IPSEC tunnel not generating SA

CiscoPurpleBelt
Level 6

So I have a lab - see attached.

Below are my applicable configs for the IPSEC IKEv2 tunnel. All IP interfaces in the diagram are up and all devices can ping each other. The router is just passing traffic - no ACLs.

I don't know if I can't just generate interesting traffic from the switches, as I have not configured any host machines or anything in the 192.168 subnets that are to use the tunnel - my VPN ACL shows zero hits.

Also, my ASAv image could be flaky or something, as I could only get it working using a VNC console so I can't even cut and paste configs from it.

ASA1:
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal PH-2 
protocol esp encryption aes-256
protocol esp integrity sha-1

tunnel-group 20.20.20.20 type ipsec-l2l 
tunnel-group 20.20.20.20 ipsec-attributes
ikev2 local-authentication pre-shared-key ccdp*123
ikev2 remote-authentication pre-shared-key ccdp*123

access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log info
crypto map ASA1-MAP 1 match address VPN
crypto map ASA1-MAP 1 set peer 20.20.20.20
crypto map ASA1-MAP 1 set ikev2 ipsec-proposal PH-2
crypto map ASA1-MAP interface OUTSIDE
crypto ikev2 enable OUTSIDE
route OUTSIDE 192.168.20.0 255.255.255.0 10.10.10.1

 

ASA2:
crypto ikev2 policy 2
encryption aes
integrity sha
group 5
lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal PH
protocol esp encryption aes-256
protocol esp integrity sha-1

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
ikev2 local-authentication pre-shared-key ccdp*123
ikev2 remote-authentication pre-shared-key ccdp*123

access-list VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 log in
crypto map ASA2-MAP 2 match address VPN
crypto map ASA2-MAP 2 set peer 10.10.10.10
crypto map ASA2-MAP 2 set ikev2 ipsec-proposal PH
crypto map ASA2-MAP interface OUTSIDE
crypto ikev2 enable OUTSIDE
route OUTSIDE 192.168.10.0 255.255.255.0 20.20.20.1
10 Replies

Hi,
You should be able to generate traffic from the switches, assuming the interface IP address is within the range defined in the crypto ACL. If you have multiple IP addresses defined on the switch, then you will need to define the source interface when you run the ping. I assume you have a default route on the switch to route via the next hop ASA?

Enable debug "debug crypto ikev2 protocol" and "debug crypto ikev2 platform" and upload the output here.

HTH

Dennis Mink
VIP Alumni

Without generating interesting traffic, there is no reason to invoke the crypto map statements. So you will need to put something in the interesting traffic ranges to get this to work.

Please remember to rate useful posts, by clicking on the stars below.

Deepak Kumar
VIP Alumni

Hi,

Then what is the issue? If you didn't generate traffic then this is normal behavior for IPSec VPN. Generate traffic using the ping and don't forget to select the source interface or IP address in the ping command.

Regards,
Deepak Kumar
Don't forget to vote and accept the solution if this comment will help you!

Yes, that is what I was doing. I was source pinging from the 192.168.10 and .20 interfaces but traffic is not hitting the ACL for some reason. I have to look at things to see why, as I just have a very basic 0.0.0.0 0.0.0.0 DG on both switches.

What about the configuration you've not uploaded...
- Do you have NAT configured? this could cause issues unless you define a no-nat rule for the VPN networks
- Is IKEv2 configured as a vpn-tunnel-protocol in the Group Policy?

When you generate interesting traffic by pinging the remote end, with IKEv2 debugs enabled does it even generate any output? If it does please upload the debugs

Trying to just understand something. Based on my configs above, I know the ikev2 policy 1 is tied to the OUTSIDE interface via "crypto ikev2 enable OUTSIDE". What if a device has multiple ikev2 policies? Are they typically tied to something else besides a physical interface?

The IKEv2 Policies aren't technically tied (referenced within the configuration) to anything, the command "crypto ikev2 enable OUTSIDE" enables IKEv2 on that interface (could be any named interface). You can define multiple IKEv2 Policies, they do not need to be referenced anywhere else within the configuration, unlike the IPSec Proposal which is referenced in the crypto map.

Thanks everyone. I'm sure you guys would have caught it but I actually left out the "crypto map ASA1-MAP interface OUTSIDE" on both ASA devices. Entered that and voila! Like I said, I could not cut and paste configs of the ASA here because I am using them via the VNC console type, if any of you guys are familiar with that in GNS3. I usually use VIRL but needed to get my GNS3 setup working.
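To make the two diagnostics in this thread concrete, here is an added Python check (my own example, not code from the original posts or from Cisco). It parses ASA-style crypto map, crypto ACL and IKEv2 lines like the ones posted above, flags a crypto map that is never applied to an interface (the omission the thread ended on), verifies that the two peers' crypto ACLs are mirror images, and answers whether a given source/destination pair would count as interesting traffic. The two config strings are constructed samples modelled on the OP's, with ASA2 deliberately missing the `crypto map ... interface OUTSIDE` line; the function names and the config constants are my assumptions, not ASA commands.

```python
import ipaddress
import re

# Constructed sample modelled on the thread's ASA1 (complete).
ASA1_CFG = """
crypto ikev2 policy 1
 encryption aes
 integrity sha
 group 5
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal PH-2
 protocol esp encryption aes-256
 protocol esp integrity sha-1
tunnel-group 20.20.20.20 type ipsec-l2l
access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 log info
crypto map ASA1-MAP 1 match address VPN
crypto map ASA1-MAP 1 set peer 20.20.20.20
crypto map ASA1-MAP 1 set ikev2 ipsec-proposal PH-2
crypto map ASA1-MAP interface OUTSIDE
crypto ikev2 enable OUTSIDE
"""

# Constructed sample modelled on ASA2, deliberately missing the
# "crypto map ASA2-MAP interface OUTSIDE" binding, as in the thread.
ASA2_CFG = """
crypto ikev2 policy 2
 encryption aes
 integrity sha
 group 5
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal PH
 protocol esp encryption aes-256
 protocol esp integrity sha-1
tunnel-group 10.10.10.10 type ipsec-l2l
access-list VPN extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0 log info
crypto map ASA2-MAP 2 match address VPN
crypto map ASA2-MAP 2 set peer 10.10.10.10
crypto map ASA2-MAP 2 set ikev2 ipsec-proposal PH
crypto ikev2 enable OUTSIDE
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer|set ikev2 ipsec-proposal) (\S+)$")
MAP_BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
IKEV2_RE = re.compile(r"^crypto ikev2 enable (\S+)$")
KEYS = {"match address": "acl", "set peer": "peer", "set ikev2 ipsec-proposal": "proposal"}


def parse_asa(cfg):
    """Extract crypto ACLs, crypto map entries, interface bindings and IKEv2-enabled interfaces."""
    acls, maps, bound, ikev2 = {}, {}, {}, set()
    for line in cfg.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append(
                (ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MAP_BIND_RE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := MAP_ENTRY_RE.match(line):
            entry = maps.setdefault(m.group(1), {}).setdefault(int(m.group(2)), {})
            entry[KEYS[m.group(3)]] = m.group(4)
        elif m := IKEV2_RE.match(line):
            ikev2.add(m.group(1))
    return {"acls": acls, "maps": maps, "bound": bound, "ikev2": ikev2}


def check_local(p):
    """Problems that stop one ASA from ever evaluating its crypto map."""
    problems = []
    if not p["bound"]:
        problems.append("no crypto map is applied to any interface")
    for name, iface in p["bound"].items():
        if name not in p["maps"]:
            problems.append(f"crypto map {name} is applied to {iface} but has no entries")
        if iface not in p["ikev2"]:
            problems.append(f"IKEv2 is not enabled on {iface}")
    for name, entries in p["maps"].items():
        if name not in p["bound"]:
            problems.append(f"crypto map {name} is never applied to an interface")
        for seq, e in entries.items():
            for key in ("acl", "peer", "proposal"):
                if key not in e:
                    problems.append(f"crypto map {name} {seq} is missing {key}")
            if e.get("acl") and e["acl"] not in p["acls"]:
                problems.append(f"crypto map {name} {seq} references unknown ACL {e['acl']}")
    return problems


def _crypto_entries(p):
    return {(s, d) for m in p["maps"].values() for e in m.values()
            for s, d in p["acls"].get(e.get("acl"), [])}


def check_mirror(a, b):
    """Every crypto ACL entry on one peer must appear reversed on the other."""
    ea, eb = _crypto_entries(a), _crypto_entries(b)
    problems = [f"{s} -> {d} has no mirror on the peer" for s, d in ea if (d, s) not in eb]
    problems += [f"peer's {s} -> {d} has no mirror locally" for s, d in eb if (d, s) not in ea]
    return problems


def is_interesting(p, src_ip, dst_ip):
    """True only if the flow matches a crypto ACL referenced by an APPLIED crypto map."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name in p["bound"]:
        for e in p["maps"].get(name, {}).values():
            for s, d in p["acls"].get(e.get("acl"), []):
                if src in s and dst in d:
                    return True
    return False


if __name__ == "__main__":
    a, b = parse_asa(ASA1_CFG), parse_asa(ASA2_CFG)
    for label, p in (("ASA1", a), ("ASA2", b)):
        print(label, check_local(p) or "OK")
    print("mirror:", check_mirror(a, b) or "OK")
    print("ASA1 10.5 -> 20.5 interesting:", is_interesting(a, "192.168.10.5", "192.168.20.5"))
    print("ASA2 20.5 -> 10.5 interesting:", is_interesting(b, "192.168.20.5", "192.168.10.5"))
```

Run as-is it reports ASA1 clean, ASA2 with an unbound crypto map, the ACLs correctly mirrored, and a 192.168.20.x to 192.168.10.x ping from the ASA2 side classed as not interesting, which is exactly why the VPN ACL showed zero hits: the ACL can match all it likes, but a crypto map that is not applied to the interface never gets consulted. Adding the binding line to ASA2_CFG flips both results.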

No problem. I use telnet as the console type when using the ASA image in GNS3, I am using the .qcow2 image file. This works without issue.

Yes I had to delete the templates I had installed and re-install using those images.