Unable to Migrate VPN Tunnel from IKEv1 to IKEv2

kalebcargin
Level 1

UPDATE: I am now being told that this IPSEC Tunnel is no longer needed, so I no longer need to convert it to IKEv2.


Hello,

I have a Cisco ASA that has three IKEv1 tunnels and I need to change one of them to use IKEv2.
Attached is the original running-config that brings all three IKEv1 tunnels up and active. Also, I have attached the running config of the ASA after switching the tunnel with a peer IP of 19.12.76.9 from IKEv1 to IKEv2.

To switch the tunnel from IKEv1 to IKEv2, I ran the following config commands:

tunnel-group 19.12.76.9 ipsec-attributes
 no ikev1 pre-shared-key *******************

no crypto map HBMTJM 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map HBMTJM 2 set pfs group14
crypto map HBMTJM 2 set ikev2 ipsec-proposal AES256-SHA256
crypto map HBMTJM 2 set ikev2 pre-shared-key *******************
However, the tunnel only comes up with a state of UP-IDLE and loading a website and pinging an IP on the other side of the tunnel times out.

Here is the result of the show crypto isakmp sa command:

IKEv2 SAs:

Session-id:475, Status:UP-IDLE, IKE count:12, CHILD count:0

Tunnel-id Local Remote Status Role
3531684191 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/8 sec

Tunnel-id Local Remote Status Role
3031233181 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/13 sec

Tunnel-id Local Remote Status Role
226038679 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/18 sec

Tunnel-id Local Remote Status Role
3519504561 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/23 sec

Tunnel-id Local Remote Status Role
1258801873 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/43 sec

Tunnel-id Local Remote Status Role
105182045 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/58 sec

Tunnel-id Local Remote Status Role
3417865807 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/73 sec

Tunnel-id Local Remote Status Role
918654701 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/78 sec

Tunnel-id Local Remote Status Role
1381709793 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/83 sec

Tunnel-id Local Remote Status Role
642537917 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/93 sec

Tunnel-id Local Remote Status Role
1242201417 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/103 sec

Tunnel-id Local Remote Status Role
841674625 XXX.XXX.XXX.XXX/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 86400/118 sec


The other side of the tunnel is a Cisco router and the engineers on the other side say that their config is correct.
We have verified that the PSK matches on both sides.

Why does this tunnel work with IKEv1, but not IKEv2?
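As an added example (not code from the post, from Cisco, or from any reply), a small Python helper that parses the IKEv2 section of the show crypto isakmp sa output above and names the failure stage. The pattern in the post, IKE SAs that authenticate with PSK and are then deleted while CHILD count stays 0, points at the IPsec (child) SA negotiation rather than the IKE SA itself, so the helper separates those cases. The sample text, its local address and its tunnel ids are constructed.

```python
import re

# Constructed sample in the layout of the post's "show crypto isakmp sa" output;
# the local address and tunnel ids are placeholders, not values from the post.
SAMPLE = """\
IKEv2 SAs:
Session-id:475, Status:UP-IDLE, IKE count:2, CHILD count:0
Tunnel-id Local Remote Status Role
3531684191 203.0.113.10/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/8 sec
Tunnel-id Local Remote Status Role
3031233181 203.0.113.10/500 19.12.76.9/500 DELETE INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: Unknown - 0, Auth verify: Unknown - 0
Life/Active Time: 86400/13 sec
"""

SESSION_RE = re.compile(r"Session-id:(\d+), Status:(\S+), IKE count:(\d+), CHILD count:(\d+)")
SA_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+)$")  # tunnel-id local remote status role
ENCR_RE = re.compile(r"DH Grp:(\d+), Auth sign: (.+?), Auth verify: (.+)$")


def parse_ikev2_sas(text):
    """Summarise the IKEv2 section: session status and counters plus one dict per IKE SA."""
    m = SESSION_RE.search(text)
    if not m:
        raise ValueError("no IKEv2 session line found")
    session = {"status": m.group(2), "ike_count": int(m.group(3)),
               "child_count": int(m.group(4)), "sas": []}
    lines = [ln.strip() for ln in text.splitlines()]
    for i, ln in enumerate(lines):
        sa = SA_RE.match(ln)
        if not sa:
            continue
        # The line after each SA row carries the negotiated algorithms and auth method.
        enc = ENCR_RE.search(lines[i + 1]) if i + 1 < len(lines) else None
        session["sas"].append({
            "tunnel_id": int(sa.group(1)), "remote": sa.group(3).split("/")[0],
            "state": sa.group(4), "role": sa.group(5),
            "dh_group": int(enc.group(1)) if enc else None,
            "auth": enc.group(2) if enc else None})
    return session


def diagnose(session):
    """Name the failure stage; the post's pattern is authenticated IKE SAs torn down with no child SA."""
    if session["child_count"] > 0:
        return "established"        # IKE SA plus at least one IPsec (child) SA
    if session["ike_count"] > 0 and session["sas"] and all(sa["state"] == "DELETE" for sa in session["sas"]):
        return "child-sa-failed"    # IKE_AUTH completed, IPsec/child SA negotiation did not
    return "ike-incomplete"         # no IKE SA survived IKE_SA_INIT/IKE_AUTH
```

A "child-sa-failed" result is the cue to compare the IPsec side of both peers (proposal, PFS group, crypto ACL / traffic selectors) rather than the IKE policy or PSK.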

8 Replies

Only match the VPN ACL to the new IKEv2 tunnel and the issue will be solved.

MHM

Thank you for the prompt reply, MHM!

So what you are saying is that I should remove (via "no" command) this ACL?
access-list outside_cryptomap extended permit ip interface outside object-group FORD_ENCRY_DOMAINS

Sorry for late reply

OK, you want to use IKEv2 instead of IKEv1; did you remove the match VPN ACL from the IKEv1 map?

I checked the config you shared; there are many VPNs, so I don't know which one you are talking about.

Thanks 

MHM

The tunnel that we are wanting to switch to IKEv2 is the one with a peer IP of 19.12.76.9.

I am not sure what you mean by "do you remove match VPN ACL from ikev1 map"?
As I stated previously, I did notice that there is an ACL that mentions the same object group (FORD_ENCRY_DOMAINS), but is not specified by the tunnel's cryptomap, so I am thinking it certainly cannot hurt to remove it...

Here are the two ACLs that specify FORD_ENCRY_DOMAINS:

  1. access-list outside_cryptomap extended permit ip interface outside object-group FORD_ENCRY_DOMAINS
  2. access-list outside_cryptomap_1 extended permit ip interface outside object-group FORD_ENCRY_DOMAINS

Only the outside_cryptomap_1 ACL is specified in the tunnel's cryptomap:

crypto map HBMTJM 2 match address outside_cryptomap_1
crypto map HBMTJM 2 set peer 19.12.76.9

Did you clear crypto sa peer 19.12.76.9?

It can be that the ASA uses the old IKEv1 SA.

MHM

Can't say for sure.
I know I cleared the config of all the "crypto map HBMTJM 2" commands and then put them back in. Not sure if doing that would clear the old IKEv1 SA...


Based on the (lack of) other specific responses, I guess there is nothing obviously misconfigured. Maybe not running "clear crypto sa peer 19.12.76.9" after converting the tunnel from IKEv1 to IKEv2 was the only thing that was needed to bring the IKEv2 tunnel to an "UP-ACTIVE" state?

balaji.bandi
Hall of Fame

What router is on the other side and what IOS code is it running? There are some issues with older code and group 14, so can you lower that on both sides, start with group 5, and start testing.

What are the logs on the other side?

For reference, see the guide below:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html

BB


Unfortunately, I am unable to obtain a running config from the router on the other side, but I doubt it's running code that is older than my ASA's code. In fact, the network engineers on the other side are the ones wanting me to go from DH Group 2 to Group 14.

Again, I am not creating a totally new tunnel. The pre-existing tunnel has been working 100% for years when configured to use IKEv1, but we can only get UP-IDLE after switching the tunnel to IKEv2.

The tunnel that we are wanting to switch to IKEv2 is the one with a peer IP of 19.12.76.9.

I did reference this article from Cisco on switching a pre-existing tunnel from IKEv1 to IKEv2:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html#config