How does ikev1, ikev2 relate to older ipsec/isakmp?

I am connecting a site-to-site VPN, with one old ASA, version 7.8, and one new ASA, version 8.4.

I am getting very confused about how the new nomenclature relates to the old.

Is ikev1 the same as isakmp in the commands?  Is ikev2 like the old IPSec commands?

Thanks.


How does ikev1, ikev2 relate to older ipsec/isakmp?

Hello Jimmy,

As you saw, the commands required for the configuration indeed change.

Now why is this? Well, because we now support IKEv1 and IKEv2.

The one you are using right now (as you are connecting a site to a site running 7.8) is IKEv1.

The commands you have on the ASA with 7.8 are equivalent to IKEv1.

Now when we talk about the IKEv2 protocol: It's a new protocol, an improvement

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bca116.shtml

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

How does ikev1, ikev2 relate to older ipsec/isakmp?

The old way of talking about the process was two phases; isakmp and IPsec.

Were both of those Ikev1 ?

If I have two new ASAs and connect them, is IKEv1 ever used?

Would you still use the terms isakmp and IPSec?

thanks.

How does ikev1, ikev2 relate to older ipsec/isakmp?

Hello Jimmy,

You got it. Both of them were IKEv1.

If I have two new ASAs and connect them, is IKEv1 ever used? Yes, as long as you configure IKEv1, right (we now can use IKEv2 as well).

Would you still use the terms isakmp and IPSec? Yes, IKEv1 is built of 2 phases:

1. ISAKMP

2. IPsec

Same thing.


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

How does ikev1, ikev2 relate to older ipsec/isakmp?

So on two new ASAs, you can connect isakmp and IPsec on IKEv1, OR  connect isakmp and IPsec on Ikev2.

You would never mix Ikev1 and ikev2 on a single connection, right?

thanks.

How does ikev1, ikev2 relate to older ipsec/isakmp?

You got it now,

You would never mix Ikev1 and ikev2 on a single connection, right?

Exactly, they can work only if both sides match (no interoperability).

Regards,

Julio


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: How does ikev1, ikev2 relate to older ipsec/isakmp?

You can configure both ikev1 and ikev2. The VPN endpoints (ASAs) will decide which to use based on the policy number you give each. The lowest policy number on each ASA will win. For example, if you have ikev2 as a lower policy number than ikev1 on the same device, it will use ikev2 first, and then, if that fails to connect, will use ikev1.

The peer device follows the same procedure, however, the two devices do not have to match on the policy number.  Just the lowest one on each respective device is tried first.
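
The command mapping discussed in this thread, as an added example that is not part of any post: the same site-to-site tunnel written in the older `isakmp` syntax, in the ASA 8.4 `ikev1` syntax, and with IKEv2 added to the same crypto map entry. The peer address, ACL name, map name, object names, algorithm choices and key placeholder are assumptions made for illustration.

```cisco
! Constructed sample: peer 203.0.113.2, VPN_ACL, OUTSIDE_MAP, TS-AES256 and
! PROP-AES256 are placeholders, not values from the thread.

! --- Older ASA syntax (before 8.4): "isakmp" is phase 1, "ipsec" is phase 2 ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set TS-AES256
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <PRESHARED_KEY>

! --- ASA 8.4: the same IKEv1 tunnel, with the keyword "ikev1" made explicit ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PRESHARED_KEY>

! --- ASA 8.4: IKEv2 on the same map entry (usable only if the peer runs IKEv2) ---
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal PROP-AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal PROP-AES256
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 local-authentication pre-shared-key <PRESHARED_KEY>
 ikev2 remote-authentication pre-shared-key <PRESHARED_KEY>
```

The first two sections interoperate with each other because both speak IKEv1; `show crypto ikev1 sa` and `show crypto ikev2 sa` on the 8.4 unit show which version a tunnel actually negotiated.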