07-24-2022 09:15 PM
Hi. I was hoping to see IKEv2 logs after entering "debug crypto ikev2" on a Cisco router (C891FJ-K9), but nothing shows up in the router log. What could I be missing here?
07-27-2022 12:16 AM - edited 07-27-2022 12:52 AM
@cisco-ninja you are using a policy-based VPN (crypto map), so you will need to generate interesting traffic before the tunnel will even attempt to establish, and only then will it generate logs. Run a ping to a destination from the VLAN10 network; from the router: "ping <dest ip> source vlan 10"
You've got NAT configured. What is the configuration of list "1"? Are you unintentionally translating the internal traffic behind VLAN20? This would cause a problem with the VPN, as the crypto ACL is configured to use zz.zz.zz.zz (VLAN10) as the source.
Why do you even need NAT if you are tunnelling all traffic over the VPN?
What is the configuration of the ACLs on the VLAN20 interface?
07-24-2022 09:25 PM
Does your router have access to the IPsec peer? Is it pingable if ping is enabled on the peer side? Did you configure a default route towards the internet (to connect with the IPsec peer)?
07-24-2022 09:36 PM
@Kasun Bandara
Thank you.
Does your router have access to the IPsec peer? --> Sorry, not sure what you mean...
Is it pingable if ping is enabled on the peer side? --> Yes
Did you configure a default route towards the internet (to connect with the IPsec peer)? --> Yes
Actually, there is another crypto map using IKEv1 I believe which is working normally.
07-24-2022 09:41 PM
If it is pingable from both sides, I can guess that you have access between the 2 IPsec peers. Is that IKEv1 configured for the same peer?
07-24-2022 09:58 PM
@Kasun Bandara
Sorry, I meant it was pingable using the global IP addresses on both sides. Not able to ping LAN IPs.
IKEv1 is configured for a different router.
07-25-2022 04:35 AM
What is the exact debug command you are using? Also, are you connected to the router via console or SSH/Telnet?
07-25-2022 05:02 AM
Share the config; I will check.
07-26-2022 08:40 PM
@Kasun Bandara
debug crypto ikev2
This is the exact debug command, nothing special I hope.
@MHM Cisco World
Please see the attached file that I posted in the beginning.
07-26-2022 08:42 PM
@Kasun Bandara
I was accessing via SSH, but I went to the office today and connected via console, with the same output.
07-28-2022 08:03 PM
Thank you all for your help!
@Rob Ingram It worked! Thank you so much. Your advice cleared the issue!
07-27-2022 05:26 AM
ip nat inside source list NAT-ACL interface vlan 20 overload
!
! NAT ACL: exempt the site-to-site traffic first, then translate everything else
ip access-list extended NAT-ACL
 deny ip <LAN your site> <LAN other site>
 permit ip <LAN your site> any
!
! crypto (interesting-traffic) ACL referenced by the crypto map
ip access-list extended IKEv2-ACL
 permit ip <LAN your site> <LAN other site>
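The accepted answer and the config snippet above both come down to one check: the NAT ACL must deny (exempt) the flows that the crypto ACL permits, otherwise the inside source gets translated before the crypto map sees it and the tunnel never triggers. The following Python script is an added example, not code from this thread or from Cisco; it parses IOS-style extended "permit/deny ip" entries and reports crypto-ACL flows that a NAT ACL would still translate. The ACL names and the 192.168.10.0/24 and 10.20.0.0/24 networks are constructed stand-ins for the placeholders in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    """One access-control entry: action plus source and destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one IOS address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard').

    Returns (network, index of the next unread token).
    """
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # IOS uses a wildcard (inverse) mask; convert it to a netmask explicitly so
    # 0.0.0.0 becomes /32 and 255.255.255.255 becomes /0, as IOS intends.
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address((~wildcard) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Parse the 'permit ip' / 'deny ip' lines of an extended ACL, in order."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # skip the 'ip access-list ...' header, '!' and blank lines
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def first_match(aces, src_ip, dst_ip):
    """Return the action of the first matching entry; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def translated_vpn_flows(nat_aces, crypto_aces):
    """Return crypto-ACL permit entries whose traffic the NAT ACL would also permit.

    Any entry returned here is traffic that gets translated before the crypto
    map is evaluated, so it will never match the crypto ACL or bring up the tunnel.
    """
    hits = []
    for ace in crypto_aces:
        if ace.action != "permit":
            continue
        # probe with the first usable host on each side of the crypto entry
        src = ace.src.network_address + (1 if ace.src.prefixlen < 32 else 0)
        dst = ace.dst.network_address + (1 if ace.dst.prefixlen < 32 else 0)
        if first_match(nat_aces, src, dst) == "permit":
            hits.append(ace)
    return hits


# Constructed sample configs (placeholder networks, not from the thread).
CRYPTO_ACL = """
ip access-list extended IKEv2-ACL
 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.0.255
"""

# Broken: overload NAT catches the VPN traffic as well.
NAT_ACL_BROKEN = """
ip access-list extended NAT-ACL
 permit ip 192.168.10.0 0.0.0.255 any
"""

# Fixed: the deny line exempts the site-to-site flow before the catch-all permit.
NAT_ACL_FIXED = """
ip access-list extended NAT-ACL
 deny ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
"""


if __name__ == "__main__":
    crypto = parse_acl(CRYPTO_ACL)
    for label, nat_text in (("broken", NAT_ACL_BROKEN), ("fixed", NAT_ACL_FIXED)):
        hits = translated_vpn_flows(parse_acl(nat_text), crypto)
        print(f"{label}: {len(hits)} crypto entr{'y' if len(hits) == 1 else 'ies'} still translated by NAT")
```

Run it as-is and the broken ACL reports one translated crypto entry while the fixed one reports none; paste your own "show ip access-lists" output into the two strings to check a live config. The check only covers "ip" entries and order of evaluation, which is exactly the interaction the accepted answer is pointing at: the deny must come before the catch-all permit.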