426 Views | 0 Helpful | 1 Replies

ASA ikev2 site to site vpn peers and Phase config

aconticisco
Level 2

Hi,


AWS requires 2 peers to be set up for redundancy; is this not possible to achieve with IKEv2?


Should Phase 1 and Phase 2 encryption/hashing/DH group match? I am seeing no return packets (decaps=0), so I wonder if this has to do with Phase 1 picking a lower-security config due to the ASA drop-down approach (first match).


Thanks

1 Reply

Hi @aconticisco 

The Phase 1 settings on your ASA must match the AWS peer's Phase 1 settings, and the Phase 2 settings on your ASA must match the AWS peer's Phase 2 settings. If you meant whether, locally on each device, the Phase 1 and Phase 2 settings need to be identical to each other, then no, they do not. The IKEv2 SA (Phase 1/INIT) and the IPsec SA (Phase 2/AUTH) are separate tunnels, each negotiated with the ciphers defined for it.


If you are seeing the encaps counter increase but no decaps, then it's possibly an issue on the AWS side; perhaps the return traffic is being NATted or is not being routed into the VPN tunnel.

HTH
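To make the reply's point concrete, below is an added ASA IKEv2 configuration sketch (not from the thread, and not AWS's generated config) showing that the Phase 1 policy (`crypto ikev2 policy`) and the Phase 2 proposal (`crypto ipsec ikev2 ipsec-proposal`) are defined independently, each only needing to match what the remote peer offers for that phase. The peer address 203.0.113.10, the ACL and map names, and the PSK are constructed placeholders; the interface name `outside` is assumed. The `show` commands at the end are the usual way to read the encaps/decaps counters the original poster mentions.

```text
! Phase 1: IKEv2 SA. Must match the peer's IKE proposal, not the IPsec proposal below.
! Lower-numbered policies are tried first, so list the strongest acceptable set first.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
crypto ikev2 enable outside

! Phase 2: IPsec (child) SA. Must match the peer's IPsec proposal; may differ from Phase 1.
crypto ipsec ikev2 ipsec-proposal AWS-PROP
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic (placeholder subnets) and the crypto map entry binding it to the peer.
access-list AWS-VPN-ACL extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address AWS-VPN-ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AWS-PROP
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside

! Peer authentication (placeholder PSK; use a distinct strong key per peer).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key EXAMPLE-PSK-PLACEHOLDER
 ikev2 local-authentication pre-shared-key EXAMPLE-PSK-PLACEHOLDER

! Verification: Phase 1 state, then Phase 2 counters for this peer.
! "#pkts encaps" rising while "#pkts decaps" stays 0 means we send but never receive
! protected traffic, which points at routing/NAT of the return path rather than at
! a cipher mismatch (a mismatch would keep the SA from coming up at all).
show crypto ikev2 sa
show crypto ipsec sa peer 203.0.113.10
```

A quick way to separate the two failure modes while troubleshooting: if `show crypto ikev2 sa` shows no SA, or the IPsec SA is missing from `show crypto ipsec sa peer`, look at proposal mismatch (`debug crypto ikev2 protocol` on the ASA); if both SAs are up and only decaps is 0, the ciphers are fine and the problem is on the return path, as the reply describes.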