Wednesday, September 12, 2018

IKEv2 VPN Cisco ASA <> Cisco ASR

Hi guys,

I'm going crazy: it looks like I'm too stupid to get a working IKEv2 VPN tunnel between a Cisco ASR and a Cisco ASA.

Maybe someone out there has an idea... I have two problems:

  1. I'm not able to initiate the tunnel from my ASR backend (the ACL on the ASR gets hits).
  2. The tunnel won't come up successfully when I initiate it from the ASA side (due to a NO_PROPOSAL_CHOSEN error).

Of course, I double-checked my encryption/algorithm settings for this setup, but they look fine to me. At the moment, I have allowed EVERY encryption algorithm defined on my ASR/ASA for testing, but there are still no matches.

I found a bug matching my second problem in the Cisco Bug Search tool, but I updated the device to the suggested release, which is not affected (or not detected :D).

The config of my ASR (IP 9.9.9.9):

vrf definition ASRK001
 description IKEV2-TEST
 !
 address-family ipv4
 exit-address-family
!
crypto ikev2 proposal IKEV2-AES256-CBC-SHA256
 encryption aes-cbc-256
 integrity sha256
 group 14 15 16 19 20 21 24
crypto ikev2 proposal IKEV2-AES256-CBC-SHA512
 encryption aes-cbc-256
 integrity sha512
 group 14 15 16 19 20 21 24
crypto ikev2 proposal IKEV2-AES256-GCM-SHA256
 encryption aes-gcm-256
 prf sha256
 group 14 15 16 19 20 21 24
crypto ikev2 proposal IKEV2-AES256-GCM-SHA512
 encryption aes-gcm-256
 prf sha512
 group 14 15 16 19 20 21 24
!
crypto ikev2 policy ASR-DEFAULT
 match fvrf FDVRF
 match address local 9.9.9.9
 proposal IKEV2-AES256-GCM-SHA256
 proposal IKEV2-AES256-CBC-SHA256
 proposal IKEV2-AES256-CBC-SHA512
 proposal IKEV2-AES256-GCM-SHA512
!
crypto ikev2 keyring ASRK001
 peer ASRK001
  address 1.1.1.1
  identity address 1.1.1.1
  pre-shared-key local 1234567890
  pre-shared-key remote 1234567890
 !
!
crypto ikev2 profile ASRK001
 match fvrf FDVRF
 match identity remote address 1.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local ASRK001
 ivrf ASRK001
!
crypto map CM 1 ipsec-isakmp
 set peer 1.1.1.1
 set security-association lifetime seconds 8600
 set transform-set ESP-AES256-SHA1 ESP-AES256-SHA512 ESP-AES256-SHA384 ESP-AES256-SHA256 test TESTER
 set pfs group14
 set ikev2-profile ASRK001
 match address ASRK001
 reverse-route
!
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES256-SHA384 esp-aes 256 esp-sha384-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
 mode tunnel
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec transform-set test esp-gcm 256
 mode tunnel
crypto ipsec transform-set TESTER esp-gmac 256
 mode tunnel
!
ip access-list extended ASRK001
 permit ip 192.168.0.32 0.0.0.31 host 192.168.178.1

The config of my ASA (IP 1.1.1.1):

crypto map outside_map 2 match address outside_cryptomap_7
crypto map outside_map 2 set pfs group14
crypto map outside_map 2 set peer 9.9.9.9
crypto map outside_map 2 set ikev2 ipsec-proposal TESTER
crypto map outside_map 2 set ikev2 pre-shared-key 1234567890
crypto map outside_map 2 set nat-t-disable
!
access-list outside_cryptomap_7 extended permit ip host 192.168.178.1 192.168.0.32 255.255.255.224
!
crypto ipsec ikev2 ipsec-proposal TESTER
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm aes-256 aes-192 aes 3des des aes-gmac-256 aes-gmac-192 aes-gmac
 protocol esp integrity sha-512 sha-384 sha-256 sha-1 md5
!
tunnel-group 9.9.9.9 type ipsec-l2l
tunnel-group 9.9.9.9 general-attributes
 default-group-policy VPN_ASR
tunnel-group 9.9.9.9 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 1234567890
 ikev2 local-authentication pre-shared-key 1234567890
!
group-policy VPN_ASR internal
group-policy VPN_ASR attributes
 vpn-filter value VPN_Any_Any
 vpn-tunnel-protocol ikev2
!
access-list VPN_Any_Any extended permit ip any any
!
crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 14
 prf sha512
 lifetime seconds 86400

And finally, the logging while I'm trying to establish the tunnel.

Both had debugging enabled for IKEv2 and IPsec.

ASR:

https://pastebin.com/2mHUtMwJ

ASA:

https://pastebin.com/25nGKaEY
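Added example, not part of the original post and not Cisco tooling: before chasing a NO_PROPOSAL_CHOSEN through debug output, it helps to model the transform negotiation of RFC 7296 section 3.3 against the proposals actually configured on both sides. The responder accepts an initiator proposal only if it has an acceptable transform for every transform type the proposal carries (ENCR, INTEG, PRF, D-H) and picks one transform per type; AEAD ciphers (GCM/GMAC) carry no INTEG transform, and the notify can come from IKE_SA_INIT (IKE SA) or from IKE_AUTH / CREATE_CHILD_SA (ESP child SA). The proposal sets below are transcribed from the ASR and ASA configs posted above. Two assumptions are baked in and marked in the code: IOS uses the configured integrity algorithm as the PRF when no `prf` line is present, and the ASA offers a mixed `ipsec-proposal` as an AEAD proposal without INTEG plus a non-AEAD proposal with the integrity list. Labels such as `asa-policy-5`, `TESTER/aead` and `TESTER/cbc` are names chosen here, not device identifiers.

```python
"""Model IKEv2 proposal selection (RFC 7296 s3.3) for the posted ASR/ASA configs."""
from dataclasses import dataclass, field
from typing import Optional

# Vendor spellings normalised to one vocabulary (IOS 'esp-sha-hmac' is HMAC-SHA-1).
ALIASES = {
    "aes": "aes-cbc-128", "aes-192": "aes-cbc-192", "aes-256": "aes-cbc-256",
    "aes-gcm": "aes-gcm-128", "aes-gmac": "aes-gmac-128",
    "sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512",
    "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256",
    "esp-sha384-hmac": "sha384", "esp-sha512-hmac": "sha512",
}
AEAD = {"aes-gcm-128", "aes-gcm-192", "aes-gcm-256",
        "aes-gmac-128", "aes-gmac-192", "aes-gmac-256"}
WEAK = {"des", "3des", "md5", "sha1"}  # broken or deprecated; a peer may still pick them


def norm(names):
    return [ALIASES.get(n, n) for n in names]


@dataclass
class Proposal:
    name: str
    encr: list
    integ: list = field(default_factory=list)  # empty for AEAD: no INTEG transform
    prf: list = field(default_factory=list)    # empty for ESP (child SA) proposals
    dh: list = field(default_factory=list)

    def valid(self) -> bool:
        # RFC 7296 s3.3.3: an AEAD cipher must not be paired with an INTEG transform.
        return not (any(e in AEAD for e in self.encr) and self.integ)


def select(initiator, responder) -> Optional[dict]:
    """Responder-side selection: the first initiator proposal for which the
    responder has a transform of every type wins; per type, the initiator's
    first listed transform that the responder also has is chosen."""
    for ip in initiator:
        if not ip.valid():
            continue
        for rp in responder:
            chosen = {}
            for t in ("encr", "integ", "prf", "dh"):
                a, b = getattr(ip, t), getattr(rp, t)
                if not a and not b:
                    continue        # type absent on both sides (INTEG for AEAD, PRF for ESP)
                common = [x for x in a if x in b]
                if not common:
                    break           # no agreement on this type: proposal rejected
                chosen[t] = common[0]
            else:
                return {"initiator": ip.name, "responder": rp.name, **chosen}
    return None                     # -> NO_PROPOSAL_CHOSEN


def lint(proposals):
    """Weak transforms still offered in a proposal set."""
    return sorted({x for p in proposals for x in p.encr + p.integ + p.prf if x in WEAK})


def asa_ipsec_proposal(name, encr, integ, dh):
    """ASSUMPTION: the ASA offers AEAD ciphers without INTEG and the rest with
    the configured integrity list. Modelled as two RFC-valid proposals."""
    encr = norm(encr)
    aead = [e for e in encr if e in AEAD]
    other = [e for e in encr if e not in AEAD]
    out = []
    if aead:
        out.append(Proposal(name + "/aead", aead, [], [], dh))
    if other:
        out.append(Proposal(name + "/cbc", other, norm(integ), [], dh))
    return out


DH = [14, 15, 16, 19, 20, 21, 24]
# ASR IKE proposals in 'crypto ikev2 policy ASR-DEFAULT' order.
# ASSUMPTION: IOS derives the PRF from 'integrity' when no 'prf' line is set.
ASR_IKE = [
    Proposal("IKEV2-AES256-GCM-SHA256", ["aes-gcm-256"], [], ["sha256"], DH),
    Proposal("IKEV2-AES256-CBC-SHA256", ["aes-cbc-256"], ["sha256"], ["sha256"], DH),
    Proposal("IKEV2-AES256-CBC-SHA512", ["aes-cbc-256"], ["sha512"], ["sha512"], DH),
    Proposal("IKEV2-AES256-GCM-SHA512", ["aes-gcm-256"], [], ["sha512"], DH),
]
# ASA 'crypto ikev2 policy 5': 'integrity null' means no INTEG transform.
ASA_IKE = [Proposal("asa-policy-5", ["aes-gcm-256"], [], ["sha512"], [14])]

# ASR child SA: one proposal per transform set on 'crypto map CM 1', PFS group 14.
ASR_ESP = [
    Proposal("ESP-AES256-SHA1", norm(["aes-256"]), norm(["esp-sha-hmac"]), dh=[14]),
    Proposal("ESP-AES256-SHA512", norm(["aes-256"]), norm(["esp-sha512-hmac"]), dh=[14]),
    Proposal("ESP-AES256-SHA384", norm(["aes-256"]), norm(["esp-sha384-hmac"]), dh=[14]),
    Proposal("ESP-AES256-SHA256", norm(["aes-256"]), norm(["esp-sha256-hmac"]), dh=[14]),
    Proposal("test", ["aes-gcm-256"], dh=[14]),
    Proposal("TESTER", ["aes-gmac-256"], dh=[14]),
]
# ASA 'crypto ipsec ikev2 ipsec-proposal TESTER' plus 'set pfs group14'.
ASA_ESP = asa_ipsec_proposal(
    "TESTER",
    ["aes-gcm-256", "aes-gcm-192", "aes-gcm", "aes-256", "aes-192", "aes",
     "3des", "des", "aes-gmac-256", "aes-gmac-192", "aes-gmac"],
    ["sha-512", "sha-384", "sha-256", "sha-1", "md5"], [14])

if __name__ == "__main__":
    print("IKE SA, ASA initiates:", select(ASA_IKE, ASR_IKE))
    print("IKE SA, ASR initiates:", select(ASR_IKE, ASA_IKE))
    print("ESP,    ASA initiates:", select(ASA_ESP, ASR_ESP))
    print("ESP,    ASR initiates:", select(ASR_ESP, ASA_ESP))
    print("weak transforms offered by the ASA:", lint(ASA_ESP))
```

If `select()` returns a match in both directions, the algorithm sets cannot by themselves explain a NO_PROPOSAL_CHOSEN, and the next place to look is whether the expected policy/profile is even selected for that peer (the `match fvrf` and `match address local` lines, the traffic selectors, the pre-shared keys). The `lint()` output is the separate hygiene point: "allow everything for testing" also leaves DES, 3DES, MD5 and SHA-1 on the table for a peer that prefers them.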


