Posts

Showing posts from January, 2020

ASA IKEv2 routed based L2L VPN

Supported from 9.7.1.

1. Create Phase I policy
  crypto ikev2 policy 10
   encryption aes-256
   integrity sha256
   group 14
   prf sha256
   lifetime seconds 86400

2. Enable IKEv2 on the outside interface
  crypto ikev2 enable outside

3. Create Phase II proposal
  crypto ipsec ikev2 ipsec-proposal AES256-SHA256
   protocol esp encryption aes-256
   protocol esp integrity sha-256

4. Create IPsec profile
  crypto ipsec profile P2-AES256-SHA256-G14
   set ikev2 ipsec-proposal AES256-SHA256
   set pfs group14

5. Create tunnel interface
  interface Tunnel1
   nameif vpn1
   ip address 169.254.254.253 255.255.255.252
   tunnel source interface outside
   tunnel destination 203.0.113.2
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile P2-AES256-SHA256-G14

6. Create tunnel-group
  tunnel-group 203.0.113.2 type ipsec-l2l
  tunnel-group 203.0.113.2 ipsec-attributes
   ikev2 remote-authentication pre-shared-key Cisco123
   ikev2 local-authentication pre-shared-key Cisco123

7. Add static route

ASA IKEv2 L2L Policy-Based VPN

1. Create Phase I policy
  crypto ikev2 policy 10
   encryption aes-256
   integrity sha256
   group 14
   prf sha256
   lifetime seconds 86400

2. Enable IKEv2 on the outside interface
  crypto ikev2 enable outside

3. Create objects for the local and remote protected networks
  object network LOCAL-NET-192.168.1.0_24
   subnet 192.168.1.0 255.255.255.0
  object network REMOTE-NET-192.168.2.0_24
   subnet 192.168.2.0 255.255.255.0

4. Create VPN-ACL
  access-list VPN-ACL extended permit ip object LOCAL-NET-192.168.1.0_24 object REMOTE-NET-192.168.2.0_24

5. Create NAT exemption
  nat (inside,outside) source static LOCAL-NET-192.168.1.0_24 LOCAL-NET-192.168.1.0_24 destination static REMOTE-NET-192.168.2.0_24 REMOTE-NET-192.168.2.0_24 no-proxy-arp route-lookup

6. Create Phase II proposal
  crypto ipsec ikev2 ipsec-proposal AES256-SHA256
   protocol esp encryption aes-256
   protocol esp integrity sha-256

7. Create crypto map; PFS is optional, and on newer versions the lifetime is 28800 s

IKE keepalive - DPD

IKEv1 Dead Peer Detection (DPD) is a method for detecting unreachable Internet Key Exchange (IKE) peers. The RFC describes the DPD negotiation procedure and two new ISAKMP NOTIFY messages. Specifically, DPD is negotiated via an exchange of the DPD ISAKMP Vendor ID payload, which is sent in ISAKMP Main Mode (MM) messages 3 and 4 or Aggressive Mode (AM) messages 1 and 2. DPD requests are sent as ISAKMP R-U-THERE messages and DPD responses as ISAKMP R-U-THERE-ACK messages.

The ASA supports "semi-periodic" DPD only, i.e. it sends an R-U-THERE message to a peer only if the peer has been idle for    seconds. The ASA may have nothing to send to the peer, but DPD is still sent if the peer is idle. If the VPN session is completely idle, R-U-THERE messages are sent every    seconds. If traffic is coming in from the peer, R-U-THERE messages are not sent. If the peer doesn't respond with an R-U-THERE-ACK, the ASA starts retransmitting R-U-THERE messages every    seconds with a maximum of th

VPN and NAT-T

With NAT-T, when the peers detect a NAT device in between, communication switches to UDP/4500 starting from Phase 1 packet 5; this covers Phase 1 packets 5 and 6, the three Phase 2 Quick Mode packets, and ESP. ESP can traverse a NAT device if the NAT is static. In the following setup, NAT-T needs to be disabled even though a NAT device sits in between. R10 has the following NAT configuration; note that it has a static NAT entry for ESP:

  ip nat inside source static esp 10.0.0.2 interface Ethernet0/1
  ip nat inside source static udp 10.0.0.2 500 interface Ethernet0/1 500

In this case NAT-T won't work because UDP/4500 has no NAT translation configured on the router, so we need to disable NAT-T on ASAv1 to make it ignore NAT detection for this peer. The NAT-T setting on ASAv2 doesn't matter because ASAv1 is not behind a NAT device.

  ASAv1# sh run crypto map
  crypto map MAP 10 match address VPN
  crypto map MAP 10 set pfs
  crypto map MAP 10 set peer 203.0.113.2
  crypto map MAP 10 set ikev1 transform-set TRANSFORM
  crypto map MAP 10 set nat-t-disable

IKEv1 TS 3 - Phase2 mismatch

Phase 2 parameter (encryption, hash or PFS) mismatch

Initiator

Buffer log (a few other mismatches produce the same error messages on the initiator side):

  Jan 20 2020 15:57:07: %ASA-3-713902: Group = 10.0.0.2, IP = 10.0.0.2, Removing peer from correlator table failed, no match!
  Jan 20 2020 15:57:07: %ASA-4-113019: Group = 10.0.0.2, Username = 10.0.0.2, IP = 10.0.0.2, Session disconnected. Session Type: LAN-to-LAN, Duration: 0h:00m:00s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
  Jan 20 2020 15:57:07: %ASA-4-752012: IKEv1 was unsuccessful at setting up a tunnel.  Map Tag = MAP.  Map Sequence Number = 10.
  Jan 20 2020 15:57:07: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= MAP.  Map Sequence Number = 10.

ISAKMP status:

  ASAv1# sh crypto isakmp sa
  There are no IKEv1 SAs
  There are no IKEv2 SAs

Debug:

  ASAv1# debug crypto ikev1 200
  ASAv1# Jan 20 16:05:12 [IKEv1 DEBUG]Pitch