Issue
A VTI (Virtual Tunnel Interface) tunnel configured to Secure Access on a CAT8500 router shows the IPsec SA as established in show crypto ipsec sa, but the IKEv2 SA remains in the negotiation state in show crypto ikev2 sa. The tunnel interface line protocol is down, and the Secure Access side shows the connection as disconnected, so the tunnel never comes up.
Environment
- Product Family: CAT8500
- Software Version: 17.15.4c
- Technology: Secure Access Network Tunnels (IPsec, Site-to-Site)
- Tunnel Type: VTI (Virtual Tunnel Interface)
- IKE Version: IKEv2
Resolution
According to the supported IPsec parameters for Secure Access, the recommended DH groups are 19 and 20.

Proposal -
crypto ikev2 proposal csse-G256
 encryption aes-gcm-256
 prf sha256
 group 19 21        <<< needs to be changed to group 19 20
!
Keyring -
crypto ikev2 keyring csse_useast
 peer csse_virginia1
  address x.x.x.x   <<< Secure Access DC
  pre-shared-key local <removed>
  pre-shared-key remote <removed>
!
Profile - the local identity (match identity local) is missing. Its value is the tunnel ID shown in the Secure Access (CSA) UI when the network tunnel group is created.
crypto ikev2 profile csse_virginia1
 match identity remote address x.x.x.x 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local csse_useast
!
Once the DH group is changed to 19 20 and the local identity is added to the profile, the issue is fixed.
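Added example (not from this article or from Cisco): a small Python check that parses an IOS-XE style config fragment and flags the two problems the resolution describes, an IKEv2 proposal using a DH group other than 19 or 20 and an IKEv2 profile without any identity local line. The sample is the article's own pre-fix fragment with its placeholders kept; treating any line containing "identity local" as satisfying the profile check is an assumption of this script.

```python
SUPPORTED_DH_GROUPS = {19, 20}  # recommended DH groups per the Secure Access parameters above
# Constructed sample: the article's pre-fix config fragment (placeholders kept as on the page)
SAMPLE_CONFIG = """\
crypto ikev2 proposal csse-G256
 encryption aes-gcm-256
 prf sha256
 group 19 21
!
crypto ikev2 keyring csse_useast
 peer csse_virginia1
  address x.x.x.x
  pre-shared-key local <removed>
  pre-shared-key remote <removed>
!
crypto ikev2 profile csse_virginia1
 match identity remote address x.x.x.x 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local csse_useast
!
"""

def parse_blocks(config):
    """Split an IOS-XE style config into {section header: [indented body lines]}."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if not line.startswith(" "):
            current = line.strip()  # unindented line starts a new top-level section
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_ikev2(config):
    """Return one finding string per problem found (empty list when the config is clean)."""
    findings = []
    for header, body in parse_blocks(config).items():
        if header.startswith("crypto ikev2 proposal"):
            for line in body:
                if line.startswith("group "):
                    bad = sorted({int(g) for g in line.split()[1:]} - SUPPORTED_DH_GROUPS)
                    if bad:
                        findings.append(f"{header}: unsupported DH group(s) {bad}, use 19 and/or 20")
        elif header.startswith("crypto ikev2 profile"):
            # Assumption: any 'identity local' line satisfies the check (tunnel ID from the tunnel group)
            if not any("identity local" in line for line in body):
                findings.append(f"{header}: no local identity configured")
    return findings
```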
Cause
The primary cause of this issue is typically missing or incorrect local identity configuration in the IKEv2 profile. Secure Access requires specific identity parameters to properly establish the IKEv2 negotiation. Additionally, using unsupported Diffie-Hellman groups (groups other than 19 and 20) can prevent successful IKEv2 negotiation with Secure Access.