IKEv1 to IKEv2

nishikesh (Level 1)

Hello Everyone,

I have a query related to IKEv1 to IKEv2 feasibility.

Currently I am using an ASA5540 with Software Version 9.1(6)11.

On this ASA we are using IKEv1 and have almost 240 active SAs/tunnels.

Now I have received a request to change IKEv1 to IKEv2 only for TWO tunnels and keep the others on IKEv1 as they are.

Here my questions are:

  1. Is it possible to configure IKEv2 only for TWO existing tunnels out of 240?

 Active SA: 240

Total IKE SA: 240

  2. If I configure IKEv2, will it affect the other 238 running tunnels? Is there any kind of business impact for the other running tunnels?
  3. Currently “crypto ikev1 enable OUTSIDE” is present; if I enter “crypto ikev2 enable OUTSIDE”, what will happen? Will the IKEv2 command overwrite the IKEv1 configuration, or support both?

I am not that expert in this. Could you please guide & advise me.

Your help would be greatly appreciated.

Best regards,

Nishikesh Deshmukh


You can run both IKEv1 and IKEv2 at the same time. By enabling IKEv2 on the outside interface, nothing will actually happen to your tunnels. Only if the other side is also configured for IKEv2 and your ASA has all the needed config in place will the configured VPNs change to IKEv2.

What you need to do:

  1. Make yourself comfortable with IKEv2 troubleshooting and debugs. The commands are different than for IKEv1.
  2. Configure IKEv2 policies and proposals (similar to transform-sets). These have to be compatible with your peers.
  3. If using PSKs, add them to your tunnel-group. These can be different for IKEv1 and IKEv2. This migration might be a good opportunity to change the keys.
  4. Add the IKEv2 proposals to your crypto map sequence.
  5. Enable IKEv2 on the outside interface.

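The steps above for one of the two tunnels, written out as an ASA 9.1 configuration fragment; this is an added illustration, not configuration from the original post or from Cisco documentation. The crypto map name OUTSIDE_map, sequence number 20, peer address 203.0.113.10, proposal values and key placeholders are assumed; the interface name OUTSIDE is the one from the question.

```cisco
! Added example: IKEv2 beside existing IKEv1 on an ASA (9.1 syntax).
! Assumed names: crypto map OUTSIDE_map, sequence 20, peer 203.0.113.10
! (constructed address); key values are placeholders.
!
! Step 2: IKEv2 policy (phase 1) and IPsec proposal (phase 2, the IKEv2
! counterpart of an IKEv1 transform-set). Values must match the peer.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal IKEV2-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Step 3: the IKEv2 keys are separate attributes from the IKEv1 key in the
! same tunnel-group, so a fresh key can be set for IKEv2 without touching
! the IKEv1 key the peer still uses until both sides switch.
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <EXISTING-IKEV1-KEY>
 ikev2 remote-authentication pre-shared-key <NEW-IKEV2-KEY>
 ikev2 local-authentication pre-shared-key <NEW-IKEV2-KEY>
!
! Step 4: add the IKEv2 proposal ONLY to the sequence that belongs to this
! peer. The other sequences keep just their "set ikev1 transform-set" line,
! so they cannot negotiate IKEv2 regardless of step 5.
crypto map OUTSIDE_map 20 set ikev2 ipsec-proposal IKEV2-AES256-SHA256
!
! Step 5: enable IKEv2 on the interface; IKEv1 stays enabled alongside it.
crypto ikev2 enable OUTSIDE
!
! Verify: the migrated peer should show up under IKEv2 ...
show crypto ikev2 sa
! ... and the untouched peers remain under IKEv1.
show crypto ikev1 sa
```

Apply the interface enable last, after the peer has confirmed its own IKEv2 side, so that the first IKEv2 negotiation happens when both ends are ready.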


Hello Karsten,

Thanks for the information.

Yes, we are configuring IKEv2 on both sides.

Actually, I was worried about the other existing/production tunnels.

Thanks for your help.