IPSec IKEv2 between 2 cisco routers

Juni
Level 1

Hi Everyone,
I am trying to configure IKEv2 between 2 Cisco routers but I am having some challenges. Could you guide me on the mistake in my configuration? I am posting it here:

Router 11:

R11#sh run | s crypto  
crypto ikev2 proposal PROP 
 encryption aes-cbc-128 3des des
 integrity sha256 sha1 md5
 group 15 14 5 2
crypto ikev2 policy POL 
 proposal PROP
crypto ikev2 keyring CCIE
 peer R-12
  address 2.2.2.2
  hostname r12
  identity fqdn xxx.cisco.com
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
crypto ikev2 profile PROF
 match identity remote fqdn domain xx.cisco.com
 identity local email xxx@cisco.com 
 authentication remote pre-share
 authentication local pre-share
 keyring local CCIE
crypto ipsec transform-set TS esp-aes esp-sha-hmac 
 mode tunnel
crypto map CMAP 10 ipsec-isakmp 
 set peer 2.2.2.2
 set transform-set TS 
 set ikev2-profile PROF
 match address 101
 crypto map CMAP

int fa 0/0
ip add 3.3.3.3 255.255.255.252

int lo1
ip add 10.1.1.1 255.255.255.0

Router-12:

R12#sh run | s crypto
crypto ikev2 proposal PROP 
 encryption aes-cbc-128 3des des
 integrity sha256 sha1 md5
 group 15 14 5 2
crypto ikev2 policy POL 
 proposal PROP
crypto ikev2 keyring CCIE
 peer R-11
  address 3.3.3.3
  hostname r11
  identity email xxx@cisco.com 
  pre-shared-key local cisco
  pre-shared-key remote cisco
 !
crypto ikev2 profile PROF
 match identity remote email xxx@cisco.com 
 identity local fqdn xxx.cisco.com
 authentication remote pre-share
 authentication local pre-share
 keyring local CCIE
crypto ipsec transform-set TS esp-aes esp-sha-hmac 
 mode tunnel
crypto map CMAP 10 ipsec-isakmp 
 set peer 3.3.3.3
 set transform-set TS 
 set ikev2-profile PROF
 match address 101
 crypto map CMAP

int fa 0/0
ip add 2.2.2.2 255.255.255.252

int lo1
ip add 10.2.2.2 255.255.255.0

I had debugging on R11 and here are the results:

[debug output attached as image: JunaidM_0-1689171114071.png]

2 Replies

Pavan Gundu
Cisco Employee

Try "match identity remote fqdn xx.cisco.com" instead of "match identity remote fqdn domain xx.cisco.com" on Router 11, IKEv2 profile PROF.

If you want to use fqdn with domain, then you would need to give the root domain name, which here is "cisco.com". One more way to fix your config is to change "match identity remote fqdn domain xx.cisco.com" to "match identity remote fqdn domain cisco.com".
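
The identity-matching behaviour described in this reply, modelled in Python as an added example (not code from the thread or from Cisco): it evaluates each router's "match identity remote" clause against the identity the peer is configured to send, with R11's rule as posted beside the "domain cisco.com" fix and an exact-match rule. The label-boundary domain test is an assumption that is consistent with the reply but has not been verified against IOS itself.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Identity:
    kind: str    # "fqdn" or "email", as in "identity local <kind> <value>"
    value: str

@dataclass(frozen=True)
class MatchRule:
    kind: str             # identity type the profile expects from the peer
    value: str
    domain: bool = False  # True models "match identity remote fqdn domain <x>"

def in_domain(name: str, domain: str) -> bool:
    """Label-boundary suffix test (assumption: IOS compares whole DNS labels).
    'xxx.cisco.com' is in 'cisco.com' but NOT in 'xx.cisco.com', although a
    plain str.endswith() would claim it is."""
    n, d = name.lower().rstrip("."), domain.lower().rstrip(".")
    return n == d or n.endswith("." + d)

def rule_matches(rule: MatchRule, ident: Identity) -> bool:
    """Does the profile's match clause accept the identity the peer sent?"""
    if rule.kind != ident.kind:          # an fqdn rule never matches an email ID
        return False
    if rule.domain:                      # compare only the domain part
        return in_domain(ident.value.split("@")[-1], rule.value)
    return rule.value.lower() == ident.value.lower()   # exact match

# Values taken from the two configurations in the post.
R12_SENDS = Identity("fqdn", "xxx.cisco.com")    # R12: identity local fqdn
R11_SENDS = Identity("email", "xxx@cisco.com")   # R11: identity local email
R11_RULE_POSTED = MatchRule("fqdn", "xx.cisco.com", domain=True)
R11_RULE_DOMAIN_FIX = MatchRule("fqdn", "cisco.com", domain=True)
R11_RULE_EXACT_FIX = MatchRule("fqdn", "xxx.cisco.com")   # what R12 actually sends
R12_RULE = MatchRule("email", "xxx@cisco.com")

def check_pair() -> dict:
    """Evaluate each side's profile against the peer's configured identity."""
    return {
        "r11_as_posted": rule_matches(R11_RULE_POSTED, R12_SENDS),
        "r11_domain_fix": rule_matches(R11_RULE_DOMAIN_FIX, R12_SENDS),
        "r11_exact_fix": rule_matches(R11_RULE_EXACT_FIX, R12_SENDS),
        "r12": rule_matches(R12_RULE, R11_SENDS),
        "naive_endswith_would_say": "xxx.cisco.com".endswith("xx.cisco.com"),
    }

if __name__ == "__main__":
    for name, ok in check_pair().items():
        print(f"{name}: {ok}")
```

Only R11's posted rule fails; R12's email match already agrees with what R11 sends, which is why the fix is needed on one side only.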

Juni
Level 1

Thank you Pavan, it was solved.