07-12-2023 08:32 AM - last edited on 07-12-2023 09:46 AM by rupeshah
Hi,
I am having an issue: the IPsec IKEv2 tunnel is not coming up. It looks like there is some mistake in my configuration; can anyone assist me?
R11#sh run | s crypto
crypto ikev2 proposal PROP
encryption aes-cbc-128 3des des
integrity sha256 sha1 md5
group 15 14 5 2
crypto ikev2 policy POL
proposal PROP
crypto ikev2 keyring CCIE
peer R-12
address 2.2.2.2
hostname xxx
identity fqdn xxx.cisco.com
pre-shared-key local cisco
pre-shared-key remote cisco
!
crypto ikev2 profile PROF
match identity remote fqdn domain xxx.cisco.com
identity local email xxx@cisco.com
authentication remote pre-share
authentication local pre-share
keyring local CCIE
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
crypto map CMAP 10 ipsec-isakmp
set peer 2.2.2.2
set transform-set TS
set ikev2-profile PROF
match address 101
crypto map CMAP
R12#sh run | s crypto
crypto ikev2 proposal PROP
encryption aes-cbc-128 3des des
integrity sha256 sha1 md5
group 15 14 5 2
crypto ikev2 policy POL
proposal PROP
crypto ikev2 keyring CCIE
peer R-11
address 3.3.3.3
hostname xxx
identity email xxx@cisco.com
pre-shared-key local cisco
pre-shared-key remote cisco
!
crypto ikev2 profile PROF
match identity remote email xxx@cisco.com
identity local fqdn xxx.cisco.com
authentication remote pre-share
authentication local pre-share
keyring local CCIE
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
crypto map CMAP 10 ipsec-isakmp
set peer 3.3.3.3
set transform-set TS
set ikev2-profile PROF
match address 101
crypto map CMAP
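The two proposals above each offer thirteen transforms, from aes-cbc-128/sha256/group 15 down to des/md5/group 2. The following is an added example, not code from the thread, that models how the responder reconciles such lists at IKE_SA_INIT (RFC 7296 section 3.3) and why the weak tail of the list matters. It assumes what the debug later in the thread shows for these two routers: the responder walks its own proposal in configured order and, for each transform type, takes the first transform the initiator also offered. The `ios_proposal` helper, the `WEAK` list and the "weak-first" peer are this example's own constructions.

```python
"""IKE_SA_INIT transform selection, modelled on RFC 7296 section 3.3.

Added example, not from the thread. Assumption: the responder walks its own
'crypto ikev2 proposal' in configured order and, for each transform type,
picks the first transform that the initiator also offered. The debug in the
thread shows that outcome (13 transforms offered, AES-CBC/SHA256/SHA256/
group 15 chosen); the ordering rule itself is this model's assumption.
"""

# Transform types from RFC 7296 section 3.3.2 (Transform Type 1-4).
ENCR, PRF, INTEG, DH = "ENCR", "PRF", "INTEG", "DH"

# Transforms this example treats as legacy/weak: DES and 3DES (64-bit block),
# MD5-based integrity/PRF, and MODP groups below 2048 bits.
WEAK = {"des", "3des", "md5", 1, 2, 5}


def ios_proposal(encryption, integrity, group):
    """Expand one 'crypto ikev2 proposal' into per-type ordered lists.

    Assumption: without an explicit 'prf' line the integrity algorithms are
    offered as PRFs too, which is what the thread's debug shows
    (type 2 = PRF: SHA256/SHA1/MD5, type 3 = INTEG: SHA256/SHA96/MD596).
    """
    return {
        ENCR: list(encryption),
        PRF: list(integrity),
        INTEG: list(integrity),
        DH: list(group),
    }


def select_transforms(responder, initiator):
    """Responder's choice per transform type, or None when some type has
    no common transform (the responder would answer NO_PROPOSAL_CHOSEN)."""
    chosen = {}
    for ttype, preferences in responder.items():
        offered = set(initiator.get(ttype, []))
        pick = next((t for t in preferences if t in offered), None)
        if pick is None:
            return None
        chosen[ttype] = pick
    return chosen


def weak_transforms(chosen):
    """Transform types whose negotiated value is on the WEAK list."""
    return sorted(t for t, v in chosen.items() if v in WEAK)


# Both routers in the thread: aes-cbc-128 3des des / sha256 sha1 md5 / 15 14 5 2
THREAD_PROPOSAL = ios_proposal(["aes-cbc-128", "3des", "des"],
                               ["sha256", "sha1", "md5"], [15, 14, 5, 2])

# Constructed peer that lists the same algorithms but weakest first.
WEAK_FIRST_PEER = ios_proposal(["des", "3des", "aes-cbc-128"],
                               ["md5", "sha1", "sha256"], [2, 5, 14, 15])

# Constructed peer with nothing in common with the thread's proposal.
NO_OVERLAP_PEER = ios_proposal(["aes-cbc-256"], ["sha512"], [19])


if __name__ == "__main__":
    print("thread, both sides:", select_transforms(THREAD_PROPOSAL, THREAD_PROPOSAL))
    print("weak-first responder:", select_transforms(WEAK_FIRST_PEER, THREAD_PROPOSAL))
    print("no overlap:", select_transforms(NO_OVERLAP_PEER, THREAD_PROPOSAL))
```

With identical proposals on both sides the model picks aes-cbc-128/sha256/sha256/group 15, which is what the debug output further down reports. Against a responder that lists des and md5 first, the very same R11/R12 proposal negotiates des/md5/group 2 without any error: everything the proposal offers is something the peer is allowed to choose, so the only reliable fix is to not list transforms you would not accept.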
07-12-2023 08:42 AM
deb crypto ikev2 packet
deb crypto ikev2 internal
Share this
Thanks
07-12-2023 08:51 AM
R12#ping 10.1.1.1 so lo1 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.2.2.2
*Jul 12 19:51:01.990: IKEv2:% Getting preshared key by address 3.3.3.3
*Jul 12 19:51:01.994: IKEv2:Adding Proposal PROP to toolkit policy
*Jul 12 19:51:02.006: IKEv2:(1): Choosing IKE profile PROF
*Jul 12 19:51:02.010: IKEv2:New ikev2 sa request admitted
*Jul 12 19:51:02.010: IKEv2:Incrementing outgoing negotiating sa count by one
*Jul 12 19:51:02.018: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
*Jul 12 19:51:02.022: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
*Jul 12 19:51:02.026: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
*Jul 12 19:51:02.026: IKEv2:(SA ID = 1):Setting configured policies
*Jul 12 19:51:02.030: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
*Jul 12 19:51:02.034: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
*Jul 12 19:51:02.042: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
*Jul 12 19:51:02.046: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
*Jul 12 19:51:02.046: IKEv2:(SA ID = 1):Action: Action_Null
*Jul 12 19:51:02.050: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
*Jul 12 19:51:02.054: IKEv2:No config data to send to toolkit:
*Jul 12 19:51:02.058: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
Success rate is 0 percent (0/1)
R12#
*Jul 12 19:51:02.062: IKEv2:Construct Vendor Specific Payload: DELETE-REASON
*Jul 12 19:51:02.066: IKEv2:Construct Vendor Specific Payload: (CUSTOM)
*Jul 12 19:51:02.066: IKEv2:Construct Notify Payload: NAT_DETECTION_SOURCE_IP
*Jul 12 19:51:02.070: IKEv2:Construct Notify Payload: NAT_DETECTION_DESTINATION_IP
*Jul 12 19:51:02.074: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 664
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 120
last proposal: 0x0, reserved: 0x0, length: 116
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 13 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: 3DES
last transform: 0x3, reserved: 0x0: length: 8
type: 1, reserved: 0x0, id: DES
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA1
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: MD5
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: MD596
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_3072_MODP/Group 15
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
last transform: 0x3, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2
KE Next payload: N, reserved: 0x0, length: 392
DH group: 15, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 24
VID Next payload: VID, reserved: 0x0, length: 23
VID Next payload: NOTIFY, reserved: 0x0, length: 21
NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
*Jul 12 19:51:02.118: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_INSERT_SA
*Jul 12 19:51:02.122: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_NO_EVENT
*Jul 12 19:51:02.490: IKEv2:Got a packet from dispatcher
*Jul 12 19:51:02.494: IKEv2:Processing an item off the pak queue
*Jul 12 19:51:02.498: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 592
Payload contents:
SA Next payload: KE, reserved: 0x0, length: 48
last proposal: 0x0, reserved: 0x0, length: 44
Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA256
last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_3072_MODP/Group 15
KE Next payload: N, reserved: 0x0, length: 392
DH group: 15, Reserved: 0x0
N Next payload: VID, reserved: 0x0, length: 24
*Jul 12 19:51:02.522: IKEv2:Parse Vendor Specific Payload: CISCO-DELETE-REASON VID Next payload: VID, reserved: 0x0, length: 23
*Jul 12 19:51:02.526: IKEv2:Parse Vendor Specific Payload: (CUSTOM)
VID Next payload: NOTIFY, reserved: 0x0, length: 21
*Jul 12 19:51:02.530: IKEv2:Parse Notify Payload: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP
*Jul 12 19:51:02.534: IKEv2:Parse Notify Payload: NAT_DETECTION_DESTINATION_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28
Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP
*Jul 12 19:51:02.542: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT
*Jul 12 19:51:02.546: IKEv2:(SA ID = 1):Processing IKE_SA_INIT message
*Jul 12 19:51:02.550: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK4_NOTIFY
*Jul 12 19:51:02.554: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_VERIFY_MSG
*Jul 12 19:51:02.554: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_PROC_MSG
*Jul 12 19:51:02.562: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_DETECT_NAT
*Jul 12 19:51:02.562: IKEv2:(SA ID = 1):Process NAT discovery notify
*Jul 12 19:51:02.566: IKEv2:(SA ID = 1):Processing nat detect src notify
*Jul 12 19:51:02.570: IKEv2:(SA ID = 1):Remote address matched
*Jul 12 19:51:02.570: IKEv2:(SA ID = 1):Processing nat detect dst notify
*Jul 12 19:51:02.574: IKEv2:(SA ID = 1):Local address matched
*Jul 12 19:51:02.574: IKEv2:(SA ID = 1):No NAT found
*Jul 12 19:51:02.578: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_NAT_T
*Jul 12 19:51:02.582: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_PROC_INIT Event: EV_CHK_CONFIG_MODE
*Jul 12 19:51:02.586: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_DH_SECRET
*Jul 12 19:51:02.842: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_NO_EVENT
*Jul 12 19:51:02.846: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_OK_RECD_DH_SECRET_RESP
*Jul 12 19:51:02.846: IKEv2:(SA ID = 1):Action: Action_Null
*Jul 12 19:51:02.846: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_GEN_SKEYID
*Jul 12 19:51:02.846: IKEv2:(SA ID = 1):Generate skeyid
*Jul 12 19:51:02.854: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE
*Jul 12 19:51:02.854: IKEv2:(SA ID = 1):Cisco DeleteReason Notify is enabled
*Jul 12 19:51:02.858: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: INIT_DONE Event: EV_CHK4_ROLE
*Jul 12 19:51:02.862: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GET_CONFIG_MODE
*Jul 12 19:51:02.866: IKEv2:Config-request is not supported for crypto maps
*Jul 12 19:51:02.866: IKEv2:No config data to send to toolkit:
*Jul 12 19:51:02.870: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_EAP
*Jul 12 19:51:02.874: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_GEN_AUTH
*Jul 12 19:51:02.882: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_CHK_AUTH_TYPE
*Jul 12 19:51:02.882: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_OK_AUTH_GEN
*Jul 12 19:51:02.886: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event: EV_SEND_AUTH
*Jul 12 19:51:02.890: IKEv2:Construct Vendor Specific Payload: CISCO-GRANITE
*Jul 12 19:51:02.894: IKEv2:Construct Notify Payload: INITIAL_CONTACT
*Jul 12 19:51:02.898: IKEv2:Construct Notify Payload: SET_WINDOW_SIZE
*Jul 12 19:51:02.898: IKEv2:Construct Notify Payload: ESP_TFC_NO_SUPPORT
*Jul 12 19:51:02.902: IKEv2:Construct Notify Payload: NON_FIRST_FRAGS
Payload contents:
VID Next payload: IDi, reserved: 0x0, length: 20
IDi Next payload: AUTH, reserved: 0x0, length: 21
Id type: FQDN, Reserved: 0x0 0x0
AUTH Next payload: SA, reserved: 0x0, length: 40
Auth method PSK, reserved: 0x0, reserved 0x0
SA Next payload: TSi, reserved: 0x0, length: 44
last proposal: 0x0, reserved: 0x0, length: 40
Proposal: 1, Protocol id: ESP, SPI size: 4, #trans: 3 last transform: 0x3, reserved: 0x0: length: 12
type: 1, reserved: 0x0, id: AES-CBC
last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
last transform: 0x0, reserved: 0x0: length: 8
type: 5, reserved: 0x0, id: Don't use ESN
TSi Next payload: TSr, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 10.2.2.0, end addr: 10.2.2.255
TSr Next payload: NOTIFY, reserved: 0x0, length: 24
Num of TSs: 1, reserved 0x0, reserved 0x0
TS type: TS_IPV4_ADDR_RANGE, proto id: 0, length: 16
start port: 0, end port: 65535
start addr: 10.1.1.0, end addr: 10.1.1.255
NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: INITIAL_CONTACT
NOTIFY(SET_WINDOW_SIZE) Next payload: NOTIFY, reserved: 0x0, length: 12
Security protocol id: IKE, spi size: 0, type: SET_WINDOW_SIZE
NOTIFY(ESP_TFC_NO_SUPPORT) Next payload: NOTIFY, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: ESP_TFC_NO_SUPPORT
NOTIFY(NON_FIRST_FRAGS) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: NON_FIRST_FRAGS
*Jul 12 19:51:02.950: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 288
Payload contents:
ENCR Next payload: VID, reserved: 0x0, length: 260
*Jul 12 19:51:02.962: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_NO_EVENT
*Jul 12 19:51:02.978: IKEv2:Got a packet from dispatcher
*Jul 12 19:51:02.986: IKEv2:Processing an item off the pak queue
*Jul 12 19:51:02.990: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 80
Payload contents:
*Jul 12 19:51:02.998: IKEv2:Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
Security protocol id: IKE, spi size: 0, type: AUTHENTICATION_FAILED
*Jul 12 19:51:03.006: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000001 CurState: I_WAIT_AUTH Event: EV_RECV_AUTH
*Jul 12 19:51:03.006: IKEv2:(SA ID = 1):Action: Action_Null
*Jul 12 19:51:03.010: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000001 CurState: I_PROC_AUTH Event: EV_CHK4_NOTIFY
*Jul 12 19:51:03.014: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
*Jul 12 19:51:03.018: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
*Jul 12 19:51:03.022: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000001 CurState: EXIT Event: EV_CHK_PENDING_ABORT
*Jul 12 19:51:03.022: IKEv2:Negotiating SA request deleted
*Jul 12 19:51:03.022: IKEv2:Decrement count for outgoing negotiating
*Jul 12 19:51:03.026: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000001 CurState: EXIT Event: EV_UPDATE_CAC_STATS
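The debug above carries the whole diagnosis in a handful of lines: IKE_SA_INIT got a response (so proposals, DH group and reachability are fine), the IDi sent in IKE_AUTH was of type FQDN, and the IKE_AUTH response carried AUTHENTICATION_FAILED, after which the state machine went to EXIT/EV_ABORT. The following is an added example, not code from the thread, that pulls those facts out of `debug crypto ikev2` output and turns them into a verdict. `SAMPLE_DEBUG` is a trimmed copy of the R12 debug posted above (the `R12#` prompt fragments that the console interleaved into the output are removed); the regexes and the mapping from notify types to likely causes are this example's own.

```python
"""Triage of 'debug crypto ikev2 packet' / 'debug crypto ikev2 internal' output.

Added example, not from the thread. SAMPLE_DEBUG is a trimmed copy of the
R12 debug posted in the thread; the diagnosis strings are this example's own
mapping from what was exchanged to the usual cause.
"""
import re

SAMPLE_DEBUG = """\
*Jul 12 19:51:01.990: IKEv2:% Getting preshared key by address 3.3.3.3
*Jul 12 19:51:02.006: IKEv2:(1): Choosing IKE profile PROF
*Jul 12 19:51:02.074: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 664
*Jul 12 19:51:02.498: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 592
*Jul 12 19:51:02.574: IKEv2:(SA ID = 1):No NAT found
*Jul 12 19:51:02.894: IKEv2:Construct Notify Payload: INITIAL_CONTACT
IDi Next payload: AUTH, reserved: 0x0, length: 21
Id type: FQDN, Reserved: 0x0 0x0
Auth method PSK, reserved: 0x0, reserved 0x0
*Jul 12 19:51:02.950: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: INITIATOR Message id: 1, length: 288
*Jul 12 19:51:02.990: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 80
*Jul 12 19:51:02.998: IKEv2:Parse Notify Payload: AUTHENTICATION_FAILED NOTIFY(AUTHENTICATION_FAILED) Next payload: NONE, reserved: 0x0, length: 8
*Jul 12 19:51:03.014: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000001 CurState: AUTH_DONE Event: EV_FAIL
*Jul 12 19:51:03.018: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=0EA1485B6E20AD6F R_SPI=E867DB2019935007 (I) MsgID = 00000001 CurState: EXIT Event: EV_ABORT
"""

# Patterns keyed on the fixed wording of the IOS IKEv2 debug lines.
EXCHANGE_RE = re.compile(r"Exchange type: (\w+), flags: (.*?) Message id: (\d+)")
RECV_NOTIFY_RE = re.compile(r"Parse Notify Payload: (\w+)")
SENT_NOTIFY_RE = re.compile(r"Construct Notify Payload: (\w+)")
ID_TYPE_RE = re.compile(r"Id type: (\w+)")
AUTH_RE = re.compile(r"Auth method (\w+)")
STATE_RE = re.compile(r"CurState: (\w+) Event: (\w+)")


def parse_ikev2_debug(text):
    """Collect exchanges, notifies, identity/auth types and the final state."""
    info = {"messages": [], "received_notifies": [], "sent_notifies": [],
            "id_type": None, "auth_method": None, "last_state": None}
    for line in text.splitlines():
        if m := EXCHANGE_RE.search(line):
            exch, flags, msgid = m.groups()
            kind = "response" if "MSG-RESPONSE" in flags else "request"
            info["messages"].append((exch, kind, int(msgid)))
        if m := RECV_NOTIFY_RE.search(line):
            info["received_notifies"].append(m.group(1))
        if m := SENT_NOTIFY_RE.search(line):
            info["sent_notifies"].append(m.group(1))
        if m := ID_TYPE_RE.search(line):
            info["id_type"] = m.group(1)
        if m := AUTH_RE.search(line):
            info["auth_method"] = m.group(1)
        if m := STATE_RE.search(line):
            info["last_state"] = m.groups()   # last trace line wins
    return info


def diagnose(info):
    """One-line verdict on where the negotiation stopped and what to check."""
    def seen(exchange, kind):
        return any(e == exchange and k == kind for e, k, _ in info["messages"])

    received = info["received_notifies"]
    if not seen("IKE_SA_INIT", "response"):
        return ("no IKE_SA_INIT response: peer not answering on UDP/500 "
                "(reachability, filtering, or IKEv2 not bound to that interface)")
    if "NO_PROPOSAL_CHOSEN" in received:
        return "IKE_SA_INIT rejected: no transform common to both 'crypto ikev2 proposal' sets"
    if seen("IKE_AUTH", "response") and "AUTHENTICATION_FAILED" in received:
        return ("IKE_SA_INIT succeeded, so proposals and DH agree; the peer rejected IKE_AUTH: "
                f"check the {info['auth_method'] or 'credential'} and that the "
                f"{info['id_type'] or 'unknown'}-type identity we sent matches the peer's "
                "keyring peer identity and its profile 'match identity remote'")
    if not seen("IKE_AUTH", "response"):
        return "IKE_AUTH sent but unanswered: the peer dropped it silently, check its debug"
    return "IKE_AUTH answered without a fatal notify: check 'show crypto ikev2 sa' and 'show crypto ipsec sa'"


if __name__ == "__main__":
    parsed = parse_ikev2_debug(SAMPLE_DEBUG)
    print("messages:", parsed["messages"])
    print("received notifies:", parsed["received_notifies"])
    print("verdict:", diagnose(parsed))
```

Run against the thread's debug, the verdict is that IKE_SA_INIT completed and the peer (R11) refused IKE_AUTH, which points at the PSK or at the FQDN identity R12 sent not matching R11's keyring peer entry or profile; that is the keyring identity problem the thread goes on to fix. A debug that stops after the first IKE_SA_INIT request yields the "no IKE_SA_INIT response" verdict instead, so the same parser separates a transport problem from an authentication one.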
07-12-2023 09:05 AM
Router2#show crypto ikev2 sa detailed
please share this
07-12-2023 09:15 AM
It is giving me no output on both routers
07-12-2023 09:18 AM - edited 07-12-2023 09:19 AM
set peer 3.3.3.3 <<- is this the LO you configured the IKEv2 map under?
07-12-2023 09:22 AM
Here is the topology
07-12-2023 09:24 AM
Public IP 2.2.2.2 is the IP of f0/0, which you configured IKEv2 under?
07-12-2023 09:24 AM
Yes, right.
07-12-2023 09:44 AM
You configured the keyring,
then you configured the hostname;
then the FQDN is the domain only, not the full name, since you already configured the hostname above:
identity fqdn domain domain-name <<- cisco.com
Please share crypto ikev2 sa detail
after correcting the FQDN.
07-12-2023 10:03 AM
After updating the configuration like this:
crypto ikev2 keyring CCIE
peer R-12
address 2.2.2.2
hostname r12
identity fqdn r12.r12.cisco.com
pre-shared-key local cisco
pre-shared-key remote cisco
!
Ping to the remote gateway started working, but I think it is not going through the VPN.
R11(config-if)#do ping 10.2.2.2 so lo1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.1.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/100/108 ms
R11(config-if)#
R11(config-if)#do show crypto ikev2 sa detail
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 3.3.3.3/500 2.2.2.2/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:15, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/360 sec
CE id: 1037, Session-id: 1
Status Description: Negotiation done
Local spi: 454D82442CC4C098 Remote spi: 59E688C190CDEBED
Local id: r11@cisco.com
Remote id: r12.r12.cisco.com
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
IPv6 Crypto IKEv2 SA
R11(config-if)#
07-12-2023 10:08 AM
show crypto ipsec sa <<- check this: is the encrypt/decrypt count increasing or not after the ping?
07-12-2023 10:12 AM
This time I successfully solved your lab issue.. lol
Have a nice day
MHM
07-12-2023 10:13 AM
I was checking wrongly with "show crypto isakmp sa"; I believe this is only for IPsec ISAKMP v1. For IKEv2 it's "show crypto ikev2 sa", and I can see this:
R12#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 2.2.2.2/500 3.3.3.3/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA256, DH Grp:15, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/862 sec
IPv6 Crypto IKEv2 SA
Yes, the packet counts are also increasing for encrypt/decrypt. The problem was the domain, which was not correctly entered: where I defined the hostname, I did not define the hostname in the domain. After correcting it, the problem was solved. Thank you so much, brother.