Cisco ASA 5515-X Adaptive Security Appliance - No Payload Encryption Troubleshooting Guide
Core Issue
The packet exchange in IKEv2 is radically different from what it was in IKEv1. Whereas IKEv1 had
a clearly demarcated phase 1 exchange that consisted of 6 packets, followed by a phase 2 exchange that
consisted of 3 packets, the IKEv2 exchange is variable in length. For more detailed information on the differences and
an explanation of the packet exchange, refer to IKEv2 Packet Exchange and Protocol Level Debugging.
Debugs Used
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
ASA Configurations
ASA1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 192.168.1.2 255.255.255.0
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
access-list l2l_list extended permit ip host 192.168.1.1 host 192.168.2.99
access-list l2l_list extended permit ip host 192.168.1.12 host 192.168.2.99
crypto map outside_map 1 match address l2l_list
crypto map outside_map 1 set peer 10.0.0.2
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 10.0.0.2 type ipsec-l2l
tunnel-group 10.0.0.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
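Before turning on the IKEv2 debugs, it is worth confirming that the crypto map, IPsec proposal, IKEv2 policy, tunnel-group and interface enablement on each ASA all refer to each other consistently, since a gap there fails the tunnel before any packet exchange starts. The following is an added example, not part of the original guide: a small Python checker run over a constructed copy of the ASA1 crypto configuration above (the `check_ikev2_l2l` function and its finding strings are this example's own, not an ASA feature).

```python
import re

# Constructed sample: the crypto-related part of the ASA1 configuration above.
ASA1_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
access-list l2l_list extended permit ip host 192.168.1.1 host 192.168.2.99
access-list l2l_list extended permit ip host 192.168.1.12 host 192.168.2.99
crypto map outside_map 1 match address l2l_list
crypto map outside_map 1 set peer 10.0.0.2
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map interface outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
tunnel-group 10.0.0.2 type ipsec-l2l
tunnel-group 10.0.0.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

def check_ikev2_l2l(config):
    """Return a list of consistency findings for an IKEv2 crypto-map L2L config."""
    findings = []
    proposals = set(re.findall(r"^crypto ipsec ikev2 ipsec-proposal (\S+)", config, re.M))
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    ikev2_ifaces = set(re.findall(r"^crypto ikev2 enable (\S+)", config, re.M))
    l2l_groups = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    if not re.search(r"^crypto ikev2 policy \d+", config, re.M):
        findings.append("no IKEv2 policy configured")
    # Every crypto map entry with a peer must have a matching L2L tunnel-group,
    # a defined IKEv2 IPsec proposal, a defined match ACL, and sit on an
    # interface where IKEv2 is enabled.
    for m in re.finditer(r"^crypto map (\S+) (\d+) set peer (\S+)", config, re.M):
        cmap, seq, peer = m.groups()
        prefix = rf"^crypto map {re.escape(cmap)} {seq} "
        if peer not in l2l_groups:
            findings.append(f"peer {peer}: no 'tunnel-group {peer} type ipsec-l2l'")
        prop = re.search(prefix + r"set ikev2 ipsec-proposal (\S+)", config, re.M)
        if not prop or prop.group(1) not in proposals:
            findings.append(f"{cmap} {seq}: ikev2 ipsec-proposal missing or undefined")
        acl = re.search(prefix + r"match address (\S+)", config, re.M)
        if not acl or acl.group(1) not in acls:
            findings.append(f"{cmap} {seq}: match address ACL missing or undefined")
        iface = re.search(rf"^crypto map {re.escape(cmap)} interface (\S+)", config, re.M)
        if not iface or iface.group(1) not in ikev2_ifaces:
            findings.append(f"{cmap}: not applied to an interface with IKEv2 enabled")
    return findings
```

An empty result means the local side is internally consistent; a non-empty result points at the line to fix before collecting `debug crypto ikev2 protocol 127` output.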
ASA2
interface GigabitEthernet0/1
 nameif outside
 security-level 0