cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1826
Views
10
Helpful
3
Replies

Site to Site VPN's using IKEV2

Hawk
Level 1
Level 1

Our vpn peer is migrating away from their old data center & are changing configuration requirments for any peer connecting to them.  Their requiremnets for phase 1 are now to use ikev2 which is not enabled on my outside interface.  Also they are requirning a pre-shared key authentication for phase 1 as well.  All of this seems normal but some advice would be much appreciated.  My concerns are as follows.  

 

1) can I enable ikev2 on my outside interface without disabling ikev1 or breaking existing tunnels?  I have 15 IPsec tunnels currently working on my ASA all are using ikev1.

 

2) ikev2 does not have an option to configure "authentication pre-shared key" like ikev1 does on the ASA within the ike policy.  A pre-shared key is also a phase 1 requirment for my peer & I dont see where I can configure it for phase 1 on the ASA.

 

3) my peer is requiring "aes-gcm-256 encryption" does this mean a pre-shared key is not needed on my side?

 

4) My peer's requirments do not specify an ike version for phase 2.  When I google configurations I see examples only showing phase 2 using ikev2 when using ikev1 for phase 1.  Do ike versions have to be the same for phase 1 and 2 or can I leave phase 2 to use ikev1?

 

Here is my version of ASA...

 

Hardware: ASA5545, 12288 MB RAM, CPU Lynnfield 2660 MHz, 1 CPU (8 cores)
ASA Version 9.6(4)3

3 Replies 3

Hi,
1. You can enable IKEv1 and IKEv2 on an ASA at the sametime and both will work
2. The syntax for the PSK is slightly different for IKEv2 PSK. E.g

tunnel-group 1.1.1.1 ipsec-attributes
ikev2 local-authentication pre-shared-key Cisco1234
ikev2 remote-authentication pre-shared-key Cisco1234

3. Yes you will need a PSK

4. You will need to define an IKEv2 Phase 2, an example of IKEv2 Phase 2:-

crypto ipsec ikev2 ipsec-proposal TSET
protocol esp encryption aes-gcm

mkazam001
Level 3
Level 3

1. crypto ikev2 enable outside - should not affect ikev1 tunnels

2. tunnel-group x.x.x.x ipsec-attributes
       ikev2 remote-authentication pre-shared-key
       ikev2 local-authentication pre-shared-key

3. you still need the PSK

4. you configure an IPSec VPN tunnel using either IKEv1 or v2 - config is different for both

 

the tunnel is established with Phase 1 (isakmp) first, followed by phase 2 (ipsec)

 

below is an example config so you can see where how it fits together:

access-list VPN-ACL extended permit source dest
crypto ikev2 enable outside
crypto ikev2 policy 10
encryption
integrity
group
lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption *
protocol esp integrity *
group-policy GP-1 internal
group-policy GP-1 attributes
vpn-tunnel-protocol ikev2 | ikev1
crypto map MAP-2 match address VPN-ACL
crypto map MAP-2 set peer x.x.x.x
crypto map MAP-2 set ikev2 ipsec-proposal AES256
crypto map MAP-2 interface OUTSIDE
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GP-1
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key

 

regards, mk

please rate if helpful/solved :)

Thanks for the feedback guys

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: