Cisco ASA Support to have IKE v1 support DH Group 14

nesdishqcisco
Level 1

I am trying to establish a VPN tunnel between a Cisco ASA 5525 running version 9.8(2) and the AWS GOV cloud.

The AWS GOV cloud requires the use of IKEv1 with DH-Group 14. However this is not possible to do on the ASA with IKEv1. You can use IKEv2 with DH group 14 but AWS GOV CLOUD config file shows IKEv1 must be used.

Has anyone come across this problem with AWS GOV Cloud and the use of IKEv1 with DH group 14? 

Any help is appreciated.

Thanks,

8 Replies

nesdishqcisco
Level 1
I am also aware of this bug. Does anyone have an update if this is now supported?

https://quickview.cloudapps.cisco.com/quickview/bug/CSCuv51888

Now the fixed releases are:

201.4(10.18)
201.4(1.116)
201.1(15.136)
I cannot tell which hardware these releases are for.
Does anybody know if there will be a fixed release for 9.8(x) or 9.9(x)?

Hi,

It's long been my understanding that stronger DH groups would not be developed under IKEv1 on the ASA, with the maximum supported being DH Group 5, the reason being that they would want you to use IKEv2 instead. If they have not introduced the stronger DH groups for IKEv1 by now, I feel it is unlikely they ever will; this is my personal opinion - you may wish to check with your Cisco account manager.

There is a very recent post (06/02/19) here on AWS saying they do support IKEv2 now, perhaps this helps you now?

HTH

Yes, I saw this AWS announcement after I posted my message.

Not sure how ready AWS is, or whether it has tested IKEv2, as the configs one downloads after configuring the IPsec tunnel on AWS still only reference IKEv1.

I will need to wait until they update their configs with the required settings, for example IKEv2.

Good news that AWS now supports IKEv2 and users can use the AWS GovCloud DH Group 14, which is a minimum requirement.

Mike.Cifelli
VIP Alumni

Additional info that may be helpful while researching your requirements. I suggest moving towards IKEv2 if possible for a few of the following reasons:

Provides the ability to support asymmetric authentication which allows each peer to use different auth methods.

Allows the use of NAT-Traversal

Introduces the cookie challenge, which aids in beating DoS attempts

IKEv1 main mode takes 9 packets and aggressive mode uses 6 packets, whereas IKEv2 combines IKEv1 phase 2 info into the IKE_AUTH exchange.

Allows the use of the DH group you mentioned among others.

HTH.

We use IKEv2 for VPN tunnels, but AWS GovCloud only supported IKEv1 until Feb. 6th 2019, when it was announced that AWS site-to-site VPN tunnels now support IKEv2.

Link: https://aws.amazon.com/about-aws/whats-new/2019/02/aws-site-to-site-vpn-now-supports-ikev2/

I have been trying for 2 days now to set up an IKEv2 IPsec tunnel to AWS GovCloud and running into problems. Not sure how ready they are, since the VPN device config files one downloads from the AWS VPN tunnel dashboard for the configuration setup still only reference IKEv1.

Hi, were you able to get the tunnel with Amazon GovCloud working, either with IKEv1 or IKEv2?

john thoren
Level 1

I have not tested group 14 with IKEv1, but the ASA now suggests it's allowable:

On ASA version 9.14(3)15 and 9.16(3):
sco-asa-1/pri/act(config)# crypto map REMOTESITES 820 set pfs ?
group14 D-H Group 14 (2048-bit MODP Group)
group15 D-H Group 15 (3072-bit MODP Group) (Unsupported for IKEv1)
group16 D-H Group 16 (4096-bit MODP Group) (Unsupported for IKEv1)
group19 D-H Group 19 (NIST 256-bit ECP Group) (Unsupported for IKEv1)
group2 D-H Group 2 (1024-bit MODP Group) (DEPRECATED)
group20 D-H Group 20 (NIST 384-bit ECP Group) (Unsupported for IKEv1)
group21 D-H Group 21 (NIST 521-bit ECP Group) (Unsupported for IKEv1)
group24 D-H Group 24 (2048-bit MODP Group with 256-bit Prime Order Subgroup) (Unsupported for IKEv1) (DEPRECATED)
group5 D-H Group 5 (1536-bit MODP Group) (DEPRECATED)
<cr>

It used to be (I cannot remember which version this was, probably 9.12.x):
sco-asa-1/pri/act(config)# crypto map REMOTESITES 820 set pfs ?
group14 D-H Group 14 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1)
group5 D-H Group 5
<cr>

I hope this helps.
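A small parser for the `crypto map ... set pfs ?` help output quoted above, added here as an example (it is not code from the thread or from Cisco): it turns the "(Unsupported for IKEv1)" and "(DEPRECATED)" annotations into flags so the two builds can be compared, showing that group14 is the only group that gained IKEv1 support and the only non-deprecated IKEv1 group on the newer build. The function names and the constant names holding the two outputs are assumptions of this example.

```python
import re

# Constructed sample input: the two "crypto map ... set pfs ?" help outputs
# quoted in the thread (newer 9.14(3)15 / 9.16(3) build vs. the older build).
ASA_NEW = """\
group14 D-H Group 14 (2048-bit MODP Group)
group15 D-H Group 15 (3072-bit MODP Group) (Unsupported for IKEv1)
group16 D-H Group 16 (4096-bit MODP Group) (Unsupported for IKEv1)
group19 D-H Group 19 (NIST 256-bit ECP Group) (Unsupported for IKEv1)
group2 D-H Group 2 (1024-bit MODP Group) (DEPRECATED)
group20 D-H Group 20 (NIST 384-bit ECP Group) (Unsupported for IKEv1)
group21 D-H Group 21 (NIST 521-bit ECP Group) (Unsupported for IKEv1)
group24 D-H Group 24 (2048-bit MODP Group with 256-bit Prime Order Subgroup) (Unsupported for IKEv1) (DEPRECATED)
group5 D-H Group 5 (1536-bit MODP Group) (DEPRECATED)
<cr>
"""
ASA_OLD = """\
group14 D-H Group 14 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1)
group5 D-H Group 5
"""

# One help line: keyword, fixed "D-H Group N" text, then optional annotations.
LINE_RE = re.compile(r"^(group\d+)\s+D-H Group \d+\s*(.*)$")

def parse_pfs_help(text):
    """Return {keyword: {"ikev1": bool, "deprecated": bool}} from the help output."""
    groups = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skips the "<cr>" line and any echoed prompt
            continue
        name, notes = m.groups()
        groups[name] = {"ikev1": "Unsupported for IKEv1" not in notes,
                        "deprecated": "DEPRECATED" in notes}
    return groups

def ikev1_groups(text):
    """Groups the CLI presents as usable for IKEv1 and not deprecated, lowest number first."""
    flags = parse_pfs_help(text)
    ok = [k for k, f in flags.items() if f["ikev1"] and not f["deprecated"]]
    return sorted(ok, key=lambda k: int(k[len("group"):]))

def newly_ikev1_supported(old_text, new_text):
    """Groups that gained IKEv1 support between two builds (deprecated or not)."""
    old, new = parse_pfs_help(old_text), parse_pfs_help(new_text)
    gained = [k for k, f in new.items() if f["ikev1"] and not old.get(k, {}).get("ikev1", False)]
    return sorted(gained, key=lambda k: int(k[len("group"):]))
```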