Partial tunnel, ikev2

djmarkey
Level 1

I'm trying to get a single tunnel up between an ASA, v9.12(2), and AWS. I have IKE working but can't get IPsec to come up. Local tunnel end is 130.108.109 and remote is 3.244.244.33. I think I have the basic settings correct since IKE is working:

crypto ikev2 policy 2
encryption aes 3des
integrity sha
group 2
prf sha256 sha
lifetime seconds 28800

tunnel-group 3.224.224.33 type ipsec-l2l
tunnel-group 3.224.224.33 ipsec-attributes
isakmp keepalive threshold 10 retry 10
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

crypto ipsec ikev2 ipsec-proposal uAchieve
protocol esp encryption aes
protocol esp integrity sha-1

crypto map eth1-1-outside 6 match address UACHIEVE-INTERESTING-TRAFFIC
crypto map eth1-1-outside 6 set pfs
crypto map eth1-1-outside 6 set peer 3.224.224.33
crypto map eth1-1-outside 6 set ikev2 ipsec-proposal uAchieve
crypto map eth1-1-outside 6 set security-association lifetime seconds 3600

I can provide more info if needed.

4 Replies

@djmarkey what have you configured in your crypto ACL - UACHIEVE-INTERESTING-TRAFFIC? FYI, you are limited to one unique security association (SA) pair per tunnel (one inbound and one outbound) when establishing a VPN to AWS

Can you provide the output of "show crypto ikev2 sa" and "show crypto ipsec sa"?

Enable debugs (as below), generate some traffic to establish the tunnel and provide the debugs.

debug crypto condition peer X.X.X.X
debug crypto ikev2 platform 100
debug crypto ikev2 protocol 100
debug crypto ipsec

https://docs.aws.amazon.com/vpn/latest/s2svpn/CGRequirements.html
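The two checks in the reply above (is there a CHILD_SA at all, and would the crypto ACL ask AWS for more than one SA pair) can be scripted against the CLI output David later pasted. The following is an added example written for this thread; it is not part of any post here and not a Cisco or AWS tool. It parses the posted "show crypto ikev2 sa" output verbatim and a constructed crypto ACL (the real UACHIEVE-INTERESTING-TRAFFIC entries never appear in the thread, so the two ACEs and subnets below are hypothetical).

```python
"""Triage helper for an ASA IKEv2 session that is READY but has no child SA.

Added example for this thread; not part of the original posts and not a
Cisco or AWS tool. It parses the 'show crypto ikev2 sa' output posted in the
thread plus a constructed crypto ACL, then reports the two conditions the
reply asks about: a missing CHILD_SA, and a crypto ACL that would need more
than the single SA pair AWS accepts per tunnel.
"""
import re

# Copied from the 'show crypto ikev2 sa' output posted in the thread.
SHOW_IKEV2_SA = """IKEv2 SAs:

Session-id:316, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
482342113 130.108.1.109/4500 3.224.224.33/4500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/2379 sec
"""

# Constructed crypto ACL (hypothetical subnets). Two ACEs on purpose: on an
# ASA each permit ACE in a crypto map ACL negotiates its own IPsec SA pair.
CRYPTO_ACL = """access-list UACHIEVE-INTERESTING-TRAFFIC extended permit ip 10.10.0.0 255.255.0.0 172.31.0.0 255.255.0.0
access-list UACHIEVE-INTERESTING-TRAFFIC extended permit ip 10.20.0.0 255.255.0.0 172.31.0.0 255.255.0.0
"""

# AWS negotiates one SA pair (one inbound, one outbound) per tunnel.
AWS_MAX_SA_PAIRS = 1

SESSION_RE = re.compile(
    r"^Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)")
TUNNEL_RE = re.compile(
    r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+(\S+)\s+(\S+)$")


def parse_ikev2_sa(text):
    """Return one dict per IKEv2 session: counts, peer addresses, status, role."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {
                "session_id": int(m.group(1)),
                "status": m.group(2),
                "ike_count": int(m.group(3)),
                "child_count": int(m.group(4)),
                "local": None, "remote": None, "tunnel_status": None, "role": None,
            }
            sessions.append(current)
            continue
        m = TUNNEL_RE.match(line)
        if m and current is not None:
            # Groups 2 and 4 are the addresses; the UDP port (500, or 4500
            # once NAT-T kicks in) is dropped so peers compare by IP only.
            current["local"] = m.group(2)
            current["remote"] = m.group(4)
            current["tunnel_status"] = m.group(6)
            current["role"] = m.group(7)
    return sessions


def count_sa_pairs(acl_text, acl_name):
    """Number of permit ACEs in the crypto ACL; each one becomes its own SA pair."""
    ace = re.compile(rf"^access-list\s+{re.escape(acl_name)}\s+extended\s+permit\b")
    return sum(1 for line in acl_text.splitlines() if ace.match(line))


def triage(show_text, acl_text, acl_name, peer):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    sessions = [s for s in parse_ikev2_sa(show_text) if s["remote"] == peer]
    if not sessions:
        findings.append(f"no IKEv2 SA with {peer}: IKE itself is failing, start with the ikev2 protocol debugs")
    for s in sessions:
        if s["child_count"] == 0:
            findings.append(
                f"session {s['session_id']} to {peer} is {s['tunnel_status']}/{s['status']} with CHILD count 0: "
                "IKE is fine, the child SA (IPsec) negotiation is what fails, so check the crypto ACL, "
                "PFS group and ipsec-proposal against the AWS side")
    pairs = count_sa_pairs(acl_text, acl_name)
    if pairs > AWS_MAX_SA_PAIRS:
        findings.append(
            f"crypto ACL {acl_name} has {pairs} permit entries, i.e. {pairs} SA pairs; "
            f"AWS accepts {AWS_MAX_SA_PAIRS}, so collapse it to a single ACE")
    return findings


if __name__ == "__main__":
    for finding in triage(SHOW_IKEV2_SA, CRYPTO_ACL, "UACHIEVE-INTERESTING-TRAFFIC", "3.224.224.33"):
        print("-", finding)
```

Run against the posted output it reports the IKE-up/no-child condition for session 316, and with the constructed two-ACE ACL it also flags the second SA pair AWS would reject; a real run would paste in the output of "show run access-list UACHIEVE-INTERESTING-TRAFFIC" instead.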


Here you go, Rob. Traffic generation might take me a bit since I don't have any access to the servers on my side that I'm trying to link.

mc-fpr-asa# show crypto ikev2 sa

IKEv2 SAs:

Session-id:316, Status:UP-IDLE, IKE count:1, CHILD count:0

Tunnel-id Local Remote Status Role
482342113 130.108.1.109/4500 3.224.224.33/4500 READY RESPONDER
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/2379 sec

mc-fpr-asa# show crypto ipsec sa peer 3.224.224.33

There are no ipsec sas for peer 3.224.224.33

Thanks, David

crypto ikev2 enable outside

This is also needed.

MHM 

Hi MHM,

Yes I have ikev2 enabled on the outside interface.

David