Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3486
Views
0
Helpful
4
Replies

IKEv1 to IKEv2 Migration

YORKIE23
Level 1
Level 1

‎07-18-2018 08:22 AM - edited ‎03-12-2019 05:28 AM

Hey guys,

   I have been searching for information relating to migrating from IKEv1 to IKEv2.  We use DMVPN with IKEv1/PSK and would like to transtion to IKEv2/PKI. We are creating a second tunnel that will be configured with IKEv2/PSK so that we can do CA enrollments.  It will not be used for traffic.   The problem I am running into is that IKEv1 is not compatible with IKEv2.  So, when it comes time to apply the IKEv2 IPSec profile to the current IKEv1 tunnel, there will be connectivity issues.  What would be the best way to accomplish this with the least about of connectivity issues?  If an answer can't be provided, could you please point me in the direction of some material that may help?  I was thinking me may need a third tunnel that is configured for IKEv2/PKI that will carry traffic.   We have one main hub and approximately 250 spokes.  

Labels:
0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎07-18-2018 10:48 AM

Hi,
You are on the right track, you need to reference the IKEv2 Profile in the IPSec Profile, which is already in use. Setting up a new IKEv2/IPSec Profile and an additional tunnel interface would give you are migration path, just shut down the old IKEv1 tunnel and bring up the new IKEv2/PKI tunnel.

What about the hub(s) though? Are you setting up a new seperate Hub router (easiest) or do you want to use the existing hub and run IKEv1 and IKEv2 tunnels at the sametime?

HTH
0 Helpful

YORKIE23
Level 1
Level 1
In response to Rob Ingram

‎07-18-2018 11:00 AM

The current plan was to use the same hub and have both IKE versions until the transition was complete.  Never considered using another hub.  I will run that by team.  So, I keep the current tunnel, tunnel 0, that has IKEv1.  Create a second tunnel, tunnel 1,  that is identical to tunnel 0 but with IKEv2 IPSec profile (Different tunnel IPs of course), and the third tunnel, tunnel 2, for PKI enrollment.  The traffic can run between either tunnel 0 or 1 until transtion is complete and we remove tunnel 0?  Did I have it straight?  Want to make sure I understand this correctly.   

0 Helpful

Rob Ingram
VIP
VIP
In response to YORKIE23

‎07-18-2018 11:13 AM

Have a look at this doc, it's not 100% identical to your scenario as it describes migrating DMVPN with IKEv1 to FlexVPN with IKEv2, but it's the same principal. It demonstrates the IKEv1 and IKEv2 can co-exist on the same hub, but separate tunnels and IPSec profiles have to be used.

 

HTH

0 Helpful

Mark1110
Level 1
Level 1
In response to YORKIE23

‎06-16-2023 06:37 AM

Hello, I am having similar issue. we are also doing migration from ikev1 to ikev2 but Configuring IKEv2 tunnels creates connectivity issues. did you complete migration? if possible can you share what steps you did for migration?

0 Helpful
Customers Also Viewed These Support Documents