06-01-2016 11:55 AM
I currently have a VPN tunnel set up but want to change some of the configurations, like making it ikev2, changing the hash to SHA512, and changing it to DH Group 14. I plan to do this in ASDM. I have already created an ikev2 tunnel group that I will place the tunnel in, and created a Crypto Map that is configured with the right ikev2 IPSec Proposal and DH Group. All the other configurations, like the Peer IP address and subnets, are configured, and I am going to work with the engineers on the other end of the tunnel to make sure our configurations match; I just want to make sure that I'm not missing anything. Has anyone ever just changed the configurations of an existing tunnel in such a way in ASDM, and did it work correctly? These are the steps I will be taking, along with the ones I've already mentioned:
- Edit the Connection Profile so that the Group Policy name is using the correct tunnel that was created for ikev2
- Enter both the Local Pre-Shared Key and the Remote Pre-Shared Key under the ikev2 tab
- Change the IKE Policy so that it is using the ikev2 policy that was created to use SHA512
- Change the IPSEC Proposal so that it is using AES256-SHA512
- THE CRYPTO MAP IS ALREADY CREATED
- Change the Perfect Forward Secrecy to group 14
06-02-2016 02:06 PM
Hello,
Let me go through your questions to clarify this:
1. If I have a Crypto Map applied to my outside interface that has an IPSec Proposal of ikev1, can I simply add an ikev2 proposal to that Crypto Map as well?
If you have a crypto map applied to your outside interface and 3 different peers with different sequence numbers, you will have to replace the IKEv1 proposal with the IKEv2 proposal for the peer that will use IKEv2; the other ones should keep using their IKEv1 IPSec proposal.
2. So can I add an ikev2 proposal with a AES256-SHA512 hash to my 123.123.123.456 tunnel group and continue to have ALL three tunnel groups still pass traffic? What if I add the ikev2 proposal, but REMOVE the ikev1 proposal from that tunnel group because I don't want that tunnel group to use any hash other than AES256-SHA512?
123.123.123.456 - ikev2 - AES256-SHA512
Let me expand on this a little. If the peer 123.123.123.456 should use IKEv2, you will need to declare IKEv2 in the tunnel group and add the pertinent local and remote PSKs. This is for phase 1, and it means it will use the IKEv2 policy defined before. The IKEv2 IPSec proposal is for phase 2, where the crypto map is; there you will need to replace the IKEv1 proposal with the IKEv2 IPSec proposal. This way it will use the IKEv2 policy you defined for phase 1 and the IKEv2 transform set for phase 2. When making this change, make sure both sides are mirrored with the IKEv2 policy and IPSec proposals; the tunnel will go down and come back up with the new proposals.
This won't affect any other tunnel, as long as you change the settings on the correct tunnel group and don't delete any proposals; just remove them from the connection profile, as those might be in use.
3. Do you see what I mean? All three tunnel groups on that outside interface will be using different crypto maps, with only two out of the three using ikev1 as an IPSec proposal. Will that work?
You can only have one crypto map applied per interface, with the 3 tunnels using different sequence numbers under the same crypto map name. You can have 2 tunnels on the same crypto map using IKEv1, and still in the same crypto map have the third tunnel using IKEv2 (a different transform set, using IKEv2). This won't cause any issues.
4. What about the group policy DfltGrpPolicy? Currently all my tunnel groups use it, but it is only configured for ikev1. I'm not really sure what its role is in all this, so can I simply add ikev2 to it?
The default group policy is added by default to all of your tunnel groups (connection profiles); every time you create one, the default group policy is inherited by it. You can change it to a group policy that you create. A group policy is a set of attributes used to define or limit something; for example, for a site-to-site tunnel you may configure a VPN filter (it filters the traffic that goes through the tunnel). Now, getting back to your point: you need to define on the default group policy the protocols that will be negotiated, whether for an L2L on IKEv1 or IKEv2, AnyConnect using SSL or IKEv2, and so on. So it is important that you add IKEv2 so the negotiation will be allowed, or else create a new group policy, add the IKEv2 protocol, and under the tunnel group add the pertinent group policy you just created.
I hope it is clarified, keep me posted!
Please proceed to rate and mark as correct this post and the previous one if it helped you!
David Castro,
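The checklist in the answer above (one crypto map per interface, a separate sequence entry per peer, the IKEv2 peer's entry carrying an IKEv2 IPSec proposal instead of the IKEv1 transform set, both IKEv2 pre-shared keys on its tunnel group, and a group policy that permits IKEv2) can be verified against the running-config rather than by eye. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses a constructed ASA configuration reflecting the scenario discussed (peer 123.123.123.456 moved to IKEv2 with AES-256/SHA-512 and PFS group 14, the other two peers still on IKEv1) and reports, per peer, what its crypto map entry can negotiate plus any checklist item that is missing. The map, proposal, and group-policy names (`outside_map`, `AES256-SHA512`, `GP_IKEV2_L2L`) and the config text itself are assumptions for illustration; the parser only understands the commands shown.

```python
# Added example, not code from the thread or from Cisco: parse a constructed ASA
# running-config (SAMPLE_CONFIG, an assumed reconstruction of the scenario above) and
# report what each crypto map entry can negotiate plus the IKEv2 checklist items.
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-SHA512
 protocol esp encryption aes-256
 protocol esp integrity sha-512
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 1 set peer 123.123.123.456
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA512
crypto map outside_map 1 set pfs group14
crypto map outside_map 2 set peer 789.489.789.123
crypto map outside_map 2 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 3 set peer 456.789.123.123
crypto map outside_map 3 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map interface outside
group-policy GP_IKEV2_L2L internal
group-policy GP_IKEV2_L2L attributes
 vpn-tunnel-protocol ikev2
tunnel-group 123.123.123.456 type ipsec-l2l
tunnel-group 123.123.123.456 general-attributes
 default-group-policy GP_IKEV2_L2L
tunnel-group 123.123.123.456 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

MAP_SET = re.compile(r"^crypto map (\S+) (\d+) set (peer|pfs|ikev1 transform-set|ikev2 ipsec-proposal) (.+)$")
MAP_IF = re.compile(r"^crypto map (\S+) interface (\S+)$")
TSET = re.compile(r"^crypto ipsec ikev1 transform-set (\S+) (.+)$")
PROPOSAL = re.compile(r"^crypto ipsec ikev2 ipsec-proposal (\S+)$")
TGROUP = re.compile(r"^tunnel-group (\S+) (?:general|ipsec)-attributes$")
GPOLICY = re.compile(r"^group-policy (\S+) attributes$")

def parse(config):
    entries = defaultdict(lambda: {"peer": None, "ikev1": [], "ikev2": [], "pfs": None})
    applied, tsets, proposals, tgroups, gpolicies = defaultdict(list), {}, {}, defaultdict(dict), defaultdict(set)
    ctx = None  # (kind, name) of the indented sub-mode block being read
    for line in config.splitlines():
        if not line.startswith(" "):
            ctx = None  # a column-0 command ends any sub-mode block
        if m := MAP_SET.match(line):
            name, seq, what, value = m.groups()
            entry = entries[(name, int(seq))]
            if what in ("peer", "pfs"):
                entry[what] = value
            else:  # 'ikev1 transform-set A B' / 'ikev2 ipsec-proposal A' may list several names
                entry[what.split()[0]].extend(value.split())
        elif m := MAP_IF.match(line):
            applied[m.group(2)].append(m.group(1))
        elif m := TSET.match(line):
            tsets[m.group(1)] = m.group(2)
        elif m := PROPOSAL.match(line):
            ctx, proposals[m.group(1)] = ("proposal", m.group(1)), {}
        elif m := TGROUP.match(line):
            ctx = ("tg", m.group(1))
        elif m := GPOLICY.match(line):
            ctx = ("gp", m.group(1))
        elif ctx and line.split():
            words = line.split()
            if ctx[0] == "proposal" and words[:2] == ["protocol", "esp"]:
                proposals[ctx[1]][words[2]] = words[3]  # encryption / integrity algorithm
            elif ctx[0] == "tg" and words[0] == "default-group-policy":
                tgroups[ctx[1]]["group_policy"] = words[1]
            elif ctx[0] == "tg" and words[0] == "ikev2" and "pre-shared-key" in words:
                tgroups[ctx[1]].setdefault("ikev2_psk", set()).add(words[1])
            elif ctx[0] == "gp" and words[0] == "vpn-tunnel-protocol":
                gpolicies[ctx[1]].update(words[1:])
    return entries, applied, tsets, proposals, tgroups, gpolicies

def summarize(config):
    entries, applied, tsets, proposals, tgroups, gpolicies = parse(config)
    peers, problems = {}, []
    for iface, maps in applied.items():
        if len(set(maps)) > 1:  # the ASA accepts a single crypto map per interface
            problems.append(f"{iface}: {sorted(set(maps))} applied, but only one crypto map is allowed per interface")
    for (_name, seq), e in sorted(entries.items()):
        versions = [v for v in ("ikev1", "ikev2") if e[v]]
        phase2 = [tsets.get(n, "?") for n in e["ikev1"]]
        for n in e["ikev2"]:
            prop = proposals.get(n, {})
            phase2.append(prop.get("encryption", "?") + "/" + prop.get("integrity", "?"))
        if "ikev2" in versions:  # checklist from the thread for the peer moved to IKEv2
            tg = tgroups.get(e["peer"], {})
            if tg.get("ikev2_psk") != {"local-authentication", "remote-authentication"}:
                problems.append(f"{e['peer']}: tunnel-group lacks the IKEv2 local and/or remote pre-shared key")
            if "ikev2" not in gpolicies.get(tg.get("group_policy", "DfltGrpPolicy"), set()):
                problems.append(f"{e['peer']}: its group policy does not allow vpn-tunnel-protocol ikev2")
        peers[e["peer"]] = {"seq": seq, "versions": versions, "phase2": phase2, "pfs": e["pfs"]}
    return peers, problems

if __name__ == "__main__":
    peers, problems = summarize(SAMPLE_CONFIG)
    print(*peers.items(), "problems: %s" % (problems or "none"), sep="\n")
```

Feed it the output of `show running-config` from a real ASA (the parser ignores every command it does not know) and the per-peer summary shows directly that entry 1 negotiates only IKEv2 with aes-256/sha-512 and PFS group14 while entries 2 and 3 keep their IKEv1 transform set, which is the mixed state the answer describes. The same run flags the two things most often forgotten when a peer is moved: a group policy (including DfltGrpPolicy) that still lists only ikev1, and a tunnel group with one of the two IKEv2 pre-shared keys missing.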
06-03-2016 09:07 AM
Hello,
Good job, you did it correctly and actually followed the best practices; that should do it. The other tunnels will keep their child SAs up and running using IKEv1 and IPSec. You may see the VPN sessions in ASDM, and it will show you in detail the L2L sessions for IKEv1 and IKEv2.
If you have any other queries let me know, please proceed to rate and mark as correct the helpful posts!
David Castro,
06-01-2016 01:18 PM
Yes, that's possible, but the ikev2 policy is global; think about this if you change things.
06-02-2016 06:27 AM
Thanks for the input, Michael. I'm a little confused as to why the ikev2 policy would be global, though? I know I could configure a global ikev2 policy on the ASA, but can't I also just configure a specific Connection Profile to use ikev2 without it affecting the Connection Profiles that are currently using ikev1?
Let's say I have three Connection profiles all using ikev1, but I want to change my 123.123.123.456 Connection Profile to ikev2:
123.123.123.456 - ikev2
789.489.789.123 - ikev1
456.789.123.123 - ikev1
If I have created a separate Group Policy and Crypto Map that only the 123.123.123.456 Connection Profile is going to use, and configure that Connection Profile to use ikev2, then won't the other two Connection Profiles still be allowed to use ikev1 even though they are all sending packets out of the same interface?
06-02-2016 11:20 AM
Hello,
You can create specific IKEv2 policies (not global) and also have your IKEv1 policies defined at the same time; where you specify whether one peer is going to use IKEv1 or IKEv2 rather than the other is in the connection profiles, known as tunnel groups.
Now remember that if you have just one outside interface, you can only apply one crypto map per interface, so use the same crypto map that you use for the IKEv1 peers; the only difference is that the IPSec proposal will be IKEv2.
Keep me posted!
Please proceed to rate and mark as correct the helpful post!
David Castro,
06-02-2016 12:09 PM
Thanks, David. So if I have a Crypto Map applied to my outside interface that has an IPSec Proposal of ikev1 can I simply add an ikev2 proposal to that Crypto Map as well? Will my tunnel groups that are using ikev1 continue to do so along with my tunnel group that is now using ikev2?
Right now I have three different tunnel groups, with three different peer addresses. All three of them are using a DIFFERENT crypto map on the SAME outside interface, and even though all the crypto maps are using ikev1, they are using different ikev1 transform sets. Technically, they are all using ESP-AES256-SHA but the 123.123.123.456 tunnel group is using additional hashes:
123.123.123.456 - ikev1 - ESP-AES256-SHA, ESP-AES-192-SHA, ESP-3DES-SHA
789.489.789.123 - ikev1 - ESP-AES256-SHA
456.789.123.123 - ikev1 - ESP-AES256-SHA
So can I add an ikev2 proposal with a AES256-SHA512 hash to my 123.123.123.456 tunnel group and continue to have ALL three tunnel groups still pass traffic? What if I add the ikev2 proposal, but REMOVE the ikev1 proposal from that tunnel group because I don't want that tunnel group to use any hash other than AES256-SHA512?:
123.123.123.456 - ikev2 - AES256-SHA512
789.489.789.123 - ikev1 - ESP-AES256-SHA
456.789.123.123 - ikev1 - ESP-AES256-SHA
Do you see what I mean? All three tunnel groups on that outside interface will be using different crypto maps, with only two out of the three using ikev1 as an IPSec proposal. Will that work? Your last answer seems to imply that it wouldn't, that I would need to have ALL three tunnel groups configured for ikev1 that are using the same interface, but that I could additionally add an ikev2 IPSec proposal to the 123.123.123.456 tunnel group.
Also, what about the group policy DfltGrpPolicy? Currently all my tunnel groups use it but it is only configured for ikev1. I'm not really sure what it's role is in all this so can I simply add ikev2 to it?
06-03-2016 08:58 AM
Thanks for all the help, David. The information you provided helped to clarify some things for me. I have made the changes to the tunnel and it is up and passing traffic.
I made the following changes in ASDM:
- I created a new Group Policy and configured it for IPSec IKEv2
- Added this Group Policy to the Tunnel Group
- Configured the Tunnel Group to use ikev2 and added both the Local and Remote Pre-Shared Keys
- Changed both the IKE Policy and the IPSec Proposal to AES-256 and SHA-512
- Changed the Crypto Map Entry in the Tunnel Group to DH Group 14
- These changes are then inherited by the Crypto Map