CISCO ASA IKEv1 upgrade

mstillante
Level 1

Good evening to you all,

I have one question for you that I don't know how to answer.

I have a Cisco ASA (I don't know more than this at the moment), as per the picture attached.

I would like to understand whether it is possible to upgrade this ASA from IKEv1 to IKEv2 and, if yes, how, and if not, why.

Please let me know if more info is needed.

Thanks very much for your help.

All the best,

/michelangelo

balaji.bandi
Hall of Fame

Not sure what the model is here, but ASA from 9.X supports IKEv2.

Here is a deployment guide for reference:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Sorry, but it's written:

It's ASAv 7.5 (2), ASA version 9.5 (2) 207,

running on Windows Server 2012 R2 6.3.

Thanks /m

If you are referring to the screenshot, that is not the ASA; that is ASDM, the management software for the ASA.

BB

Yes, but it's an ASAv and with ASA version ...

As far as I know, it's running the same software as an ASA device.

@mstillante Yes, this is possible on ASA 9.5. Here is an example of the minimum IKEv2 configuration you'll require.

Configure an IKEv2/IPSec Proposal

crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity null

Configure an IKEv2 Policy

crypto ikev2 policy 10
 encryption aes-gcm
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400

Enable IKEv2 on the outside interface

crypto ikev2 enable OUTSIDE

Enable IKEv2 protocol under the group policy

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2

Configure an IKEv2 PSK under the tunnel-group

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Enable the IKEv2/IPSec proposal under the crypto map

crypto map CMAP 1 set ikev2 ipsec-proposal AES-GCM

HTH
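
An added example, not part of the original reply and not Cisco tooling: a Python check that reads saved running-config text and reports which of the six steps listed above are still missing, for instance when some peers have been moved to IKEv2 and others have not. The sample config, the peers 192.0.2.10 and 192.0.2.20, the transform-set name ESP-AES-SHA and the function name audit are constructed for illustration, and the parser assumes sub-mode lines are indented as in ASA running-config output.

```python
import re

# Constructed sample (not from the thread): peer 192.0.2.20 still has only IKEv1 settings.
SAMPLE = """\
crypto ipsec ikev2 ipsec-proposal AES-GCM
crypto ikev2 policy 10
crypto ikev2 enable OUTSIDE
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 192.0.2.20 ipsec-attributes
 ikev1 pre-shared-key *****
crypto map CMAP 1 set ikev2 ipsec-proposal AES-GCM
crypto map CMAP 2 set ikev1 transform-set ESP-AES-SHA
"""

def audit(cfg):
    """Return findings for the six steps; an empty list means none are missing."""
    sec, cur = {}, []                  # top-level line -> its indented sub-lines
    for line in filter(str.strip, cfg.splitlines()):
        if line[0].isspace():
            cur.append(line.strip())
        else:
            cur = sec.setdefault(line.strip(), [])
    out = []
    for prefix, what in (("crypto ipsec ikev2 ipsec-proposal ", "IKEv2 IPsec proposal"),
                         ("crypto ikev2 policy ", "IKEv2 policy"),
                         ("crypto ikev2 enable ", "IKEv2 enabled on an interface")):
        if not any(h.startswith(prefix) for h in sec):
            out.append("missing: " + what)
    if not any(s.startswith("vpn-tunnel-protocol ") and "ikev2" in s.split()
               for h, v in sec.items() if h.startswith("group-policy ") for s in v):
        out.append("missing: group-policy that allows ikev2")
    proposals = {h.split()[-1] for h in sec if h.startswith("crypto ipsec ikev2 ipsec-proposal ")}
    entries = {}                       # (map name, seq) -> IKEv2 proposals set on it
    for h, v in sec.items():
        tg = re.match(r"tunnel-group (\S+) ipsec-attributes$", h)
        for side in ("remote", "local") if tg else ():
            if not any(s.startswith(f"ikev2 {side}-authentication ") for s in v):
                out.append(f"tunnel-group {tg.group(1)}: no ikev2 {side}-authentication")
        cm = re.match(r"crypto map (\S+) (\d+) set (?:ikev2 ipsec-proposal (.+))?", h)
        if cm:
            entries.setdefault(cm.group(1, 2), set()).update((cm.group(3) or "").split())
    for (name, seq), props in entries.items():
        if not props & proposals:
            out.append(f"crypto map {name} {seq}: no defined IKEv2 proposal set")
    return out
```

Calling audit(SAMPLE) lists the tunnel-group and crypto map entry for 192.0.2.20 as still lacking IKEv2 settings; a config that carries all six steps returns an empty list.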

 

Hi Rob,

Thanks very much for this. I guess this solution can work on an ASA (physical) device as well as on ASAv running on Windows Server 2012 R2 6.3, right?

@mstillante

Windows Server 2012 R2 is just the server you are using to access ASDM, the GUI to configure the ASA, not the actual ASA itself.

Those commands are for use in the CLI, not ASDM. It will work on ASA physical or ASAv.

Thanks very much for your help.

All the best,

/m