on the interface facing the ISP and ip nat inside on the internal LAN. Then I did the overload for LAN internet access, and also the ACL for the VPN. Find them below. That's all.

interface GigabitEthernet0/0/0
description Dataline
ip address 10.27.52.2 255.255.255.0
ip nat inside
negotiation auto
end

#sh run int gi0/0/1
Building configuration...

Current configuration : 154 bytes
!
interface GigabitEthernet0/0/1
description Internet
ip address 203.83.*.* 255.255.255.252
ip nat outside
negotiation auto
crypto map crymap
end

ip nat inside source list PBL interface GigabitEthernet0/0/1 overload

ip access-list extended RT
50 permit ip 10.27.52.0 0.0.0.255 192.168.60.0 0.0.0.255


In the PBL ACL:

Xx deny ip 10.27.52.0 0.0.0.255 192.168.60.0 0.0.0.255 <<- make sure this line is added at the top of the ACL

MHM
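Why the deny line has to sit above the permit in the NAT ACL: on IOS, for traffic going from the inside to the outside interface, the `ip nat inside source list` translation is applied before the crypto map ACL is evaluated, so a LAN packet that gets its source rewritten to the Gi0/0/1 address no longer matches the RT ACL and never enters the tunnel. The following Python simulation is added here (it is not code from the thread or from Cisco) and models that order of operations with first-match ACL semantics; the contents of the PBL ACL and the outside address are assumed, since the thread only shows the NAT statement and the masked 203.83.*.* interface IP.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # 'any' keyword: address 0.0.0.0, wildcard 255.255.255.255

def ip2int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_ace(line):
    """Parse one extended ACE: '[seq] permit|deny ip SRC WC|any DST WC|any'."""
    tok = line.split()
    if tok[0].isdigit():          # optional sequence number, as in the thread
        tok = tok[1:]
    action, proto = tok[0], tok[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError("unsupported ACE: " + line)
    i, nets = 2, []
    for _ in range(2):            # source, then destination
        if tok[i] == "any":
            nets.append(ANY)
            i += 1
        else:
            nets.append((ip2int(tok[i]), ip2int(tok[i + 1])))
            i += 2
    return action, nets[0], nets[1]

def in_range(addr, net):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wc = net
    care = 0xFFFFFFFF ^ wc
    return (ip2int(addr) & care) == (base & care)

def acl_lookup(acl, src, dst):
    """IOS first-match semantics with the implicit deny at the end."""
    for action, snet, dnet in acl:
        if in_range(src, snet) and in_range(dst, dnet):
            return action
    return "deny"

def forward(nat_acl, crypto_acl, src, dst, outside_ip):
    """Inside-to-outside path: NAT (inside source list, overload) runs first,
    then the crypto map ACL is checked. Returns the source address the crypto
    map sees and whether the packet is sent through the tunnel."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = outside_ip           # overload: rewritten to the Gi0/0/1 address
    return src, acl_lookup(crypto_acl, src, dst) == "permit"

# Constructed data: RT is the crypto ACL from the thread; the PBL entries are
# assumed (the thread never shows them); OUTSIDE_IP is a placeholder for the
# masked 203.83.*.* interface address.
OUTSIDE_IP = "203.0.113.1"
RT = [parse_ace("50 permit ip 10.27.52.0 0.0.0.255 192.168.60.0 0.0.0.255")]
EXEMPT = "deny ip 10.27.52.0 0.0.0.255 192.168.60.0 0.0.0.255"
LAN_TO_INTERNET = "permit ip 10.27.52.0 0.0.0.255 any"
PBL_BROKEN = [parse_ace(LAN_TO_INTERNET)]                       # no exemption
PBL_FIXED = [parse_ace(EXEMPT), parse_ace(LAN_TO_INTERNET)]     # deny on top
PBL_WRONG_ORDER = [parse_ace(LAN_TO_INTERNET), parse_ace(EXEMPT)]

def vpn_bound():
    """Host 10.27.52.10 talking to the remote LAN 192.168.60.0/24 under
    each PBL variant: (source seen by crypto map, encrypted?)."""
    return {name: forward(acl, RT, "10.27.52.10", "192.168.60.5", OUTSIDE_IP)
            for name, acl in (("broken", PBL_BROKEN), ("fixed", PBL_FIXED),
                              ("wrong_order", PBL_WRONG_ORDER))}
```

Only the `fixed` variant leaves the source untranslated so that RT matches; placing the deny after the permit is the same as not having it, which is why the advice is "at the top of the ACL".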

This solved the problem. Thank you so much.


You are welcome.

Have a nice day.

MHM