Beginner

Enabling IKEv2 on outside interface

Hello,

Today we have IKEv1 enabled on an ASA 5580-X on an outside interface, and we have a bunch of IPsec tunnels that are live. We want to start testing IKEv2. My question is: what could happen if I also enable IKEv2 on that interface? Will the ASA start doing something funny to these IKEv1 tunnels, as in maybe reset them?

Anyone tried this before on a live system?

I don't have a test environment to do this separately.

Regards

 

Accepted Solution
Cisco Employee

Hi,

If you just enable it there on the interface, that will not cause a problem. It just means the protocol is enabled globally on the ASA. The other parts of the config that cause a difference in the behavior are:

1. The most important one is the set statement for the transform set used by the crypto map entry. If the map sequence has both IKEv1 and IKEv2 configured there, then it will attempt IKEv2 first, and if no luck it will fall back to IKEv1.

2. The dynamic map referencing an IKEv2 proposal.

As long as you do not reference an IKEv2 proposal on the IKEv1 tunnels, you should be fine.

Moh,
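As an added example (constructed for this thread, not taken from the answer above or from Cisco documentation), the following ASA 8.4+ style configuration shows the difference the answer describes: a production peer whose crypto map entry only sets an IKEv1 transform set stays IKEv1-only, while a test peer whose entry also sets an IKEv2 proposal will be negotiated with IKEv2 first and fall back to IKEv1. Peer addresses, ACL and object names and the pre-shared keys are placeholders.

```cisco
! Both protocols enabled on the same interface: this alone changes nothing
! for the established IKEv1 tunnels.
crypto ikev1 enable outside
crypto ikev2 enable outside

! Existing IKEv1 parameters (placeholder names and values)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! New IKEv2 parameters: defined, but only used where a map entry references them
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal PROP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Entry 10: production peer stays IKEv1-only because no ikev2 proposal is set
crypto map OUTSIDE_MAP 10 match address ACL-SITE-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA

! Entry 20: test peer opts into IKEv2; with both set statements present the
! ASA tries IKEv2 first and falls back to IKEv1 if that negotiation fails
crypto map OUTSIDE_MAP 20 match address ACL-SITE-B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev2 ipsec-proposal PROP-AES256-SHA256
crypto map OUTSIDE_MAP 20 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP interface outside

! The test peer's tunnel-group needs IKEv2 keys in addition to the IKEv1 key
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>
 ikev2 remote-authentication pre-shared-key <placeholder-psk>
 ikev2 local-authentication pre-shared-key <placeholder-psk>
```

After the change, `show crypto ikev1 sa` and `show crypto ikev2 sa` show which protocol each peer actually negotiated, so the existing tunnels can be checked for an unexpected renegotiation.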


2 Replies
VIP Mentor

Hi,
Yes, you can run IKEv1 and IKEv2 in parallel without issue. This document is for migration, but it does confirm they can run in parallel.

HTH
