03-08-2024 05:53 AM
Hello everybody,
a customer has an ASA5516-X running 9.16(4) with two contexts. He is using one
context for remote access by AnyConnect with IKEv2. The other context was used
just for IKEv1 tunnels until now.
Now he needs to start converting IKEv1 tunnels to IKEv2 tunnels if possible. So he will
have IKEv1 AND IKEv2 tunnels on the same context.
Is there anything we need to keep in mind, or is there a known bug that is against this
change project?
Every hint is welcome!
Thanks a lot and have a nice weekend!
Bye
R.
03-08-2024 06:00 AM
@swscco001 you can run both IKEv1 and IKEv2 in parallel without a problem in single mode; I don't see a problem either if using multi-context mode.
03-08-2024 06:39 AM
Convert from IKEv1 to IKEv2,
i.e. both protect the same subnet? If yes, then there is an issue; you need to use either IKEv1 or IKEv2.
MHM
03-08-2024 07:17 AM
You can run IKEv1 and IKEv2 on the same crypto map; IKEv2 would be preferred but can fall back to IKEv1.
03-08-2024 07:48 AM
I will run a lab, my friend, and share the result here.
If you have other points to check in the lab, please share them.
Thanks
MHM
03-09-2024 10:56 AM - edited 03-09-2024 10:56 AM
IKEv1 has seq 5 and IKEv2 has seq 10.
The IPsec VPN is built without checking IKEv2.
Note: again, this is in case your same LAN is protected by both IKEv1/v2.
03-10-2024 04:49 AM
Just to add my bit. My understanding from reading your question:
ASA5516-X running 9.16(4) with two contexts. One context running IKEv2 AnyConnect and the other context running IKEv1 tunnels. Now the customer wants to migrate the IKEv1 tunnels to IKEv2.
ASA VPN multi-context is supported in version 9.16.x. The customer would be fine migrating the tunnels from IKEv1 to IKEv2. Just tell them to do the prep configuration prior to the switchover (having said that, Rob already mentioned the preference would be IKEv2). "Swift Migration of IKEv1 to IKEv2 L2L Tunnel": this is an old document but still very relevant today.
I suggest that if the customer or yourself are making these changes in a change window, you ask your third party/remote side to switch to IKEv2, as your ASA will automatically switch over to IKEv2 from IKEv1. In case this does not happen, issue this command where the IKEv1 tunnel resides.
vpn-sessiondb logoff tunnel-group 1.1.1.1 noconfirm