ASA 8.4 changes for IPsec.
To avoid further confusion I decided to write about (hopefully) all the new things in ASA 8.4 IPsec VPN:
Of course, the first thing one notices is that there is no longer an "isakmp" keyword; it was substituted by "ikev1".
1) Your previous configuration will be automatically migrated to the new one, and upgrade notes are saved to flash:
Reading from flash... !!
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_3_2_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.3(2) "
...
Cryptochecksum (unchanged): a99898c2 d4adba0a 7a776c89 b01c73e1
The flash device is in use by another task.
Type help or '?' for a list of available commands.
bsns-asa5505-19> INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201102080820.log'
2) The parser accepts old-style configuration and changes it to the new configuration.
bsns-asa5505-19# sh run crypto
bsns-asa5505-19# conf t
bsns-asa5505-19(config)# crypto isakmp policy 10
bsns-asa5505-19(config-ikev1-policy)# authentication pre-share
bsns-asa5505-19(config-ikev1-policy)# hash sha
bsns-asa5505-19(config-ikev1-policy)# group 5
bsns-asa5505-19(config-ikev1-policy)# enc aes
bsns-asa5505-19(config-ikev1-policy)# exit
bsns-asa5505-19(config)# sh run crypto
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
3) ASA 8.4 introduces support for both IKEv1 and IKEv2 LAN-to-LAN tunnels.
tunnel-group-ipsec mode commands/options:
  pre-shared-key       Associate a pre-shared key with the connection policy
  trust-point          Select the trustpoint that identifies the cert to be sent to the IKE peer
  user-authentication  Set the IKEv1 user authentication method
bsns-asa5505-19(config-tunnel-ipsec)# ikev2 ?

tunnel-group-ipsec mode commands/options:
  local-authentication   Configure the local authentication method for IKEv2 tunnels
  remote-authentication  Configure the remote authentication method required of the remote peer for IKEv2 tunnels
7) To accommodate IKEv1 and IKEv2 as initialization methods, we had to change the crypto CLI.
Note that your previous configuration will very often have the "ikev1" keyword added.
bsns-asa5505-19(config)# crypto ipsec transform-set TRA2 esp-3des esp-sha-hmac
bsns-asa5505-19(config)# sh run crypto ipsec
crypto ipsec ikev1 transform-set TRA2 esp-3des esp-sha-hmac

bsns-asa5505-19(config)# crypto map MAP 10 set transform-set TRA2
bsns-asa5505-19(config)# sh run crypto map
crypto map MAP 10 set peer 188.8.131.52
crypto map MAP 10 set ikev1 transform-set TRA2
8) Configuring Anyconnect 3.0 remote access with IKEv2.
Anyconnect still supports and works as usual with SSL, but additionally gives you the option to configure IKEv2 as an alternative means to connect to the ASA.
If you are considering testing this and you're configuring it for the first time, please use the ASDM 6.4.x wizard to create the configuration.
You will avoid many pitfalls.
In essence the configuration didn't change much.
Certain CLIs needed to be adapted to support both IKEv1 and IKEv2.
Old CLI can still be used and it's translated on the fly to new style configuration.
ASDM 6.4 works quite well with the new CLI and is a powerful tool to deploy new configurations, especially for Anyconnect IKEv2 support.