03-16-2019 10:11 AM - edited 02-21-2020 09:35 PM
So I have a lab - see attached.
Below are my applicable configs for the IPsec IKEv2 tunnel. All IP interfaces in the diagram are up and all devices can ping each other. The router is just passing traffic - no ACLs.
I don't know whether I can just generate interesting traffic from the switches, as I have not configured any host machines or anything else in the 192.168 subnets that are to use the tunnel - my VPN ACL shows zero hits.
Also, my ASAv image could be flaky or something as I could only get it working using a VNC console so I can't even cut and paste configs from it.
ASA1:
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal PH-2
protocol esp encryption aes-256
protocol esp integrity sha-1
tunnel-group 20.20.20.20 type ipsec-l2l
tunnel-group 20.20.20.20 ipsec-attributes
ikev2 local-authentication pre-shared-key ccdp*123
ikev2 remote-authentication pre-shared-key ccdp*123
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log info
crypto map ASA1-MAP 1 match address VPN
crypto map ASA1-MAP 1 set peer 20.20.20.20
crypto map ASA1-MAP 1 set ikev2 ipsec-proposal PH-2
crypto map ASA1-MAP interface OUTSIDE
crypto ikev2 enable OUTSIDE
route OUTSIDE 192.168.20.0 255.255.255.0 10.10.10.1
ASA2:
crypto ikev2 policy 2
encryption aes
integrity sha
group 5
lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal PH
protocol esp encryption aes-256
protocol esp integrity sha-1
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
ikev2 local-authentication pre-shared-key ccdp*123
ikev2 remote-authentication pre-shared-key ccdp*123
access-list VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 log info
crypto map ASA2-MAP 2 match address VPN
crypto map ASA2-MAP 2 set peer 10.10.10.10
crypto map ASA2-MAP 2 set ikev2 ipsec-proposal PH
crypto map ASA2-MAP interface OUTSIDE
crypto ikev2 enable OUTSIDE
route OUTSIDE 192.168.10.0 255.255.255.0 20.20.20.1
03-16-2019 04:23 PM
Without generating interesting traffic, there is no reason to invoke the crypto map statements. So you will need to put something in the interesting traffic ranges to get this to work.
03-16-2019 10:11 PM
Hi,
Then what is the issue? If you didn't generate traffic then this is normal behavior for IPsec VPN. Generate traffic using ping and don't forget to select the source interface or IP address in the ping command.
Regards,
Deepak Kumar
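To make the point of both replies concrete, the following added example (not from the thread or from any Cisco tool) parses the two crypto ACL entries posted above, checks that they are exact mirrors of each other, and tests whether a given source/destination pair counts as interesting traffic that would invoke the crypto map. The sample flows (a ping between the two ASA outside addresses, and a ping between hosts at 192.168.10.5 and 192.168.20.5) are constructed for this example; the lab has no such hosts configured yet.

```python
"""Decide whether a flow is "interesting traffic" for an ASA crypto-map ACL.

The two ACEs below are copied from the ASA1 and ASA2 configs in the thread.
The sample flows at the bottom are constructed for this example.
"""
import ipaddress
import re

ASA1_ACE = ("access-list VPN extended permit ip "
            "192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log info")
ASA2_ACE = ("access-list VPN extended permit ip "
            "192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 log info")

# ASA extended ACLs use real subnet masks, not IOS-style wildcard masks,
# so the mask can be handed straight to ipaddress.IPv4Network.
_ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<smask>\d+(?:\.\d+){3})\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\s+(?P<dmask>\d+(?:\.\d+){3})"
)


def parse_ace(line):
    """Return (src_net, dst_net) for a 'permit ip <net> <mask> <net> <mask>' ACE."""
    m = _ACE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    src = ipaddress.IPv4Network(f"{m['src']}/{m['smask']}")
    dst = ipaddress.IPv4Network(f"{m['dst']}/{m['dmask']}")
    return src, dst


def is_interesting(ace, src_ip, dst_ip):
    """True if a packet src_ip -> dst_ip hits this crypto ACE and triggers IKE."""
    src_net, dst_net = ace
    return (ipaddress.IPv4Address(src_ip) in src_net
            and ipaddress.IPv4Address(dst_ip) in dst_net)


def is_mirror(local_ace, remote_ace):
    """Site-to-site crypto ACLs must be exact mirrors, or the peers will
    disagree on the traffic selectors during the IKEv2 CHILD_SA exchange."""
    return local_ace[0] == remote_ace[1] and local_ace[1] == remote_ace[0]


def explain(ace, src_ip, dst_ip):
    """Human-readable verdict for one flow against one crypto ACE."""
    if is_interesting(ace, src_ip, dst_ip):
        return "interesting: crypto map invoked, IKEv2 SA will be negotiated"
    return "not interesting: routed in the clear, no IKE triggered, ACL hit count stays 0"


if __name__ == "__main__":
    asa1 = parse_ace(ASA1_ACE)
    asa2 = parse_ace(ASA2_ACE)
    print("ACLs are mirrors:", is_mirror(asa1, asa2))
    # Constructed flows: ASA-to-ASA outside addresses vs. LAN host to LAN host.
    for src, dst in [("10.10.10.10", "20.20.20.20"), ("192.168.10.5", "192.168.20.5")]:
        print(f"{src} -> {dst}: {explain(asa1, src, dst)}")
```

Running it shows why the ACL hit count in the lab is zero: a ping sourced from an ASA or switch transit address is not inside 192.168.10.0/24, so the crypto map is never consulted, while a ping from a host in 192.168.10.0/24 to a host in 192.168.20.0/24 (or a ping sourced from an ASA's inside interface address in that range, as Deepak suggests) does match and brings the tunnel up.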