ASA 8.4 changes for IPsec.
Of course the first thing one notices is that there is no longer an "isakmp" keyword; it has been replaced by "ikev1".
To avoid further confusion I decided to write about (hopefully) all the new things in ASA 8.4 IPsec VPN:
1) Your previous configuration will be automatically migrated to the new one, and the upgrade notes are saved to flash:
Reading from flash...
!!
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_3_2_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.3(2) "
...
Cryptochecksum (unchanged): a99898c2 d4adba0a 7a776c89 b01c73e1
The flash device is in use by another task.
Type help or '?' for a list of available commands.
bsns-asa5505-19> INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201102080820.log'
2) The parser accepts old-style configuration and converts it to the new configuration.
bsns-asa5505-19# sh run crypto
bsns-asa5505-19# conf t
bsns-asa5505-19(config)# crypto isakmp policy 10
bsns-asa5505-19(config-ikev1-policy)# authentication pre-share
bsns-asa5505-19(config-ikev1-policy)# hash sha
bsns-asa5505-19(config-ikev1-policy)# group 5
bsns-asa5505-19(config-ikev1-policy)# enc aes
bsns-asa5505-19(config-ikev1-policy)# exit
bsns-asa5505-19(config)# sh run crypto
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
3) ASA 8.4 introduces support for both IKEv1 and IKEv2 LAN-to-LAN tunnels.
tunnel-group-ipsec mode commands/options:
  pre-shared-key       Associate a pre-shared key with the connection policy
  trust-point          Select the trustpoint that identifies the cert to be sent to the IKE peer
  user-authentication  Set the IKEv1 user authentication method
bsns-asa5505-19(config-tunnel-ipsec)# ikev2 ?

tunnel-group-ipsec mode commands/options:
  local-authentication   Configure the local authentication method for IKEv2 tunnels
  remote-authentication  Configure the remote authentication method required of the remote peer for IKEv2 tunnels
7) To accommodate IKEv1 and IKEv2 as initialization methods we had to change the crypto CLI.
Note that your previous configuration will very often have the "ikev1" keyword added.
bsns-asa5505-19(config)# crypto ipsec transform-set TRA2 esp-3des esp-sha-hmac
bsns-asa5505-19(config)# sh run crypto ipsec
crypto ipsec ikev1 transform-set TRA2 esp-3des esp-sha-hmac

bsns-asa5505-19(config)# crypto map MAP 10 set transform-set TRA2
bsns-asa5505-19(config)# sh run crypto map
crypto map MAP 10 set peer 188.8.131.52
crypto map MAP 10 set ikev1 transform-set TRA2
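The three rewrites shown in items 2) and 7) (isakmp policy, transform-set and crypto map) can be applied to a saved pre-8.4 configuration ahead of the upgrade, so the diff can be reviewed before the box does it on the fly. The script below is an added example, not Cisco's migration code; the rule table, function names and the sample config are my own and cover only the substitutions this post demonstrates.

```python
import re

# Rules for the three command changes shown in the post (assumed complete only
# for those three; other 8.4 changes are not covered here).
MIGRATION_RULES = [
    # crypto isakmp policy 10  ->  crypto ikev1 policy 10
    (re.compile(r"^(\s*)crypto isakmp policy\b"), r"\1crypto ikev1 policy"),
    # crypto ipsec transform-set TRA2 ...  ->  crypto ipsec ikev1 transform-set TRA2 ...
    (re.compile(r"^(\s*)crypto ipsec transform-set\b"), r"\1crypto ipsec ikev1 transform-set"),
    # crypto map MAP 10 set transform-set TRA2  ->  crypto map MAP 10 set ikev1 transform-set TRA2
    (re.compile(r"^(\s*crypto map \S+ \d+ set) transform-set\b"), r"\1 ikev1 transform-set"),
]

def migrate_line(line):
    """Return (new_line, changed) for one config line; "set peer" lines are untouched."""
    for pattern, repl in MIGRATION_RULES:
        new_line, n = pattern.subn(repl, line, count=1)
        if n:
            return new_line, True
    return line, False

def migrate_config(text):
    """Migrate a whole config; returns (new_text, [(old_line, new_line), ...])."""
    out, changed = [], []
    for line in text.splitlines():
        new_line, was_changed = migrate_line(line)
        out.append(new_line)
        if was_changed:
            changed.append((line.strip(), new_line.strip()))
    return "\n".join(out), changed

def old_style_lines(text):
    """Lines still in pre-8.4 syntax, i.e. the ones the ASA parser would rewrite."""
    return [line.strip() for line in text.splitlines() if migrate_line(line)[1]]

# Constructed sample in pre-8.4 syntax, mirroring the commands typed in the post.
OLD_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set TRA2 esp-3des esp-sha-hmac
crypto map MAP 10 set peer 188.8.131.52
crypto map MAP 10 set transform-set TRA2
"""

if __name__ == "__main__":
    new_text, changes = migrate_config(OLD_CONFIG)
    for old, new in changes:
        print(f"{old}  ->  {new}")
    print(new_text)
```

Running it on the real startup config before the upgrade lets you compare the expected 8.4 syntax with what ends up in "sh run crypto" afterwards; the output is idempotent, so a second pass reports no changes.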
8) Configuring AnyConnect 3.0 remote access with IKEv2.
AnyConnect still supports and works as usual with SSL, but on top of that it gives you the option to configure IKEv2 as an alternative means of connecting to the ASA.
If you are considering testing this and are configuring it for the first time, please use the ASDM 6.4.x wizard to create the configuration.
You will avoid many pitfalls.
In essence the configuration didn't change much.
Certain CLIs needed to be adapted to support both IKEv1 and IKEv2.
The old CLI can still be used and is translated on the fly to the new-style configuration.
ASDM 6.4 works quite well with the new CLI and is a powerful tool for deploying new configurations, especially for AnyConnect IKEv2 support.