VPN IKEv2 with NAT Config Help

m.s.rees1
Level 1

Hi, I am trying to establish a VPN connection with IKEv2 and just wanted to check whether my config looks correct. I don't have access to the other side of the VPN, unfortunately, so I just want to check that this side is at least not missing anything important; there is also a NAT in place:

name 1.1.1.1 test

object-group network test
network-object host test

object network test_nat
host 192.168.2.1

object network test_local
 subnet 0.0.0.0 0.0.0.0

object network test_remote
 subnet 192.168.1.0 255.255.255.224

access-list acl_test extended permit tcp any host 192.168.1.10 eq ssh
access-list acl_test extended permit tcp any host 192.168.1.2 eq https

access-group acl_test interface outside control-plane

route outside 192.168.1.0 255.255.255.252 180.180.180.126

crypto ipsec ikev2 ipsec-proposal p1
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside

crypto map outside_tunnels 141 match address acl_test
crypto map outside_tunnels 141 set peer test
crypto map outside_tunnels 141 set ikev2 ipsec-proposal p1
crypto map outside_tunnels 141 set pfs group14

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxxx
ikev2 local-authentication pre-shared-key xxxxxxx

nat (inside,outside) source static test_local test_nat destination static test_remote test_remote

47 Replies

Did you make the peer change its ACL to mirror what you configured on your side?

If you change that but not changed on the other side, the tunnel will not come up. Any change you do on your side, must be replicated to the other side.

And I do believe you should use a network on that object and not ANY, even for interesting traffic or NAT.

@Flavio Miranda the traffic is being NAT-translated to a host object "test_nat", so the source of the encrypted (interesting) traffic is the NAT address, not the real address, so using the "test_local" object makes no difference.
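Two things come up in the thread that can be checked mechanically rather than by eye: whether the pieces of the posted config agree with each other (NAT objects, crypto ACL, route, peer name, tunnel-group), and what the peer-side "mirror" of the crypto ACL that the reply asks for actually looks like. The script below is an added example, not code from the original post or from any Cisco tool. It understands only the handful of ASA commands that appear in the post (embedded below, lower-cased), assumes the ASA ordering that the OP relies on (outbound NAT happens before the crypto ACL is consulted, so the ACL must match the translated source), and uses the hypothetical name `acl_test_mirror` for the generated peer ACL. It does not model `access-group`, `crypto map ... interface`, or any default route that the post does not show.

```python
"""Consistency checks and peer-side mirror ACL for the ASA IKEv2 L2L + NAT config above.

Added example (not from the original post or any Cisco tool). Parses only the
subset of ASA syntax used in the thread; unrecognised lines are ignored.
"""
import ipaddress

# The configuration from the post above, lower-cased; lines the parser does not
# need (ikev2 policy/proposal, pre-shared keys, access-group) are omitted.
ASA_CONFIG = """
name 1.1.1.1 test
object network test_nat
 host 192.168.2.1
object network test_local
 subnet 0.0.0.0 0.0.0.0
object network test_remote
 subnet 192.168.1.0 255.255.255.224
access-list acl_test extended permit tcp any host 192.168.1.10 eq ssh
access-list acl_test extended permit tcp any host 192.168.1.2 eq https
route outside 192.168.1.0 255.255.255.252 180.180.180.126
crypto map outside_tunnels 141 match address acl_test
crypto map outside_tunnels 141 set peer test
tunnel-group 1.1.1.1 type ipsec-l2l
nat (inside,outside) source static test_local test_nat destination static test_remote test_remote
"""

PORT_OPS = {"eq", "gt", "lt", "neq", "range"}


def parse_addr(tokens, i):
    """Consume one ACE address spec (any | host X | NET MASK) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_port(tokens, i):
    """Consume an optional port qualifier (eq X, range A B, ...) at tokens[i]."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = 3 if tokens[i] == "range" else 2
        return tokens[i:i + n], i + n
    return [], i


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC [SPORT] DST [DPORT]'."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None
    src, i = parse_addr(t, 5)
    sport, i = parse_port(t, i)
    dst, i = parse_addr(t, i)
    dport, i = parse_port(t, i)
    return {"acl": t[1], "action": t[3], "proto": t[4],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def fmt_addr(net):
    """Render a network back in ASA ACL syntax."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def mirror_ace(ace):
    """Peer-side ACE: swap source and destination, including their port qualifiers."""
    parts = ["access-list", ace["acl"] + "_mirror", "extended", ace["action"], ace["proto"],
             fmt_addr(ace["dst"]), *ace["dport"], fmt_addr(ace["src"]), *ace["sport"]]
    return " ".join(parts)


def parse_config(text):
    """Collect names, network objects, crypto ACEs, routes, peers, tunnel-groups and the NAT rule."""
    cfg = {"names": {}, "objects": {}, "aces": [], "routes": [], "peers": [],
           "tunnel_groups": set(), "nat": None}
    current = None  # network object currently being defined
    for raw in text.splitlines():
        line = raw.strip().lower()
        t = line.split()
        if not t:
            continue
        if t[0] == "name":                      # name IP ALIAS
            cfg["names"][t[2]] = t[1]
        elif t[:2] == ["object", "network"]:
            current = t[2]
        elif t[0] == "host" and current:
            cfg["objects"][current] = ipaddress.ip_network(t[1] + "/32")
        elif t[0] == "subnet" and current:
            cfg["objects"][current] = ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
        elif t[0] == "access-list":
            ace = parse_ace(line)
            if ace:
                cfg["aces"].append(ace)
        elif t[0] == "route":                   # route IFACE NET MASK NEXTHOP
            cfg["routes"].append((t[1], ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False), t[4]))
        elif t[0] == "crypto" and "peer" in t:
            cfg["peers"].extend(t[t.index("peer") + 1:])
        elif t[0] == "tunnel-group" and t[2] == "type":
            cfg["tunnel_groups"].add(t[1])
        elif t[0] == "nat" and "static" in t:   # nat (in,out) source static REAL MAPPED destination static REAL MAPPED
            cfg["nat"] = {"src_real": t[4], "src_mapped": t[5], "dst_real": t[8], "dst_mapped": t[9]}
    return cfg


def mirror_acl(cfg):
    """Return the crypto ACL the peer would need, one line per local ACE."""
    return [mirror_ace(a) for a in cfg["aces"]]


def check_config(cfg):
    """Return a list of inconsistency findings; an empty list means nothing was flagged."""
    findings, objs, nat = [], cfg["objects"], cfg["nat"]
    mapped_src, remote = objs[nat["src_mapped"]], objs[nat["dst_real"]]
    # 1. Every peer in the crypto map must resolve (via 'name') to an IP that has a tunnel-group.
    for peer in cfg["peers"]:
        ip = cfg["names"].get(peer, peer)
        if ip not in cfg["tunnel_groups"]:
            findings.append(f"peer {peer} ({ip}) has no 'tunnel-group {ip} type ipsec-l2l'")
    for ace in cfg["aces"]:
        # 2. NAT runs before encryption, so the crypto ACL must match the translated source.
        if not mapped_src.subnet_of(ace["src"]):
            findings.append(f"crypto ACL source {fmt_addr(ace['src'])} does not cover NAT mapped source {mapped_src}")
        # 3. Protected destinations must fall inside the NAT destination object (no-NAT for the remote side).
        if not ace["dst"].subnet_of(remote):
            findings.append(f"crypto ACL destination {fmt_addr(ace['dst'])} is outside NAT destination object {remote}")
        # 4. Each protected destination needs a route in the posted config (a default route would also do).
        if not any(ace["dst"].subnet_of(net) for _, net, _ in cfg["routes"]):
            findings.append(f"no posted route covers {fmt_addr(ace['dst'])}")
    # 5. A static route for the remote prefix should agree with the remote object's mask.
    for _, net, nh in cfg["routes"]:
        if net.network_address == remote.network_address and net.prefixlen != remote.prefixlen:
            findings.append(f"route {net} via {nh} does not match remote object {remote}")
    return findings


if __name__ == "__main__":
    cfg = parse_config(ASA_CONFIG)
    for line in mirror_acl(cfg):
        print(line)
    for finding in check_config(cfg):
        print("CHECK:", finding)
```

Run against the posted config it prints the two mirrored ACEs for the peer (`permit tcp host 192.168.1.10 eq ssh any` and the https equivalent) and flags two things: the /30 `route outside` does not cover host 192.168.1.10, and its mask differs from the /27 `test_remote` object. It does not flag the `any` source, because the translated source 192.168.2.1 is covered by it, which is the OP's point in the last reply; whether the peer's own traffic selector accepts `any` is a question for the other side's config, which the checker cannot see.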