IR800 EZVPN to Flexvpn?

KGrev
Level 4

Hi,

I've been troubleshooting my way into a hole here.

We have a few IR809G routers using EZVPN over cellular. They work fine but they are using ikev2. We are trying to upgrade them to ikev2. I see plenty of ways to enable ikev2 and configure it but we are using EZVPN.

Will ezvpn do ikev2? I'm not seeing an option to configure flexvpn.

33 Replies

KGrev
Level 4

As a side note, I just stumbled onto this link and noticed the section near the bottom about setting up the FlexVPN client on the router. I'm working through that now. The router does appear to have the commands for this.


https://www.cisco.com/c/en/us/support/docs/security/flexvpn/115950-ezvpn-nem-to-flexvpn.html

@KGrev I assume you already have the required security license otherwise EZVPN would not work. What firmware version are you running and does it support NGE (Next Generation Encryption)?

What IKEv2 commands does it support? Run crypto ikev2 ? and provide the output for reference.

@Rob Ingram Thanks for your response. Here is the information you asked for, and then the configuration I have so far. I left some of the old EZVPN settings in there also. As a side note, on EZVPN we have these routers authenticate with a user name and pre-shared key. We would like to continue that for now.

Router(config)#crypto ikev2 ?
authorization IKEv2 authorization
certificate-cache Cache for storing certs fetched from HTTP URLs
client IKEv2 client configuration
cluster Cluster load-balancer settings
cookie-challenge Set Cookie-challenge watermark
cts Cisco Trust Security
diagnose IKEV2 diagnose
disconnect-revoked-peers Disconnect Crypto Session with Cert Revoked Peer
dpd Enable IKE liveness check for peers
fragmentation Enable fragmentation of ikev2 packets
http-url Enable http URL lookup
keyring Define IKEv2 Keyring
limit Limit the number of maximum and negotiating sa
name-mangler Name mangler
nat NAT-transparency
policy Define IKEV2 policies
profile Define IKEv2 Profiles
proposal Define IKEV2 proposals
reconnect Cluster Reconnect
redirect IKEv2 Redirect Mechanism for load-balancing
route IKEv2 Route Redistribute
window IKEV2 window size


Cisco IOS Software, ir800 Software (ir800-UNIVERSALK9-M), Version 15.9(3)M7a, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2023 by Cisco Systems, Inc.
Compiled Thu 23-Mar-23 11:15 by mcpre

ROM: Bootstrap program is IR800

LTE_35 uptime is 35 minutes
System returned to ROM by Power-on at 13:54:38 UTC Thu Aug 10 2023
System image file is "flash:ir800-universalk9-mz.SPA.159-3.M7a"
Last reload reason: Power-on


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco IR809G-LTE-NA-K9 (revision 0.0) with 365568K/60416K bytes of memory.
Processor board ID FCW22110025
Last reset from Power-on

FPGA version: 2.B.0
FPGA date[YYYY/MM/DD] :[2020/4/8]

BIOS: version 29 Production
BIOS: date[YYYY/MM/DD] :[2022/9/29]

2 Serial(sync/async) interfaces
3 Gigabit Ethernet interfaces
8 terminal lines
2 Cellular interfaces
DRAM configuration is 72 bits wide with parity disabled.
256K bytes of non-volatile configuration memory.
976562K bytes of ATA System Flash (Read/Write)
250000K bytes of ATA Bootstrap Flash (Read/Write)


License Info:

License UDI:

-------------------------------------------------
Device#   PID                 SN
-------------------------------------------------
*1        IR809G-LTE-NA-K9    FCW22110025



Suite License Information for Module:'ir800'

--------------------------------------------------------------------------------
Suite          Suite Current        Type        Suite Next reboot
--------------------------------------------------------------------------------

Technology Package License Information for Module:'ir800'

------------------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current        Type          Next reboot
------------------------------------------------------------------------
ipbase        ipbasek9       Permanent     ipbasek9
security      securityk9     Permanent     securityk9
data          datak9         Permanent     datak9

Configuration register is 0x102


----------------------------------------------------------------------------------


!
crypto pki trustpoint TEST_NET_Trust
 enrollment terminal
 serial-number
 ip-address loopback0
 revocation-check crl
!
!
username TESTprobe-sec password 6 xxxxxxxxxxxxxxxxxxxx
!
!
crypto ikev2 proposal IKEV2
 encryption aes-gcm-256
 prf sha256
 group 19
crypto ikev2 proposal default
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy IKEV2
 match fvrf any
 proposal IKEV2
!
!
crypto ikev2 profile IKEV2
 match address local 10.2.9.54
 match identity remote address 10.2.0.114 255.255.255.255
 identity local address 10.2.9.54
 authentication remote pre-share key 6 xxxxxxxxxxxxxx
 authentication local pre-share key 6 xxxxxxxxxxxxxxxx
 dpd 30 4 periodic
 virtual-template 2 mode auto
!
crypto ikev2 limit max-sa 5
crypto ikev2 client flexvpn FLEXVPN
 peer 1 10.2.0.114
 client connect Tunnel0
!
!
!
controller Cellular 0
 lte sim fast-switchover enable
 lte failovertimer 5
no cdp run
!
!
!
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 19
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set IKEV2 ah-sha256-hmac esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX_PROFILE
 set transform-set IKEV2
 set ikev2-profile IKEV2
!
!
!
crypto ipsec client ezvpn TESTPROBE
 connect auto
 group TEST_BitProbe key 6 xxxxxxxxxxxxxxxxxxx
 mode network-extension
 peer 10.2.0.114
 username TESTprobe-sec password 6 xxxxxxxxxxxxxxxx
 xauth userid mode local
!
!
crypto map IKEV2 63000 ipsec-isakmp
 set peer 10.2.0.114
 set transform-set IKEV2
 set pfs group19
 set ikev2-profile IKEV2
 match address 100
!
!
!
!
!
interface Loopback0
 ip address 10.2.9.54 255.255.255.254
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
!
interface Tunnel0
 no ip address
!
!
interface Cellular0
 ip address negotiated
 ip access-group CELLULAR-PORT-IN in
 ip access-group CELLULAR-PORT-OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 ip tcp adjust-mss 1390
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer watch-group 1
 async mode interactive
!
interface Cellular1
 no ip address
 encapsulation slip
 shutdown
!
interface Virtual-Template2 type tunnel
 ip unnumbered Cellular0
 ip access-group ACL-INFRASTRUCTURE-IN in
 ip access-group ACL-INFRASTRUCTURE-OUT out
 tunnel mode ipsec ipv4
!
interface Async0
 no ip address
 encapsulation scada
!
interface Async1
 no ip address
 encapsulation scada
!


@KGrev If you wish to authenticate the spoke router using username/password, you can use EAP but the hub (remote authentication) must use a certificate. See the end of this section - https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/xe-16-6/sec-flex-vpn-xe-16-6-book/sec-cfg-flex-clnt.html


@Rob Ingram Thanks for that link. It was very helpful. I updated a section of my configuration, as I had not applied any IPsec to an interface to start with. Updated Tunnel 0.

int tunnel 0
 ip address 10.2.9.61 255.255.255.252
 tunnel source loopback 0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile FLEX_PROFILE ikev2-profile IKEV2

I just used a temporary unused ip for this.

Here is the rest of the config for this.


username testprobe-sec password 6 xxxxxxxxxxxxxxxxx
!
redundancy
 notification-timer 120000
!
crypto ikev2 proposal IKEV2
 encryption aes-gcm-256
 prf sha256
 group 19
crypto ikev2 proposal default
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy IKEV2
 match fvrf any
 proposal IKEV2
!
!
crypto ikev2 profile IKEV2
 match address local 10.2.9.54
 match identity remote address 10.2.0.114 255.255.255.255
 identity local address 10.2.9.54
 authentication remote pre-share key 6 xxxxxxxxxxxxxxxxx
 authentication local pre-share key 6 xxxxxxxxxxxxxxxxxxxx
 dpd 30 4 periodic
 virtual-template 2 mode auto
!
crypto ikev2 limit max-sa 5
crypto ikev2 client flexvpn FLEXVPN
 peer 1 10.2.0.114
 client connect Tunnel0
!
!
!
controller Cellular 0
 lte sim fast-switchover enable
 lte failovertimer 5
no cdp run
!
ip tcp synwait-time 10
!
!
!
crypto isakmp policy 1
 encr aes 256
 hash sha256
 authentication pre-share
 group 19
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set IKEV2 ah-sha256-hmac esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX_PROFILE
 set transform-set IKEV2
 set ikev2-profile IKEV2
!
!
!
crypto ipsec client ezvpn TESTPROBE
 connect auto
 group RMCS_BitProbe key 6 xxxxxxxxxxxxxxxxx
 mode network-extension
 peer 10.2.0.114
 username testprobe-sec password 6 xxxxxxxxxxxxxxxxxxxx
 xauth userid mode local
!
!
crypto map IKEV2 63000 ipsec-isakmp
 set peer 10.2.0.114
 set transform-set IKEV2
 set pfs group19
 set ikev2-profile IKEV2
 match address 100
!
!
!
!
!
interface Loopback0
 ip address 10.2.9.54 255.255.255.254
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
!
interface Tunnel0
 ip address 10.2.9.61 255.255.255.252
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile FLEX_PROFILE ikev2-profile IKEV2
!
interface Cellular0
 ip address negotiated
 ip access-group CELLULAR-PORT-IN in
 ip access-group CELLULAR-PORT-OUT out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 ip tcp adjust-mss 1390
 dialer in-band
 dialer idle-timeout 0
 dialer string lte
 dialer watch-group 1
 async mode interactive
!
interface Cellular1
 no ip address
 encapsulation slip
 shutdown
!
interface Virtual-Template2 type tunnel
 ip unnumbered Cellular0
 ip access-group ACL-INFRASTRUCTURE-IN in
 ip access-group ACL-INFRASTRUCTURE-OUT out
 tunnel mode ipsec ipv4

-------------------------------------------------------------

I have the following Debug information but I'm not sure what is causing a failure currently:


000288: *Aug 11 15:10:05.415: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
000289: *Aug 11 15:10:05.417: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
000290: *Aug 11 15:10:05.417: IPSEC: Expand action denied, discard or forward packet.
000291: *Aug 11 15:10:05.417: IPSEC: Expand action denied, notify RP
000292: *Aug 11 15:10:05.417: IPSEC: Expand action denied, discard or forward packet.
000293: *Aug 11 15:10:05.417: IPSEC: Expand action denied, discard or forward packet.
000294: *Aug 11 15:10:05.417: IPSEC(recalculate_mtu): reset sadb_root 14998500 mtu to 1500
000295: *Aug 11 15:10:05.417: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.2.9.54:500, remote= 10.2.0.114:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= AH, transform= ah-sha256-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4000
000296: *Aug 11 15:10:05.417: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.2.9.54:500, remote= 10.2.0.114:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
000297: *Aug 11 15:10:05.417: IKEv2:Searching Policy with fvrf 0, local address 10.2.9.54
000298: *Aug 11 15:10:05.417: IKEv2:Found Policy 'IKEV2'
000299: *Aug 11 15:10:05.419: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 19
000300: *Aug 11 15:10:05.421: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
000301: *Aug 11 15:10:05.421: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
000302: *Aug 11 15:10:05.421: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
000303: *Aug 11 15:10:05.421: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
000304: *Aug 11 15:10:05.421: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 3
AES-GCM SHA256 DH_GROUP_256_ECP/Group 19

000305: *Aug 11 15:10:05.421: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.2.0.114:500/From 10.2.9.54:500/VRF i0:f0]
Initiator SPI : C441085A7BE2851E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

000306: *Aug 11 15:10:05.423: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA
000307: *Aug 11 15:10:05.423: %FLEXVPN-6-FLEXVPN_CONNECTION_DOWN: FlexVPN(FLEXVPN) Client_public_addr = 10.2.9.54 Server_public_addr = 10.2.0.114
000308: *Aug 11 15:10:05.423: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
000309: *Aug 11 15:10:05.423: ISAKMP-ERROR: (0):ignoring request to send delete notify (no ISAKMP sa) src 10.2.9.54 dst 10.2.0.114 for SPI 0x0
000310: *Aug 11 15:10:05.423: IPSEC: Expand action denied, discard or forward packet.
000311: *Aug 11 15:10:05.423: IPSEC: Expand action denied, notify RP
000312: *Aug 11 15:10:05.423: IPSEC: Expand action denied, discard or forward packet.
000313: *Aug 11 15:10:05.423: IPSEC: Expand action denied, discard or forward packet.
000314: *Aug 11 15:10:05.423: IPSEC:(SESSION ID = 1) (recalculate_mtu) reset sadb_root 14998500 mtu to 1500
000315: *Aug 11 15:10:05.425: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.2.9.54:500, remote= 10.2.0.114:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= AH, transform= ah-sha256-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4000
000316: *Aug 11 15:10:05.425: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.2.9.54:500, remote= 10.2.0.114:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
000317: *Aug 11 15:10:05.425: IKEv2:Searching Policy with fvrf 0, local address 10.2.9.54
000318: *Aug 11 15:10:05.425: IKEv2:Found Policy 'IKEV2'
000319: *Aug 11 15:10:05.425: IKEv2:SA is already in negotiation, hence not negotiating again
000320: *Aug 11 15:10:07.331: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

000321: *Aug 11 15:10:07.331: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.2.0.114:500/From 10.2.9.54:500/VRF i0:f0]
Initiator SPI : C441085A7BE2851E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)
LTE_35(config-if)#
000322: *Aug 11 15:10:11.166: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

000323: *Aug 11 15:10:11.166: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.2.0.114:500/From 10.2.9.54:500/VRF i0:f0]
Initiator SPI : C441085A7BE2851E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

LTE_35(config-if)#
000324: *Aug 11 15:10:18.470: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

000325: *Aug 11 15:10:18.470: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.2.0.114:500/From 10.2.9.54:500/VRF i0:f0]
Initiator SPI : C441085A7BE2851E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

LTE_35(config-if)#
000326: *Aug 11 15:10:33.571: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

000327: *Aug 11 15:10:33.571: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.2.0.114:500/From 10.2.9.54:500/VRF i0:f0]
Initiator SPI : C441085A7BE2851E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

LTE_35(config-if)#
000328: *Aug 11 15:10:35.432: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
(identity) local= 10.2.9.54:0, remote= 10.2.0.114:0,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0
000329: *Aug 11 15:10:35.432: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.2.9.54:500, remote= 10.2.0.114:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= AH, transform= ah-sha256-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4000
000330: *Aug 11 15:10:35.432: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 10.2.9.54:500, remote= 10.2.0.114:500,
local_proxy= 0.0.0.0/0.0.0.0/256/0,
remote_proxy= 0.0.0.0/0.0.0.0/256/0,
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
000331: *Aug 11 15:10:35.432: IKEv2:Searching Policy with fvrf 0, local address 10.2.9.54
000332: *Aug 11 15:10:35.432: IKEv2:Found Policy 'IKEV2'
000333: *Aug 11 15:10:35.432: IKEv2:SA is already in negotiation, hence not negotiating again

@KGrev retransmitting packets are repeating, communication issues?

000322: *Aug 11 15:10:11.166: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

000323: *Aug 11 15:10:11.166: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.2.0.114:500/From 10.2.9.54:500/VRF i0:f0]
Initiator SPI : C441085A7BE2851E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

LTE_35(config-if)#
000324: *Aug 11 15:10:18.470: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

000325: *Aug 11 15:10:18.470: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.2.0.114:500/From 10.2.9.54:500/VRF i0:f0]
Initiator SPI : C441085A7BE2851E - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

LTE_35(config-if)#
000326: *Aug 11 15:10:33.571: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet

000327: *Aug 11 15:10:33.571: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.2.0.114:500/From 10.2.9.54:500/VRF i0:f0]
Initiator SPI : C441085A7BE2851E - Responder SPI : 0000000000000000 Message id: 0

What are these ACLs doing?

interface Cellular0
ip address negotiated
ip access-group CELLULAR-PORT-IN in
ip access-group CELLULAR-PORT-OUT out
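To make the ACL question concrete, here is an added example (not from the thread, and not the poster's unshown ACL) of the minimum an inbound ACL on the cellular interface has to permit for IKEv2 and the IPsec child SA to come back from the hub, followed by the show commands that tell you whether the hub's reply is arriving at all. The hub address 10.2.0.114, the ACL name and the FlexVPN client name are taken from the thread; the entries themselves are an assumption about what the original ACL needs to contain. One Cisco-specific caveat: an outbound ACL does not filter packets the router itself originates, so it is the inbound direction that can silently drop the IKE_SA_INIT response and produce exactly the retransmit pattern above.

```cisco
! Added example, not the poster's ACL: entries IKEv2/IPsec from the hub needs.
! 10.2.0.114 is the hub address from the thread; everything else is assumed.
ip access-list extended CELLULAR-PORT-IN
 remark IKEv2 on UDP/500, NAT-T on UDP/4500, then the ESP child SA
 permit udp host 10.2.0.114 eq isakmp any eq isakmp
 permit udp host 10.2.0.114 eq non500-isakmp any eq non500-isakmp
 permit esp host 10.2.0.114 any
 remark only needed while the transform-set still carries ah-sha256-hmac
 permit ahp host 10.2.0.114 any
 remark ... existing management/data entries go here ...
 deny ip any any log
!
! Did the reply ever arrive? Non-zero match counters on the permit lines mean yes;
! hits on the logging deny show what is being dropped instead.
show ip access-lists CELLULAR-PORT-IN
! While the peer is silent the Responder SPI stays 0000000000000000.
show crypto ikev2 sa detailed
! FlexVPN client state and the peer it is currently trying.
show crypto ikev2 client flexvpn FLEXVPN
! Return path: the hub must be able to reach the IKE source (Loopback0, 10.2.9.54).
show ip route 10.2.0.114
```

If the counters on the UDP/500 line stay at zero while `debug crypto ikev2` keeps printing `Retransmitting packet`, the problem is upstream of this router (carrier filtering, the hub's own ACL, or no route back to the loopback) rather than in the crypto configuration.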


KGrev
Level 4

Hi @Rob Ingram, sheesh, it's been some time since I've been able to come back to this project. Very sorry about that. To update, I took the ACLs off the cellular interface but there doesn't seem to be a change. Attached is the current config and some debug.

Thank you for your help.

@KGrev You've still got a crypto map and EZVPN configuration defined. Please can you provide the full configuration so we can confirm the legacy configuration is not actually in use and conflicting with the tunnel interface you are using.

Do you have the debugs from the other router for comparison?

@Rob Ingram Thanks for your response and sorry for the confusion on my end. I assumed the EZVPN was not in use as I had not added a statement to an interface to use it. Here is a full config with only passwords and IPs changed. Note that the ACLs aren't applied and aren't properly configured yet either.

@KGrev Is this configuration the hub or the spoke? You've got a partially configured virtual-template that is referenced under the IKEv2 profile that is used by the sVTI. Remove the legacy configuration (the virtual template etc.) that is not explicitly required.


@Rob Ingram This would be a spoke LTE router.

Are you saying to remove this part here?
interface Virtual-Template2 type tunnel
 ip unnumbered Cellular0
 ip access-group ACL-INFRASTRUCTURE-IN in
 ip access-group ACL-INFRASTRUCTURE-OUT out
 tunnel mode ipsec ipv4

@KGrev yes, you would only have a virtual-template on the spoke if requiring spoke-to-spoke connectivity, but your virtual-template is incomplete and would not work. So yes remove from the IKEv2 profile and delete.

@Rob Ingram Thanks for your help. Sorry, I'm going to try to break this down. Trying to figure all this out. You're very helpful.

So I'm going to use "no interface Virtual-Template2 type tunnel"

Then you mentioned to remove it from the IKEv2 Profile,

So referring to this section here:
crypto ikev2 profile IKEV2
 match address local 50.10.9.54
 match identity remote address 50.10.0.114 255.255.255.255
 identity local address 50.10.9.54
 authentication remote pre-share key 6 xxxxxxxxxxxxxxxxxxxxxxx
 authentication local pre-share key 6 xxxxxxxxxxxxxxxxxxxxx
 dpd 30 4 periodic
 virtual-template 2 mode auto  <------remove this

@KGrev you'll have to remove it from the IKEv2 profile first, as it would not allow you to delete the VT because it's in use.
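Pulling the steps from this thread together, here is an added example (not the poster's running config and not a Cisco document) of the spoke reduced to FlexVPN only: the legacy objects are withdrawn in the order IOS accepts (the IKEv2 profile's reference to the virtual-template first, then the template, the crypto map, the EZVPN client and the ISAKMP policy), and the child-SA transform-set drops AH, which cannot traverse NAT and is redundant once ESP carries its own integrity algorithm. Object names, addresses and the /30 on Tunnel0 are the ones the thread uses; the pre-shared keys are placeholders typed in plaintext (IOS stores them as type 6 once `password encryption aes` is in place). It assumes, as the posted debug shows, that Loopback0 is the IKE source and that the hub can route back to it.

```cisco
! Added example: spoke reduced to the FlexVPN sVTI pieces only.
! Names/addresses are the thread's; <...> are placeholders to fill in.

! 1. Detach the legacy pieces. The IKEv2 profile references the
!    virtual-template, so that reference has to go before the template.
crypto ikev2 profile IKEV2
 no virtual-template 2
!
no interface Virtual-Template2
no crypto map IKEV2
no crypto ipsec client ezvpn TESTPROBE
no crypto isakmp policy 1
!
! 2. IKE SA parameters, unchanged from the thread: AES-GCM-256, SHA-256 PRF,
!    ECP-256 (group 19).
crypto ikev2 proposal IKEV2
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy IKEV2
 match fvrf any
 proposal IKEV2
!
crypto ikev2 profile IKEV2
 match address local 10.2.9.54
 match identity remote address 10.2.0.114 255.255.255.255
 identity local address 10.2.9.54
 authentication remote pre-share key <psk-the-hub-presents>
 authentication local pre-share key <psk-this-spoke-presents>
 dpd 30 4 periodic
!
! 3. Child SA: ESP only, with PFS on the same curve as the IKE SA.
crypto ipsec transform-set FLEX_TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile FLEX_PROFILE
 set transform-set FLEX_TS
 set pfs group19
 set ikev2-profile IKEV2
!
! 4. The sVTI. The destination is left dynamic; the FlexVPN client
!    fills it in from its peer list and brings the tunnel up.
interface Tunnel0
 ip address 10.2.9.61 255.255.255.252
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel destination dynamic
 tunnel protection ipsec profile FLEX_PROFILE
!
crypto ikev2 client flexvpn FLEXVPN
 peer 1 10.2.0.114
 client connect Tunnel0
```

After applying this, `show crypto ikev2 sa detailed` should show a single SA to 10.2.0.114 with a non-zero responder SPI, and `show crypto ipsec sa` should list only ESP SAs; if `show crypto map` or `show crypto ipsec client ezvpn` still returns anything, a legacy object survived and the crypto-map insert error in the debug will keep appearing. The hub side must present the same proposal (AES-GCM-256, SHA-256 PRF, group 19) and an ESP-only transform for the negotiation to succeed.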