Upgrading L2L tunnel from IKEv1 to IKEv2. How to adjust cryptomap?

Hello.

I'm upgrading an L2L tunnel from IKEv1 to IKEv2. I am unsure of how to adjust the crypto map.

QUESTION: Of the numbered options below, could you please select the correct config? If none of them is correct, could you please write the correct config?

Thank you.
-----

#1...
#crypto map Vendor1-cryptomap interface Outside
#crypto map Vendor1-cryptomap 1 match address Cryptomap-ACL
#crypto map Vendor1-cryptomap 1 set peer 1.1.1.1
#crypto map Vendor1-cryptomap 1 set ikev1 ipsec-proposal PROPOSAL-1
#crypto map Vendor1-cryptomap 2 set ikev2 ipsec-proposal PROPOSAL-2

#2...
#crypto map Vendor1-cryptomap interface Outside
#crypto map Vendor1-cryptomap 1 match address Cryptomap-ACL
#crypto map Vendor1-cryptomap 1 set peer 1.1.1.1
#crypto map Vendor1-cryptomap 1 set ikev1 ipsec-proposal PROPOSAL-1
#crypto map Vendor1-cryptomap 2 match address Cryptomap-ACL
#crypto map Vendor1-cryptomap 2 set peer 1.1.1.1
#crypto map Vendor1-cryptomap 2 set ikev2 ipsec-proposal PROPOSAL-2

#3 (other)

Accepted Solutions

@jmaxwellUSAF IKEv2 is preferred over IKEv1 if both are enabled. I'd recommend trying not to overcomplicate the configuration: schedule a change window with the peer and cut over that tunnel to IKEv2.

So remove the IKEv1 proposal and at the same time apply the IKEv2 proposal to the same sequence number.

crypto map Vendor1-cryptomap interface Outside
no crypto map Vendor1-cryptomap 1 set ikev1 ipsec-proposal PROPOSAL-1
crypto map Vendor1-cryptomap 1 set ikev2 ipsec-proposal PROPOSAL-2

You'd obviously also require the IKEv2 policies, enable IKEv2 on the Outside interface and define the IKEv2 PSK (if used) under the tunnel group.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

 


IKEv1 and IKEv2 config steps (one crypto map, one sequence number per protocol)

access-list l2laclikev1 extended permit ip 10.0.0.0 255.255.255.0 30.0.0.0 255.255.255.0
access-list l2laclikev2 extended permit ip 10.0.0.0 255.255.255.0 20.0.0.0 255.255.255.0
crypto ipsec ikev1 transform-set mhm esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal mhm
 protocol esp encryption des
 protocol esp integrity md5
crypto map l2lmap 10 match address l2laclikev2
crypto map l2lmap 10 set peer 200.0.0.3
crypto map l2lmap 10 set ikev2 ipsec-proposal mhm
crypto map l2lmap 20 match address l2laclikev1
crypto map l2lmap 20 set peer 150.0.0.2
crypto map l2lmap 20 set ikev1 transform-set mhm
crypto map l2lmap interface OUT
crypto ikev2 policy 10
 encryption des
 integrity md5
 group 5
 prf sha
crypto ikev2 enable OUT
crypto ikev1 enable OUT
crypto ikev1 policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
group-policy ikev1 internal
group-policy ikev1 attributes
 vpn-tunnel-protocol ikev1
group-policy ikev2 internal
group-policy ikev2 attributes
 vpn-tunnel-protocol ikev2
tunnel-group 200.0.0.3 type ipsec-l2l
tunnel-group 200.0.0.3 general-attributes
 default-group-policy ikev2
tunnel-group 200.0.0.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 150.0.0.2 type ipsec-l2l
tunnel-group 150.0.0.2 general-attributes
 default-group-policy ikev1
tunnel-group 150.0.0.2 ipsec-attributes
 ikev1 pre-shared-key *****
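Added example, not code from either reply: a small Python pre-change check for the cutover described above. It parses the ASA lines used in this thread (crypto map entries, `crypto ikev2 enable`, tunnel-group PSKs) and flags the states both replies warn about: an IKEv2 proposal sitting on a sequence number with no match address/peer (the OP's option #1), IKEv2 not enabled on the map's interface, and no IKEv2 keys under the tunnel-group. The sample config, map name and finding labels are constructed for the example.

```python
import re
# Constructed sample (not from the thread): IKEv2 proposal added under a new seq instead of replacing IKEv1.
SAMPLE_CONFIG = """\
crypto map Vendor1-cryptomap 1 match address Cryptomap-ACL
crypto map Vendor1-cryptomap 1 set peer 1.1.1.1
crypto map Vendor1-cryptomap 1 set ikev1 ipsec-proposal PROPOSAL-1
crypto map Vendor1-cryptomap 2 set ikev2 ipsec-proposal PROPOSAL-2
crypto map Vendor1-cryptomap interface Outside
crypto ikev1 enable Outside
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
"""

def parse_asa(config):
    """Pull out only the lines the cutover check needs; this is not a full ASA parser."""
    entries, iface, enabled, keys, tg = {}, {}, set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            iface[m[1]] = m[2]                       # map name -> interface it is applied to
        elif m := re.match(r"crypto map (\S+) (\d+) (match address|set peer|set ikev[12] \S+) (\S+)$", line):
            key = {"match address": "acl", "set peer": "peer"}.get(m[3], m[3].split()[1])
            entries.setdefault((m[1], int(m[2])), {})[key] = m[4]
        elif m := re.match(r"crypto (ikev[12]) enable (\S+)$", line):
            enabled.add((m[1], m[2]))                # (protocol, interface)
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            tg = m[1]                                # entering tunnel-group sub-mode
        elif (m := re.match(r"(ikev[12]) .*pre-shared-key", line)) and tg:
            keys.setdefault(tg, set()).add(m[1])     # which IKE versions have a PSK for this peer
        elif not raw.startswith(" "):
            tg = None                                # any other top-level command leaves the sub-mode
    return entries, iface, enabled, keys

def cutover_findings(config, map_name, seq):
    """Return the set of problems blocking a clean IKEv1 -> IKEv2 cutover for one map entry."""
    entries, iface, enabled, keys = parse_asa(config)
    e, found = entries.get((map_name, seq), {}), set()
    if "ikev1" in e and "ikev2" in e:
        found.add("both_proposals_on_seq")          # fine during overlap, remove ikev1 after cutover
    if "ikev2" not in e:
        found.add("no_ikev2_proposal_on_seq")
    for (name, s), other in entries.items():        # a proposal on a seq with no ACL/peer matches nothing
        if name == map_name and s != seq and "ikev2" in other and not ("acl" in other and "peer" in other):
            found.add("ikev2_on_orphan_seq")
    if map_name in iface and ("ikev2", iface[map_name]) not in enabled:
        found.add("ikev2_not_enabled_on_interface")
    if "peer" in e and "ikev2" not in keys.get(e["peer"], set()):
        found.add("no_ikev2_psk_in_tunnel_group")
    return found
```

Run it against `show running-config` output before the change window; an empty set for the entry you are cutting over means the proposal, interface enablement and tunnel-group keys are all in place.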
