Cisco ASA Site-to-Site IKEv2 IPSEC VPN

This topic is to discuss the following lesson:

Hi Rene,

When would one use IKEv2 over IKEv1? What are the main differences in using one over the other?

Thanks
Rob

Hi Rob,

Nowadays you should always use IKEv2 (if possible). It supports a couple of things that IKEv1 doesn’t.

- IKEv2 uses fewer messages than IKEv1 to establish the tunnel and uses less bandwidth.
- IKEv2 has built-in support for NAT traversal.
- IKEv2 has a built-in keepalive mechanism (Dead Peer Detection).
- IKEv2 supports EAP authentication.
- IKEv2 has some built-in mechanisms against DoS attacks.

In short, there’s no reason to use IKEv1 anymore unless you have older equipment that doesn’t support IKEv2 for some reason.

Rene

hello Rene,

Is there any possibiltity you create any post about ssl/tls tecnology??

 

Hi Francesco,

Here’s a good example for SSL:

Rene

The only other thing I had to do to get this working at work is configure NAT exemptions

Hi Rene,

I want to use two asa5525-X firewall (Active/Active) design. Branch office want to use anyconnect vpn client. Is it possible or not?

Hi Naing,

From what I know, this is impossible. ASA 9.x does support some site-to-site VPNs with active/active but no remote VPN or anyconnect.

Rene

Hello Rene,

I have a question regarding the following config:

 IPSCal# sh run crypto map 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer x.x.x.x
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside

From the looks of this crypto map it looks like we are using both ikev1 and ikev2. Whats interesting is that I only see a phase 1 ikev1 policy, does this mean we use ikev1 only?

Thanks

Hi Fabian,

It is possible to accept IKEv1 and IKEv2, you don’t have to choose between one or the other. Just make sure the configuration for both is complete :slight_smile:

Rene

Strange that when I do this, it kills my Amazon VPC connection. My Amazon VPC is IKEV1 policy 10 and crypto map 10, whereas I’m using 20 for the directions you provided.

Have you done Amazon VPC + IKEV2 Site to Site?

Hi Michael,

What are you using on the VPC? Strongswan?

I used it before:

Any chance your VPN is landing on the wrong tunnel-group? That could cause one VPN to be terminated when you are trying to establish another one.

Rene

Hi Rene,

I’ve been unable to establish crypto isakmp SA following this guide. Should this work in gns3. or are there known issues

Hi Richard,

It might be related to GNS3, it’s difficult to tell. If possible I would test it on real hardware first (or try Cisco VIRL).

Rene

Pls can you a small lab on Ikev2 ASA-ASA static-Dynamic IP

Thanks

Hi Anuoluwapo,

You should be able to make it work by combining the ASA IKEv1 Dynamic Peer tutorial and this ASA IKEv2 tutorial.

Rene

Hello Rene,

we have couple of ikev 1 l2l vpn tunnels with our vendors. we want to migrate one of the ikev 1 l2l vpn tunnel to ikev 2 vpn. i know there a command to do swiift migration “migrate l2l” but i believe it will migrate all of my ikev l2l vpn tunnels. is there a way that i can just migrate that particular ikev 1 l2l vpn to ikev 2? or do i have to do a configuration for it from scratch? i will really appriciate your help.

Thanks
Umer

Hello UMER

To answer your question, it really depends on what you want to do. I am assuming first of all that you are using ASA 8.X (although I believe with relative certainty that the following is supported for 9.X as well). Also, I am assuming that these tunnels are to different vendors. This is important because according to Cisco “Multiple peers used for redundancy is not supported with IKEv2 on the ASA.” Only IKEv1 supports this. So if these tunnels are redundant tunnels to the same vendor, don’t migrate to IKEv2.

Now, when you use the migration command you are correct that all IKEv1 tunnels are migrated to IKEv2. However, the current IKEv1 configurations are not removed. IKEv1 and IKEv2 both run in parallel on the same crypto map and IKEv1 acts as a backup for IKEv2.

So, assuming you issue the migrate command and you migrate everything, the IKEv2 tunnel will be created and will function as you desire (if the other end is configured correctly as well), but the tunnel you want to remain on IKEv1 will remain as such since it will fall back to IKEv1 if IKEv2 cannot be established.

You can then tweak your configuration and remove any IKEv2 configuration from that particular tunnel.

Cisco has very good and detailed documentation for this procedure and you can find it here: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

I hope this has been helpful!

Laz

This lesson has been so valuable to me. Ive only be in Networking for a year with just my CCNA, so ive come into contact with devices that I did not learn about while studying. This job has been my rock and today I was asked to learn how to and configure an IPSEC VPN between the ASA at my site and the ASA at a new site we just put up.

I just want to thank you so much for offering a clear and concise tutorial. I often get overwhelmed by wordy explanations of things and your website has literally solved my problems with getting “lost in the sauce”. I am studying for CCNP now using both your site, INE, and the official cert guide.

Thank you so much!

Hello Letia

It’s great to hear that you are enjoying and finding value in this site. This is what we aim to do. I wish you success in your CCNP studies and exams!

Laz