Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1127
Views
5
Helpful
2
Replies

enabling ikev2 on outside interface

Go to solution
ara.antranik1
Level 1
Level 1

‎12-21-2018 11:10 AM

hello,

 

Today we have ikev1 enabled on an asa 5580-x on an outside interface and we have a bunch of ipsec tunnels that are live. we want to start testing ikev2. my question is what could happen if i enable ikev2 also on that interface? will ASA start doing something funny to these ikev1 tunnels? as in maybe reset them ?

Anyone tried this before on a live system?

i dont have  a test environment to do this seperately.

 

Regards

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammad Alhyari
Cisco Employee
Cisco Employee

‎12-23-2018 12:57 AM

Hi ,

If you just enable it there on the interface that will not cause a problem. it just means the protocol is enabled globally on the ASA. the other part of the config that cause a difference in the behavior are:

 

1- the most important one is the set statement for the transform set used by the crypto map entry. if the map sequence has both ikev1 and ikev2 configured there then it will attempt ikev2 first if no luck it will fall back to ikev1. 

 

2- the dynamic map referencing an ikev2 proposal.

 

As long as you do not reference an ikev2 proposal on the ikev1 tunnels you should be fine.

 

Moh,

View solution in original post

2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎12-21-2018 11:32 AM - edited ‎12-21-2018 11:34 AM

Hi,
Yes, you can run ikev1 and ikev2 in parallel without issue. This document is for migration, but it does confirm they can run in parallel.

HTH

0 Helpful

Go to solution
Mohammad Alhyari
Cisco Employee
Cisco Employee

‎12-23-2018 12:57 AM

Hi ,

If you just enable it there on the interface that will not cause a problem. it just means the protocol is enabled globally on the ASA. the other part of the config that cause a difference in the behavior are:

 

1- the most important one is the set statement for the transform set used by the crypto map entry. if the map sequence has both ikev1 and ikev2 configured there then it will attempt ikev2 first if no luck it will fall back to ikev1. 

 

2- the dynamic map referencing an ikev2 proposal.

 

As long as you do not reference an ikev2 proposal on the ikev1 tunnels you should be fine.

 

Moh,

Customers Also Viewed These Support Documents