11-08-2018 01:23 PM
Our VPN peer is migrating away from their old data center & are changing configuration requirements for any peer connecting to them. Their requirements for phase 1 are now to use IKEv2, which is not enabled on my outside interface. Also they are requiring pre-shared key authentication for phase 1 as well. All of this seems normal but some advice would be much appreciated. My concerns are as follows.
1) Can I enable IKEv2 on my outside interface without disabling IKEv1 or breaking existing tunnels? I have 15 IPsec tunnels currently working on my ASA, all are using IKEv1.
2) IKEv2 does not have an option to configure "authentication pre-shared key" like IKEv1 does on the ASA within the ike policy. A pre-shared key is also a phase 1 requirement for my peer & I don't see where I can configure it for phase 1 on the ASA.
3) My peer is requiring "aes-gcm-256 encryption". Does this mean a pre-shared key is not needed on my side?
4) My peer's requirements do not specify an IKE version for phase 2. When I google configurations I see examples only showing phase 2 using IKEv2 when using IKEv1 for phase 1. Do IKE versions have to be the same for phase 1 and 2, or can I leave phase 2 to use IKEv1?
Here is my version of ASA...
Hardware: ASA5545, 12288 MB RAM, CPU Lynnfield 2660 MHz, 1 CPU (8 cores)
ASA Version 9.6(4)3
11-08-2018 01:32 PM
11-08-2018 01:34 PM
1. crypto ikev2 enable outside - should not affect ikev1 tunnels
2. tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key
3. you still need the PSK
4. you configure an IPSec VPN tunnel using either IKEv1 or v2 - config is different for both
the tunnel is established with Phase 1 (isakmp) first, followed by phase 2 (ipsec)
below is an example config so you can see how it fits together:
access-list VPN-ACL extended permit ip source dest
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption
 integrity
 group
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption *
 protocol esp integrity *
group-policy GP-1 internal
group-policy GP-1 attributes
 vpn-tunnel-protocol ikev2 | ikev1
! crypto map entries on the ASA need a sequence number (10 here)
crypto map MAP-2 10 match address VPN-ACL
crypto map MAP-2 10 set peer x.x.x.x
crypto map MAP-2 10 set ikev2 ipsec-proposal AES256
! interface names (nameif) are case-sensitive, so this must match "outside" above
crypto map MAP-2 interface outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GP-1
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key
 ikev2 local-authentication pre-shared-key
regards, mk
please rate if helpful/solved :)
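Added worked example for the original poster's exact case (this is not mk's config and not a Cisco reference config; the peer address 203.0.113.10, the subnets, the object/ACL/map names and the PSK placeholder are all assumed). It shows three things the thread touches on but does not spell out: the IKEv2 peer is added as a new sequence number on the crypto map that is already bound to the outside interface (the ASA allows only one crypto map per interface, so the existing IKEv1 entries keep working untouched); AES-GCM-256 is an AEAD cipher, so the IKEv2 policy and the IPsec proposal take `integrity null` while the policy still needs a PRF; and the PSK is peer authentication, which is separate from the cipher, so it is still required with GCM.

```cisco
! ---- added example, not the poster's config; all addresses/names are assumed ----
! Existing IKEv1 tunnels: crypto map OUTSIDE-MAP seq 10..150 with
! "set ikev1 transform-set ...". Nothing below modifies those entries.

! Phase 1: enable IKEv2 alongside IKEv1 on the same interface
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 prf sha256
 group 14
 lifetime seconds 86400

! Phase 2 proposal: GCM provides integrity itself, hence "integrity null"
crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

! Interesting traffic for the new peer (assumed subnets)
object network LOCAL-NET
 subnet 10.1.0.0 255.255.0.0
object network NEWPEER-NET
 subnet 192.0.2.0 255.255.255.0
access-list VPN-ACL-NEWPEER extended permit ip object LOCAL-NET object NEWPEER-NET

! Group policy restricted to IKEv2 for this peer only
group-policy GP-NEWPEER internal
group-policy GP-NEWPEER attributes
 vpn-tunnel-protocol ikev2

! New crypto map ENTRY (seq 200) on the map already applied to "outside";
! the "crypto map OUTSIDE-MAP interface outside" line already exists
crypto map OUTSIDE-MAP 200 match address VPN-ACL-NEWPEER
crypto map OUTSIDE-MAP 200 set peer 203.0.113.10
crypto map OUTSIDE-MAP 200 set ikev2 ipsec-proposal AES-GCM-256
crypto map OUTSIDE-MAP 200 set pfs group14

! Peer authentication: PSK is still needed, GCM only replaces the cipher+HMAC pair
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-NEWPEER
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>

! Checks after the change: the new peer should show under IKEv2, the old
! peers must still be present under IKEv1
show crypto ikev2 sa
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10
```

The `<PSK-PLACEHOLDER>` must be replaced with the key agreed with the peer; the ASA and the peer each configure the same key as both their local and remote key unless the peer specifies asymmetric keys. If the peer also mandates a specific DH group or PRF, those go in the `crypto ikev2 policy` block, since IKEv2 proposals are matched per policy, not per peer.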
11-08-2018 01:44 PM
Thanks for the feedback guys