
IPsec/IKEv2 error

fcardoso
Level 1

Hello everyone, I have an IPsec/IKEv2 LAN-to-LAN VPN working between an ASA and router A (Cisco), with this router behind a public router that is performing NAT. However, it keeps giving the following errors on the ASA side (I do not have information of router A, it is on the client side):

30 in 30 seconds:

Local:203.0.113.45:4500 Remote:185.60.218.35:4500 Username:185.60.218.35 IKEv2 Negotiation aborted due to ERROR: There was no IPSEC policy found for received TS

Local:203.0.113.45:4500 Remote:185.60.218.35:4500 Username:185.60.218.35 IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 192.168.200.0/192.168.200.255/0/65535/0 local traffic selector 10.230.184.0/10.230.184.255/0/65535/0!

55 in 55 minutes:

IPSEC: An inbound LAN-to-LAN SA (SPI= 0x12CPCSEO) between 185.60.218.35 and 203.0.113.45 (user= 185.60.218.35) has been deleted.
IPSEC: An outbound LAN-to-LAN SA (SPI= 0x69660748) between 203.0.113.45 and 185.60.218.35 (user= 185.60.218.35) has been deleted.
IPSEC: An inbound LAN-to-LAN SA (SPI= 0xFBAE7961) between 203.0.113.45 and 185.60.218.35 (user= 185.60.218.35) has been created.
IPSEC: An outbound LAN-to-LAN SA (SPI= 0x72053486) between 203.0.113.45 and 185.60.218.35 (user= 185.60.218.35) has been created.

PS: router A has an SLA to keep the tunnel up ...

Despite no complaints from the client, the tunnel isn't functioning normally as can be seen in the logs. Any ideas?

Best regards

Fernando

18 Replies

balaji.bandi
Hall of Fame
IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector 192.168.200.0/192.168.200.255/0/65535/0 local traffic selector 10.230.184.0/10.230.184.255/0/65535/0!

As per these logs, it looks to me like a subnet mismatch on both ends; make sure both sides agree on the same subnet mask. It depends on what group you are using.

Can you post the relevant configuration or run the debug on the ASA? show crypto ikev2 sa would also help, as asked before.

BB


Hi BB, 

Relevant conf:

access-list LOCAL_NET_to_REMOTE_NET extended permit ip host 192.168.200.25 host 10.230.184.1 (hitcnt=438)

group-policy 185.60.218.35 internal
group-policy 185.60.218.35 attributes
 vpn-tunnel-protocol ikev2
 re-xauth disable
 group-lock value 185.60.218.35
 pfs enable

tunnel-group 185.60.218.35 type ipsec-l2l
tunnel-group 185.60.218.35 general-attributes
 default-group-policy 185.60.218.35
tunnel-group 185.60.218.35 ipsec-attributes
 isakmp keepalive threshold infinite
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

crypto map outside_map 10 match address LOCAL_NET_to_REMOTE_NET
crypto map outside_map 10 set pfs group21
crypto map outside_map 10 set peer 185.60.218.35
crypto map outside_map 10 set ikev2 ipsec-proposal IKEv2-ESP-AES256-SHA1-HASH-SHA512-PFS-DH21
Thanks
Fernando
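To make the subnet mismatch BB describes concrete, here is an added Python check (my own, not code from this thread or from Cisco) that parses the "Crypto Map Policy not found" line quoted above and tests whether any ACE in the crypto-map ACL fully contains the selectors the peer proposed. It assumes the ASA convention that an ACE's source is the local side and its destination the remote side, compares address ranges only (ports and protocol are ignored), and FIXED_ACL is a constructed ACE that would cover the proposed /24 selectors.

```python
import ipaddress
import re

# Constructed sample input: the ASA rejection log line and the crypto ACL quoted in this thread.
LOG_LINE = (
    "IKEv2 Tunnel rejected: Crypto Map Policy not found for remote traffic selector "
    "192.168.200.0/192.168.200.255/0/65535/0 local traffic selector "
    "10.230.184.0/10.230.184.255/0/65535/0!"
)
CRYPTO_ACL = ["access-list LOCAL_NET_to_REMOTE_NET extended permit ip host 192.168.200.25 host 10.230.184.1"]
# Constructed ACE whose source (local) and destination (remote) ranges cover the peer's /24 selectors.
FIXED_ACL = ["access-list LOCAL_NET_to_REMOTE_NET extended permit ip 10.230.184.0 255.255.255.0 192.168.200.0 255.255.255.0"]

# The ASA prints each selector as start/end/startport/endport/protocol; only the address range is used here.
TS_RE = re.compile(r"remote traffic selector (\S+?)/(\S+?)/\S+ local traffic selector (\S+?)/(\S+?)/\S+")
ACE_RE = re.compile(r"permit ip (host \S+|any|\S+ \S+) (host \S+|any|\S+ \S+)")

def parse_selectors(log_line):
    """Return ((remote_first, remote_last), (local_first, local_last)) from the rejection log line."""
    m = TS_RE.search(log_line)
    if not m:
        raise ValueError("no traffic selectors found in log line")
    ip = ipaddress.ip_address
    return (ip(m.group(1)), ip(m.group(2))), (ip(m.group(3)), ip(m.group(4)))

def operand_range(operand):
    """Map an ACE address operand (host X, any, or 'network netmask') to an inclusive address range."""
    if operand == "any":
        return ipaddress.ip_address("0.0.0.0"), ipaddress.ip_address("255.255.255.255")
    if operand.startswith("host "):
        addr = ipaddress.ip_address(operand.split()[1])
        return addr, addr
    net = ipaddress.ip_network("/".join(operand.split()), strict=False)  # ASA ACLs use a netmask, not a wildcard
    return net[0], net[-1]

def covering_aces(log_line, acl_lines):
    """Return the ACEs whose source range contains the local selector and whose destination range
    contains the remote selector. An empty result is what the ASA logs as 'Crypto Map Policy not found'."""
    remote_ts, local_ts = parse_selectors(log_line)
    hits = []
    for line in acl_lines:
        m = ACE_RE.search(line)
        if m is None:
            continue
        src, dst = operand_range(m.group(1)), operand_range(m.group(2))
        if src[0] <= local_ts[0] <= local_ts[1] <= src[1] and dst[0] <= remote_ts[0] <= remote_ts[1] <= dst[1]:
            hits.append(line)
    return hits
```

Running covering_aces(LOG_LINE, CRYPTO_ACL) returns an empty list for the host-to-host ACE posted above, while the constructed /24 ACE in FIXED_ACL is returned as a match.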

 

I don't think postponing the discussion until next week is a solution to this discussion. Please select a proper solution so that people searching for similar issues can find exactly what solved this for you.


In fact, the logs that I posted indicate that there is a mismatch in the proxy ACL on both sides... so I will accept the solution...

Thank you Marius, MHM and Balaji for the help....