IKEv1 to IKEv2 Migration



I have been searching for information relating to migrating from IKEv1 to IKEv2. We use DMVPN with IKEv1/PSK and would like to transition to IKEv2/PKI. We are creating a second tunnel that will be configured with IKEv2/PSK so that we can do CA enrollments. It will not be used for traffic. The problem I am running into is that IKEv1 is not compatible with IKEv2. So, when it comes time to apply the IKEv2 IPSec profile to the current IKEv1 tunnel, there will be connectivity issues. What would be the best way to accomplish this with the least amount of connectivity issues? If an answer can't be provided, could you please point me in the direction of some material that may help? I was thinking we may need a third tunnel that is configured for IKEv2/PKI that will carry traffic. We have one main hub and approximately 250 spokes.

VIP Mentor

You are on the right track, you need to reference the IKEv2 Profile in the IPSec Profile, which is already in use. Setting up a new IKEv2/IPSec Profile and an additional tunnel interface would give you a migration path, just shut down the old IKEv1 tunnel and bring up the new IKEv2/PKI tunnel.

What about the hub(s) though? Are you setting up a new separate Hub router (easiest) or do you want to use the existing hub and run IKEv1 and IKEv2 tunnels at the same time?


The current plan was to use the same hub and have both IKE versions until the transition was complete. Never considered using another hub. I will run that by the team. So, I keep the current tunnel, tunnel 0, that has IKEv1. Create a second tunnel, tunnel 1, that is identical to tunnel 0 but with IKEv2 IPSec profile (different tunnel IPs of course), and the third tunnel, tunnel 2, for PKI enrollment. The traffic can run between either tunnel 0 or 1 until transition is complete and we remove tunnel 0? Did I have it straight? Want to make sure I understand this correctly.


Have a look at this doc, it's not 100% identical to your scenario as it describes migrating DMVPN with IKEv1 to FlexVPN with IKEv2, but it's the same principle. It demonstrates that IKEv1 and IKEv2 can co-exist on the same hub, but separate tunnels and IPSec profiles have to be used.



