Unable to start ipsec tunnel on C921-4p

CK-One
Level 1

Hello,
I'm quite new to the Cisco IOS terminal and struggling with bringing up an IPsec IKEv2 tunnel. I read a lot of documentation, enabled the securityk9 license etc., but I still cannot figure out how to get the tunnel up. I'm hoping someone can help me to get an eye-opening moment.

First a short environment description:
This new Cisco C921-4P is a replacement router for a broken Cisco RV340 device. Only two interfaces are used: LAN is connected to GigabitEthernet0, WAN is connected to GigabitEthernet5. LAN will serve connected clients via DHCP with an IP address from the range 10.100.1.0/24; the router IP address is 10.100.1.254. WAN receives its IP address via DHCP from the ISP and has no fixed IP address.

As this branch router has periodically changing WAN IP addresses from the ISP, the tunnel may only be initiated by the branch Cisco device, not by the counterpart in the datacenter. The IPsec endpoint at the datacenter is configured to allow any endpoint to connect and negotiate; this setup is unchanged and worked quite well with the older RV340 branch device.

Once the client is connected to the LAN port and gets an IP address from the DHCP pool (VLAN1000_Pool), all connections to WAN/Internet are working fine; I can successfully ping Internet IP addresses like 8.8.8.8 etc.

Crypto map VPN_CRYPTO_MAP references a matching IP address access list that defines 10.0.0.0/9 and 172.16.0.0/16 to go through the tunnel. Crypto map VPN_CRYPTO_MAP is assigned to interface GigabitEthernet5 (WAN interface).

When I try to ping, e.g., 172.16.100.1 from my PC, which should go through the tunnel, I get a timeout and the Cisco C921 device doesn't seem to bother initiating the tunnel. I can't figure out why the device is not starting to initiate a connection to the datacenter IPsec endpoint to build up the IPsec tunnel; it's always down.

Current router config:

Current configuration : 6149 bytes
!
! Last configuration change at 14:18:15 CET Thu Feb 13 2025 by cisco
! NVRAM config last updated at 14:18:26 CET Thu Feb 13 2025 by cisco
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gateway-k-0001
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
enable secret 9 XXXXXXXXXXXXXXXX
!
no aaa new-model
no process cpu extended history
no process cpu autoprofile hog
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
no ip source-route
no ip gratuitous-arps
!
!
!
ip dhcp excluded-address 10.100.1.254
!
ip dhcp pool VLAN1000_Pool
import all
network 10.100.1.0 255.255.255.0
default-router 10.100.1.254
dns-server 10.15.10.1 8.8.8.8
domain-name ts.cloud
!
!
!
ip domain lookup source-interface GigabitEthernet5
ip domain name ts.cloud
ip name-server 8.8.8.8
ip cef
login block-for 120 attempts 3 within 15
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3571247799
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3571247799
revocation-check none
rsakeypair TP-self-signed-3571247799
!
!
crypto pki certificate chain TP-self-signed-3571247799
certificate self-signed 01
quit
license udi pid C921-4P sn PVN2xxxxxxxxx
license accept end user agreement
license boot module c900 technology-package securityk9
!
!
username cisco privilege 15 secret 9 XXXXXXXXXXXXXXXX
!
redundancy
!
crypto ikev2 proposal IKEV2_PROPOSAL
encryption aes-cbc-256
integrity sha1
group 5
!
crypto ikev2 policy IKEV2_POLICY
proposal IKEV2_PROPOSAL
!
crypto ikev2 keyring IKEV2_KEYRING
peer vpn.tscloud.online
address 185.132.45.104
pre-shared-key XXXXXXXXXXXXXXXX
!
!
!
crypto ikev2 profile VPN_PROFILE
match identity remote fqdn vpn.tscloud.online
identity local fqdn k.gateway.tscloud.online
authentication remote pre-share
authentication local pre-share
keyring local IKEV2_KEYRING
lifetime 28800
!
crypto ikev2 nat keepalive 20
crypto ikev2 diagnose error 1
!
lldp run
no cdp run
!
!
crypto logging ikev2
!
!
crypto ipsec transform-set VPN_TRANSFORM_SET esp-aes 256 esp-sha-hmac
mode tunnel
!
!
!
crypto map VPN_CRYPTO_MAP 10 ipsec-isakmp
set peer 185.132.45.104
set transform-set VPN_TRANSFORM_SET
set pfs group5
set ikev2-profile VPN_PROFILE
match address VPN_ACL
!
!
!
!
!
interface GigabitEthernet0
description Produktionsnetzwerk
switchport access vlan 1000
switchport mode access
no ip address
no cdp enable
no mop enabled
!
interface GigabitEthernet1
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet2
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet3
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet4
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet5
description ISP WAN Connection
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no lldp transmit
crypto map VPN_CRYPTO_MAP
!
interface Vlan1
ip address 192.168.1.254 255.255.255.0
no autostate
no mop enabled
!
interface Vlan1000
description L3 Produktionsnetzwerk
ip address 10.100.1.254 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly in
no autostate
no mop enabled
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list ACL_WAN interface GigabitEthernet5 overload
ip route 0.0.0.0 0.0.0.0 dhcp
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ip access-list extended ACL_WAN
deny ip 10.100.1.0 0.0.0.255 10.0.0.0 0.127.255.255
deny ip 10.100.1.0 0.0.0.255 172.16.0.0 0.0.255.255
permit ip 10.100.1.0 0.0.0.255 any
ip access-list extended VPN_ACL
permit ip 10.100.1.0 0.0.0.255 10.0.0.0 0.127.255.255
permit ip 10.100.1.0 0.0.0.255 172.16.0.0 0.0.255.255
!
!
!
snmp-server community public RO
!
control-plane
!
!
line con 0
exec-timeout 0 0
password XXXXXXXXXXXXXXXX
logging synchronous
login
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server de.pool.ntp.org source GigabitEthernet5
!
end


Thank you very much for your support!
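As an added example (editor's code, not the poster's and not a diagnosis of this thread), a small Python consistency check over a constructed excerpt of the posted config: it verifies that the crypto map is bound to an interface, that every subnet the crypto ACL sends into the tunnel is denied in the NAT ACL so it is exempted from NAT before encryption, and flags the legacy SHA-1 / DH group 5 proposal.

```python
import re

# Constructed excerpt of the posted configuration (not the full dump).
CONFIG = """\
crypto ikev2 proposal IKEV2_PROPOSAL
 encryption aes-cbc-256
 integrity sha1
 group 5
crypto map VPN_CRYPTO_MAP 10 ipsec-isakmp
 set peer 185.132.45.104
 match address VPN_ACL
interface GigabitEthernet5
 ip nat outside
 crypto map VPN_CRYPTO_MAP
ip nat inside source list ACL_WAN interface GigabitEthernet5 overload
ip access-list extended ACL_WAN
 deny ip 10.100.1.0 0.0.0.255 10.0.0.0 0.127.255.255
 deny ip 10.100.1.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 10.100.1.0 0.0.0.255 any
ip access-list extended VPN_ACL
 permit ip 10.100.1.0 0.0.0.255 10.0.0.0 0.127.255.255
 permit ip 10.100.1.0 0.0.0.255 172.16.0.0 0.0.255.255
"""

def acl_entries(cfg, name):
    # Return (action, src, src_wc, dst, dst_wc) tuples of one extended ACL.
    block = re.search(rf"^ip access-list extended {name}\n((?: .*\n)*)", cfg, re.M)
    entries = []
    for line in (block.group(1).splitlines() if block else []):
        m = re.match(r" (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?", line)
        if m:
            entries.append(m.groups())
    return entries

def lint(cfg):
    # Structural checks a reviewer runs on a crypto-map based IPsec config.
    findings = []
    for cmap in set(re.findall(r"^crypto map (\S+) \d+ ipsec-isakmp", cfg, re.M)):
        if cmap not in re.findall(r"^ crypto map (\S+)$", cfg, re.M):
            findings.append(f"crypto map {cmap} is not applied to any interface")
    # Traffic the crypto ACL selects must be excluded from PAT/NAT first.
    nat_acl = re.search(r"^ip nat inside source list (\S+)", cfg, re.M)
    denied = {e[1:] for e in acl_entries(cfg, nat_acl.group(1)) if e[0] == "deny"} if nat_acl else set()
    for acl in re.findall(r"^ match address (\S+)", cfg, re.M):
        for e in acl_entries(cfg, acl):
            if e[0] == "permit" and e[1:] not in denied:
                findings.append(f"{acl} entry {' '.join(x for x in e[1:] if x)} is not exempted from NAT")
    if re.search(r"^ integrity sha1|^ group [125]$", cfg, re.M):
        findings.append("IKEv2 proposal uses legacy SHA-1 or DH group 1/2/5")
    return findings
```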
