WR21 IKEv2 tunnel not up

Hello,

I have to change some Cisco firewalls (ASA to FTD).

The previous configuration is an IKEv1 tunnel with XAuth.

On the FTD, it seems that the only choice is to configure IKEv2 tunnel.

I have configured another tunnel with IKEv2 to a FTD for testing but it seems that the tunnel never tries to go up.

What can I check for this issue?

Thank you

I don’t know much about this product, but it seems to me, I would start with the following:

Check the firmware version you are running on the WR21. Does it support IKE v2 and is it configured/enabled?

Try using the bash commands show ipsec sa and show ike sa to see if it is even trying.

This will tell you if the WR21 tunnel is even being triggered.

Check the local and remote subnets and that you have the correct access list/traffic selector.

show config

This should give you a good starting point to work from.

Hello

Thank you for your response.

I have updated the Digi WR21 to the latest firmware (8.6.0.4) and the problem is still here.

If the tunnel is configured in IKEv1, I can see information in the Event Log, but if I configure it in IKEv2, nothing happens: no logs, no connection attempts.

It seems that the Digi cannot be the initiator of the connection in this mode.

Thanks

As I indicated, I don’t support this product, but I did run this through an internal AI. With that said, I am getting the following:

IKEv2 may not be enabled in the profile.
From a command prompt:

ike_version 2

If that was missing, the tunnel profile exists but was never triggered.

show config

Look for the IKE version line inside the VPN profile.

Check via the CLI that IKEv2 is enabled and set to “Always initiate”:

initiate enable

Note that IKEv2 tunnels will not initiate if NAT-T and DPD are both enabled. Also make sure that the Mode is set to tunnel.

nat_traversal enable
dpd enable

debug ikev2
debug vpn

ping