Site to Site VPN's using IKEV2

Hawk
Level 1

Our vpn peer is migrating away from their old data center & are changing configuration requirements for any peer connecting to them. Their requirements for phase 1 are now to use ikev2, which is not enabled on my outside interface. Also they are requiring pre-shared key authentication for phase 1 as well. All of this seems normal, but some advice would be much appreciated. My concerns are as follows.

1) Can I enable ikev2 on my outside interface without disabling ikev1 or breaking existing tunnels? I have 15 IPsec tunnels currently working on my ASA, all using ikev1.

2) ikev2 does not have an option to configure "authentication pre-shared key" like ikev1 does on the ASA within the ike policy. A pre-shared key is also a phase 1 requirement for my peer & I don't see where I can configure it for phase 1 on the ASA.

3) My peer is requiring "aes-gcm-256 encryption". Does this mean a pre-shared key is not needed on my side?

4) My peer's requirements do not specify an ike version for phase 2. When I google configurations I see examples only showing phase 2 using ikev2 when using ikev1 for phase 1. Do ike versions have to be the same for phase 1 and 2, or can I leave phase 2 to use ikev1?

Here is my version of ASA...

Hardware: ASA5545, 12288 MB RAM, CPU Lynnfield 2660 MHz, 1 CPU (8 cores)
ASA Version 9.6(4)3

3 Replies

Hi,
1. You can enable IKEv1 and IKEv2 on an ASA at the same time and both will work.
2. The syntax for the PSK is slightly different for IKEv2. E.g.

tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key Cisco1234
 ikev2 remote-authentication pre-shared-key Cisco1234

3. Yes, you will still need a PSK.

4. You will need to define an IKEv2 Phase 2. An example of IKEv2 Phase 2:

crypto ipsec ikev2 ipsec-proposal TSET
 protocol esp encryption aes-gcm

mkazam001
Level 3

1. crypto ikev2 enable outside - should not affect ikev1 tunnels

2. tunnel-group x.x.x.x ipsec-attributes
       ikev2 remote-authentication pre-shared-key
       ikev2 local-authentication pre-shared-key

3. you still need the PSK

4. You configure an IPsec VPN tunnel using either IKEv1 or IKEv2; the config is different for each.

The tunnel is established with Phase 1 (isakmp) first, followed by Phase 2 (ipsec).

Below is an example config so you can see how it fits together:

access-list VPN-ACL extended permit source dest
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption
 integrity
 group
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption *
 protocol esp integrity *
group-policy GP-1 internal
group-policy GP-1 attributes
 vpn-tunnel-protocol ikev2 | ikev1
crypto map MAP-2 match address VPN-ACL
crypto map MAP-2 set peer x.x.x.x
crypto map MAP-2 set ikev2 ipsec-proposal AES256
crypto map MAP-2 interface OUTSIDE
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GP-1
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key
 ikev2 local-authentication pre-shared-key

regards, mk

please rate if helpful/solved :)
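The points made in the two replies above (IKEv2 enabled on the outside interface alongside IKEv1, a pre-shared key in both directions under the peer's tunnel-group, and an IKEv2 ipsec-proposal with AES-GCM on the crypto map entry for that peer) can be checked mechanically against a saved `show run`. The following is an added Python example, not code from the thread or from Cisco: it parses a constructed ASA config fragment (placeholder peer 192.0.2.10 from the RFC 5737 test range, masked keys, made-up object names) and reports which of those points hold for one L2L peer.

```python
import re
# Constructed ASA config modelled on the thread's examples; the peer address
# (RFC 5737 test range), object names and masked keys are placeholders.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev2 enable outside
crypto ipsec ikev2 ipsec-proposal AES256-GCM
 protocol esp encryption aes-gcm-256
crypto map MAP-2 10 match address VPN-ACL
crypto map MAP-2 10 set peer 192.0.2.10
crypto map MAP-2 10 set ikev2 ipsec-proposal AES256-GCM
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

def parse_asa(text):
    """Map each top-level ASA command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":          # sub-command belongs to the previous top-level line
            blocks.setdefault(current, []).append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def check_ikev2_peer(text, peer, iface="outside"):
    """Return {check: bool} for the points raised in the thread, for one L2L peer."""
    cfg = parse_asa(text)
    res = {"ikev1_still_enabled": f"crypto ikev1 enable {iface}" in cfg,
           "ikev2_enabled": f"crypto ikev2 enable {iface}" in cfg}
    attrs = cfg.get(f"tunnel-group {peer} ipsec-attributes", [])
    res["psk_both_directions"] = all(
        any(s.startswith(f"ikev2 {d}-authentication pre-shared-key") for s in attrs)
        for d in ("local", "remote"))
    # Phase 2: the crypto map entry for this peer must reference an IKEv2 proposal
    proposal = None
    for cmd in cfg:
        m = re.fullmatch(r"crypto map (\S+) (\d+) set peer " + re.escape(peer), cmd)
        if m:
            prefix = f"crypto map {m[1]} {m[2]} set ikev2 ipsec-proposal "
            proposal = next((c[len(prefix):] for c in cfg if c.startswith(prefix)), None)
    res["ikev2_phase2_proposal"] = proposal is not None
    subs = cfg.get(f"crypto ipsec ikev2 ipsec-proposal {proposal}", [])
    res["phase2_aes_gcm"] = any("encryption aes-gcm" in s for s in subs)
    return res
```

Run `check_ikev2_peer(open("show-run.txt").read(), "<peer ip>")` against your own export; any False entry is one of the four questions still open for that peer.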

Thanks for the feedback guys