07-27-2023 02:13 AM - edited 07-27-2023 02:14 AM
Hi, I am trying to establish a VPN connection with IKEv2 and just wanted to check if my config is looking correct. I don't have access to the other side of the VPN, unfortunately, so I just want to check that this side is at least not missing anything important. There is also a NAT in place:
name 1.1.1.1 test
object-group network test
network-object host test
object network test_nat
host 192.168.2.1
object network test_local
subnet 0.0.0.0 0.0.0.0
object network test_remote
subnet 192.168.1.0 255.255.255.224
access-list acl_test extended permit tcp any host 192.168.1.10 eq ssh
access-list acl_test extended permit tcp any host 192.168.1.2 eq https
access-group acl_test interface outside control-plane
route outside 192.168.1.0 255.255.255.252 180.180.180.126
crypto ipsec ikev2 ipsec-proposal p1
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto map outside_tunnels 141 match address acl_test
crypto map outside_tunnels 141 set peer test
crypto map outside_tunnels 141 set ikev2 ipsec-proposal p1
crypto map outside_tunnels 141 set pfs group14
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx
nat (inside,outside) source static test_local test_nat destination static test_remote test_remote
07-27-2023 03:51 AM
Here is the debug info. Config matches @MHM Cisco World above.
07-27-2023 03:54 AM
@m.s.rees1 "no proposal chosen notify": check that your IKEv2 settings match the peer device's.
07-27-2023 03:57 AM
Just spotted that myself, thanks for the help here. Appreciate it. This is where I wanted to get to, just to make sure my side isn't causing the problem. I will have to clarify the details with the 3rd party and hopefully get somewhere. Looks like a mismatch.
07-27-2023 03:59 AM
crypto ikev2 policy 1
encryption aes-256 <<- add more algorithms
integrity sha <<- add more algorithms
group 14 <<- add more groups
prf sha256
lifetime seconds 86400
07-27-2023 05:52 AM
Could you explain this? Would this not work as it is, if it were correct on both sides...?
Thanks.
07-27-2023 06:02 AM
type: 1, reserved: 0x0, id: AES-CBC
(47): last transform: 0x3, reserved: 0x0: length: 8
type: 2, reserved: 0x0, id: SHA256
(47): last transform: 0x3, reserved: 0x0: length: 8
type: 3, reserved: 0x0, id: SHA96
(47): last transform: 0x0, reserved: 0x0: length: 8
type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
(47): KE(47): Next payload: N, reserved: 0x0, length: 264
(47): DH group: 14, Reserved: 0x0
(47):
The answer is here.
This is what the peer uses:
DH group 14
PRF sha256
Integrity sha256
Encrypt aes-cbc <<- this is 128, not 256
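To make the mismatch concrete, here is a small Python script, added as an example for this thread and not code from the original post or from Cisco, that parses the transform list from the debug quoted above, translates the names into "crypto ikev2 policy" keywords and reports which attribute the local policy cannot satisfy. In an IKEv2 SA payload the transform types 1 to 4 are encryption, PRF, integrity and DH group (RFC 7296). The translation table is the script's own: AES-CBC is taken as 128-bit ("aes" on the ASA) because the snippet shows no key-length attribute and that is how the thread reads the peer's offer, and SHA96 is HMAC-SHA1-96, which the ASA spells "integrity sha". The one-line debug string and the two sample policies are constructed from what the thread posted; debug names not seen in the thread (3DES, SHA384, SHA512) are assumptions.

```python
import re

# IKEv2 transform types from RFC 7296 section 3.3.2, keyed by the number the
# ASA debug prints after "type:", mapped to the 'crypto ikev2 policy' keyword.
TRANSFORM_TYPES = {"1": "encryption", "2": "prf", "3": "integrity", "4": "group"}

# Names the ASA IKEv2 debug prints -> keywords 'crypto ikev2 policy' accepts.
# AES-CBC maps to "aes" (AES-128-CBC on the ASA) because the posted snippet
# carries no key-length attribute and the thread reads the offer as 128-bit.
# Only AES-CBC, SHA256, SHA96 and "Group 14" occur in the thread; the other
# entries are assumptions about how the debug spells those algorithms.
DEBUG_TO_POLICY = {
    "encryption": {"AES-CBC": "aes", "3DES": "3des"},
    "prf": {"SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"},
    # SHA96 is AUTH_HMAC_SHA1_96, which the ASA spells "integrity sha".
    "integrity": {"SHA96": "sha", "SHA256": "sha256", "SHA384": "sha384", "SHA512": "sha512"},
}

# One transform per "type: N, reserved: 0x.., id: NAME (tunnel-id)" fragment.
TRANSFORM_RE = re.compile(
    r"type:\s*(\d+),\s*reserved:\s*0x[0-9a-fA-F]+,\s*id:\s*(.+?)\s*\(\d+\)"
)

# Constructed sample: the transform list quoted from the thread's debug (tunnel id 47),
# joined into one string exactly as it was pasted.
PEER_SA_DEBUG = (
    "type: 1, reserved: 0x0, id: AES-CBC (47): last transform: 0x3, reserved: 0x0: length: 8 "
    "type: 2, reserved: 0x0, id: SHA256 (47): last transform: 0x3, reserved: 0x0: length: 8 "
    "type: 3, reserved: 0x0, id: SHA96 (47): last transform: 0x0, reserved: 0x0: length: 8 "
    "type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14 (47): KE(47): Next payload: N"
)

# Constructed sample: 'crypto ikev2 policy 1' as first posted in the thread.
POSTED_POLICY = """crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 14
 prf sha256
 lifetime seconds 86400"""

# Same policy with AES-128 ("aes") added next to aes-256.
WIDENED_POLICY = POSTED_POLICY.replace("encryption aes-256", "encryption aes aes-256")


def to_policy_keyword(attr, debug_id):
    """Translate one debug transform name into the ASA policy keyword."""
    if attr == "group":
        m = re.search(r"Group\s+(\d+)", debug_id)
        return m.group(1) if m else debug_id.lower()
    return DEBUG_TO_POLICY[attr].get(debug_id, debug_id.lower())


def parse_peer_proposal(debug_text):
    """Return {attribute: [policy keywords the peer offered]} from an IKEv2 SA debug."""
    peer = {}
    for ttype, debug_id in TRANSFORM_RE.findall(debug_text):
        attr = TRANSFORM_TYPES.get(ttype)
        if attr is None:  # transform types other than 1-4 are not IKE policy attributes
            continue
        peer.setdefault(attr, []).append(to_policy_keyword(attr, debug_id))
    return peer


def parse_local_policy(config_text):
    """Return {attribute: set(keywords)} from the 'crypto ikev2 policy' lines."""
    local = {}
    for line in config_text.splitlines():
        parts = line.strip().split()
        if parts and parts[0] in TRANSFORM_TYPES.values():
            local.setdefault(parts[0], set()).update(parts[1:])
    return local


def find_mismatches(peer, local):
    """Attributes for which none of the peer's offered values exists locally.

    IKEv2 selects one transform per type, so a type matches when at least one
    offered value is configured; an empty list means the proposal would be chosen.
    """
    return [(attr, offered) for attr, offered in peer.items()
            if not any(v in local.get(attr, set()) for v in offered)]


if __name__ == "__main__":
    peer = parse_peer_proposal(PEER_SA_DEBUG)
    print("peer offers:", peer)
    for name, cfg in (("posted", POSTED_POLICY), ("widened", WIDENED_POLICY)):
        gaps = find_mismatches(peer, parse_local_policy(cfg))
        print(f"{name} policy:", f"NO_PROPOSAL_CHOSEN for {gaps}" if gaps else "proposal would match")
```

Run against the posted policy the only unmatched attribute is encryption (the peer offers 128-bit AES, the policy only has aes-256); integrity sha, prf sha256 and group 14 already line up, so widening the encryption list is the single change needed on the local policy for the IKE SA to be negotiated.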
07-27-2023 06:19 AM
so like this?
crypto ikev2 policy 1
encryption aes
integrity sha256 sha
group 14 (they specified this as the group)
prf sha256
lifetime seconds 86400
07-27-2023 06:22 AM
crypto ikev2 policy 1
encryption aes-cbc
integrity sha256 sha
group 14 (they specified this as the group)
prf sha256
lifetime seconds 86400
07-27-2023 06:25 AM
Ah, I only get the following options:
07-27-2023 06:27 AM
OK,
select aes and aes-192.
Hope it works.
Thanks
07-27-2023 06:43 AM
Thanks, unfortunately not:
IKEv2-PLAT-2: (110): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol
IKEv2-PLAT-2: (110): Connection is not authorized based on configured attributes
07-27-2023 06:56 AM
IKEv2-PLAT-2: (110): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol
...that implies IKEv2 is not an allowed protocol, as mentioned before. Is the IKEv2 protocol enabled under the group-policy (possibly DfltGrpPolicy if you do not have a specific policy)?
Check:
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2
07-27-2023 06:59 AM
I managed to create a new policy, and this error has gone away and no longer appears in the debug, so I assume that fixed it. I feel like I am nearly there! I am now getting the following in the debug:
IKEv2-PLAT-4: (92): IKEv2 session deregistered from session manager. Reason: 8
IKEv2-PLAT-4: (92): session manager killed ikev2 tunnel. Reason: Internal Error
07-27-2023 07:02 AM
crypto isakmp identity address
Add the above, then:
clear crypto isakmp
clear crypto sa
And check again.
07-27-2023 07:09 AM