08-07-2019 07:23 AM - edited 02-21-2020 09:43 PM
I recently built a lab that contains 5 routers:
R1
R2
R3
R4
R5 = ISP router
The topology is sort of hub and spoke, in which my R1 is the hub.
I set up on R1 an IKEv2 policy which uses a proposal that contains the following:
encryption aes-cbc-256
integrity sha1
group 5
On the IKEv2 profile I match a certificate map that contains the issuer name.
I configured virtual-template 1 type tunnel and tried to make an IPsec connection to R2, but I have an issue bringing that connection up. If I use interface tunnel instead of virtual-template everything works great, but I specifically need to use virtual-template. If I run some debug I get the following error:
IPSEC(ipsec_process_proposal): invalid local address
I googled it and found cases of misconfiguration or a bug report (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud69442/?rfs=iqvred).
I use version 15.2(4)S7.
I have been working on it for three freaking days, so I decided to use the community...
If someone can tell me what went wrong in my case I would really appreciate it.
I attach files of R1, R2 and R5.
Thanks in advance
08-07-2019 08:25 AM
Hi,
On R1, which is acting as the hub, you need to reference the Virtual-Template under the IKEv2 profile, e.g.:
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
 virtual-template 1
You also don't need to reference the tunnel destination:
interface Virtual-Template1 type tunnel
 no tunnel destination dynamic
HTH
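As an added illustration (not part of the thread), the following Python checker parses an IOS running-config fragment and flags the two hub-side problems the answer describes: an IKEv2 profile with no virtual-template reference, and a Virtual-Template that still carries a tunnel destination. The config sample, profile and interface names are constructed for the example.

```python
# Constructed hub config with both problems from the answer: the IKEv2 profile
# lacks "virtual-template 1" and the Virtual-Template keeps "tunnel destination".
BROKEN_HUB_CONFIG = """\
crypto ikev2 profile IKEv2-Profile
 match certificate CMAP
 identity local dn
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint Trusted-CA
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0
 tunnel destination dynamic
 tunnel protection ipsec profile IPSEC-PROFILE
!
"""


def parse_blocks(config: str) -> dict[str, list[str]]:
    """Split IOS config into top-level stanzas keyed by their header line.
    Indented lines belong to the preceding unindented header; '!' is skipped."""
    blocks: dict[str, list[str]] = {}
    header = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if header is not None:
                blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks[header] = []
    return blocks


def check_flexvpn_hub(config: str) -> list[str]:
    """Return one finding per IKEv2 profile / Virtual-Template that breaks
    the two hub requirements given in the answer above."""
    findings = []
    for header, lines in parse_blocks(config).items():
        if header.startswith("crypto ikev2 profile "):
            name = header.split()[-1]
            if not any(l.startswith("virtual-template ") for l in lines):
                findings.append(f"ikev2 profile {name}: missing 'virtual-template' reference")
        elif header.startswith("interface Virtual-Template"):
            intf = header.split()[1]
            for l in lines:
                if l.startswith("tunnel destination"):
                    findings.append(f"{intf}: remove '{l}' (hub learns the peer address dynamically)")
    return findings
```

Running check_flexvpn_hub on the sample reports both findings; after adding the virtual-template line and removing the tunnel destination it returns an empty list.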