https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036577#M1109739 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/96014">@swscco001</a> you can run both IKEv1 and IKEv2 in parallel without problem in single mode, I don't see a problem either if using multi-context mode.</P> Fri, 08 Mar 2024 14:00:53 GMT Rob Ingram 2024-03-08T14:00:53Z https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036574#M1109738 <P>Hello everybody,<BR /><BR />a customer has a ASA5516-X running 9.16(4) with two contexts. He is using one<BR />context for remote access by AnyConnect with IKEv2. The other context was used<BR />just for&nbsp;IKEv1 tunnels until now.<BR /><BR />Now he need to start to convert&nbsp;IKEv1 to IKEv2 tunnels if possible. So he will<BR />have&nbsp;IKEv1 AND IKEv2 tunnels on the same context.<BR /><BR />Is there any we need to keep in mind or is there a known bug that is against this <BR />change project?<BR /><BR />Every hint is welcome!<BR /><BR />Thanks a lot and have a nice weekend!<BR /><BR /><BR /><BR />Bye<BR />R.</P> Fri, 08 Mar 2024 13:53:51 GMT https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036574#M1109738 swscco001 2024-03-08T13:53:51Z https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036577#M1109739 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/96014">@swscco001</a> you can run both IKEv1 and IKEv2 in parallel without problem in single mode, I don't see a problem either if using multi-context mode.</P> Fri, 08 Mar 2024 14:00:53 GMT https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036577#M1109739 Rob Ingram 2024-03-08T14:00:53Z https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036597#M1109740 <P>convert from IKEv1 to IKEv2,</P> <P>I.e. both protect same subnet ? if Yes then there is issue, you need to use either IKEv1 or IKEv2&nbsp;<BR /><BR /></P> <P>MHM</P> Fri, 08 Mar 2024 14:39:08 GMT https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036597#M1109740 MHM Cisco World 2024-03-08T14:39:08Z https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036621#M1109741 <P>You can run IKEv1 and IKEv2 on the same crypto map, IKEv2 would be preferred but can fail back to IKEv1.</P> Fri, 08 Mar 2024 15:17:18 GMT https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036621#M1109741 Rob Ingram 2024-03-08T15:17:18Z https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036633#M1109742 <P>I will run lab my friend and share result here.</P> <P>If you have other points to check in lab please share it</P> <P>Thanks&nbsp;</P> <P>MHM</P> Fri, 08 Mar 2024 15:48:53 GMT https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036633#M1109742 MHM Cisco World 2024-03-08T15:48:53Z https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036950#M1109754 <P>the IKEv1 have seq 5 and IKEv2 have seq 10</P> <P>the IPSec VPN is build without check IKEv2&nbsp;<BR />note:- again this in case your same LAN is protect by both IKEv1/v2</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (167).png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/212100i67E4FABF8A5D4CBD/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot (167).png" alt="Screenshot (167).png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot (168).png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/212099i3B8A0179EFA7B571/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot (168).png" alt="Screenshot (168).png" /></span></P> Sat, 09 Mar 2024 18:56:31 GMT https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5036950#M1109754 MHM Cisco World 2024-03-09T18:56:31Z https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5037102#M1109758 <P>just to add in my bit. My understanding about reading your question.</P> <P>ASA5516-X running 9.16(4) with two contexts. One context running IKEv2 anyconnect and the other context running IKEv1 tunnel. Now the customer want to migrate IKEv1 tunnel to IKEv2.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/general/asa-916-general-config/ha-contexts.html?bookSearch=true " target="_self">ASA vpn multi-context support</A> in version 9.16.x. Customer would be fine migrating from tunnel IKEv1 to IKEv2. Just tell them to do the prep-configuration prior to switchover. (having said Rob already mentioned the prefference would be IKEv2). <A href="http://tunnel-group 195.59.115.220 ipsec-attributes ikev1 pre-shared-key ***** peer-id-validate req no chain no ikev1 trust-point isakmp keepalive threshold 10 retry 2 no ikev2 remote-authentication no ikev2 local-authentication" target="_self">Swift Migration of IKEv1 to IKEv2 L2L Tunnel</A> This is an old document but still very relevent today.</P> <P>I suggest if customer or youself making these changes in change window ask your third party/remote side to switch to ikev2 as your ASA will automatially switchoff to ikev2 from ikev1. In case if this does not happens issue this command where ikev1 tunnel resides.</P> <LI-CODE lang="markup">vpn-sessiondb logoff tunnel-group 1.1.1.1 noconfirm</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sun, 10 Mar 2024 11:49:33 GMT https://community.cisco.com/t5/network-security/asa-ikev1-and-ikev2-tunnels-on-the-same-context/m-p/5037102#M1109758 Sheraz.Salim 2024-03-10T11:49:33Z