Issue with Site-to-Site VPN using IKEv2 on a P2P Circuit

PacketPaul
Level 1

Hello all,

 

I have a point-to-point circuit connected between my test router and ASA. I need the traffic on this circuit to be encrypted even though it is P2P.

 

I have configured a S2S VPN using IKEv2 IPsec but I am having issues with it not connecting. For some reason the SA keeps deleting itself and the VPN never comes up. A show crypto session confirms the VPN is DOWN. I am attaching the relevant configurations of both the test router and ASA as well as the debug crypto ikev2 results from each device.

 

If anyone could assist with this I would appreciate it. I feel like everything is configured correctly but obviously I am missing something and I've spent a week trying to troubleshoot this.

 

Thank you

Accepted Solution

PacketPaul
Level 1

For anyone interested, I was able to resolve the issue on my own. The transform set proposal on the router did not match the ASA.

I changed from crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac to crypto ipsec transform-set Test esp-gcm 256 and the VPN is now connected and routing correctly.


3 Replies

@PacketPaul you've got PFS configured on the ASA crypto map, but not on the router. Either configure both with PFS or both without PFS. If it's a P2P link you should be fine by not using PFS.

 

You could also add "no config-exchange request" to the router's ikev2 profile, as the ASA does not support config-exchange.

 

[attached image: 1.PNG]

I have added set pfs group24 to my router's crypto map but I still have the same issue. Any additional thoughts?

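The thread turns on two settings that must agree on both ends of an IKEv2 site-to-site tunnel: the IPsec proposal (the router's transform set versus the ASA's ipsec-proposal) and the PFS group on the crypto map. The fragments below are an added, constructed illustration of both sides matched up, not the original poster's attached configuration. The profile, keyring, crypto map, ACL and proposal names (IKEV2-PROF, IKEV2-KR, VPN-MAP, VPN-ACL, GCM-PROPOSAL) and the 192.0.2.x peer addresses are assumed; "Test" and group24 come from the thread. The IKEv2 policy, pre-shared keys and ASA tunnel-group are omitted and assumed to be configured and already matching.

```cisco
! ===== Router (IOS / IOS-XE) side, constructed example =====
! The reply above notes the ASA does not support config exchange,
! so the router is told not to request it.
crypto ikev2 profile IKEV2-PROF
 match identity remote address 192.0.2.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
 no config-exchange request
!
! The accepted solution replaced "esp-aes 256 esp-sha-hmac" with
! "esp-gcm 256" so the router's transform set matches the ASA proposal.
crypto ipsec transform-set Test esp-gcm 256
 mode tunnel
!
! PFS must be set on both crypto maps, or on neither.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set Test
 set pfs group24
 set ikev2-profile IKEV2-PROF
 match address VPN-ACL

! ===== ASA side, constructed example =====
! AES-GCM carries its own integrity check, so ESP integrity is null.
crypto ipsec ikev2 ipsec-proposal GCM-PROPOSAL
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
!
crypto map VPN-MAP 10 match address VPN-ACL
crypto map VPN-MAP 10 set peer 192.0.2.1
crypto map VPN-MAP 10 set pfs group24
crypto map VPN-MAP 10 set ikev2 ipsec-proposal GCM-PROPOSAL
crypto map VPN-MAP interface outside

! Verification on either device (as used in the original post):
!   show crypto session
!   show crypto ikev2 sa
```

The check a practitioner wants here is pairwise: read the router's transform set beside the ASA's ipsec-proposal, and the two "set pfs" lines beside each other. A proposal mismatch shows up as the child SA being negotiated and then torn down, which is the "SA keeps deleting itself" symptom in the original post, so comparing these lines is quicker than reading the full debug output.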
