10-28-2020 07:36 PM
Has anyone here successfully gotten a Site-to-Site VPN between a Cisco IOS router and a Palo Alto working with IKEv2? I am at a loss here. Cisco TAC support is not very helpful. The TAC guy who helped me is not very good with VPN. After going back and forth with him, I essentially gave up. Cisco TAC support is not very good these days. Here we go:
The configuration is very straightforward, nothing mysterious about it. The thing is that if I replace the Cisco IOS router with an ASA device with the EXACT same configuration, IKEv2 VPN works fine between the ASA and the Palo Alto, so I know the configuration on the Palo Alto is good.
Platform is Cisco 2921 running version c2900-universalk9-mz.SPA.151-4.M10.bin. The configuration is below:
crypto ikev2 proposal PaloAlto
 encryption aes-cbc-256
 integrity sha512
 group 20
!
crypto ikev2 policy PaloAlto
 proposal PaloAlto
!
crypto ikev2 keyring PaloAlto
 peer PaloAlto
  address 1.1.1.1
  pre-shared-key 123456
!
crypto ikev2 profile PaloAlto
 match identity remote address 1.1.1.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring PaloAlto
!
crypto ipsec transform-set PaloAlto esp-aes 256 esp-sha-hmac
!
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set PaloAlto
 set pfs group20
 set ikev2-profile PaloAlto
 match address PaloAlto
!
ip access-list extended PaloAlto
 permit ip host 192.168.1.1 192.168.246.0 0.0.0.255
 permit ip host 192.168.1.2 192.168.246.0 0.0.0.255
!
interface GigabitEthernet0/0
 ip address 4.2.2.251 255.255.255.248
 duplex auto
 speed auto
 crypto map vpn
!
ip route 0.0.0.0 0.0.0.0 4.2.2.254
Any ideas?
10-30-2020 07:13 AM - edited 10-30-2020 11:28 AM
.....
10-30-2020 07:29 AM
What you have does NOT apply in my situation because I have ONLY one VPN termination on that Cisco router, with the Palo Alto VPN and nothing else. DMVPN is a Cisco-only solution and has nothing to do with my situation here. Yes, I am very well aware of DMVPN because I had to do that in my CCIE lab many years ago and passed.
It looks more like a bug in Cisco IOS to me, unless I upgrade to 16.x, which I cannot because the 2921 platform does not run 16.x. But thank you.
10-30-2020 09:00 AM
Please read this doc, especially the part about the router vs. ASA local address.
10-30-2020 12:31 PM
I don't see any issue with your router configuration that would prevent the tunnel from working. The only thing I see in the output you posted that doesn't look right is the "keyring PaloAlto" command under the crypto ikev2 profile; that should read "keyring local PaloAlto", but I think that is simply a typo. I would suggest enabling crypto debug on the router as well as on the Palo Alto firewall.
On the router use the command debug crypto ikev2, and on the Palo Alto use:
debug ike gateway <the VPN gateway name> on
debug ike tunnel <the VPN IPsec Tunnel name> on
tail follow yes mp-log keymgr.log
Clear the tunnel and watch the debugs on both ends; hopefully you will see what is wrong and can try to fix it.
To see the tunnel status on Cisco:
show crypto ikev2 sa det
On Palo Alto:
show vpn ike-sa and show vpn ipsec-sa
Once you finish troubleshooting the issue, turn off the debugs. On the Palo Alto, repeat those debug commands replacing "on" with "off".
If you don't spot any issue, please share sanitized screenshots of the Palo Alto tunnel configuration, including the IKE Crypto profile, IPSec Crypto profile, IKE Gateway, IPSec Tunnel, and the related virtual router and security policy configuration.
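One way to make the "compare both sides before you debug" advice repeatable, as an added example that is not part of this thread or of either vendor's tooling: a short Python script that parses the crypto-relevant lines of the router configuration posted above and checks them against the values you read off the Palo Alto IKE Crypto profile, IPSec Crypto profile, IKE Gateway and proxy IDs. The firewall-side values, the IOS-to-neutral keyword mappings and the rule that each crypto-map ACL entry needs a mirrored proxy ID are assumptions made for the example; the router configuration is the one from the first post.

```python
"""Compare an IOS IKEv2 crypto-map configuration with hand-entered Palo Alto values.

Added example for this thread, not vendor code. It flags proposal/transform/PFS
mismatches, a peer/identity address mismatch, and ACL entries without a mirrored
proxy ID. Keyword mappings below are assumptions for the example.
"""
import ipaddress

# Constructed sample: the crypto-relevant lines of the router config posted above.
IOS_CONFIG = """\
crypto ikev2 proposal PaloAlto
 encryption aes-cbc-256
 integrity sha512
 group 20
crypto ikev2 keyring PaloAlto
 peer PaloAlto
  address 1.1.1.1
  pre-shared-key 123456
crypto ikev2 profile PaloAlto
 match identity remote address 1.1.1.1 255.255.255.255
 keyring PaloAlto
crypto ipsec transform-set PaloAlto esp-aes 256 esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set pfs group20
 match address PaloAlto
ip access-list extended PaloAlto
 permit ip host 192.168.1.1 192.168.246.0 0.0.0.255
 permit ip host 192.168.1.2 192.168.246.0 0.0.0.255
"""

# Constructed sample of the firewall side, typed in from the GUI (assumed values).
# proxy_ids are (firewall local, firewall remote): the mirror image of the router ACL.
PA_SIDE = {
    "ike_encryption": {"aes-256-cbc"}, "ike_authentication": {"sha512"}, "ike_dh_group": {20},
    "ipsec_encryption": {"aes-256-cbc"}, "ipsec_authentication": {"sha1"}, "ipsec_dh_group": {20},
    "local_address": "1.1.1.1",
    "proxy_ids": [("192.168.246.0/24", "192.168.1.1/32"), ("192.168.246.0/24", "192.168.1.2/32")],
}

# IOS keyword -> neutral name. Assumed mappings for the example; extend as needed.
IKE_ENC = {"aes-cbc-256": "aes-256-cbc", "aes-cbc-192": "aes-192-cbc", "aes-cbc-128": "aes-128-cbc", "3des": "3des"}
ESP_ENC = {"esp-aes 256": "aes-256-cbc", "esp-aes 192": "aes-192-cbc", "esp-aes 128": "aes-128-cbc",
           "esp-aes": "aes-128-cbc", "esp-3des": "3des"}
ESP_AUTH = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256", "esp-sha384-hmac": "sha384",
            "esp-sha512-hmac": "sha512", "esp-md5-hmac": "md5"}


def _acl_addr(t, i):
    """Consume one ACL address spec (any | host A | A wildcard) at t[i]; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    # Contiguous wildcard mask -> prefix length (0.0.0.255 -> /24, 0.0.0.0 -> /32).
    prefix = 32 - bin(int(ipaddress.IPv4Address(t[i + 1]))).count("1")
    return ipaddress.ip_network(f"{t[i]}/{prefix}", strict=False), i + 2


def parse_ios(config):
    """Extract proposal, transform-set, PFS, peer/identity address and ACL selectors."""
    ios = {k: set() for k in ("ike_encryption", "ike_authentication", "ike_dh_group",
                              "ipsec_encryption", "ipsec_authentication", "ipsec_dh_group")}
    ios.update(peer_address=None, match_identity=None, selectors=[])
    block = None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            toks, j, block = t[4:], 0, None
            while j < len(toks):
                if toks[j] in ESP_AUTH:
                    ios["ipsec_authentication"].add(ESP_AUTH[toks[j]]); j += 1
                elif toks[j] == "esp-aes" and j + 1 < len(toks) and toks[j + 1].isdigit():
                    ios["ipsec_encryption"].add(ESP_ENC[f"esp-aes {toks[j + 1]}"]); j += 2
                else:
                    ios["ipsec_encryption"].add(ESP_ENC.get(toks[j], toks[j])); j += 1
            continue
        heads = {("crypto", "ikev2", "proposal"): "proposal", ("crypto", "ikev2", "keyring"): "keyring",
                 ("crypto", "ikev2", "profile"): "profile", ("crypto", "map"): "map",
                 ("ip", "access-list"): "acl"}
        if not raw.startswith(" "):  # top-level line: start a block or leave the current one
            block = heads.get(tuple(t[:3])) or heads.get(tuple(t[:2]))
            continue
        if block == "proposal" and t[0] == "encryption":
            ios["ike_encryption"].update(IKE_ENC.get(x, x) for x in t[1:])
        elif block == "proposal" and t[0] == "integrity":
            ios["ike_authentication"].update(t[1:])
        elif block == "proposal" and t[0] == "group":
            ios["ike_dh_group"].update(int(x) for x in t[1:])
        elif block == "keyring" and t[0] == "address":
            ios["peer_address"] = t[1]
        elif block == "profile" and t[:4] == ["match", "identity", "remote", "address"]:
            ios["match_identity"] = t[4]
        elif block == "map" and t[:2] == ["set", "pfs"]:
            ios["ipsec_dh_group"].add(int(t[2].replace("group", "")))
        elif block == "acl" and t[0] == "permit":
            src, i = _acl_addr(t, 2)
            dst, _ = _acl_addr(t, i)
            ios["selectors"].append((src, dst))
    return ios


def compare(ios, pa):
    """Return a list of human-readable mismatches; an empty list means the two sides agree."""
    problems = []
    for key in ("ike_encryption", "ike_authentication", "ike_dh_group",
                "ipsec_encryption", "ipsec_authentication", "ipsec_dh_group"):
        if not ios[key] & pa[key]:  # at least one common value is enough to negotiate
            problems.append(f"{key}: router offers {sorted(ios[key])}, firewall accepts {sorted(pa[key])}")
    for field in ("peer_address", "match_identity"):
        if ios[field] != pa["local_address"]:
            problems.append(f"{field} {ios[field]} != firewall local address {pa['local_address']}")
    mirrored = {(ipaddress.ip_network(l), ipaddress.ip_network(r)) for l, r in pa["proxy_ids"]}
    for src, dst in ios["selectors"]:
        if (dst, src) not in mirrored:
            problems.append(f"no proxy ID mirrors router selector {src} -> {dst} (need local={dst}, remote={src})")
    return problems


if __name__ == "__main__":
    for line in compare(parse_ios(IOS_CONFIG), PA_SIDE) or ["no mismatches found"]:
        print(line)
```

Run it once with the firewall values copied exactly as configured; every line it prints is something to fix before the debugs are worth reading. It deliberately checks for at least one common algorithm per category rather than an exact set match, since both sides can list several, and it does not judge the "keyring" vs "keyring local" question discussed further down in the thread.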
11-01-2020 02:51 PM
@Aref Alsouqi: Are you working for Cisco, LOL? There is NO such command "keyring local PaloAlto" as you mentioned. The Cisco TAC engineer kept fighting with me on this until I showed him that there is NO "local". I don't even have AAA enabled on the router:
c2921(config)#crypto ikev2 profile PaloAlto
c2921(config-ikev2-profile)#keyring ?
WORD Keyring name
aaa AAA based pre-shared keys
c2921(config-ikev2-profile)#keyring
I know how to troubleshoot on both the router and the Palo Alto side. As a matter of fact, I had both Palo Alto and Cisco on the phone at the same time; Palo Alto blamed the issue on the Cisco side and vice versa. Palo Alto support stated that Cisco sent them the wrong data, but the Cisco TAC engineer had no clue. After a few weeks of back and forth with Cisco, I finally gave up, until @marce1000 showed me the bug ID. It could have saved me a lot of time. The TAC engineer from Cisco was pretty much useless.
11-04-2020 11:28 AM - edited 11-04-2020 11:28 AM
I unfortunately don't, lol. This is interesting; I tried it in my lab and I got the local option:
VPN-ROUTER(config)#crypto ikev2 profile PaloAlto
VPN-ROUTER(config-ikev2-profile)#keyring ?
  aaa    AAA based keyring
  local  Local keyring
Regarding the troubleshooting, I would rely on debugs on both ends and try to parse any error that would help suggest what the root cause is.
11-05-2020 01:15 PM
@Aref Alsouqi wrote: I unfortunately don't, lol. This is interesting; I tried it in my lab and I got the local option:
VPN-ROUTER(config)#crypto ikev2 profile PaloAlto
VPN-ROUTER(config-ikev2-profile)#keyring ?
  aaa    AAA based keyring
  local  Local keyring
Regarding the troubleshooting, I would rely on debugs on both ends and try to parse any error that would help suggest what the root cause is.
Which version of IOS are you running?
11-09-2020 03:20 PM
That was on 15.7(3)M3 in my lab; however, I remember always seeing that option on hardware as well.