cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
18975
Views
10
Helpful
22
Replies

Site-2-Site IKEv2 VPN between Cisco IOS router and PaloAlto firewall

cciesec2011
Level 3
Level 3

Has anyone here successfully get Site-2-Site VPN between a Cisco IOS router and PaloAlto working with IKEv2?  I am at a loss here.  Cisco TAC support is not very helpful.  The TAC guy who help me is not very good with VPN.  After going back and forth with him, I essentially give up.  Cisco TAC support is not very good these days.  Here we go:

 

The configuration is very straight forward, nothing mystery about it.  The thing is that if I replace the Cisco IOS router with an ASA device with the same EXACT configurationi, VPN IKEv2 will work fine between ASA and PaloAlto so I know the configuration on the PaloAlto is good.

 

Platform is Cisco 2921 running version c2900-universalk9-mz.SPA.151-4.M10.bin.  The configuration is below:

 

crypto ikev2 proposal PaloAlto
encryption aes-cbc-256
integrity sha512
group 20
!
crypto ikev2 policy PaloAlto
proposal PaloAlto
!
crypto ikev2 keyring PaloAlto
peer PaloAlto
address 1.1.1.1
pre-shared-key 123456
!

crypto ikev2 profile PaloAlto
match identity remote address 1.1.1.1 255.255.255.255
authentication local pre-share
authentication remote pre-share
keyring PaloAlto

crypto ipsec transform-set PaloAlto esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
set peer 1.1.1.1
set transform-set PaloAlto
set pfs group20
set ikev2-profile PaloAlto
match address PaloAlto

 

ip access-list extended PaloAlto

permit ip host 192.168.1.1 192.168.246.0 0.0.0.255
permit ip host 192.168.1.2 192.168.246.0 0.0.0.255


interface GigabitEthernet0/0
ip address 4.2.2.251 255.255.255.248
duplex auto
speed auto
crypto map vpn

ip route 0.0.0.0 0.0.0.0 4.2.2.254


Platform is Cisco 2921 running version c2900-universalk9-mz.SPA.151-4.M10.bin

 

Any ideas?

22 Replies 22

marce1000
VIP
VIP

 

                             - You could be hitting this bug :

            https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtq08784

 

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

....

yes, the router supports IKEv2.  there is another VPN tunnel from this router to another Cisco router in IKEv2 and it works without any issues.

 

@marce1000:  It means I am F! because the platform 2921 can not run 16.x

....

 

@MHM Cisco World:  Please elaborate on "Please config local identification of router that can validate from palo FW." and provide the command you're referring to. Are you referring to "crypto isakmp identity address"?  That command is already there.

......

 

You mean this?  Yes, it is already in there and not working

 

crypto ikev2 profile PaloAlto
match identity remote address x.x.x.x 255.255.255.255
identity local address y.y.y.y (where y.y.y.y is the interface that terminates the VPN)
authentication local pre-share
authentication remote pre-share
keyring PaloAlto

......

@MHM Cisco World:  What are you referring to by "and if not work, please change the idea with ip after NAT."?  i am not NAT'ing anything on the Cisco IOS side or PaloAlto

.....

NO NAT between Cisco IOS router and PaloAlto VPN device

......

I already tried that and it does not work. 

 

If I replace the PaloAlto with another Cisco IOS router, same VPN termination and interesting traffic, it works without any issues with IKEv2.

@MHM Cisco World:  Have you actually had experiences with VPN between Cisco IOS router and PaloAlto firewalls in IKEv2?