11-26-2021 09:38 AM
Hello all,
I have a point to point circuit connected between my test router and ASA. I need the traffic on this circuit to be encrypted even though it is P2P.
I have configured a S2S VPN using Ikev2 IPSec but I am having issues with it not connecting. For some reason the SA keeps deleting itself and the VPN never comes up. A show crypto session confirms the VPN is DOWN. I am attaching the relevant configurations of both the test router and ASA as well as the debug crypto ikev2 results from each device.
If anyone could assist with this I would appreciate it. I feel like everything is configured correctly but obviously I am missing something and I've spent a week trying to troubleshoot this.
Thank you
Accepted Solutions
11-29-2021 08:05 AM
For anyone interested, I was able to resolve the issue on my own. The transform set proposal on the router did not match the ASA.
I changed from crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac to crypto ipsec transform-set Test esp-gcm 256 and the VPN is now connected and routing correctly.
11-26-2021 10:10 AM - edited 11-26-2021 10:17 AM
@PacketPaul you've got PFS configured on the ASA crypto map, but not on the router. Either configure both with PFS or both without PFS. If it's a P2P link you should be fine by not using PFS.
You could also add "no config-exchange request" to the router's ikev2 profile, as the ASA does not support config-exchange.
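The two things a peer can refuse at the IPsec (child SA) stage, as this thread shows, are the ESP proposal itself (the router's transform set versus the ASA's ikev2 ipsec-proposal) and the PFS group on the crypto map. The following is an added example, not code from the thread or from Cisco: a small Python checker that normalises an IOS transform set and an ASA IKEv2 ipsec-proposal into one vocabulary and reports any mismatch before you go to the debugs. The config snippets are constructed for the example; the names Test, CMAP, GCM256, outside_map and the peer address 192.0.2.2 are assumptions, and the keyword tables cover only the AES/SHA variants that appear in the thread.

```python
# Constructed IOS router config, "before" state from the thread (AES-CBC + SHA1 HMAC, no PFS).
ROUTER_BEFORE = """\
crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set Test
"""

# Constructed "after" state: AES-GCM-256 transform set plus set pfs group24.
ROUTER_AFTER = """\
crypto ipsec transform-set Test esp-gcm 256
 mode tunnel
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set Test
 set pfs group24
"""

# Constructed ASA config: IKEv2 ipsec-proposal using AES-GCM-256 and PFS group24 on the crypto map.
ASA_CFG = """\
crypto ipsec ikev2 ipsec-proposal GCM256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map outside_map 10 set pfs group24
crypto map outside_map 10 set ikev2 ipsec-proposal GCM256
"""

# Keyword tables (assumption: only the variants relevant to this thread are listed).
IOS_ENC = {"esp-aes": "aes", "esp-gcm": "aes-gcm"}
IOS_INTEG = {"esp-sha-hmac": "sha-1", "esp-sha256-hmac": "sha-256",
             "esp-sha512-hmac": "sha-512"}


def parse_ios(cfg):
    """Collect IOS transform sets and the crypto-map PFS group.

    Returns {'proposals': {(encryption, integrity), ...}, 'pfs': 'groupN' or None}.
    """
    proposals, pfs = set(), None
    for raw in cfg.splitlines():
        tok = raw.split()
        if tok[:3] == ["crypto", "ipsec", "transform-set"]:
            enc, integ = None, "null"      # AEAD (GCM) sets carry no separate integrity
            i = 4                          # tok[3] is the transform-set name
            while i < len(tok):
                if tok[i] in IOS_ENC:
                    name, bits = IOS_ENC[tok[i]], "128"
                    if i + 1 < len(tok) and tok[i + 1].isdigit():
                        bits = tok[i + 1]  # optional key size, e.g. "esp-aes 256"
                        i += 1
                    enc = f"{name}-{bits}"
                elif tok[i] in IOS_INTEG:
                    integ = IOS_INTEG[tok[i]]
                i += 1
            if enc:
                proposals.add((enc, integ))
        elif tok[:2] == ["set", "pfs"] and len(tok) == 3:
            pfs = tok[2]
    return {"proposals": proposals, "pfs": pfs}


def parse_asa(cfg):
    """Collect ASA IKEv2 ipsec-proposals and the crypto-map PFS group."""
    proposals, pfs = set(), None
    enc, integ = None, "null"

    def flush():
        nonlocal enc, integ
        if enc:
            # ASA writes "aes"/"aes-gcm" for the 128-bit variants; align with IOS naming.
            proposals.add((enc + "-128" if enc in ("aes", "aes-gcm") else enc, integ))
        enc, integ = None, "null"

    for raw in cfg.splitlines():
        tok = raw.split()
        if tok[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
            flush()                        # a new proposal block starts
        elif tok[:3] == ["protocol", "esp", "encryption"]:
            enc = tok[3]
        elif tok[:3] == ["protocol", "esp", "integrity"]:
            integ = tok[3]
        elif "pfs" in tok:
            j = tok.index("pfs")
            # "set pfs" with no group means the platform default; left as a label here
            pfs = tok[j + 1] if j + 1 < len(tok) else "default"
    flush()
    return {"proposals": proposals, "pfs": pfs}


def check_match(router, asa):
    """Return a list of mismatches; an empty list means the child SA can be agreed."""
    problems = []
    if not (router["proposals"] & asa["proposals"]):
        problems.append("no common ESP proposal: router=%s asa=%s"
                        % (sorted(router["proposals"]), sorted(asa["proposals"])))
    if router["pfs"] != asa["pfs"]:
        problems.append("PFS mismatch: router=%s asa=%s" % (router["pfs"], asa["pfs"]))
    return problems


if __name__ == "__main__":
    for label, cfg in (("before", ROUTER_BEFORE), ("after", ROUTER_AFTER)):
        issues = check_match(parse_ios(cfg), parse_asa(ASA_CFG))
        print(label, "->", issues or "proposals and PFS match")
```

Run as-is it reports two problems for the "before" router (no common ESP proposal, PFS group24 on the ASA only) and none after the transform set is changed to esp-gcm 256 and set pfs group24 is added, which is the combination the thread ends on. A mismatch in either item shows up in the IKEv2 debugs as the child SA being proposed and then deleted, exactly the "SA keeps deleting itself" symptom in the question.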
11-26-2021 11:42 AM
I have added set pfs group24 to my router's crypto map but I still have the same issue. Any additional thoughts?