How does ikev1, ikev2 relate to older ipsec/isakmp?

jimmyc_2
Level 1

I am connecting a site-to-site VPN, with one old ASA version 7.8, and one new ASA, version 8.4.

I am getting very confused about how the new nomenclature relates to the old.

Is ikev1 the same as isakmp in the commands?  Is ikev2 like the old IPSec commands?

Thanks.

6 Replies

Julio Carvajal
VIP Alumni

Hello Jimmy,

As you saw, the commands required for the configuration indeed change.

Now why is this? Well, because we now support IKEv1 and IKEv2.

The one you are using right now (as you are connecting a site to a site running 7.8) is IKEv1.

The commands you have on the ASA with 7.8 are equivalent to IKEv1.

Now when we talk about the IKEv2 protocol: It's a new protocol, an improvement

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bca116.shtml

Remember to rate all of the helpful posts.

For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
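
Added example, not part of the original posts: the same IKEv1 site-to-site tunnel written in the pre-8.4 syntax and in the 8.4 syntax, showing how the old `isakmp` keywords map to `ikev1`. The peer addresses, the ACL, crypto map and transform-set names, the policy values and `<PSK>` are assumptions chosen for illustration.

```cisco
! Added example. Names, addresses (RFC 5737 range) and <PSK> are placeholders.
! An access-list named VPN-ACL is assumed to exist on both peers.
!
! --- Older peer, pre-8.4 syntax: "isakmp" is phase 1, "ipsec" is phase 2 ---
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-ACL
crypto map OUTSIDE_MAP 10 set peer 192.0.2.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key <PSK>
!
! --- Newer peer, 8.4 syntax: same IKEv1 tunnel, keywords renamed to "ikev1" ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-ACL
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key <PSK>
```

The phase 1 policy and phase 2 transform-set values have to match on both peers; only the command keywords differ between the two releases.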

The old way of talking about the process was two phases; isakmp and IPsec.

Were both of those Ikev1?

If I have two new ASA and connect them, is Ikev1 ever used?

Would you still use the terms isakmp and IPSec?

thanks.

Hello Jimmy,

You got it. Both of them were Ikev1.

If I have two new ASA and connect them, is Ikev1 ever used? Yes, as long as you configure Ikev1 right (we now can use ikev2 as well)

Would you still use the terms isakmp and IPSec? Yes, Ikev1 is built of 2 phases:

1- Isakmp

2-Ipsec

Same thing

Julio Carvajal

So on two new ASAs, you can connect isakmp and IPsec on IKEv1, OR  connect isakmp and IPsec on Ikev2.

You would never mix Ikev1 and ikev2 on a single connection, right?

thanks.

You got it now,

You would never mix Ikev1 and ikev2 on a single connection, right?

Exactly, they can work only if both sides match (no interoperability)

Regards,

Julio


You can configure both ikev1 and ikev2. The VPN endpoints (ASAs) will decide which to use based on the policy number you give each. The lowest policy number on each ASA will win. For example, if you have ikev2 as a lower policy number than ikev1 on the same device, it will use ikev2 first, and then if that fails to connect, will use ikev1.

The peer device follows the same procedure, however, the two devices do not have to match on the policy number.  Just the lowest one on each respective device is tried first.
