10-28-2020 07:36 PM
Has anyone here successfully gotten a Site-to-Site VPN between a Cisco IOS router and PaloAlto working with IKEv2? I am at a loss here. Cisco TAC support is not very helpful. The TAC guy who helped me is not very good with VPN. After going back and forth with him, I essentially gave up. Cisco TAC support is not very good these days. Here we go:
The configuration is very straightforward, nothing mysterious about it. The thing is that if I replace the Cisco IOS router with an ASA device with the exact same configuration, the IKEv2 VPN works fine between the ASA and PaloAlto, so I know the configuration on the PaloAlto is good.
Platform is Cisco 2921 running version c2900-universalk9-mz.SPA.151-4.M10.bin. The configuration is below:
crypto ikev2 proposal PaloAlto
 encryption aes-cbc-256
 integrity sha512
 group 20
!
crypto ikev2 policy PaloAlto
 proposal PaloAlto
!
crypto ikev2 keyring PaloAlto
 peer PaloAlto
  address 1.1.1.1
  pre-shared-key 123456
!
crypto ikev2 profile PaloAlto
 match identity remote address 1.1.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring PaloAlto
!
crypto ipsec transform-set PaloAlto esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set PaloAlto
 set pfs group20
 set ikev2-profile PaloAlto
 match address PaloAlto
!
ip access-list extended PaloAlto
 permit ip host 192.168.1.1 192.168.246.0 0.0.0.255
 permit ip host 192.168.1.2 192.168.246.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 4.2.2.251 255.255.255.248
 duplex auto
 speed auto
 crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 4.2.2.254
Any ideas?
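An IKEv2 tunnel between two vendors only comes up when the IKE proposal, the ESP transform and the PFS group are configured identically on both ends, and the names for the same algorithm differ between IOS and PAN-OS, so comparing the two configurations by eye is error-prone. The following Python script is an added example, not code from this thread, from Cisco or from Palo Alto Networks: it parses an IOS IKEv2 crypto-map configuration (the crypto portion of the one posted above, constructed inline with the same placeholder addresses), checks that the crypto map, IKEv2 profile and keyring reference the same peer, and translates the algorithm names into the values the PAN-OS IKE and IPsec crypto profiles would need to carry. The IOS-to-PAN-OS name mapping covers the algorithms in the post plus the common AES-CBC/SHA variants and is an assumption where it goes beyond the post.

```python
"""Cross-check an IOS IKEv2 crypto-map config and list the PAN-OS profile values it requires.
Added example for the thread above, not vendor code; name mappings beyond the post are assumptions."""
from typing import Dict, List, Tuple

# Constructed sample: the crypto portion of the config posted in the thread, indented IOS-style
# (the parser ignores indentation, so the un-indented paste in the post parses identically).
IOS_CONFIG = """\
crypto ikev2 proposal PaloAlto
 encryption aes-cbc-256
 integrity sha512
 group 20
!
crypto ikev2 policy PaloAlto
 proposal PaloAlto
!
crypto ikev2 keyring PaloAlto
 peer PaloAlto
  address 1.1.1.1
  pre-shared-key 123456
!
crypto ikev2 profile PaloAlto
 match identity remote address 1.1.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring PaloAlto
!
crypto ipsec transform-set PaloAlto esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set PaloAlto
 set pfs group20
 set ikev2-profile PaloAlto
 match address PaloAlto
!
"""
# IOS keyword -> PAN-OS crypto-profile name (assumed mapping covering the common AES-CBC/SHA options)
IKE_ENC = {"aes-cbc-128": "aes-128-cbc", "aes-cbc-192": "aes-192-cbc", "aes-cbc-256": "aes-256-cbc"}
IKE_INTEG = {"sha1": "sha1", "sha256": "sha256", "sha384": "sha384", "sha512": "sha512"}
ESP_ENC = {"esp-aes": "aes-128-cbc", "esp-aes 128": "aes-128-cbc", "esp-aes 192": "aes-192-cbc", "esp-aes 256": "aes-256-cbc"}
ESP_AUTH = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256", "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512"}
TOP_LEVEL = ("crypto ", "interface ", "ip access-list", "ip route")

def parse_sections(text: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (header, body) blocks; indentation and '!' lines are ignored."""
    sections: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP_LEVEL):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
    return sections

def section(sections: List[Tuple[str, List[str]]], prefix: str) -> Tuple[str, List[str]]:
    """First block whose header starts with prefix; ('', []) when there is none."""
    for header, body in sections:
        if header.startswith(prefix):
            return header, body
    return "", []

def field(body: List[str], keyword: str) -> str:
    """Argument of the first body line that begins with keyword ('' when absent)."""
    for line in body:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:].strip()
    return ""

def analyze(config: str) -> Dict:
    """PAN-OS IKE/IPsec profile values this IOS config expects, plus internal-consistency findings."""
    s = parse_sections(config)
    findings: List[str] = []
    _, cmap = section(s, "crypto map ")
    peer = field(cmap, "set peer")
    pfs = field(cmap, "set pfs")  # '' means no PFS, so the PAN-OS IPsec profile must use no-pfs
    _, profile = section(s, "crypto ikev2 profile " + field(cmap, "set ikev2-profile"))
    remote_id = (field(profile, "match identity remote address").split() or [""])[0]
    _, keyring = section(s, "crypto ikev2 keyring " + field(profile, "keyring"))
    if field(keyring, "address") != peer:
        findings.append(f"keyring address {field(keyring, 'address')!r} != crypto map peer {peer!r}")
    if remote_id != peer:
        findings.append(f"profile matches remote identity {remote_id!r} but crypto map peer is {peer!r}")
    # Phase 1: IKEv2 policy -> proposal -> PAN-OS IKE crypto profile
    _, proposal = section(s, "crypto ikev2 proposal " + field(section(s, "crypto ikev2 policy ")[1], "proposal"))
    ike = {"encryption": [IKE_ENC.get(e, "UNMAPPED:" + e) for e in field(proposal, "encryption").split()],
           "authentication": [IKE_INTEG.get(i, "UNMAPPED:" + i) for i in field(proposal, "integrity").split()],
           "dh_group": ["group" + g for g in field(proposal, "group").split()]}
    # Phase 2: transform set + crypto map PFS -> PAN-OS IPsec crypto profile
    ts_header, _ = section(s, "crypto ipsec transform-set " + field(cmap, "set transform-set") + " ")
    tokens = ts_header.split()[4:]  # tokens after "crypto ipsec transform-set NAME"
    n = 2 if len(tokens) > 1 and tokens[1].isdigit() else 1  # a key size may follow, e.g. "esp-aes 256"
    enc_key, auth_key = " ".join(tokens[:n]), " ".join(tokens[n:n + 1])
    ipsec = {"encryption": ESP_ENC.get(enc_key, "UNMAPPED:" + enc_key),
             "authentication": ESP_AUTH.get(auth_key, "UNMAPPED:" + auth_key),
             "dh_group": pfs or "no-pfs"}
    return {"peer": peer, "ike": ike, "ipsec": ipsec, "findings": findings}
```

Running `analyze(IOS_CONFIG)` on the posted configuration yields an IKE crypto profile of aes-256-cbc / sha512 / group20 and an IPsec crypto profile of aes-256-cbc / sha1 / group20 with no findings, which is the set of values to compare against the PaloAlto side; any `UNMAPPED:` value or finding points at the line that needs attention before looking further.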
10-29-2020 12:35 AM
You could be hitting this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCtq08784
M.
10-29-2020 05:31 AM - edited 10-30-2020 11:23 AM
....
10-29-2020 12:13 PM
Yes, the router supports IKEv2. There is another VPN tunnel from this router to another Cisco router using IKEv2 and it works without any issues.
@marce1000: It means I am F! because the 2921 platform cannot run 16.x.
10-29-2020 05:30 PM - edited 10-30-2020 11:24 AM
....
10-30-2020 03:40 AM
@MHM Cisco World: Please elaborate on "Please config local identification of router that can validate from palo FW." and provide the command you're referring to. Are you referring to "crypto isakmp identity address"? That command is already there.
10-30-2020 03:49 AM - edited 10-30-2020 11:24 AM
......
10-30-2020 05:56 AM
You mean this? Yes, it is already in there and not working:
crypto ikev2 profile PaloAlto
 match identity remote address x.x.x.x 255.255.255.255
 identity local address y.y.y.y (where y.y.y.y is the interface that terminates the VPN)
 authentication local pre-share
 authentication remote pre-share
 keyring PaloAlto
10-30-2020 05:58 AM - edited 10-30-2020 11:25 AM
......
10-30-2020 06:20 AM
@MHM Cisco World: What are you referring to by "and if not work, please change the idea with ip after NAT."? I am not NAT'ing anything on the Cisco IOS side or the PaloAlto.
10-30-2020 06:38 AM - edited 10-30-2020 11:25 AM
.....
10-30-2020 06:39 AM
NO NAT between Cisco IOS router and PaloAlto VPN device
10-30-2020 06:52 AM - edited 10-30-2020 11:26 AM
......
10-30-2020 06:56 AM
I already tried that and it does not work.
If I replace the PaloAlto with another Cisco IOS router, with the same VPN termination and interesting traffic, it works without any issues with IKEv2.
10-30-2020 06:57 AM
@MHM Cisco World: Have you actually had experience with VPN between Cisco IOS routers and PaloAlto firewalls using IKEv2?