Switch from IKEv1 to IKEv2 on Cisco Routers

lanmanjs
Level 1

I have been asked to research what is necessary to switch the VPNs configured on a few of our routers from running IKEv1 to IKEv2.  I need some help with this.  Can I get an idea of what is needed to do this (CLI commands)?  What will happen to the VPNs as they are changed from using version 1 and start using version 2?  Will the VPN drop altogether and need to be recreated?  I'm afraid things will break when I start working on this and am not sure of what to expect.

 

Also, what about the other side endpoint?  What kind of changes would be needed there?  I do not admin both sides of all of these VPNs.  I need to know what will be necessary on the other side to make sure they still operate properly so I can work with the other tech to get there.  Will the tunnel still work if I upgrade to v2 but the other endpoint is still on v1?  What about the key exchange?  Will it still operate as necessary or will that need to be reconfigured as well?

 

Any help would be greatly appreciated and thank you in advance for any reply - 

lanmanjs 

2 Replies

Hi,

You'll need to configure the following:

- IKEv2 Proposal/Policy (optional, you can use smart defaults)

- IKEv2 Keyring (if using PSK)

- IKEv2 Profile - define authentication (local/remote), identities (local/remote), PSK/Certificates, DPD

- IPsec Transform Set

- IPsec Profile - reference the IKEv2 Profile and Transform Set

- Modify the tunnel interface to use the new IPsec Profile

 

There are plenty of FlexVPN (IKEv2) configuration guides here with example configuration.

 

IKEv2 and IKEv1 are not compatible. If you change your end of the VPN to IKEv2, you will need to co-ordinate with the 3rd party in order for them to re-configure their end to establish a tunnel.

 

HTH
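
The components listed in the reply above, laid out as one IOS configuration for a PSK-authenticated tunnel interface. This is an added example, not part of the original post or taken from a Cisco guide. All object names, the documentation-range addresses (198.51.100.1 local, 203.0.113.2 peer), the interface names, the algorithm choices and the DPD timers are assumptions, and the pre-shared keys are placeholders.

```cisco
! Assumed values throughout: names, addresses, interfaces, algorithms, timers.
! 1. IKEv2 proposal and policy (optional; smart defaults apply if omitted)
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! 2. IKEv2 keyring (only when authenticating with PSK)
crypto ikev2 keyring IKEV2-KEYRING
 peer REMOTE-SITE
  address 203.0.113.2
  pre-shared-key local <LOCAL-PSK-PLACEHOLDER>
  pre-shared-key remote <REMOTE-PSK-PLACEHOLDER>
!
! 3. IKEv2 profile: identities, authentication method, keyring, DPD
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.2 255.255.255.255
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KEYRING
 dpd 10 2 on-demand
!
! 4. IPsec transform set
crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! 5. IPsec profile referencing the IKEv2 profile and the transform set
crypto ipsec profile IKEV2-IPSEC-PROFILE
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
!
! 6. Point the tunnel interface at the new IPsec profile
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IKEV2-IPSEC-PROFILE
```

Once both ends are reconfigured, `show crypto ikev2 sa` and `show crypto ipsec sa` show whether the IKEv2 and IPsec security associations have come up.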

Thank you very much HTH.  I really do appreciate the information - very helpful and gives me the direction I need.

 

lanmanjs