IOS -> ASA route-based IKEv2 transition

doka
Level 1

Dear colleagues,

In a few of my spoke sites I need to migrate from IOS/XE to ASA (software version 9.14(1)), and the question is whether it's possible to migrate the route-based VPN configuration while keeping the hub-side configuration (many different clients (XE, Mikrotik, Windows, MacOS) still use it).

The basic idea of the existing configuration is to authenticate itself using EAP/MSCHAPv2, while authenticating the remote side using the respective trustpoint:


crypto ikev2 proposal RC-proposal
 encryption aes-gcm-256
 prf sha256
 group 14
!
crypto ikev2 policy RC-policy
 match fvrf any
 proposal RC-proposal
!
crypto ikev2 profile RC-profile
 match identity remote fqdn <REMOTE-FQDN>
 identity local email <id>
 authentication local eap mschapv2 username <USERNAME> password <PASSWORD>
 authentication remote rsa-sig
 pki trustpoint MyTP
!
crypto ipsec transform-set RC-ts esp-gcm 256
 mode tunnel
!
crypto ipsec profile RC-tun
 set transform-set RC-ts
 set ikev2-profile RC-profile
!
interface Tunnel0
 ip address negotiated
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source <local internet-facing interface>
 tunnel mode ipsec ipv4
 tunnel destination <REMOTE-IP>
 tunnel protection ipsec profile RC-tun

I use the following guide - https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/214230-configure-policy-based-and-route-based-v.html - but there is no way to declare EAP/MSCHAPv2 for local authentication (step 5):

ciscoasa(config-tunnel-ipsec)# ikev2 local-authentication ?
  certificate     Select the trustpoint that identifies the cert to be sent to
                  the IKE peer
  pre-shared-key  Configure the local pre-shared-key used to authenticate to
                  the remote peer

And the next issue is in step 6: in the current configuration, the tunnel's address is negotiated over IPsec (int Tunnel0 / ip address negotiated), while the ASA has no such choice, offering only static address assignment:

ciscoasa(config-if)# ip address ?
  Hostname or A.B.C.D  Firewall's network interface address

I would appreciate any comments and suggestions on how to migrate from XE to ASA in my environment.

Thank you.
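An ASA-side route-based (VTI) counterpart of the IOS configuration above, as an added example that is not part of the original post or of Cisco's guide. Because the ASA output quoted above offers only "certificate" or "pre-shared-key" for local authentication, this example assumes certificate authentication in both directions using the same trustpoint MyTP, a constructed static /30 tunnel address in place of "ip address negotiated", an internet-facing interface named "outside", and the post's own <REMOTE-IP> placeholder; the hub would have to accept certificate authentication from this spoke.

```cisco
! Added example (not from the post): ASA 9.14 VTI equivalent of the IOS config.
! Assumption: certificate auth both ways, since the ASA has no EAP local-authentication.
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Matches "crypto ipsec transform-set RC-ts esp-gcm 256"
crypto ipsec ikev2 ipsec-proposal RC-prop
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
!
crypto ipsec profile RC-tun
 set ikev2 ipsec-proposal RC-prop
 set trustpoint MyTP
!
tunnel-group <REMOTE-IP> type ipsec-l2l
tunnel-group <REMOTE-IP> ipsec-attributes
 ikev2 local-authentication certificate MyTP
 ikev2 remote-authentication certificate
 ! Check the hub's IKE identity against its certificate
 peer-id-validate req
!
! Constructed static address: the ASA VTI has no "ip address negotiated"
interface Tunnel0
 nameif vti-hub
 ip address 10.255.255.2 255.255.255.252
 tunnel source interface outside
 tunnel destination <REMOTE-IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RC-tun
!
! Counterpart of "ip tcp adjust-mss 1360" (global setting on ASA)
sysopt connection tcpmss 1360
```

Routes toward the hub networks must then point at the Tunnel0 interface; the local-authentication limitation itself is not worked around by this example.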
