crypto ikev2 enable outside client-services port 443
crypto ikev1 enable outside
crypto ikev1 ipsec-over-tcp port 10000
(ERROR: Unable to configure IKEv1 on interface 'outside' as ipsec-over-tcp is enabled on port 10000, which is currently in use by another service. Please choose a different port for ipsec-over-tcp.
FRD-INT-FW1(config)# crypto ikev1 ipsec-over-tcp port 10000
ERROR: Port 10000 is already in use on the 'outside' interface and will not be added. Please choose a different port for ipsec-over-tcp.)
ssh key-exchange group dh-group1-sha1 (ERROR: % Invalid Hostname)
ssl trust-point ASDM_TrustPoint9 outside (ERROR: Trustpoint not enrolled. Please enroll trustpoint and try again.)
The RSA keypairs aren't stored in the main configuration; they are kept in private NVRAM storage. So prior to pasting a chunk of configuration involving a trustpoint, you need to do an export/import operation on it:
E.g. for certificates on the old 5520:
crypto ca export ASDM_TrustPoint5 pkcs12 YourSymmPassword
Copy the block of text.
On the new 5545-x, run
crypto ca import ASDM_TrustPoint5 pkcs12 YourSymmPassword
and paste the block, then enter quit.
I'm not sure what the IKE1 problem is; when I went from 8.2 to 9.0 I mostly switched to IKE2, and didn't get that. Does show run | include 10000 exhibit anything camping out there?
This one is stumping me; 10000 is the default port, and it's not supposed to be enabled unless you use this command. Was the output from the old 5520 or the new 5545? In this case we're primarily interested in the 5545, I think?
I don't have this in my configuration, which has both IKEv1 and IKEv2 enabled on the outside interface for assorted IPsec tunnels. However, I re-created my 9.0 crypto configuration from scratch using the ASDM wizards, except for imported trustpoints, rather than trying to migrate it. Are you actually using IPsec over TCP (protocol 6), rather than IPsec over ESP (protocol 50)? The former is common with NAT VPN clients, while the latter is more common with lan-to-lan tunnels.
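As an added example (not part of the original thread): a Python pre-flight check that scans a configuration chunk for trustpoint names and, for each one not yet enrolled on the new unit, lists the export/import pair described in the reply above. The list of commands in the regex, the sample configuration and the `<passphrase>` placeholder are assumptions made for illustration.

```python
import re

# ASA commands that name a trustpoint (assumed, non-exhaustive list).
TRUSTPOINT_REF = re.compile(
    r"^\s*(?:crypto ca trustpoint|crypto ca certificate chain|"
    r"ssl trust-point|ikev1 trust-point)\s+(\S+)"
)

def trustpoint_references(config_text):
    """Map each trustpoint name to the (line number, line) pairs that mention it."""
    refs = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = TRUSTPOINT_REF.match(line)
        if match:
            refs.setdefault(match.group(1), []).append((lineno, line.strip()))
    return refs

def preflight(config_text, enrolled_on_new_unit=()):
    """List the export/import steps to run before config_text is pasted."""
    enrolled = set(enrolled_on_new_unit)
    steps = []
    for name, lines in trustpoint_references(config_text).items():
        if name in enrolled:
            continue  # key pair and certificate are already on the new unit
        steps.append({
            "trustpoint": name,
            # The passphrase protects the exported private key; placeholder only.
            "on_old_unit": f"crypto ca export {name} pkcs12 <passphrase>",
            "on_new_unit": f"crypto ca import {name} pkcs12 <passphrase>",
            "lines": lines,
        })
    return steps

# Constructed sample chunk; the peer address is from a documentation range.
SAMPLE_CONFIG = """\
crypto ca trustpoint ASDM_TrustPoint5
crypto ikev2 enable outside client-services port 443
ssl trust-point ASDM_TrustPoint9 outside
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint5
"""

if __name__ == "__main__":
    for step in preflight(SAMPLE_CONFIG, enrolled_on_new_unit={"ASDM_TrustPoint5"}):
        print(f"{step['trustpoint']} is not enrolled on the new unit")
        print("  old unit:", step["on_old_unit"])
        print("  new unit:", step["on_new_unit"])
        for lineno, line in step["lines"]:
            print(f"  referenced at line {lineno}: {line}")
```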