ASA Site to Site Redundant VPN's for HA running IKEV2

swharvey · ‎09-26-2013

Looking for confirmation whether 8.4.3 code (or higher) can support the ability for spoke endpoint ASA5505's to have certificate based, IKEv2 Site to Site VPN tunnels to separate ASA hub sites at separate geographical locations for high availability/DR purposes. We are able to accomplish this with IKEv1 with PSK's, configuring the peer public ip addresses of the separate ASA hubs in the crypto map (1.1.1.1 and 2.2.2.2 in the example below), but not with IKEv2 with certificates:

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto map outside_map 30 match address matchACLAdresses

crypto map outside_map 30 set pfs

crypto map outside_map 30 set connection-type originate-only

crypto map outside_map 30 set peer 1.1.1.1 2.2.2.2

crypto map outside_map 30 set ikev1 transform-set ESP-3DES-MD5

crypto map outside_map 30 set reverse-route

crypto map outside_map interface outside

crypto ikev1 enable outside

crypto ikev1 policy 20

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

deepam joshi · ‎09-26-2013

I just found a Cisco link that shows the migration overview for migrating ikev1 to ikev2 along with the current limitations of ikev2. You might be hitting the same bug.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bca116.shtml

Few interesting comments on the document is as below,

Multiple peers used for redundancy is not supported with IKEv2 on the ASA. In IKEv1, for redundancy purposes, one can have more than one peer under the same crypto map when you enter the set peer command. The first peer will be the primary and if it fails, the second peer will kick in. Refer to Cisco bug ID CSCud22276 (registered customers only) , ENH: Multiple Peers support for IKEv2.