Showing results for 
Search instead for 
Did you mean: 

vpn configuration depends on the provided parameters from head office


i need help to check from the below parameters which i were received from H.O ( they are using firewall) to deploy it on my local router ( remote location - using isr 2911 router) - need help to check if my configurations are fine and i didnt miss any . also if i did any mistake please help to correct this 


KE Phase 1
IKE version 2
Diffie-Hellman group 14
Encryption algorithm AES256
Authentication algorithm SHA256
Authentication method Pre-shared key
Pre-shared key ++++++++
Key lifetime 86400
Dead peer detection Enabled

IKE Phase 2
IPsec protocol ESP (Tunnel mode)
Encryption algorithm AE
Authentication algorithm S
Key lifetime 28800
Perfect Forward Secrecy Enabled, Diffie-Hellman group 5
Replay Protection Enabled
Keep Alive Disabled






amr alrazzaz

Here is the full configuration for the VPN. You should be able to test this and establish a VPN tunnel.


## VPN Configuration ##

# IKEv2 Keyring #
crypto ikev2 keyring KR-1
peer NLAMS02E
address 19x.2x7.1xx.1xx
pre-shared-key xxxxxxxx

# IKEv2 Proposal #
crypto ikev2 proposal PROP-NLAMS02E
encryption aes-cbc-256
integrity sha256
group 14

# IKEv2 Policy #
crypto ikev2 policy POL-NLAMS02E
proposal PROP-NLAMS02E

# IPSec Transform Set #
crypto ipsec transform-set NLAMS02E-TS esp-aes 256 esp-sha256-hmac
mode tunnel

# IKEv2 Profile #
crypto ikev2 profile NLAMS02E-PROFILE
match identity remote address 19x.2x7.1xx.1xx
match address local interface GigabitEthernet0/1.328
authentication local pre-share
authentication remote pre-share
keyring local KR-1
lifetime 86400

# Crypto ACL (to represent the traffic to be encrypted over the VPN tunnel to HQ) #
ip access-list extended VPN_ACL
remark VPN from to the EGCAI01-NLAMS02E-Fortigate3951
permit ip
permit ip
permit ip

# Crypto Map #
crypto map CMAP-NLAMS02E 10 ipsec-isakmp
set peer 19x.2x7.1xx.1xx
set pfs group5
set security-association lifetime seconds 28800
set transform-set NLAMS02E-TS
set ikev2-profile NLAMS02E-PROFILE
match address VPN_ACL

# Enable crypto map on the outside interface #
interface GigabitEthernet0/1.328
description connected to PRIMARY_ISP
crypto map CMAP-NLAMS02E

Don't use an object-group for the crypto ACL - there is a bug


I'll look at writing something in regard to an ACL to filter the traffic over the VPN, but you should be able to test the VPN with what I have already provided.



ill install the demo license and configure it until getting the permanent license 


So, now with this acl u modified and provided to me i can access all ?!

- sap server hosts - dns server host - wipro networks and others which i shared to u in excel sheet  ?

so no need to added them one by one like :


permit ip host 10.xx.0.xx1
permit ip 10.xx.0.0
permit ip host 10.x30.x2.1xx

and so on .... shall i add all hosts and networks which is too much or just enough with the
networks I.D thay u were added on ACL >?

permit TCp host 10.x30.x2.1xx eq 53
and so on

amr alrazzaz

The ACL in configuration I provided above does not need to be modified, it must mirror the configuration on the HQ firewall. If you modify this ACL you may have issues establishing the VPN.

I will look at writing the Zone Based Firewall configuration using the information you provided, this will be used to restrict what can be accessed over the VPN tunnel.

hello dear 


i do configured the ikev2 as per what u provided ?


now how can i check ?

show crypto ikev2 sa detailed
show crypto ipsec sa
show crypto session

amr alrazzaz

Those commands are correct, do you see any output from either?
You will need to generate some traffic for the VPN to establish. Can you ping from a computer behind the router to a server at the HQ.

If the VPN has not established, if you enable debugs "debug crypto ikev2 protocol" and "debug crypto ikev2 platform".

I assume the configuration has been applied on the HQ firewall?
Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: ISE Demo (100%)

Content for Community-Ad