02-19-2019 06:29 PM - edited 02-21-2020 09:34 PM
Dear All,
Let me know which of the two types of configuration below is the best practice for an IPsec profile.
I saw this message ("Each policy has a unique priority number assigned to it. The peers must share at least one common policy to allow for successful secure communication.") in a Cisco ebook. Does that mean I need to use a unique policy for all tunnels (DMVPN, PtP)? That is, for each remote site?
crypto ikev2 policy IPSec
proposal proposal
!
crypto ikev2 profile profile
description IKEv2 profile
match certificate CERT-MAP
identity local dn
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca
OR
crypto ikev2 policy IPSec
match address local x.x.x.x
proposal proposal
crypto ikev2 profile profile
description IKEv2 profile
match identity remote address x.x.x.x
identity local address x.x.x.x
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca
02-19-2019 10:54 PM
Hi,
crypto ikev2 profile DMVPN-PROF
match certificate CERT-MAP
identity local fqdn cbtme-hub.crypto.local
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca
This offers local and remote identity authentication, which adds an additional level of authentication and profile verification. If you have multiple VPNs with multiple vendors, then it is recommended. You may add one more command for verifying two-way identity: "match identity remote fqdn ....."
And
crypto ikev2 profile DMVPN-PROF
match certificate CERT-MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca
This is a simple profile without a remote or local identity.
Regards,
Deepak Kumar
02-19-2019 09:41 PM - edited 02-19-2019 10:08 PM
Hi,
If I have one router with two WAN links and I need to run two different tunnels, do I need to create one policy and two different profiles, or can I use a shared profile?
Do you want me to change it as below?
crypto ikev2 profile DMVPN-PROF
match certificate CERT-MAP
identity local fqdn cbtme-hub.crypto.local
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint my-ca
02-19-2019 10:32 PM
Hi,
I love Cisco VPN technology because if you have multiple VPN connections, you can share Phase 1 with all VPN connections, meaning you need only one Phase 1 policy.
IKEv2 also offers Phase 2 as a shared profile. You can use a single Phase 2 policy for all VPN connections.
Regards,
Deepak Kumar
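The configuration below is an added example that is not part of this thread and not Cisco documentation. It puts the two answers above together: one IKEv2 proposal and policy shared by every tunnel on a dual-WAN hub (the question about two WAN links), one IKEv2 profile that uses both the certificate map and a "match identity remote fqdn" check, and the spoke's profile with the spoke's own identity. The trustpoint "my-ca", the certificate map "CERT-MAP" and the FQDNs cbtme-hub.crypto.local / cbtme-spoke1.crypto.local come from the thread; the interface names, tunnel addresses, the PtP peer address 140.140.140.1 and the algorithm choices are assumptions.

```cisco
! --- Hub (cbtme-hub.crypto.local): two WAN links, two tunnels, ONE IKEv2 policy, ONE IKEv2 profile ---
! Added example configuration; interface names, addresses and algorithms are assumed.
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! No "match address local": a policy without match statements applies to every local address,
! so both WAN links negotiate Phase 1 with the same settings. Peers only need ONE proposal in common.
crypto ikev2 policy POL-SHARED
 proposal PROP-AES256
!
! Certificate map: selects the profile only for certificates whose subject contains crypto.local
crypto pki certificate map CERT-MAP 10
 subject-name co crypto.local
!
! One profile for both tunnels. "match certificate" and "match identity remote" are ORed, so a
! peer selects this profile if its certificate matches CERT-MAP or its IKE ID ends in crypto.local.
! "identity local fqdn" must be THIS router's own name, as carried in its own certificate.
crypto ikev2 profile IKEV2-PROF
 match certificate CERT-MAP
 match identity remote fqdn domain crypto.local
 identity local fqdn cbtme-hub.crypto.local
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint my-ca
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
 set ikev2-profile IKEV2-PROF
!
! Tunnel 1: DMVPN mGRE over the first WAN link
interface Tunnel1
 ip address 192.168.100.1 255.255.255.0
 ip nhrp network-id 10
 ip nhrp map multicast dynamic
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSEC-PROF
!
! Tunnel 2: point-to-point GRE over the second WAN link, same IKEv2 policy and profile
interface Tunnel2
 ip address 192.168.200.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 140.140.140.1
 tunnel protection ipsec profile IPSEC-PROF
!
! --- Spoke (cbtme-spoke1.crypto.local): same proposal, policy and profile, but its OWN identity ---
! Copying the hub's "identity local fqdn cbtme-hub.crypto.local" onto the spoke makes the spoke
! present an IKE ID that does not match its own certificate, which is what the
! %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH message quoted later in this thread reports.
crypto ikev2 profile IKEV2-PROF
 match certificate CERT-MAP
 match identity remote fqdn cbtme-hub.crypto.local
 identity local fqdn cbtme-spoke1.crypto.local
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint my-ca
```

The spoke's tunnel interface, NHRP mapping to the hub and PKI enrollment are left out; they are unchanged by the choice of profile. After both sides are up, "show crypto ikev2 sa detailed" shows which profile and which local/remote identities were used for each SA, and "show crypto ikev2 profile" lists the match statements as configured.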
02-19-2019 11:05 PM
Hi,
Have you enabled the identity on remote site as well?
Please share the configuration from both end and error msg.
Regards,
Deepak Kumar
02-19-2019 11:31 PM - edited 02-19-2019 11:35 PM
Hi,
Please see the attachment and error message below. Can I use the "match identity remote" command in DMVPN?
I also always see "insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb":
*Feb 20 15:16:56.803: %CRYPTO-6-IKMP_NO_ID_CERT_FQDN_MATCH: ID of cbtme-hub.crypto.local (type 2) and certificate fqdn with cbtme-spoke1.crypto.local
02-19-2019 11:38 PM
Hi,
The FQDN (fully qualified domain name) provided by the VPN peer doesn't match the one stated in the digital certificate.
Regards,
Deepak Kumar
02-20-2019 12:44 AM - edited 02-20-2019 12:45 AM
Hi,
Please see the debug output below.
Feb 20 16:44:31.927: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.100.2 (Tunnel1) is down: holding time expired
Cbtme-Hub#
*Feb 20 16:44:35.315: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=110.110.110.1, prot=50, spi=0x88D51ED5(2295668437), srcaddr=120.120.120.1, input interface=FastEthernet0/0
Cbtme-Hub#
*Feb 20 16:44:36.735: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.100.2 (Tunnel1) is up: new adjacency
02-20-2019 12:19 AM - edited 02-20-2019 12:23 AM
If I use a loopback interface, do I need a loopback at every site? My sites don't have NAT. We don't need to use the Internet; I use static routes. Can I use a loopback interface at the hub site only? A loopback interface for one tunnel?