help with setting up basic IKEv2 site to site vpn

baselzind (Level 6)

I have FMC and FTD. I had some experience with setting up an IKEv1 site-to-site VPN, as I provide the other side with the following phase 1 and phase 2 info:

Phase 1:

encryption, hash, DH group, lifetime, authentication method

Phase 2:

ESP encryption, ESP hash

But for an IKEv2 site-to-site VPN, are the steps the same? Because I found that phase 1 for IKEv2 has different parameters, like

integrity algorithm, encryption algorithm, PRF algorithm, DH group, but the same for IKEv2 phase 2 ("ESP encryption, ESP hash"). So do I ask the other side for those fields and match them so the site-to-site VPN would come up?

6 Replies

Hi @baselzind 

You still need the peer (the other side) VPN to match the same algorithms you have used for encryption, integrity, PRF, DH etc. Some of the terminology has changed: in IKEv1 it was "hashing", in IKEv2 it's "integrity".

If you are using AES-GCM then you don't need to specify the integrity algorithm, as integrity is built into GCM.

 

HTH
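As an added worked example (not from this thread and not Cisco, FMC or FTD code), here is a small Python model of what "the other side has to match" means in IKEv2: each transform type (encryption, integrity, PRF, DH group) is intersected on its own, AES-GCM policies carry "integrity null" instead of an HMAC, PFS has to be on or off on both sides, and lifetimes are left out because IKEv2 does not negotiate them (RFC 7296, section 2.8), each side simply rekeys on its own timer. Algorithm names follow the FTD/ASA CLI (aes-gcm-256, sha256, group 14); the matching logic, the class names and the sample policies are this example's own.

```python
"""Added illustration of IKEv2 proposal matching (not Cisco, FMC or FTD code).
Names follow the FTD/ASA CLI; the matching logic is this example's own."""
from __future__ import annotations
from dataclasses import dataclass, field

# Combined-mode (AEAD) ciphers authenticate their own output, so the policy
# carries "integrity null" instead of a separate HMAC.
AEAD = {"aes-gcm", "aes-gcm-192", "aes-gcm-256"}


@dataclass
class Ikev2Policy:
    """Phase 1 (IKE SA) parameters, in local preference order."""
    encryption: list[str]
    integrity: list[str]      # ["null"] when encryption is AES-GCM
    prf: list[str]
    dh_group: list[int]
    auth: str = "pre-share"   # must match too, but is a setting, not a transform


@dataclass
class Ipsec2Proposal:
    """Phase 2 (child SA / ESP) parameters."""
    esp_encryption: list[str]
    esp_integrity: list[str]
    pfs_group: list[int] = field(default_factory=list)   # empty = PFS off


def check_aead_rule(encryption: list[str], integrity: list[str]) -> None:
    """Reject a GCM proposal with a real integrity algorithm, a CBC proposal
    with integrity null, and a mix of AEAD and non-AEAD ciphers (use two proposals)."""
    aead = {e in AEAD for e in encryption}
    if len(aead) > 1:
        raise ValueError("do not mix AES-GCM and AES-CBC in one proposal")
    if aead == {True} and integrity != ["null"]:
        raise ValueError(f"{encryption}: integrity must be null, GCM authenticates itself")
    if aead == {False} and "null" in integrity:
        raise ValueError(f"{encryption}: a non-AEAD cipher needs an integrity algorithm")


def pick(local: list, peer: list):
    """First transform in our preference order that the peer also lists
    (the responder really chooses, but only from this intersection)."""
    return next((t for t in local if t in peer), None)


def negotiate_ike(local_policies: list[Ikev2Policy], peer_policies: list[Ikev2Policy]):
    """First pair of policies with a common transform of every type wins."""
    for mine in local_policies:
        check_aead_rule(mine.encryption, mine.integrity)
        for theirs in peer_policies:
            check_aead_rule(theirs.encryption, theirs.integrity)
            if mine.auth != theirs.auth:
                continue
            chosen = {
                "encryption": pick(mine.encryption, theirs.encryption),
                "integrity": pick(mine.integrity, theirs.integrity),
                "prf": pick(mine.prf, theirs.prf),
                "dh_group": pick(mine.dh_group, theirs.dh_group),
            }
            if None not in chosen.values():
                return chosen
    return None


def negotiate_ipsec(mine: Ipsec2Proposal, theirs: Ipsec2Proposal):
    """ESP transforms match the same way; PFS must be on or off on both sides,
    and when on the groups must overlap."""
    check_aead_rule(mine.esp_encryption, mine.esp_integrity)
    check_aead_rule(theirs.esp_encryption, theirs.esp_integrity)
    chosen = {
        "esp_encryption": pick(mine.esp_encryption, theirs.esp_encryption),
        "esp_integrity": pick(mine.esp_integrity, theirs.esp_integrity),
    }
    if None in chosen.values():
        return None
    if mine.pfs_group or theirs.pfs_group:
        group = pick(mine.pfs_group, theirs.pfs_group)
        if group is None:
            return None
        chosen["pfs_group"] = group
    return chosen


def ikev1_sheet_to_ikev2(encryption: str, hash_alg: str, dh_group: int,
                         auth: str = "pre-share") -> Ikev2Policy:
    """Translate the IKEv1 phase 1 sheet (encryption, hash, DH group, auth) into
    IKEv2 wording: the one IKEv1 hash becomes both integrity and PRF, and a GCM
    cipher replaces the integrity entry with null."""
    integrity = ["null"] if encryption in AEAD else [hash_alg]
    return Ikev2Policy([encryption], integrity, [hash_alg], [dh_group], auth)


if __name__ == "__main__":
    # Constructed sample: we prefer AES-GCM, the peer only offers AES-CBC + SHA-256.
    ours = [Ikev2Policy(["aes-gcm-256"], ["null"], ["sha256"], [19, 14]),
            Ikev2Policy(["aes-256"], ["sha256"], ["sha256"], [14])]
    peer = [Ikev2Policy(["aes-256"], ["sha256"], ["sha256"], [14])]
    print("GCM policy only:", negotiate_ike(ours[:1], peer))   # None
    print("with CBC fallback:", negotiate_ike(ours, peer))
    print("child SA:", negotiate_ipsec(Ipsec2Proposal(["aes-gcm-256"], ["null"], [14]),
                                       Ipsec2Proposal(["aes-gcm-256"], ["null"], [14])))
```

The useful thing to take from running it: a GCM-only policy against a peer that only offers CBC never comes up, no matter how the other fields match, so you either add a second (CBC) policy as a fallback or get the peer to add GCM; and the parameter sheet you hand the other side for IKEv2 is the IKEv1 sheet with "hash" split into integrity and PRF, minus the lifetime.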

Is AES-GCM an encryption method in IKEv2 exclusively?

 

Correct, AES-GCM is used only in IKEv2. Refer to the Cisco guide below when selecting your IKEv2 algorithms: select NGE or Acceptable and do not select Legacy or Avoid algorithms.

https://tools.cisco.com/security/center/resources/next_generation_cryptography

 

Refer to this post for an example IKEv2 VPN on FMC, using AES-GCM.

 

balaji.bandi (Hall of Fame)

You need to make a template to match both sides. Example:

I do the below for each VPN I do with clients:

Encryption:
Encryption Method:
Prefer IKEv2, support IKEv1
Encryption Suite:
Custom: Advanced:
IKE Phase 1: AES-256, SHA1
IKE Phase 2: AES-256, SHA1

Tunnel Management:
Uncheck "Set Permanent Tunnels"

VPN Tunnel Sharing:
One VPN tunnel per each pair of hosts

Advanced Settings:
Shared Secret: XXXXXXXXXXXXXXXXXX

Advanced VPN Properties:
IKE (Phase 1): DH -> Group 2 (1024 bit)
Renegotiate IKE: 1440 minutes
Uncheck "Use aggressive mode"
IPsec (Phase 2)
Check "Use Perfect Forward Secrecy"
DH -> Group 2 (1024 bit)
Renegotiate IPsec: 3600 seconds

Hope this helps you.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Is this template for IKEv1 or IKEv2?

balaji.bandi (Hall of Fame)

It's a universal template to collect information.

BB
