Cisco ASA Site-to-Site IKEv2 IPSEC VPN

cpj_68 · July 22, 2022, 3:06am

Hi Team,

When we are creating ike policy like the following

ASA1(config-ikev2-policy)# encryption aes
ASA1(config-ikev2-policy)# group 2
ASA1(config-ikev2-policy)# prf sha
ASA1(config-ikev2-policy)# lifetime seconds 86400

Should those attributes (encryption, integrity, DH group, PFS group and lifetime.) be the same on both sites? What happened if they are different? Will exchange of SA fail and no site-to-site VPN in the end?

lagapides · July 24, 2022, 5:44am

Hello PO

When implementing the IKEv2 proposal, you must implement the following for it to be considered complete:

at least one encryption algorithm
at least one integrity algorithm
at least one DH group

For each of these, you can configure multiple types. For example, you can configure encryption like so:

ASA1(config-ikev2-policy)# encryption aes 3des

The ASA will attempt to negotiate the encryption method in the priority order that you place the commands. The two ASAs must agree on the encryption method in order for an SA to form.

The same is true about the group. You can configure it like so:

ASA1(config-ikev2-policy)# group 2 5

Where group 2 will be attempted first, and if it fails, group 5 will be tried.

The prf sha command is essentially the same as the integrity algorithm.

So to answer your question, the pair of ASAs will attempt to find the same encryption, integrity, and group numbers in order to successfully create an SA. Otherwise it will fail.

However, for IKEv2, the lifetime values can be different, since lifetimes are not negotiated, in contrary to IKEv1.

Take a look at this Cisco documentation for more information.

I hope this has been helpful!

Laz

ratan_m · March 17, 2023, 3:28pm

Hi, I was wondering if you could share some IKE v2 debug commands for Phase 1 and Phase 2

lagapides · March 20, 2023, 5:54am

Hello Ratan

The following Cisco documentation details some debugs that can be used for debugging IKEv2.

As stated in the document, keep in mind that:

The packet exchange process that is used in IKEv2 is radically different from that used in IKEv1. With IKEv1, there is a clearly demarcated phase1 exchange that consists of six packets followed by a phase 2 exchange that consists of three packets. The IKEv2 exchange is variable.

Another useful document that will help you further is the following:

Inform us of how you get along and if you need any more specific information, feel free to let us know!

I hope this has been helpful!

Laz

ratan_m · March 20, 2023, 1:12pm

Thank you Laz.
I will play with it and let you know.