11-08-2018 01:23 PM
Our VPN peer is migrating away from their old data center and is changing the configuration requirements for any peer connecting to them. Their requirements for phase 1 are now to use IKEv2, which is not enabled on my outside interface. They are also requiring pre-shared key authentication for phase 1. All of this seems normal, but some advice would be much appreciated. My concerns are as follows.
1) Can I enable IKEv2 on my outside interface without disabling IKEv1 or breaking existing tunnels? I have 15 IPsec tunnels currently working on my ASA; all are using IKEv1.
2) IKEv2 does not have an option to configure "authentication pre-shared key" like IKEv1 does on the ASA within the IKE policy. A pre-shared key is also a phase 1 requirement for my peer, and I don't see where I can configure it for phase 1 on the ASA.
3) My peer is requiring "aes-gcm-256 encryption"; does this mean a pre-shared key is not needed on my side?
4) My peer's requirements do not specify an IKE version for phase 2. When I google configurations, I only see examples showing phase 2 using IKEv2 when IKEv1 is used for phase 1. Do IKE versions have to be the same for phase 1 and 2, or can I leave phase 2 using IKEv1?
Here is my version of ASA...
Hardware: ASA5545, 12288 MB RAM, CPU Lynnfield 2660 MHz, 1 CPU (8 cores)
ASA Version 9.6(4)3
11-08-2018 01:32 PM
11-08-2018 01:34 PM
1. crypto ikev2 enable outside - should not affect IKEv1 tunnels
2. tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
3. You still need the PSK.
4. You configure an IPsec VPN tunnel using either IKEv1 or IKEv2; the config is different for both.
The tunnel is established with phase 1 (ISAKMP) first, followed by phase 2 (IPsec).
Below is an example config so you can see how it fits together:
! placeholders in <angle brackets> are values you take from your own network / the peer's requirements
access-list VPN-ACL extended permit ip <local-subnet> <mask> <remote-subnet> <mask>
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption <per peer>
 integrity <per peer>
 group <per peer>
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption <per peer>
 protocol esp integrity <per peer>
group-policy GP-1 internal
group-policy GP-1 attributes
 vpn-tunnel-protocol ikev2
! (use "vpn-tunnel-protocol ikev1 ikev2" if the same group policy also serves IKEv1 peers)
! crypto map entries need a sequence number; the interface name must match the nameif exactly
crypto map MAP-2 10 match address VPN-ACL
crypto map MAP-2 10 set peer x.x.x.x
crypto map MAP-2 10 set ikev2 ipsec-proposal AES256
crypto map MAP-2 interface outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GP-1
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key <key>
 ikev2 local-authentication pre-shared-key <key>
regards, mk
please rate if helpful/solved :)
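An added example, not from this thread and not a Cisco tool: a small Python checker that parses a constructed ASA running-config in which an existing IKEv1 peer and a new IKEv2 peer share one crypto map, and verifies the two points above before the change is pushed: that each IKE version a crypto map entry relies on is actually enabled on the interface the map is bound to, and that the IKEv2 peer's tunnel-group carries both the remote- and local-authentication pre-shared-key lines. Every address, name and key in the sample config is a placeholder I made up; nothing here is a real device.

```python
"""Consistency check for IKEv1/IKEv2 coexistence on an ASA crypto map (constructed example)."""
import re

# Constructed sample running-config (not from the thread, not a real device):
# an existing IKEv1 peer (seq 10) next to a new IKEv2 peer (seq 20) on one crypto map.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev1 transform-set TS-AES256 esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map MAP-OUT 10 match address VPN-OLD-ACL
crypto map MAP-OUT 10 set peer 198.51.100.10
crypto map MAP-OUT 10 set ikev1 transform-set TS-AES256
crypto map MAP-OUT 20 match address VPN-NEW-ACL
crypto map MAP-OUT 20 set peer 203.0.113.20
crypto map MAP-OUT 20 set ikev2 ipsec-proposal AES256
crypto map MAP-OUT interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-OLD-PSK
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-NEW-PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER-NEW-PSK
"""

# Only the crypto map sub-commands this check cares about.
ENTRY_RE = re.compile(
    r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set|set ikev2 ipsec-proposal) (\S+)$"
)


def parse_config(text):
    """Pull out enabled IKE versions, crypto map entries, map bindings and tunnel-group PSK lines."""
    enabled, entries, map_iface, tg_attrs = {}, {}, {}, {}
    current_tg = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            current_tg = None  # any top-level command ends the ipsec-attributes sub-mode
        if indented and current_tg is not None:
            # keep the command words, drop the trailing key value itself
            tg_attrs[current_tg].add(" ".join(line.split()[:-1]))
            continue
        m = re.match(r"crypto (ikev[12]) enable (\S+)$", line)
        if m:
            enabled.setdefault(m.group(2), set()).add(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault((m.group(1), int(m.group(2))), {})[m.group(3)] = m.group(4)
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            map_iface[m.group(1)] = m.group(2)
            continue
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            current_tg = m.group(1)
            tg_attrs.setdefault(current_tg, set())
    return enabled, entries, map_iface, tg_attrs


def check_config(text):
    """Return a list of findings; an empty list means every crypto map entry is consistent."""
    enabled, entries, map_iface, tg_attrs = parse_config(text)
    findings = []
    for (cmap, seq), e in sorted(entries.items()):
        where = f"crypto map {cmap} {seq}"
        peer = e.get("set peer")
        if peer is None or "match address" not in e:
            findings.append(f"{where}: missing set peer or match address")
            continue
        iface = map_iface.get(cmap)
        if iface is None:
            findings.append(f"{where}: map {cmap} is not bound to an interface")
            continue
        attrs = tg_attrs.get(peer, set())
        if "set ikev1 transform-set" in e:
            if "ikev1" not in enabled.get(iface, set()):
                findings.append(f"{where}: ikev1 not enabled on {iface}")
            if "ikev1 pre-shared-key" not in attrs:
                findings.append(f"{where}: tunnel-group {peer} lacks ikev1 pre-shared-key")
        if "set ikev2 ipsec-proposal" in e:
            if "ikev2" not in enabled.get(iface, set()):
                findings.append(f"{where}: ikev2 not enabled on {iface}")
            # IKEv2 on the ASA needs both directions of PSK authentication on the tunnel-group
            for side in ("remote", "local"):
                if f"ikev2 {side}-authentication pre-shared-key" not in attrs:
                    findings.append(f"{where}: tunnel-group {peer} lacks ikev2 {side}-authentication pre-shared-key")
        if not any(k in e for k in ("set ikev1 transform-set", "set ikev2 ipsec-proposal")):
            findings.append(f"{where}: no ikev1 transform-set or ikev2 ipsec-proposal")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["OK: all crypto map entries consistent"]:
        print(line)
```

Running it against the sample prints OK; deleting the `crypto ikev2 enable outside` line or one of the two `ikev2 ...-authentication pre-shared-key` lines makes it report exactly which crypto map entry and tunnel-group is affected, while the IKEv1 entry on the same map is untouched, which is the point of question 1.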
11-08-2018 01:44 PM
Thanks for the feedback guys