07-06-2021 06:12 AM - edited 10-20-2021 07:15 AM
I'm facing a problem when connecting a site-to-site VPN between an ASA and a Cisco RV160 router.
07-06-2021 06:20 AM
Is the RV160 configured to answer/respond only? Therefore it can never establish a tunnel, rather just be the responder if initiated by another device (your ASA).
Is PFS configured on both devices? If yes, are they the same DH group value?
07-06-2021 06:55 AM
Hello,
Yes, PFS is configured on both sides and the DH group value is the same on both sides.
07-06-2021 08:02 AM - edited 10-20-2021 07:16 AM
@JA Molins wrote: Hello,
yes PFS is configured in both sides and DH group value is the same in both sides
Here's the log of the RV160.
07-06-2021 08:39 AM - edited 10-20-2021 07:16 AM
Hello,
Please find below the RV160 log.
07-06-2021 07:50 AM - edited 10-20-2021 10:07 AM
Hello,
Checking the logs of the RV160:
07-16-2021 02:57 PM
Hi,
1. Have you configured multiple subnets (using IP groups on the RV160) for this IKEv2 tunnel to the ASA?
2. If yes, then assuming that the ASA is running some older image/firmware, there is a bug in the ASA specifically for "IPsec tunnel with multiple subnets using IKEv2". So it will not be able to support multiple subnets with an IKEv2-based IPsec site-to-site tunnel, because the IKEv2 implementation on the ASA does not support Child SA payloads with more than one pair of traffic selectors (subnet pair).
3. So I believe, and I don't know of any confirmation about it, but I have read/heard somewhere that Cisco has fixed this issue with IKEv2 and multiple subnets as of April 2021, and the fixes have been applied to ALL images/firmware for Cisco ASA, Cisco ISR/IOS routers, etc.
- So find out if there is a "new" latest image dated in, say, June 2021 or July 2021, find out if the fix is present in it, and update your Cisco ASA. It should then solve your present issue with the RV160.
4. Else the only alternative solution is to use IKEv1 for the IPsec tunnel using multiple subnets. There are no issues with IKEv1 on Cisco ASA or other Cisco ISR routers.
5. If no, there are NO multiple subnets and only one pair of traffic selectors is configured for the IKEv2 tunnel between the RV160 and the Cisco ASA, then please post the configs applied on the RV160 (and maybe also the config on the ASA too). We will need to check if there are any issues due to the configs applied.
07-28-2021 09:09 AM
Hello,
Thanks for your comment, we will check the firmware upgrade for the Cisco ASA.
Do you think that any other small business Cisco router would have the same issue with the Cisco ASA?
07-28-2021 02:21 PM
>>> Do you think that any other small business Cisco router would have the same issue with the Cisco ASA?
It's actually the other way round.
1. The IKEv2 implementation on Cisco ASA and Cisco ISR/IOS routers is the one having the bug. When multiple subnets are configured for "IKEv2-based" tunnels, the ASA/ISR/IOS routers don't support multiple traffic selectors being received from the remote IKEv2 peer (in this case the RV340/345 and RV160/260 Cisco SBR routers) in the Child SA payload during the IKEv2 protocol negotiation for establishing the tunnel. They support ONLY one pair of traffic selectors at a time in the Child SA payload.
2. This is the same case with Fortinet VPN gateways too and some other VPN gateways that have not implemented the complete IKEv2 features as per the RFC standards.
3. The Cisco SBR RV340/345/340W/345P routers are running the strongSwan open-source application for the IPsec VPN features, so they all support the complete RFC standards for IPsec/IKEv2 (and IKEv1 also).
a) So whenever you are configuring specifically IKEv2 S2S tunnels with multiple subnets (using IP groups) on these SBR routers AND the peer gateway is any of the Cisco ASA/ISR/IOS routers (running older firmware before April 2020, I guess) OR a Fortinet gateway, then you will need to enable one additional option on the SBR routers in the Advanced settings of the S2S tunnel config: the "Non-RFC" option.
- It's as shown in the attached screenshot.
b) As for the same IKEv2 S2S tunnel configs using multiple subnets with a Fortinet gateway and other such VPN peers that have problems establishing IKEv2 tunnels with multiple subnets, you will need to
- check by enabling the "Non-RFC" option and see whether it solves the problem;
- else, additionally on the said remote peer gateways, you will need to ensure that when configuring the S2S tunnel, the multiple subnets are not grouped together into single groups. Instead, on the Fortinet gateway (and ESX Edge gateway, etc.) you will need to configure the traffic selectors as separate pairs under ONE IKEv2/IKEv1 tunnel profile.
Thanks
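To make the interoperability point in the thread concrete, here is an added Python example (not code from the thread, from Cisco, or from strongSwan) that encodes and decodes an IKEv2 Traffic Selector payload exactly as RFC 7296 section 3.13 lays it out, and then models two responder behaviours for a TSi carrying several subnets: the RFC behaviour (narrow to what policy allows, possibly keeping several selectors) and a simplified "one selector pair only" responder that answers TS_UNACCEPTABLE when it sees more than one selector. The single-pair responder and the `split_into_single_pair_tunnels` workaround are assumptions that model what the posts above describe; the payload layout and the TS type values 7 and 8 are taken from the RFC.

```python
"""
IKEv2 Traffic Selector payload (RFC 7296 section 3.13) encode/decode, plus a
model of a responder that only accepts one TS pair per Child SA.
"""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # TS Type values from RFC 7296 section 3.13.1
TS_IPV6_ADDR_RANGE = 8
NO_NEXT_PAYLOAD = 0      # Next Payload value when TS is the last payload


def _selector_bytes(cidr, proto=0, start_port=0, end_port=65535):
    """Encode one traffic selector covering a whole subnet (any protocol/port by default)."""
    net = ipaddress.ip_network(cidr, strict=False)
    ts_type = TS_IPV4_ADDR_RANGE if net.version == 4 else TS_IPV6_ADDR_RANGE
    first, last = net.network_address.packed, net.broadcast_address.packed
    length = 8 + 2 * len(first)  # 8-byte selector header + start and end address
    return struct.pack("!BBHHH", ts_type, proto, length, start_port, end_port) + first + last


def encode_ts_payload(subnets, next_payload=NO_NEXT_PAYLOAD):
    """Build a TSi/TSr payload: generic header, TS count, 3 reserved bytes, selectors."""
    body = b"".join(_selector_bytes(s) for s in subnets)
    payload_len = 4 + 4 + len(body)  # generic header (4) + count/reserved (4) + selectors
    return struct.pack("!BBH", next_payload, 0, payload_len) + struct.pack("!B3x", len(subnets)) + body


def decode_ts_payload(data):
    """Parse a TS payload into a list of (subnet_or_range, proto, start_port, end_port)."""
    _next, _flags, payload_len = struct.unpack_from("!BBH", data, 0)
    if payload_len != len(data):
        raise ValueError("payload length mismatch")
    count = data[4]
    off, selectors = 8, []
    for _ in range(count):
        ts_type, proto, length, sport, eport = struct.unpack_from("!BBHHH", data, off)
        addr_len = {TS_IPV4_ADDR_RANGE: 4, TS_IPV6_ADDR_RANGE: 16}[ts_type]
        if length != 8 + 2 * addr_len:
            raise ValueError("bad selector length")
        start = ipaddress.ip_address(data[off + 8: off + 8 + addr_len])
        end = ipaddress.ip_address(data[off + 8 + addr_len: off + 8 + 2 * addr_len])
        # An exact subnet range summarizes to a single network; otherwise keep the range.
        nets = list(ipaddress.summarize_address_range(start, end))
        desc = str(nets[0]) if len(nets) == 1 else f"{start}-{end}"
        selectors.append((desc, proto, sport, eport))
        off += length
    if off != len(data):
        raise ValueError("trailing bytes in TS payload")
    return selectors


def responder_select(proposed, policy, single_pair_only):
    """
    Model of a responder handling the initiator's TSi (list of CIDR strings).
    RFC behaviour: narrow to the subnets the local policy covers, keeping several.
    single_pair_only (assumed model of the buggy peer): any TSi with more than one
    selector is answered with TS_UNACCEPTABLE even if policy would allow them.
    """
    proposed_nets = [ipaddress.ip_network(c, strict=False) for c in proposed]
    policy_nets = [ipaddress.ip_network(c, strict=False) for c in policy]
    accepted = [str(n) for n in proposed_nets
                if any(n.version == p.version and n.subnet_of(p) for p in policy_nets)]
    if not accepted or (single_pair_only and len(proposed_nets) > 1):
        return ("TS_UNACCEPTABLE", [])
    return ("OK", accepted)


def split_into_single_pair_tunnels(local_subnets, remote_subnets):
    """Workaround from the thread: one Child SA per (local, remote) pair instead of grouped subnets."""
    return [(loc, rem) for loc in local_subnets for rem in remote_subnets]


if __name__ == "__main__":
    # Constructed sample: two local subnets offered to a peer whose policy is 10.0.0.0/8.
    tsi = encode_ts_payload(["10.1.0.0/24", "10.2.0.0/24"])
    print(tsi.hex())
    print(decode_ts_payload(tsi))
    print(responder_select(["10.1.0.0/24", "10.2.0.0/24"], ["10.0.0.0/8"], single_pair_only=False))
    print(responder_select(["10.1.0.0/24", "10.2.0.0/24"], ["10.0.0.0/8"], single_pair_only=True))
    print(split_into_single_pair_tunnels(["10.1.0.0/24", "10.2.0.0/24"], ["192.168.0.0/24"]))
```

Running the module shows the same TSi being accepted by the RFC responder and refused by the single-pair model; the last line lists the separate selector pairs you would configure instead of one grouped tunnel when the peer cannot be upgraded.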