4079 Views, 25 Helpful, 9 Replies

Interoperability between ikev1 and ikev2

amaomury84
Visitor

We have a Cisco ASA5545 running IOS 9.1. ASA currently has over 500 active ikev1 tunnels to different partners. We will like to enable ikev2 on the box while keeping all our ikev1 tunnels active with no service disruption. kindly assist with steps to take to achieve this.

 

Accepted Solution

@amaomury84 

You can enable both IKEv1 and IKEv2 on the ASA at the same time. You'll need something like the following to enable IKEv2:

 

! IPsec (child SA) proposal for IKEv2; AES-GCM is an AEAD cipher, so no separate integrity algorithm
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity null
!
! IKEv2 (IKE SA) policy; integrity must be null when the encryption is aes-gcm
crypto ikev2 policy 10
 encryption aes-gcm
 integrity null
 group 19
 prf sha256
 lifetime seconds 3600
!
! Enable IKEv2 on the outside interface (IKEv1 stays enabled alongside it)
crypto ikev2 enable OUTSIDE
!
! vpn-tunnel-protocol replaces the whole list, so keep ikev1 here or the existing
! IKEv1 peers that use this group policy will stop negotiating (add ssl-client /
! ssl-clientless as well if AnyConnect terminates on the same ASA)
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2
!
! Per-peer IKEv2 authentication
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
! Point the peer's crypto map entry at the IKEv2 proposal
crypto map <MAP NAME> <NO> set ikev2 ipsec-proposal AES-GCM

You appear to be running a very old version of ASA software (9.1); you might wish to upgrade to ensure you support the latest and strongest crypto algorithms.


9 Replies


@Rob Ingram, thank you for the help and suggestion. I would like to confirm if this is a generic solution or I will need to modify it to suit my own need.

@amaomury84 

The configuration above contains all the IKEv2 components required to enable IKEv2 on the ASA. The algorithms are suggestions; they are, however, the more secure next-generation encryption algorithms.

 

You can select different algorithms when configuring the IKEv2 proposal/policies.

00uwebuq2cv2rh8M55d6
Community Member
ikev1 tunnel to different partner like to enable ikev2 on the box while keeping all our ikev1 tunnel active with no service disruption.

balaji.bandi
Hall of Fame

You can run both v1 and v2 on the same ASA - I do not see any issue here.

BB

===== Preenayamo Vasudevam =====


amaomury84
Visitor

@Rob Ingram, please help confirm if I can use the same configuration for each partner I am creating an IKEv2 tunnel for on my box. What should be the difference in configuration for partner 1 and partner 2 on my box (aside, obviously, from the peer IP and host IP)?

@amaomury84 

As well as the configuration above for IKEv2, the crypto map configuration determines whether to use IKEv1 or IKEv2. In the example below, Partner 1 uses an IKEv1 transform set and Partner 2 uses an IKEv2 proposal.

 

! Partner 1 (IKEv1: transform set)
crypto map CRYPTO-MAP 1 set ikev1 transform-set TSET1
crypto map CRYPTO-MAP 1 set peer 1.1.1.1
crypto map CRYPTO-MAP 1 match address PARTNER1
!
! Partner 2 (IKEv2: ipsec-proposal)
crypto map CRYPTO-MAP 2 set ikev2 ipsec-proposal TSET2
crypto map CRYPTO-MAP 2 set peer 2.2.2.2
crypto map CRYPTO-MAP 2 match address PARTNER2

You obviously also need a unique sequence number per VPN tunnel, to distinguish between the peers, and a unique ACL to distinguish the interesting traffic (remote networks).
 

amaomury84
Visitor

@Rob Ingram, thanks for this; it is very helpful. I would also like to confirm about the group policy: can I use the same group policy (DfltGrpPolicy) for all IKEv2-connected partners, or should I use a different group policy for each partner?

@amaomury84 

Yes, you could use the same group policy; you'd need to ensure IKEv1 and IKEv2 are both enabled as supported vpn-tunnel-protocol values:

 

group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev2 ikev1
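Putting the pieces from this thread together, here is one complete worked configuration as an added example (it is not Rob Ingram's posted config and not a Cisco document): a single crypto map on an interface called OUTSIDE carries Partner 1 on IKEv1, exactly as the existing tunnels run today, and Partner 2 on IKEv2. The interface name, the ACL, transform-set and proposal names, the 10.1.0.0/16 and 192.168.x.0/24 networks, the peer addresses 203.0.113.10 and 198.51.100.20 and the pre-shared-key placeholders are all assumptions; substitute your own values.

```text
! --- IKEv1: assumed to be what the existing 500 tunnels already use (shown for context only) ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set TSET1 esp-aes-256 esp-sha-hmac
crypto ikev1 enable OUTSIDE
!
! --- IKEv2: new; adding this does not touch the IKEv1 SAs ---
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 19
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ikev2 enable OUTSIDE
!
! Interesting traffic: one ACL per partner (assumed networks)
access-list PARTNER1 extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list PARTNER2 extended permit ip 10.1.0.0 255.255.0.0 192.168.2.0 255.255.255.0
!
! Group policy shared by all L2L peers: both IKE versions must be listed
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 ikev2
!
! Partner 1: IKEv1 peer, left unchanged
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PARTNER1-PSK-PLACEHOLDER>
!
! Partner 2: IKEv2 peer (remote and local PSK may differ if the partner requires it)
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PARTNER2-PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PARTNER2-PSK-PLACEHOLDER>
!
! One crypto map, unique sequence number per peer; the "set ikev1" or "set ikev2"
! line on each entry decides which IKE version that peer negotiates
crypto map CRYPTO-MAP 1 match address PARTNER1
crypto map CRYPTO-MAP 1 set peer 203.0.113.10
crypto map CRYPTO-MAP 1 set ikev1 transform-set TSET1
crypto map CRYPTO-MAP 2 match address PARTNER2
crypto map CRYPTO-MAP 2 set peer 198.51.100.20
crypto map CRYPTO-MAP 2 set ikev2 ipsec-proposal AES-GCM
crypto map CRYPTO-MAP interface OUTSIDE
!
! Verification after the change: the existing IKEv1 peers should still be listed,
! and the new peer should appear under IKEv2
! show crypto ikev1 sa
! show crypto ikev2 sa
! show crypto ipsec sa peer 198.51.100.20
```

Only the IKEv2 section, the second tunnel-group and crypto map entry 2 are new. Two lines deserve care in a live change: vpn-tunnel-protocol replaces the whole list, so if DfltGrpPolicy also serves AnyConnect clients add ssl-client and ssl-clientless back into it; and editing an existing crypto map entry (for instance later moving Partner 1 from "set ikev1" to "set ikev2") clears the SAs of that entry, so migrate one partner per change window rather than touching entries that must stay up.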