11-26-2021 09:38 AM
Hello all,
I have a point-to-point circuit connected between my test router and ASA. I need the traffic on this circuit to be encrypted even though it is P2P.
I have configured a S2S VPN using IKEv2 IPsec but I am having issues with it not connecting. For some reason the SA keeps deleting itself and the VPN never comes up. A "show crypto session" confirms the VPN is DOWN. I am attaching the relevant configurations of both the test router and ASA as well as the "debug crypto ikev2" results from each device.
If anyone could assist with this I would appreciate it. I feel like everything is configured correctly but obviously I am missing something and I've spent a week trying to troubleshoot this.
Thank you
11-26-2021 10:10 AM - edited 11-26-2021 10:17 AM
@PacketPaul you've got PFS configured on the ASA crypto map, but not on the router. Either configure both with PFS or both without PFS. If it's a P2P link you should be fine by not using PFS.
You could also add "no config-exchange request" to the router's ikev2 profile, as the ASA does not support config-exchange.
11-26-2021 11:42 AM
I have added "set pfs group24" to my router's crypto map but I still have the same issue. Any additional thoughts?
11-29-2021 08:05 AM
For anyone interested, I was able to resolve the issue on my own. The transform set proposal on the router did not match the ASA.
I changed from "crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac" to "crypto ipsec transform-set Test esp-gcm 256" and the VPN is now connected and routing correctly.
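
The two mismatches discussed in this thread (PFS on one side only, and a transform set that differs from the peer's proposal) can be caught offline by normalizing both configurations to the same terms before comparing them. This is an added example, not code from any poster: the ASA lines are constructed (the attached configurations are not in the thread), the names EXAMPLE-PROP and EXAMPLE-MAP are hypothetical, and it assumes one algorithm per proposal line.

```python
import re

IOS_ENC = {"esp-aes": "aes-cbc", "esp-gcm": "aes-gcm"}          # IOS keyword -> cipher
INTEG = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",   # IOS keywords
         "sha-1": "sha1", "sha-256": "sha256", "null": "null"}  # ASA keywords

def ios_proposal(cfg):
    """Encryption, integrity and PFS group from an IOS transform-set and crypto map."""
    words = re.search(r"^crypto ipsec transform-set \S+ (.+)$", cfg, re.M).group(1).split()
    enc = integ = None
    for i, w in enumerate(words):
        if w in IOS_ENC:  # key size follows the keyword; IOS defaults to 128
            bits = words[i + 1] if words[i + 1:i + 2] and words[i + 1].isdigit() else "128"
            enc = f"{IOS_ENC[w]}-{bits}"
        elif w in INTEG:
            integ = INTEG[w]
    if enc and "gcm" in enc:
        integ = "null"  # GCM is an AEAD mode: no separate ESP integrity transform
    pfs = re.search(r"^\s*set pfs (\S+)", cfg, re.M)
    return {"encryption": enc, "integrity": integ, "pfs": pfs and pfs.group(1)}

def asa_proposal(cfg):
    """Same three fields from an ASA IKEv2 ipsec-proposal and crypto map."""
    e = re.search(r"^\s*protocol esp encryption aes(-gcm)?(?:-(\d+))?\s*$", cfg, re.M)
    i = re.search(r"^\s*protocol esp integrity (\S+)", cfg, re.M)
    pfs = re.search(r"^crypto map \S+ \d+ set pfs (\S+)", cfg, re.M)
    return {"encryption": f"aes-{'gcm' if e.group(1) else 'cbc'}-{e.group(2) or '128'}",
            "integrity": INTEG[i.group(1)] if i else None, "pfs": pfs and pfs.group(1)}

def mismatches(router_cfg, asa_cfg):
    """Names of the fields on which the two peers disagree."""
    r, a = ios_proposal(router_cfg), asa_proposal(asa_cfg)
    return [k for k in r if r[k] != a[k]]

# Constructed ASA side (assumption: AES-GCM-256 with PFS group24, inferred from the fix).
ASA = """crypto ipsec ikev2 ipsec-proposal EXAMPLE-PROP
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map EXAMPLE-MAP 1 set pfs group24
"""
ROUTER_MAP = "crypto map EXAMPLE-MAP 10 ipsec-isakmp\n set pfs group24\n"
BEFORE = "crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac\n" + ROUTER_MAP
AFTER = "crypto ipsec transform-set Test esp-gcm 256\n" + ROUTER_MAP

if __name__ == "__main__":
    print("before:", mismatches(BEFORE, ASA))
    print("after: ", mismatches(AFTER, ASA))
```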