5840 Views, 4 Helpful, 12 Replies

Issue getting an IKEv2 P2P VPN between Sonicwall and IR1101 IOS XE 17.8

cadamwil (Level 1)

I have been having an issue getting an IKEv2 Point-to-Point VPN between my Sonicwall and an IR1101.
I was able to get IKEv1 working, but it wasn't passing traffic, likely a NAT rule or a route was needed. However, I decided I would rather just get IKEv2 working out of the gate, as I know IKEv2 is preferred moving forward. I have got it configured as best I could, based on

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-cfg-vpn-ipsec.html

&

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html#GUID-3D906CA9-B533-49A0-9374-BB354BF3277F

I can't seem to get it to connect, but on the sonicwall side I see

"IKEv2 Initiator: Remote Party Timeout - Retransmitting IKEv2 Request."

and then "SENDING>>>> ISAKMP OAK IKE_SA_INIT (InitCookie:0x281598a8d0529cf5 RespCookie:0x0000000000000000, MsgID: 0x0) (SA, KE, NONCE, NOTIFY: NATD Source IP, NOTIFY: NATD Destination IP, VID)"


I attempted to turn on IKEv2 debug logging on the IR1101, but don't see anything in the log.


My goal is to connect my sonicwall to the IR1101 using PSK, with IP as the IKE IDs and the following settings on the Sonicwall side:

Phase 1
IKEv2
DH Group 14
Encryption AES-256
Authentication SHA256
Lifetime 28800

Phase 2
ESP Protocol
Encryption AES-256
Authentication SHA256
Lifetime 28800

The Sonicwall side's network is 10.10.55.0/24

The IR1101's side network is 10.75.55.0/24

Edited config attached

Accepted Solution

There are two phases of the issue:

VTI, which we solved.

Now the zone security issue.

Add two zones, named Local and Remote.

Local will include the LAN of the router.

Remote will include the VTI interface of the router.

Allow traffic between these two zones and that's it.

12 Replies

Need a lot of work here.

First, you configured an IPsec profile where you don't have any tunnel protected by this profile.

You need a crypto map; under it, set the transform set, set the IKEv2 profile and match address (the traffic that must be encrypted).

Second, zone firewall from self to Out.

First check the crypto map and then we will talk about zones.

@cadamwil you haven't included a crypto map or VTI configuration, so it is hard to tell what you are attempting to use.

Crypto map (static and dynamic) is deprecated on your IOS-XE version; you should ensure you are using a VTI (route-based VPN). https://www.cisco.com/c/en/us/td/docs/routers/ios/config/17-x/sec-vpn/b-security-vpn/m_sec-intro-ikev2-flex.html


@cadamwil the answer of @Rob Ingram is more detailed than mine.

He is totally correct.

Thanks

MHM

cadamwil (Level 1)

Do you guys know if there are any issues using a VTI with Sonicwalls? I have added the crypto map, before I saw the VTI comments.

On the sonicwall side, I am now seeing "Traffic Selectors Unacceptable" and "Negotiations Failed. Extra Payloads Present."

That's the guide that I used to get IKEv1 working, but it seems to be missing things for IKEv2, especially on the Cisco IOS side. On the Sonicwall it's a drop-down selection to go from IKEv1 to IKEv2; in fact the screenshots show IKEv2, but looking at the Cisco IOS side, they meant IKEv1, or that was my interpretation.

cadamwil (Level 1)

OK, so I nuked the previous VPN configuration to attempt to create an IKEv2 VTI VPN between the sonicwall and my IR1101.

Loosely basing it on this document from sonicwall, where they do it with IKEv1. I swapped the sonicwall side for IKEv2. Here is what I have done so far.

https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-a-route-based-vpn-between-sonicwall-and-cisco/171010141517388/

As I understand it, on the Cisco side I create part of the Phase 1 IKEv2 by creating the ikev2 proposal, which I did by running the following:

crypto ikev2 proposal CH-Sonicwall-Ikev2-prop
encr aes-cbc-256
group 14
integrity sha256

The issue I am running into is in the crypto map, in assigning the transform set.  I need to create a transform set for the IPsec / Phase 2 part of the VPN tunnel. 

I attempt to run the following:

crypto ipsec transform-set CH-SW-TSet esp-aes 256 esp-sha-hmac

or

crypto ipsec transform-set CH-SW-TSet esp-des esp-sha384-hmac

but I get the warning that a weaker transform set is deprecated. Fine, which transform set should I use?

Can someone point me to the non-weaker transforms? Everything I can find says these should be sufficient.

 

crypto ipsec transform-set CH-SW-TSet esp-aes 256 esp-sha384-hmac

This must be fine 

That helped with the transform. After that, I was able to get the VPN up using IKEv2 across a VTI tunnel. The steps I used are below. However, now I seem to be missing something on the firewall side. I have pings running from my server on the sonicwall side to a device on the VLAN 1 LAN on the Cisco IR side. I see the packets on the IR side, but they don't seem to be forwarded to the device, as I don't see the return packets. I have attached my config; I am sure it's an easy fix I am missing.

These config steps are what worked for me from an IR1101 running IOS XE 17.8 to a Sonicwall NSA 3700 running 7.0.1-5080.

The tunnel is 172.16.75.0/30 with .1 being the sonicwall and .2 being the Cisco IR 1101.

LAN on the Sonicwall is 10.10.55.0/24 and on the Cisco IR 10.75.55.0/24

crypto ikev2 proposal CH-SW-Ikev2-prop
encr aes-cbc-256
group 14
integrity sha256
exit

crypto ikev2 policy CH-SW-Policy
proposal CH-SW-Ikev2-prop
exit

crypto ikev2 keyring CH-SW-keyr
peer SW.SW.SW.SW
address SW.SW.SW.SW 255.255.255.255
identity address SW.SW.SW.SW
pre-shared-key local blahblahblahVerySecurePW
pre-shared-key remote blahblahblahVerySecurePW
exit
exit


crypto ikev2 profile CH-SW-Prof
match identity remote address SW.SW.SW.SW
identity local address CI.SC.O.IR
authentication local pre-share
authentication remote pre-share
keyring local CH-SW-keyr
exit


crypto ipsec transform-set CH-SW-TSet esp-aes 256 esp-sha384-hmac

crypto ipsec profile CH-SW-IPSec-Prof
set transform-set CH-SW-TSet
set ikev2-profile CH-SW-Prof
exit


interface tunnel 0
ip address 172.16.75.2 255.255.255.252
tunnel source GigabitEthernet0/0/0
tunnel mode ipsec ipv4
tunnel destination SW.SW.SW.SW
tunnel protection ipsec profile CH-SW-IPSec-Prof
exit

ip route 10.10.55.0 255.255.255.0 172.16.75.1

FYI, I can ping the IR 1101's lan from the Sonicwall side, but not the devices on the lan.  So 10.10.55.21 can ping 10.75.55.1, but not 10.75.55.51.  However, those devices are up and responding on the Cisco side.
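Pulling the thread together, here is an added example (my own write-up, not the poster's attached configuration and not the accepted answer's literal commands) of the complete IR1101 side: the IKEv2/VTI configuration above plus the two zones the accepted solution describes. It also accounts for the symptoms seen along the way. A SonicWall that logs "Remote Party Timeout - Retransmitting IKEv2 Request" while still sending IKE_SA_INIT never received a response at all, which is why `debug crypto ikev2` shows nothing: the packet is dropped before the IKEv2 process sees it, typically by an inbound ACL or an Outside-to-self zone policy. "Traffic Selectors Unacceptable" with a crypto map is typically the SonicWall's tunnel-interface policy proposing 0.0.0.0/0 selectors that a crypto-map ACL narrowed to the two /24s does not accept; a VTI with `tunnel mode ipsec ipv4` negotiates 0.0.0.0/0 as well, so the selectors agree. Reaching 10.75.55.1 but not 10.75.55.51 is zone-based firewall behaviour: the first is traffic to the router itself (self zone, permitted by default), the second transits from Tunnel0 to VLAN 1, and an interface that belongs to no zone cannot exchange traffic with an interface that does. The zone names Local and Remote come from the accepted solution; Outside, the class-map/policy-map/ACL names, Vlan1 as the LAN SVI with 10.75.55.1, and the existence of an Outside-to-self zone-pair are my assumptions. SW.SW.SW.SW and CI.SC.O.IR are the thread's placeholders for the two public IPs.

```cisco
! Added example, not the original poster's attached config. Assumed names:
! zones Local/Remote (from the accepted answer) and Outside, Vlan1 = LAN SVI,
! GigabitEthernet0/0/0 = WAN, SW.SW.SW.SW / CI.SC.O.IR = the two public IPs.
! --- Phase 1 (IKEv2 SA): mirrors SonicWall Phase 1: AES-256 / SHA256 / DH14 / 28800 s
crypto ikev2 proposal CH-SW-Ikev2-prop
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy CH-SW-Policy
 proposal CH-SW-Ikev2-prop
!
crypto ikev2 keyring CH-SW-keyr
 peer SONICWALL
  address SW.SW.SW.SW 255.255.255.255
  pre-shared-key blahblahblahVerySecurePW
!
crypto ikev2 profile CH-SW-Prof
 match identity remote address SW.SW.SW.SW 255.255.255.255
 identity local address CI.SC.O.IR
 authentication remote pre-share
 authentication local pre-share
 keyring local CH-SW-keyr
 lifetime 28800
 dpd 10 3 on-demand
!
! --- Phase 2 (ESP): the integrity algorithm must equal the SonicWall Phase 2
! "Authentication" setting (SHA256 in the question). esp-sha-hmac (SHA-1) and
! esp-des are what 17.x flags as weak; the SHA-2 HMACs (esp-sha256-hmac,
! esp-sha384-hmac, esp-sha512-hmac) are not.
crypto ipsec transform-set CH-SW-TSet esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile CH-SW-IPSec-Prof
 set transform-set CH-SW-TSet
 set ikev2-profile CH-SW-Prof
 set security-association lifetime seconds 28800
!
! --- Zone-based firewall. Tunnel0 <-> Vlan1 traffic is a zone-to-zone transit,
! so both interfaces need a zone and a zone-pair in each direction must permit it.
zone security Local
zone security Remote
zone security Outside
!
class-map type inspect match-any VPN-LAN-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
!
policy-map type inspect VPN-LAN-POLICY
 class type inspect VPN-LAN-TRAFFIC
  inspect
 class class-default
  drop log
!
zone-pair security LOCAL-TO-REMOTE source Local destination Remote
 service-policy type inspect VPN-LAN-POLICY
zone-pair security REMOTE-TO-LOCAL source Remote destination Local
 service-policy type inspect VPN-LAN-POLICY
!
! --- Only needed if an Outside->self zone-pair exists ("self to Out" above):
! IKE (UDP 500/4500) and ESP from the peer must be passed, otherwise IKE_SA_INIT
! is dropped before the IKEv2 process sees it and no debug output appears.
! class-default here drops every other WAN->router flow; add classes for any
! management traffic you rely on. Self->Outside stays permitted unless a
! zone-pair covers that direction too.
ip access-list extended IKE-ESP-FROM-SW
 permit udp host SW.SW.SW.SW host CI.SC.O.IR eq isakmp
 permit udp host SW.SW.SW.SW host CI.SC.O.IR eq non500-isakmp
 permit esp host SW.SW.SW.SW host CI.SC.O.IR
!
class-map type inspect match-all IKE-ESP-CLASS
 match access-group name IKE-ESP-FROM-SW
!
policy-map type inspect OUTSIDE-TO-SELF
 class type inspect IKE-ESP-CLASS
  pass
 class class-default
  drop log
!
zone-pair security OUTSIDE-TO-SELF source Outside destination self
 service-policy type inspect OUTSIDE-TO-SELF
!
! --- Interfaces and the route to the SonicWall LAN over the VTI
interface GigabitEthernet0/0/0
 zone-member security Outside
!
interface Vlan1
 ip address 10.75.55.1 255.255.255.0
 zone-member security Local
!
interface Tunnel0
 ip address 172.16.75.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination SW.SW.SW.SW
 tunnel protection ipsec profile CH-SW-IPSec-Prof
 zone-member security Remote
!
ip route 10.10.55.0 255.255.255.0 172.16.75.1
```

Checks after applying it: `show crypto ikev2 sa` should list the peer in READY state, `show crypto ipsec sa` should show both the encaps and decaps counters rising while the ping runs, and `show policy-map type inspect zone-pair sessions` lists the flows the firewall has opened between Remote and Local. The pattern in the question, packets arriving on the IR side with no replies, shows up as decaps climbing while encaps stay flat; that points at the zones or the route back to 10.10.55.0/24 rather than at IKE or IPsec. On the SonicWall the matching piece is the numbered Tunnel Interface at 172.16.75.1/30 with a static route for 10.75.55.0/24 via that interface, as in the SonicWall KB article linked above.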
