Unable to create VPN L2L between 819 and ASA using ikev2

Just got an 819 to try and set up an IKEv2 VPN tunnel from a site with a dynamic public IP. I have been following this blog:

ASA running 9.1.6(6), 819 running 15.3(3)M3

https://supportforums.cisco.com/blog/12960641/ikev2-central-spoke-asa-multiple-ios-hubsclients-dynamic-ip

I get this error on the ASA:

IKEv2-PROTO-1: (64): Failed to find a matching policy
IKEv2-PROTO-1: (64): Received Policies:
ESP: Proposal 1: AES-CBC-128 SHA96 Don't use ESN

IKEv2-PROTO-1: (64): Failed to find a matching policy
IKEv2-PROTO-1: (64): Expected Policies:
ESP: Proposal 0: AES-CBC-256 SHA96 Don't use ESN

IKEv2-PROTO-1: (64): Failed to find a matching policy
IKEv2-PROTO-1: (64):
IKEv2-PROTO-1: (65): Failed to find a matching policy
IKEv2-PROTO-1: (65): Received Policies:
ESP: Proposal 1: AES-CBC-128 SHA96 Don't use ESN

IKEv2-PROTO-1: (65): Failed to find a matching policy
IKEv2-PROTO-1: (65): Expected Policies:
ESP: Proposal 0: AES-CBC-256 SHA96 Don't use ESN

IKEv2-PROTO-1: (65): Failed to find a matching policy
IKEv2-PROTO-1: (65):
IKEv2-PROTO-1: (66): Failed to find a matching policy
IKEv2-PROTO-1: (66): Received Policies:
ESP: Proposal 1: AES-CBC-128 SHA96 Don't use ESN

IKEv2-PROTO-1: (66): Failed to find a matching policy
IKEv2-PROTO-1: (66): Expected Policies:
ESP: Proposal 0: AES-CBC-256 SHA96 Don't use ESN

IKEv2-PROTO-1: (66): Failed to find a matching policy
IKEv2-PROTO-1: (66):

Now I changed the proposal on the 819, but it still seems to be using the default one.

See below; the default proposal does not display in a show run:

crypto ikev2 proposal proposal-3des
encryption 3des
integrity sha1
group 5 2

!
crypto ikev2 policy policy2
proposal proposal-3des

What am I missing?

4 Replies

I have this problem again with a 4G 819.

Went to reconfigure a new 819 and get this error on the ASA:

deb crypto ikev2 protocol 2

IKEv2-PROTO-1: (417): Failed to find a matching policy
IKEv2-PROTO-1: (417): Expected Policies:
IKEv2-PROTO-1: (417): Failed to find a matching policy
IKEv2-PROTO-1: (417):
IKEv2-PROTO-1: (503): Failed to find a matching policy
IKEv2-PROTO-1: (503): Received Policies:
AH: Proposal 1:  MD596 Don't use ESN

ESP: Proposal 1:  AES-CBC-128 Don't use ESN

AH: Proposal 2:  MD596 Don't use ESN

ESP: Proposal 2:  AES-CBC-256 Don't use ESN

ESP: Proposal 3:  AES-CBC-192 SHA96 Don't use ESN

ESP: Proposal 4:  AES-CBC-256 SHA256 Don't use ESN

ESP: Proposal 5:  AES-CBC-256 SHA96 Don't use ESN

ESP: Proposal 6:  AES-CBC-128 SHA96 Don't use ESN

IKEv2-PROTO-1: (503): Failed to find a matching policy
IKEv2-PROTO-1: (503): Expected Policies:
IKEv2-PROTO-1: (503): Failed to find a matching policy
IKEv2-PROTO-1: (503):

IPsec policies on the ASA are:

crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES-192
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES-128
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256-SHA1-256
 protocol esp encryption aes-256
 protocol esp integrity sha-1

IPsec transform sets on the 819 are:

crypto ipsec transform-set trans esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec transform-set aes256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set aes192 esp-aes 192 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set aesmd5 ah-md5-hmac esp-aes
 mode tunnel
crypto ipsec transform-set aes256md5 ah-md5-hmac esp-aes 256
 mode tunnel
!
What am I missing?!
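A quick way to see whether the debug's "Failed to find a matching policy" is really a Phase 2 proposal problem is to normalise both sides' proposals into one vocabulary and compute which pairs could agree. The script below is an added example, not from this thread or from Cisco; it embeds the ASA ipsec-proposals and the 819 transform sets quoted above as constructed strings, and the matching rule it applies (ESP-only on both sides, same cipher, and the router's ESP integrity must be one the ASA proposal allows) is a simplification that I am assuming, not the exact IKEv2 negotiation logic.

```python
import re

# Constructed copies of the ASA "crypto ipsec ikev2 ipsec-proposal" lines quoted above.
ASA_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES-192
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES-128
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256-SHA1-256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
"""

# Constructed copies of the 819 "crypto ipsec transform-set" lines quoted above.
IOS_CONFIG = """\
crypto ipsec transform-set trans esp-aes esp-sha-hmac
crypto ipsec transform-set aes256 esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
crypto ipsec transform-set aes192 esp-aes 192 esp-sha-hmac
crypto ipsec transform-set aesmd5 ah-md5-hmac esp-aes
crypto ipsec transform-set aes256md5 ah-md5-hmac esp-aes 256
"""

# ASA keyword -> common name ("aes" on the ASA means 128-bit AES).
ASA_ALG = {"aes": "aes-128", "aes-192": "aes-192", "aes-256": "aes-256",
           "3des": "3des", "sha-1": "sha1", "md5": "md5"}


def parse_asa_proposals(text):
    """Return {name: {"enc": set, "integ": set}}; a proposal listing several
    integrity algorithms accepts any one of them."""
    proposals, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line)
        if m:
            current = proposals.setdefault(m.group(1), {"enc": set(), "integ": set()})
            continue
        m = re.match(r"\s+protocol esp (encryption|integrity) (.+)$", line)
        if m and current is not None:
            key = "enc" if m.group(1) == "encryption" else "integ"
            current[key].update(ASA_ALG[a] for a in m.group(2).split())
    return proposals


def parse_ios_transform_sets(text):
    """Return {name: {"enc", "integ", "ah"}}; a transform set is one fixed combination."""
    sets = {}
    for line in text.splitlines():
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if not m:
            continue
        tokens, ts, i = m.group(2).split(), {"enc": None, "integ": None, "ah": None}, 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "esp-aes":                       # optional key size, default 128
                bits = "128"
                if i + 1 < len(tokens) and tokens[i + 1] in ("128", "192", "256"):
                    bits, i = tokens[i + 1], i + 1
                ts["enc"] = f"aes-{bits}"
            elif tok == "esp-3des":
                ts["enc"] = "3des"
            elif tok in ("esp-sha-hmac", "esp-sha256-hmac", "esp-md5-hmac"):
                ts["integ"] = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
                               "esp-md5-hmac": "md5"}[tok]
            elif tok in ("ah-md5-hmac", "ah-sha-hmac"):
                ts["ah"] = "md5" if tok == "ah-md5-hmac" else "sha1"
            else:
                raise ValueError(f"unhandled transform keyword: {tok}")
            i += 1
        sets[m.group(1)] = ts
    return sets


def matching_pairs(asa, ios):
    """(819 set, ASA proposal) pairs the assumed rule lets both sides agree on.
    AH-carrying sets never match because the ASA proposals above are ESP-only."""
    return [(iname, aname) for iname, ts in ios.items()
            if ts["ah"] is None and ts["enc"] and ts["integ"]
            for aname, prop in asa.items()
            if ts["enc"] in prop["enc"] and ts["integ"] in prop["integ"]]


def unmatched(asa, ios):
    """(819 sets with no ASA counterpart, ASA proposals with no 819 counterpart)."""
    pairs = matching_pairs(asa, ios)
    return (sorted(set(ios) - {i for i, _ in pairs}),
            sorted(set(asa) - {a for _, a in pairs}))


if __name__ == "__main__":
    asa, ios = parse_asa_proposals(ASA_CONFIG), parse_ios_transform_sets(IOS_CONFIG)
    for iname, aname in matching_pairs(asa, ios):
        print(f"819 transform-set {iname:10} <-> ASA ipsec-proposal {aname}")
    print("no match:", unmatched(asa, ios))
```

Run against the quoted configs, the checker pairs `trans`, `aes` and `aes192` with ASA proposals, while the two AH sets, the SHA-256 set and the ASA's 3DES proposal have no counterpart. Since at least one pair agrees, a persistent "Failed to find a matching policy" points away from the transform sets and towards something else the negotiation must also match, which is what the poster found next.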

Fixed it again!

The debug led me astray thinking the problem was to do with different crypto IPSEC transforms.

But in fact it was to do with the interesting traffic ACL. The ACL on the ASA had a wrong subnet mask, so it did not mirror the ACL on the 819G.

As soon as this was fixed up, all started working.
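The root cause above, a crypto ACL whose mask does not mirror the far side, is easy to catch before bringing a tunnel up: parse both ACLs, turn the ASA's netmasks and the router's wildcard masks into the same prefix form, and check that every entry on one side has an exact reverse on the other. The script below is an added example, not from this thread; the ACL names VPN-819 and VPN-ASA and all addresses are constructed, since the post does not quote the real ACLs, and the "broken" ASA entry uses a /16 mask where the router has a /24 to reproduce the kind of mismatch described.

```python
import ipaddress

# Constructed ASA crypto ACL with the mask error (255.255.0.0 where the router uses /24).
ASA_ACL_BROKEN = """\
access-list VPN-819 extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list VPN-819 extended permit ip 192.168.10.0 255.255.255.0 host 10.20.0.5
"""
# Same ACL with the mask corrected.
ASA_ACL_FIXED = ASA_ACL_BROKEN.replace("10.20.0.0 255.255.0.0", "10.20.0.0 255.255.255.0")

# Constructed 819 crypto ACL; IOS uses wildcard masks, so 0.0.0.255 means /24.
IOS_ACL = """\
ip access-list extended VPN-ASA
 permit ip 10.20.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip host 10.20.0.5 192.168.10.0 0.0.0.255
"""


def _take_prefix(tokens, i, wildcard):
    """Consume one address spec (any | host A | A MASK) at tokens[i]; return (network, next i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    mask = int(ipaddress.IPv4Address(tokens[i + 1]))
    if wildcard:
        # Invert explicitly: handing "0.0.0.0" straight to ipaddress would be read as a
        # netmask (/0) rather than a wildcard (/32), which is exactly the kind of slip
        # that produces a non-mirrored ACL.
        mask ^= 0xFFFFFFFF
    net = ipaddress.IPv4Network((tok, str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2


def parse_asa_acl(text, name):
    """(src, dst) networks from 'access-list NAME extended permit ip ...' lines."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if t[:5] != ["access-list", name, "extended", "permit", "ip"]:
            continue
        src, i = _take_prefix(t, 5, wildcard=False)
        dst, _ = _take_prefix(t, i, wildcard=False)
        aces.append((src, dst))
    return aces


def parse_ios_acl(text, name):
    """(src, dst) networks from the 'permit ip' entries of one named extended ACL."""
    aces, inside = [], False
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):                  # a new top-level command
            inside = t[:3] == ["ip", "access-list", "extended"] and len(t) > 3 and t[3] == name
            continue
        if inside and t[:2] == ["permit", "ip"]:
            src, i = _take_prefix(t, 2, wildcard=True)
            dst, _ = _take_prefix(t, i, wildcard=True)
            aces.append((src, dst))
    return aces


def mirror_gaps(asa_text, asa_name, ios_text, ios_name):
    """Entries that have no exact reverse on the other side: (asa_only, ios_only)."""
    asa = set(parse_asa_acl(asa_text, asa_name))
    ios = set(parse_ios_acl(ios_text, ios_name))
    flip = lambda aces: {(d, s) for s, d in aces}
    fmt = lambda aces: sorted(f"{s} -> {d}" for s, d in aces)
    return fmt(asa - flip(ios)), fmt(ios - flip(asa))


if __name__ == "__main__":
    for label, acl in (("broken", ASA_ACL_BROKEN), ("fixed", ASA_ACL_FIXED)):
        asa_only, ios_only = mirror_gaps(acl, "VPN-819", IOS_ACL, "VPN-ASA")
        print(f"{label}: ASA-only {asa_only}  819-only {ios_only}")
```

With the broken ACL the checker reports the ASA's `192.168.10.0/24 -> 10.20.0.0/16` and the router's `10.20.0.0/24 -> 192.168.10.0/24` as unmirrored; after the mask is corrected both lists are empty. The `host` entries are there to show that the wildcard inversion handles the 0.0.0.0 case correctly, which is where a naive mask conversion goes wrong.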

Thanks. Even I hit the same error and changed to the correct subnet mask on both the primary and remote site, then it started working.

Deepak Kumar
VIP Alumni

Hi,

Have you verified your ACL configuration at both ends? 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!