Issue with Site-to-Site VPN using Ikev2 on a P2P Circuit

PacketPaul
Level 1

Hello all,

 

I have a point to point circuit connected between my test router and asa.  I need the traffic on this circuit to be encrypted even though it is P2P.  

 

I have configured a S2S VPN using Ikev2 IPSec but I am having issues with it not connecting.  For some reason the SA keeps deleting itself and the VPN never comes up.   A show crypto session confirms the VPN is DOWN.  I am attaching the relevant configurations of both the test router and ASA as well as the debug crypto ikev2 results from each device.

 

If anyone could assist with this I would appreciate it.  I feel like everything is configured correctly but obviously I am missing something and I've spent a week trying to troubleshoot this.

 

Thank you

Accepted Solution

PacketPaul
Level 1

For anyone interested, I was able to resolve the issue on my own.  The transform set proposal on the router did not match the ASA.

I changed from "crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac" to "crypto ipsec transform-set Test esp-gcm 256" and the VPN is now connected and routing correctly.


3 Replies

@PacketPaul you've got PFS configured on the ASA crypto map, but not on the router. Either configure both with PFS or both without PFS. If it's a P2P link you should be fine by not using PFS.

 

You could also add "no config-exchange request" to the router's ikev2 profile, as the ASA does not support config-exchange.

 


I have added "set pfs group24" to my router's crypto map but I still have the same issue.  Any additional thoughts?
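Both problems raised in this thread (the PFS group present on only one side, and the router's esp-aes/esp-sha-hmac transform set not matching the ASA's aes-gcm-256 proposal) are phase-2 parameter mismatches, which is why the CHILD_SA is rejected and the session shows DOWN. The checker below is an added example, not code from the thread: it parses constructed IOS and ASA config fragments modelled on the posts (names like CMAP and the ASA proposal syntax are assumptions), normalises both CLI dialects to (encryption, integrity) pairs plus the PFS group, and reports what would prevent the tunnel from negotiating.

```python
import re
# Constructed fragments modelled on the thread (IOS router vs ASA), not the
# poster's actual configs. Both dialects are normalised to (enc, integrity).
ROUTER_BEFORE = "crypto ipsec transform-set Test esp-aes 256 esp-sha-hmac\n"
ROUTER_AFTER = """
crypto ipsec transform-set Test esp-gcm 256
crypto map CMAP 10 ipsec-isakmp
 set pfs group24
 set transform-set Test
"""
ASA = """
crypto ipsec ikev2 ipsec-proposal Test
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map CMAP 10 set pfs group24
"""
IOS_INTEG = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}
ASA_ENC = {"aes-256": "aes-cbc-256", "aes-gcm-256": "aes-gcm-256"}
ASA_INTEG = {"sha-1": "sha1", "sha-256": "sha256", "null": "none"}
def pfs_group(cfg):
    m = re.search(r"set pfs (\S+)", cfg)  # same keyword on both platforms
    return m.group(1) if m else None
def parse_ios(cfg):
    """Phase-2 (CHILD_SA) settings from an IOS transform-set/crypto-map."""
    props = set()
    for m in re.finditer(r"crypto ipsec transform-set \S+ (.+)", cfg):
        t = m.group(1).split()
        bits = t[1] if len(t) > 1 and t[1].isdigit() else "128"
        if t[0] == "esp-gcm":  # AEAD: integrity is part of the cipher
            props.add((f"aes-gcm-{bits}", "none"))
        elif t[0] == "esp-aes":
            integ = next((IOS_INTEG[x] for x in t if x in IOS_INTEG), "none")
            props.add((f"aes-cbc-{bits}", integ))
    return {"proposals": props, "pfs": pfs_group(cfg)}

def parse_asa(cfg):
    """Phase-2 settings from an ASA 'crypto ipsec ikev2 ipsec-proposal'."""
    enc = re.search(r"protocol esp encryption (\S+)", cfg).group(1)
    m = re.search(r"protocol esp integrity (\S+)", cfg)
    integ = ASA_INTEG.get(m.group(1), "none") if m else "none"
    return {"proposals": {(ASA_ENC.get(enc, enc), integ)}, "pfs": pfs_group(cfg)}

def compare(router, asa):
    """Mismatches that make the responder reject the CHILD_SA proposal."""
    issues = []
    if not router["proposals"] & asa["proposals"]:
        issues.append(f"no common ESP proposal: {sorted(router['proposals'])} vs {sorted(asa['proposals'])}")
    if router["pfs"] != asa["pfs"]:
        issues.append(f"PFS mismatch: router {router['pfs']} vs ASA {asa['pfs']}")
    return issues
```

Running compare() on ROUTER_BEFORE against ASA reports both mismatches; on ROUTER_AFTER it returns an empty list, matching the fix the poster arrived at.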
