ASA: IKEv1 AND IKEv2 tunnels on the same context?

swscco001
Level 3

Hello everybody,

A customer has an ASA5516-X running 9.16(4) with two contexts. He is using one
context for remote access by AnyConnect with IKEv2. The other context was used
just for IKEv1 tunnels until now.

Now he needs to start to convert IKEv1 to IKEv2 tunnels if possible. So he will
have IKEv1 AND IKEv2 tunnels on the same context.

Is there anything we need to keep in mind, or is there a known bug that is against this
change project?

Every hint is welcome!

Thanks a lot and have a nice weekend!



Bye
R.

1 Accepted Solution

@swscco001 you can run both IKEv1 and IKEv2 in parallel without a problem in single mode; I don't see a problem either if using multi-context mode.

6 Replies

convert from IKEv1 to IKEv2,

I.e. do both protect the same subnet? If yes, then there is an issue; you need to use either IKEv1 or IKEv2.

MHM

You can run IKEv1 and IKEv2 on the same crypto map; IKEv2 would be preferred but can fall back to IKEv1.
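The arrangement described in the reply above, sketched as ASA configuration. This is an added example, not part of any reply in this thread; the peer address, subnets, object names and pre-shared-key placeholders are constructed, and the algorithm choices are assumptions that must match what the remote side offers.

```cisco
! Added example: one crypto map entry carrying both an IKEv1 transform set
! and an IKEv2 proposal for the same peer and the same protected traffic.
! 203.0.113.10, 10.10.0.0/24 and 10.20.0.0/24 are constructed sample values.
crypto ikev1 enable outside
crypto ikev2 enable outside
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
crypto ipsec ikev1 transform-set TS-V1 esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal PROP-V2
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
access-list L2L-SITE-B extended permit ip 10.10.0.0 255.255.255.0 10.20.0.0 255.255.255.0
!
! A single sequence number holds both the IKEv1 and the IKEv2 settings.
crypto map OUTSIDE_MAP 10 match address L2L-SITE-B
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-V1
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal PROP-V2
crypto map OUTSIDE_MAP interface outside
!
! The tunnel group needs credentials for both IKE versions.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
```

After the change, `show crypto ikev1 sa`, `show crypto ikev2 sa` and `show vpn-sessiondb l2l` show which IKE version the tunnel actually negotiated.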

I will run a lab, my friend, and share the result here.

If you have other points to check in the lab, please share them.

Thanks 

MHM

IKEv1 has seq 5 and IKEv2 has seq 10.

The IPsec VPN is built without checking IKEv2.
Note: again, this is in case your same LAN is protected by both IKEv1/v2.


Just to add my bit. My understanding from reading your question:

ASA5516-X running 9.16(4) with two contexts. One context is running IKEv2 AnyConnect and the other context is running IKEv1 tunnels. Now the customer wants to migrate the IKEv1 tunnels to IKEv2.

ASA VPN multi-context is supported in version 9.16.x. The customer would be fine migrating from tunnel IKEv1 to IKEv2. Just tell them to do the prep configuration prior to switchover (having said that, Rob already mentioned the preference would be IKEv2). See "Swift Migration of IKEv1 to IKEv2 L2L Tunnel". This is an old document but still very relevant today.

I suggest that if the customer or you yourself are making these changes in a change window, you ask your third party/remote side to switch to IKEv2, as your ASA will automatically switch to IKEv2 from IKEv1. In case this does not happen, issue this command where the IKEv1 tunnel resides.

vpn-sessiondb logoff tunnel-group 1.1.1.1 noconfirm

Please do not forget to rate.