IPsec tunnel mode with ASR

    Hello everyone,

    I want to build an IPsec tunnel with an ASR.

    The ASR router is configured with the IPsec tunnel method (tunnel protection) because the tunnel has to be mounted from a specific VRF (so a crypto map is not possible).

    Here is the sanitized configuration of the ASR:

    hostname ASR
    vrf definition INTERCO
     address-family ipv4
      route-target export
      route-target import
    crypto ikev2 proposal aes-cbc-256-proposal
     encryption aes-cbc-256
     integrity sha512
     group 24
    crypto ikev2 policy policy_pfsense
     proposal aes-cbc-256-proposal
    crypto ikev2 keyring mykeys-pfsense
     peer pfsense
      pre-shared-key ##########
    crypto ikev2 profile pfsense
     description IKEv2 profile
     match identity remote address
     identity local address
     authentication remote pre-share
     authentication local pre-share
     keyring local mykeys-pfsense
     lifetime 3600
    crypto ikev2 dpd 10 2 on-demand
    crypto logging ikev2
    crypto ipsec transform-set ESP-AES256-SHA512 esp-aes 256 esp-sha512-hmac
     mode tunnel
    crypto ipsec profile pfsense
     set transform-set ESP-AES256-SHA512
     set ikev2-profile pfsense
    interface Loopback1
     vrf forwarding INTERCO
     ip address
    interface Tunnel100
     vrf forwarding INTERCO
     no ip address
     tunnel source GigabitEthernet2
     tunnel destination
     tunnel protection ipsec profile pfsense
    interface GigabitEthernet2
     ip address
     negotiation auto
     no mop enabled
     no mop sysid
    ip route vrf INTERCO Tunnel100
    line con 0
     stopbits 1
    line vty 0 4
     login local
     transport input ssh

    The IPsec configuration of pfSense is in tunnel IPv4 and the local network is the LAN subnet ( and the remote network is

    In debug mode on the ASR, I have the error "Failed to find a matching policy" and the IKEv2 SA is flapping between UP and DOWN...

    If I disable the IPsec Phase 2 entry on pfSense, the IKEv2 SA and the interface Tunnel100 on the ASR turn to UP.

    I think it's because of the ACL sent by pfSense with the remote network and local network, but I can't be sure of this...

    With a crypto map, we can match the IPsec traffic to an ACL, but how can we do the same thing with the tunnel profile method?

    Does anyone have an idea? (Or has anyone already had the same problem?)

    If you need more information, feel free to ask me! ;)

    Thanks to you!
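Added example (not from the post or from Cisco/pfSense): a small Python model of the RFC 7296 section 2.9 child-SA traffic-selector check, showing why a policy-based peer's subnet pair and a VTI peer's any/any selectors only agree when the responder narrows, and agree under either comparison when both sides offer 0.0.0.0/0. The subnets are constructed (the post's are sanitized), and which of the two comparisons the ASR applies is not shown by the post.

```python
import ipaddress

IPNet = ipaddress.IPv4Network

# Constructed sample selectors (the poster's real subnets are sanitized).
PF_LAN = IPNet("192.0.2.0/24")        # pfSense "local network" (its LAN)
PF_REMOTE = IPNet("198.51.100.0/24")  # pfSense "remote network" (behind the ASR)
ANY = IPNet("0.0.0.0/0")              # what a route-based (VTI) peer offers


def ts_narrow(proposed, policy):
    """Intersect one proposed selector with the responder's policy.
    For CIDR blocks the intersection is the more specific block, or None
    when the two blocks do not overlap (RFC 7296 section 2.9 narrowing)."""
    if proposed.subnet_of(policy):
        return proposed
    if policy.subnet_of(proposed):
        return policy
    return None


def negotiate(tsi, tsr, resp_remote, resp_local, narrow=True):
    """Responder-side selector check for a child SA.

    tsi, tsr    : TSi/TSr carried in the initiator's IKE_AUTH / CREATE_CHILD_SA
    resp_remote : responder's policy for the initiator's side (checked against TSi)
    resp_local  : responder's policy for its own side (checked against TSr)
    narrow      : True  -> RFC 7296 narrowing (accept the intersection)
                  False -> require exact equality, as a fixed ACL comparison does
    Returns the (TSi, TSr) pair the responder accepts, or None (TS_UNACCEPTABLE).
    """
    if not narrow:
        return (tsi, tsr) if (tsi == resp_remote and tsr == resp_local) else None
    got_i = ts_narrow(tsi, resp_remote)
    got_r = ts_narrow(tsr, resp_local)
    if got_i is None or got_r is None:
        return None
    return (got_i, got_r)


if __name__ == "__main__":
    # pfSense Phase 2 entry (LAN <-> remote) against an any/any VTI responder
    print("narrowing:", negotiate(PF_LAN, PF_REMOTE, ANY, ANY))
    print("strict   :", negotiate(PF_LAN, PF_REMOTE, ANY, ANY, narrow=False))
    # both peers route-based (0.0.0.0/0 on both sides) agree even strictly
    print("any/any  :", negotiate(ANY, ANY, ANY, ANY, narrow=False))
```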
