1054 Views, 0 Helpful, 3 Replies

Cisco ASA IKEV2 Requirements?

Steven Williams
Level 4

What are some of the requirements around IKEV2 on a Cisco ASA? Is it dependent on hardware? License? Code?

 

I have been trying to implement this for a bit now and can't seem to get things up and running. My site-to-site VPN skills are very "novice", so it could be that I am missing some basics here.

Here is a template I have started:

crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
exit
!
crypto ikev2 enable OUTSIDE
!
crypto ipsec ikev2 ipsec-proposal MNF_TRSET01_AES256_SHA256
protocol esp encryption aes-256
protocol esp integrity sha-1
!
object-group network MNL_INTERNAL_NETWORKS
network-object 10.81.112.0 255.255.255.0
network-object 10.81.113.0 255.255.255.0
network-object 10.81.114.0 255.255.255.0
network-object 10.81.115.0 255.255.255.0
object-group network RFC_1918
network-object 10.0.0.0 255.0.0.0
network-object 172.16.0.0 255.240.0.0
network-object 192.168.0.0 255.255.0.0
!
access-list MNF_TO_MNL_L2L extended permit ip object-group RFC_1918 object-group MNL_INTERNAL_NETWORKS
!
nat (INSIDE,OUTSIDE) source static RFC_1918 RFC_1918 destination static MNL_INTERNAL_NETWORKS MNL_INTERNAL_NETWORKS
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key **
ikev2 local-authentication pre-shared-key **
isakmp keepalive threshold 10 retry 2
exit
!
!
!
crypto map MNF_TO_MNL 1 match address MNF_TO_MNL_L2L
crypto map MNF_TO_MNL 1 set peer 1.1.1.1
crypto map MNF_TO_MNL 1 set ikev2 ipsec-proposal MNF_TRSET01_AES256_SHA256
crypto map MNF_TO_MNL interface OUTSIDE
!
!
!

So I need a route to the networks over the tunnel, since I cannot use a dynamic routing protocol over the L2L tunnel. My question is: what is the next-hop address for the route? The outside public address of the peer?

I can never get the tunnel up, and debugs show nothing. I am running a 5508-X and a 5506-X, both running code 9.8.

3 Replies

balaji.bandi
Hall of Fame

Is this a lab environment? Do you have reachability between the ASAs (1.1.1.1 in your case)? Where is the other side's ASA config?

I start with a simple tunnel configuration and build more ACLs on top of it. (Make sure you do not have overlapping subnets on both sides; if that is the case, you need to do NAT.)

BB


Yes, I have reachability and ICMP success between the outside interfaces of each ASA on each side. No overlapping, so I built a no-NAT.

I didn't include the other config because it's the same, just with the peer IP switched and the ACL and NAT switched.

Jon Marshall
Hall of Fame

You only need a route if the default route does not use the same interface you applied the crypto map to.

If you are not seeing any debug output at all, then it is either this or your traffic is not being seen as interesting traffic, e.g. it is being translated to a different IP (or IPs) before the crypto ACL is checked.

Jon
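The two conditions in Jon's reply (the remote prefix must route out the crypto-map interface, and the traffic must still match the crypto ACL after NAT) can be checked offline before touching the box. The script below is an added example, not code from the thread or from Cisco: it copies the object groups, crypto ACL and NAT exemption from the question's template and simulates the ASA's longest-prefix route lookup and its first-match NAT evaluation. The routing table, the dynamic PAT rule, the interface addresses and the sample flow are constructed for the example and are not taken from the poster's network.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Object groups and crypto ACL copied from the configuration in the question.
OBJECT_GROUPS = {
    "MNL_INTERNAL_NETWORKS": ["10.81.112.0/24", "10.81.113.0/24",
                              "10.81.114.0/24", "10.81.115.0/24"],
    "RFC_1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
# access-list MNF_TO_MNL_L2L extended permit ip object-group RFC_1918 object-group MNL_INTERNAL_NETWORKS
CRYPTO_ACL = [("RFC_1918", "MNL_INTERNAL_NETWORKS")]
CRYPTO_MAP_INTERFACE = "OUTSIDE"        # crypto map MNF_TO_MNL interface OUTSIDE


def in_group(ip, group):
    """True if ip belongs to any network-object of the named object-group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in OBJECT_GROUPS[group])


def matches_crypto_acl(src, dst):
    return any(in_group(src, s) and in_group(dst, d) for s, d in CRYPTO_ACL)


# Routing table: CONSTRUCTED for this example, not from the thread.
# (prefix, interface, next hop)
ROUTES = [
    ("0.0.0.0/0", "OUTSIDE", "203.0.113.1"),   # default route via the ISP gateway
    ("10.0.0.0/8", "INSIDE", "10.81.10.1"),    # summary route to an internal L3 switch
]


def egress_interface(dst):
    """Longest-prefix match, the way the ASA routing table picks a route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, _next_hop in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def needs_static_route(remote_network):
    """Jon's rule: the crypto map only sees traffic that leaves its own interface,
    so a static route is needed when the remote prefix currently routes elsewhere."""
    first_host = str(ipaddress.ip_network(remote_network)[1])
    return egress_interface(first_host) != CRYPTO_MAP_INTERFACE


@dataclass
class NatRule:
    src_group: str               # object-group the real source must be in, or "any"
    dst_group: str               # object-group the destination must be in, or "any"
    mapped_src: Optional[str]    # None = identity NAT (address left unchanged)


# Manual (twice) NAT rules are evaluated in order; the first match wins.
NAT_TABLE = [
    # nat (INSIDE,OUTSIDE) source static RFC_1918 RFC_1918
    #     destination static MNL_INTERNAL_NETWORKS MNL_INTERNAL_NETWORKS
    NatRule("RFC_1918", "MNL_INTERNAL_NETWORKS", None),
    # CONSTRUCTED: a typical dynamic PAT to the outside interface address
    NatRule("any", "any", "203.0.113.10"),
]


def _member(ip, group):
    return group == "any" or in_group(ip, group)


def translate_source(src, dst, nat_table=NAT_TABLE):
    """Return the post-NAT source address for a flow from src to dst."""
    for rule in nat_table:
        if _member(src, rule.src_group) and _member(dst, rule.dst_group):
            return src if rule.mapped_src is None else rule.mapped_src
    return src


def is_interesting_traffic(src, dst, nat_table=NAT_TABLE):
    """The ASA checks the crypto ACL against post-NAT addresses, so the
    exemption rule must match before any PAT rule for the flow to qualify."""
    return matches_crypto_acl(translate_source(src, dst, nat_table), dst)


if __name__ == "__main__":
    for net in OBJECT_GROUPS["MNL_INTERNAL_NETWORKS"]:
        print(net, "needs a static route via", CRYPTO_MAP_INTERFACE, ":",
              needs_static_route(net))
    flow = ("10.81.10.5", "10.81.112.7")      # constructed sample flow
    print("with NAT exemption   :", is_interesting_traffic(*flow))
    print("without NAT exemption:", is_interesting_traffic(*flow, nat_table=NAT_TABLE[1:]))
```

With the constructed 10.0.0.0/8 summary route pointing at INSIDE, every remote 10.81.11x.0/24 prefix is routed away from OUTSIDE and the crypto map never sees the packets, which produces exactly the "no debug output" symptom described in the question; a more specific static route for those prefixes out of the crypto-map interface fixes that. The second check reproduces Jon's other explanation: drop the identity NAT rule and the same flow is PATed to the outside address before the crypto ACL is evaluated, so it is no longer interesting traffic.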
