11-08-2016 01:01 PM
I have an ASA 5520 running code 9.1(7)9. It has many L2L IPsec tunnels configured on it, using an IKEv1 policy. One of the existing tunnel endpoints is changing IP addressing, and they are moving over to a new ASR device. They are requesting IKEv2 config on the ASA to match what they will be configuring on the ASR. I have yet to do anything IKEv2, so I'm looking for guidance on what I need to do. Here is the existing tunnel that is being moved, with some proprietary info altered.
crypto map VPN 10 match address vpn-customerA
crypto map VPN 10 set pfs group5
crypto map VPN 10 set peer 10.10.10.10
crypto map VPN 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
ikev1 pre-shared-key **********
crypto ikev1 enable outside
**************************************
Here is what the remote end is proposing for the new endpoint parameters. Interesting traffic stays the same.
new endpoint address- 10.10.10.11
main mode
IKEv2
phase 1 policies
ESP-AES-192-SHA384
IKE timeout 86400
DH group- 20
phase2 policies
Lifetime- 3600 seconds
Lifetime- 4 GB
Encryption- ESP-AES-192-SHA384
PFS- group20
********************************************
First question is: do the ASA 5520s even support those settings above? It may appear they are for next-generation firewalls, but I'm not sure on that.
If they do support them, how do I configure it? And given that "crypto ikev1 enable outside" is applied to the firewall, how would I incorporate IKEv2 without disturbing all the other tunnels that are configured for IKEv1? Need guidance. Thank you
11-08-2016 06:28 PM
Hi ibmmsulli,
The 5520 supports IKEv2 with Suite B as long as you are running at least 9.0, so configuration-wise this is what you can do considering the ASR config:
ASA:
Ph1 config-
crypto ikev2 enable outside ---> you can also enable ikev2 on the outside without affecting ikev1
crypto ikev2 policy 1
encryption aes-192
integrity sha384
group 20 ---> this one does not work well on the ASA, I will try group 14 on both ends.
prf sha384
lifetime 86400 -> default
Ph2 config-
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha384
crypto map VPN 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map VPN 10 set ikev2 ipsec-proposal AES192
crypto map VPN 10 set security-association lifetime seconds 28800 ---> change to 3600
crypto map VPN 10 set security-association lifetime kilobytes 4608000
tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
peer-id-validate nocheck
ikev1 pre-shared-key **********
ikev2 remote-authentication pre-shared-key cisco321 ---> replace with the pre-shared key
ikev2 local-authentication pre-shared-key cisco123 ---> replace with the pre-shared key
Run the command sh run all group-policy and make sure you have ikev2 enabled on the vpn protocol of the DfltGrpPolicy.
If this specific tunnel is only going to run on IKEv2, I would recommend that you remove the ikev1 config in red.
In case something is not clear, you can also take a look at the following guide:
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html
Hope this info helps!!
Rate if helps you!!
-JP-
11-10-2016 06:21 AM
Thank you for that, it's very helpful. I have a few things I'm not sure of; if you would clarify, I'd appreciate it.
ikev2 remote-authentication pre-shared-key cisco321 ---> replace with the pre-shared key
ikev2 local-authentication pre-shared-key cisco123 ---> replace with the pre-shared key
I need both remote-auth and local-auth in my config?
And why doesn't "group20" work well on the ASA? Is this a known issue or something?
Also, regarding the prf sha384 command, is this a replacement for PFS or something? Not quite sure what it does. I know it stands for pseudo-random function, but I'm unclear on whether it takes the place of PFS or not. The existing tunnel has PFS enabled in the crypto map, so I need to make sure that stays in place. Thank you
11-10-2016 08:56 PM
Hi ibmmsulli,
- Yes, you need a local and a remote authentication pre-shared key.
- I did a lab with group 20 and it seems to be working fine, so you can use it without any problem.
- PRF does not have anything to do with PFS. The PRF, as you say, is the pseudo-random function that was introduced in IKEv2; this function (PRF) is used as the algorithm to derive keying material and for the hashing operations required for the IKEv2 tunnel encryption.
Hope this info helps!!
Rate if helps you!!
-JP-
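As an added check (not code from the thread or from Cisco), this script parses an ASA running-config and reports what still differs from the remote end's IKEv2 proposal, covering the points raised in both answers: ikev2 enabled on outside alongside ikev1, the IKEv2 policy, the ESP-AES-192-SHA384 ipsec-proposal, PFS staying group20 (separate from the policy's prf), and both local and remote pre-shared keys. The sample config is constructed from JP's answer with the new peer 10.10.10.11 and the IKEv1 lines removed; the crypto map name VPN and sequence 10 come from the original post.

```python
# Constructed sample: the thread's tunnel moved to the new peer 10.10.10.11, following JP's
# answer with the IKEv1 lines dropped so that this crypto map entry negotiates IKEv2 only.
SAMPLE_CONFIG = """\
crypto ikev2 enable outside
crypto ikev2 policy 1
 encryption aes-192
 integrity sha384
 group 20
 prf sha384
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha384
crypto map VPN 10 set pfs group20
crypto map VPN 10 set ikev2 ipsec-proposal AES192
tunnel-group 10.10.10.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

def parse_blocks(config):
    # Map each top-level ASA command to the list of its indented sub-commands.
    blocks, current = {}, None
    for ln in (l for l in config.splitlines() if l.strip()):
        if ln[0].isspace():
            blocks[current].append(ln.strip())
        else:
            blocks[(current := ln.strip())] = []
    return blocks

def check_ikev2_tunnel(config, cmap, seq, peer):
    # Findings for crypto map <cmap> <seq> / tunnel-group <peer> against the remote end's proposal.
    b = parse_blocks(config)
    top = {k.split(" ", 4)[4] for k in b if k.startswith(f"crypto map {cmap} {seq} ")}
    prop = next((k.split()[-1] for k in top if k.startswith("set ikev2 ipsec-proposal")), "")
    esp = set(b.get(f"crypto ipsec ikev2 ipsec-proposal {prop}", []))
    pol = [set(v) for k, v in b.items() if k.startswith("crypto ikev2 policy")]
    tg = b.get(f"tunnel-group {peer} ipsec-attributes", [])
    checks = [  # (finding, condition that must hold)
        ("IKEv2 not enabled on outside (it coexists with ikev1 there)", "crypto ikev2 enable outside" in b),
        ("PFS must stay group20; prf sha384 in the policy is not a substitute", "set pfs group20" in top),
        ("crypto map needs an IKEv2 ESP-AES-192-SHA384 ipsec-proposal",
         {"protocol esp encryption aes-192", "protocol esp integrity sha384"} <= esp),
        ("need a crypto ikev2 policy with aes-192, sha384, group 20 and prf sha384",
         any({"encryption aes-192", "integrity sha384", "group 20", "prf sha384"} <= p for p in pol)),
        ("tunnel-group needs both ikev2 local- and remote-authentication pre-shared-key",
         all(any(l.startswith(f"ikev2 {s}-authentication pre-shared-key") for l in tg) for s in ("local", "remote"))),
    ]
    return [finding for finding, ok in checks if not ok]
```

Feed it the output of show running-config for the real box; an empty list means the entry matches the ASR's proposal, and each string otherwise names one line to add or change.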