12-21-2018 11:10 AM
Hello,
Today we have IKEv1 enabled on an ASA 5580-x on an outside interface, and we have a bunch of IPsec tunnels that are live. We want to start testing IKEv2. My question is: what could happen if I enable IKEv2 also on that interface? Will the ASA start doing something funny to these IKEv1 tunnels, as in maybe reset them?
Anyone tried this before on a live system?
I don't have a test environment to do this separately.
Regards
12-23-2018 12:57 AM
Hi,
If you just enable it there on the interface, that will not cause a problem. It just means the protocol is enabled globally on the ASA. The other parts of the config that cause a difference in the behavior are:
1- The most important one is the set statement for the transform set used by the crypto map entry. If the map sequence has both IKEv1 and IKEv2 configured there, then it will attempt IKEv2 first; if no luck, it will fall back to IKEv1.
2- The dynamic map referencing an IKEv2 proposal.
As long as you do not reference an IKEv2 proposal on the IKEv1 tunnels, you should be fine.
Moh,
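A pre-change check for the two points in the answer above, as an added example that is not part of the original thread: it reads a saved running-config and reports, per crypto map and dynamic-map sequence, whether it references an IKEv1 transform set, an IKEv2 proposal, or both. The map names, peer addresses and proposal names in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of a saved running-config; map names and peer IPs are made up.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
crypto dynamic-map DYN_MAP 65535 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set peer 192.0.2.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 set peer 192.0.2.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
crypto ikev2 enable outside
"""

# "set" lines that tie a crypto map or dynamic-map sequence to an IKE version.
SET_RE = re.compile(r"^crypto (map|dynamic-map) (\S+) (\d+) set "
                    r"(ikev[12]) (?:transform-set|ipsec-proposal) \S")
# Lines that enable an IKE version on an interface.
ENABLE_RE = re.compile(r"^crypto (ikev[12]) enable (\S+)")

def parse(config_text):
    """Return (interfaces per enabled IKE version, IKE versions per map sequence)."""
    enabled = defaultdict(set)   # "ikev2" -> {"outside"}
    entries = defaultdict(set)   # ("map", "OUTSIDE_MAP", 20) -> {"ikev1", "ikev2"}
    for line in config_text.splitlines():
        line = line.strip()
        if m := ENABLE_RE.match(line):
            enabled[m.group(1)].add(m.group(2))
        elif m := SET_RE.match(line):
            kind, name, seq, version = m.groups()
            entries[(kind, name, int(seq))].add(version)
    return enabled, entries

def classify(config_text):
    """Label each sequence 'ikev1-only', 'ikev2-only' or 'both'."""
    _, entries = parse(config_text)
    return {key: "both" if len(v) == 2 else f"{next(iter(v))}-only"
            for key, v in sorted(entries.items())}

if __name__ == "__main__":
    enabled, _ = parse(SAMPLE_CONFIG)
    print("IKEv2 enabled on:", sorted(enabled["ikev2"]) or "no interface")
    for (kind, name, seq), label in classify(SAMPLE_CONFIG).items():
        print(f"{kind} {name} {seq}: {label}")
```

Sequences labelled `both` are the ones the answer says will attempt IKEv2 first and fall back to IKEv1; `ikev1-only` sequences reference no IKEv2 proposal.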
12-21-2018 11:32 AM - edited 12-21-2018 11:34 AM
Hi,
Yes, you can run IKEv1 and IKEv2 in parallel without issue. This document is for migration, but it does confirm they can run in parallel.
HTH