Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4159
Views
10
Helpful
16
Replies

Route based IKEv2 VPN between ASA and IOS router help

Go to solution
Aquatera
Level 1
Level 1

‎11-09-2020 06:57 AM

Afternoon All,

 

I am hoping for a bit of help setting up a route based IKEv2 VPN between an ASA & IOS router.  I have setup route based IKEv1 VPN's between ASA's & IOS routers with no problem but am really struggling doing the same with IKEv2. The ASA does not show an SA but the router does but looks like there maybe an auth issue?

 

IKEV2_RTR#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 21.0.0.2/500 212.0.0.1/500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec

The VTI tunnel on the router show as line up protocol down but on the ASA side the tunnel interface shows as down down.

 

I have attached the configurations from both the router, ASA and also some debugs from the ASA of debug platform & protocol.

 

Any help would be much appreciated because for the life of me I can't see where I am going wrong?

 

Many thanks,

Labels:
Preview file
3 KB
Preview file
4 KB
Preview file
126 KB
0 Helpful
16 Replies 16

Go to solution
Aquatera
Level 1
Level 1
In response to MHM Cisco World

‎11-11-2020 01:01 AM

Morning All,

 

I have managed to resolve this by upgrading the ASA image to 9.8(4)29, it looks like route based IKEV2 VPN's are not supported on ASA until  9.8(1) or later and I was on 9.7(1) 4 which was ok for IKEV1 route based VPN's but not IKEV2.

 

Thank you to all that helped with this

0 Helpful
Customers Also Viewed These Support Documents