2862 Views | 0 Helpful | 3 Replies

help with IKEv2 tunnel on ASA5520

ibmmsulli
Level 1

I have an ASA 5520 running code 9.1(7)9. It has many L2L IPsec tunnels configured on it, using an IKEv1 policy. One of the existing tunnel endpoints is changing IP addressing, and they are moving over to a new ASR device. They are requesting IKEv2 config on the ASA to match what they will be configuring on the ASR. I have yet to do anything IKEv2, so I am looking for guidance on what I need to do. Here is the existing tunnel that is being moved, with some proprietary info altered.


crypto map VPN 10 match address vpn-customerA
crypto map VPN 10 set pfs group5
crypto map VPN 10 set peer 10.10.10.10
crypto map VPN 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map VPN 10 set security-association lifetime seconds 28800
crypto map VPN 10 set security-association lifetime kilobytes 4608000

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
ikev1 pre-shared-key **********

crypto ikev1 enable outside


**************************************
Here is what the remote end is proposing for the new endpoint parameters. Interesting traffic stays the same.

new endpoint address- 10.10.10.11
main mode
IKEv2

phase 1 policies
ESP-AES-192-SHA384
IKE timeout 86400
DH group- 20

phase2 policies
Lifetime- 3600 seconds
Lifetime- 4 GB
Encryption- ESP-AES-192-SHA384
PFS- group20

********************************************

First question is, do the ASA 5520s even support those settings above? It may appear they are for next-generation firewalls, but I'm not sure on that.
If they do support them, how do I configure it? And given that "crypto ikev1 enable outside" is applied to the firewall, how would I incorporate IKEv2 without disturbing all the other tunnels that are configured for IKEv1? Need guidance. Thank you.

3 Replies

JP Miranda Z
Cisco Employee

Hi ibmmsulli,

The 5520 supports IKEv2 with Suite B as long as you are running at least 9.0, so configuration-wise this is what you can do considering the ASR config:

ASA:

Ph1 config-

crypto ikev2 enable outside ---> you can also enable ikev2 on the outside without affecting ikev1

crypto ikev2 policy 1
 encryption aes-192
 integrity sha384
 group 20 ---> this one does not work well on the ASA, I will try group 14 on both ends.
 prf sha384
 lifetime seconds 86400 -> default

Ph2 config-

crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-384

crypto map VPN 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map VPN 10 set ikev2 ipsec-proposal AES192
crypto map VPN 10 set security-association lifetime seconds 28800 ---> change to 3600
crypto map VPN 10 set security-association lifetime kilobytes 4608000

tunnel-group 10.10.10.10 type ipsec-l2l
tunnel-group 10.10.10.10 ipsec-attributes
 peer-id-validate nocheck
 ikev1 pre-shared-key **********
 ikev2 remote-authentication pre-shared-key cisco321 --> replace with the preshared key
 ikev2 local-authentication pre-shared-key cisco123 --> replace with the preshared key

Run the command "sh run all group-policy" and make sure you have ikev2 enabled in the vpn-tunnel-protocol of the DfltGrpPolicy.

If this specific tunnel is only going to run on IKEv2, I would recommend you remove the ikev1 config in red.

In case something is not clear, you can also take a look at the following guide:

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html

Hope this info helps!!

Rate if helps you!!

-JP-

Thank you for that, it's very helpful. I have a few things I'm not sure of; if you would clarify, I'd appreciate it.

 ikev2 remote-authentication pre-shared-key cisco321 --> replace with the preshared key
 ikev2 local-authentication pre-shared-key cisco123 --> replace with the preshared key

Do I need both remote-auth and local-auth in my config?

And why doesn't "group20" work well on the ASA? Is this a known issue or something?

Also, regarding the "prf sha384" command, is this a replacement for PFS or something? Not quite sure what it does. I know it stands for pseudo-random function, but I am unclear on whether it takes the place of PFS or not. The existing tunnel has PFS enabled in the crypto map, so I need to make sure that stays in place. Thank you.

Hi ibmmsulli,

-Yes, you need both a local and a remote authentication pre-shared key.

-I did a lab with group 20 and it seems to be working fine, so you can use it without any problem.

-PRF does not have anything to do with PFS. The PRF, as you say, is the pseudo-random function that was introduced in IKEv2; it is used as the algorithm to derive keying material and for the hashing operations required for the IKEv2 tunnel encryption.

Hope this info helps!!

Rate if helps you!! 

-JP-
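Putting JP's two replies together, here is the full set of changes for this one tunnel as an added example; it is not configuration from the thread or from Cisco. It assumes the new peer address 10.10.10.11 given in the original post, that IKEv2 policy priority 10 is unused on this ASA, that the remote side's "4 GB" maps to 4194304 kilobytes, that the proposal name AES192-SHA384 is free, and it uses REPLACE-WITH-PSK as a placeholder for the real pre-shared key. Everything else on the ASA (crypto ikev1 enable outside, the other crypto map entries and tunnel-groups) is left untouched, which is what keeps the remaining IKEv1 tunnels working.

```cisco
! --- Phase 1: IKEv2 policy matching the ASR (AES-192 / SHA-384 / DH group 20 / 24h)
! Priority 10 is an assumption; use any unused number.
crypto ikev2 policy 10
 encryption aes-192
 integrity sha384
 group 20
 prf sha384
 lifetime seconds 86400
!
! Enabling IKEv2 on the interface is additive; IKEv1 stays enabled for the other peers.
crypto ikev2 enable outside
!
! --- Phase 2: ESP proposal (the ipsec-proposal integrity keyword is spelled with a hyphen)
crypto ipsec ikev2 ipsec-proposal AES192-SHA384
 protocol esp encryption aes-192
 protocol esp integrity sha-384
!
! --- Re-point crypto map entry 10 at the new peer. Other crypto map entries are not touched.
crypto map VPN 10 match address vpn-customerA
no crypto map VPN 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map VPN 10 set ikev2 ipsec-proposal AES192-SHA384
crypto map VPN 10 set peer 10.10.10.11
crypto map VPN 10 set pfs group20
crypto map VPN 10 set security-association lifetime seconds 3600
crypto map VPN 10 set security-association lifetime kilobytes 4194304
!
! --- Tunnel group keyed on the new peer address; the old one for 10.10.10.10 is removed.
clear configure tunnel-group 10.10.10.10
tunnel-group 10.10.10.11 type ipsec-l2l
tunnel-group 10.10.10.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-PSK
!
! --- The check JP asks for: the default group policy must allow IKEv2.
! vpn-tunnel-protocol replaces the whole list, so keep every protocol already present.
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2
!
! --- Verification once the peer brings the tunnel up
show crypto ikev2 sa
show crypto ipsec sa peer 10.10.10.11
```

Two points worth keeping apart, following JP's second reply: PFS for this tunnel is carried by "set pfs group20" in the crypto map (an extra DH exchange for each Phase 2 rekey), while "prf sha384" in the IKEv2 policy only selects the pseudo-random function IKEv2 uses to derive its keys; one does not replace the other.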