PSK for IKEv2 not persistent

IulianaNegura
Level 1

Hi all,

We are planning to replace an ASA 5525 with a virtualized ASA on Firepower. While checking the configuration which we restored from our running ASA (which contains a folder named VPNPresharedKeys with a single file for each VPN profile), we noticed the PSK for IKEv2 is not persistent; it is missing from the Crypto map Entry.


[Screenshots: "Edit IPsec Site-to-Site Connection Profile" and "Edit IPsec Site-to-Site Connection Profile crypto map entry"]

As the equipment is not yet in place, there are no active VPNs.

Is this normal behavior until we connect it to the internet, and will the PSK persist once the tunnels negotiate?

Has anyone stumbled into this so far?

Thank you!

2 Replies

@IulianaNegura EDIT: you can configure the PSK either under the connection profile/tunnel-group or under the crypto map sequence for that peer.

crypto map outside_map2 1 match address outside_cryptomap
crypto map outside_map2 1 set peer 2.2.2.1
crypto map outside_map2 1 set ikev2 pre-shared-key **********
!
tunnel-group 2.2.2.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key **********
 ikev2 remote-authentication pre-shared-key **********

Typically the PSK is configured just under the tunnel-group/connection profile and not under the crypto map, so it should not be a problem that the PSK is not configured under the crypto map.

As I see, there is a PSK for local and remote peer auth.

And in the CLI we configure it under the tunnel group.

This second field (empty), I will check what it is used for.

MHM
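
A check for the situation discussed in this thread, as an added example that is not part of the original posts or of any Cisco tooling: it reads a restored ASA configuration and reports, for each crypto map peer, whether an IKEv2 PSK is present under the tunnel-group or under the crypto map entry. The function name, the sample config, and the rule that a tunnel-group counts only when both local and remote keys are set are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample config (masked keys); not taken from the original post.
SAMPLE_CONFIG = """\
crypto map outside_map2 1 set peer 2.2.2.1
crypto map outside_map2 2 set peer 192.0.2.10
crypto map outside_map2 2 set ikev2 pre-shared-key *****
crypto map outside_map2 3 set peer 192.0.2.20 192.0.2.21
tunnel-group 2.2.2.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
tunnel-group 192.0.2.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
"""

def audit_ikev2_psk(config):
    """Map each crypto map peer to where its IKEv2 PSK is set, or 'MISSING'."""
    peers = defaultdict(list)    # (map name, seq) -> peers listed on that entry
    map_psk = set()              # (map name, seq) entries carrying their own PSK
    tg_auth = defaultdict(set)   # tunnel-group name -> {'local', 'remote'}
    current_tg = None
    for line in config.splitlines():
        if not line.startswith(" "):
            current_tg = None    # a top-level line ends any tunnel-group sub-mode
        m = re.match(r"crypto map (\S+) (\d+) set peer (.+)", line)
        if m:
            peers[(m[1], m[2])] += m[3].split()
        m = re.match(r"crypto map (\S+) (\d+) set ikev2 pre-shared-key \S+", line)
        if m:
            map_psk.add((m[1], m[2]))
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current_tg = m[1]
        m = re.match(r"\s+ikev2 (local|remote)-authentication pre-shared-key \S+", line)
        if m and current_tg:
            tg_auth[current_tg].add(m[1])
    result = {}
    for entry, peer_list in peers.items():
        for peer in peer_list:
            if tg_auth[peer] == {"local", "remote"}:   # assumption: both keys required
                result[peer] = "tunnel-group"
            else:
                result[peer] = "crypto-map" if entry in map_psk else "MISSING"
    return result

if __name__ == "__main__":
    for peer, where in audit_ikev2_psk(SAMPLE_CONFIG).items():
        print(f"{peer:15} {where}")
```

Run against the restored configuration before cutover, any peer reported as MISSING is one whose tunnel would have no IKEv2 key to authenticate with.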