Cisco ASA Site-to-Site IKEv2 IPSEC VPN

Hi Team,

When we are creating ike policy like the following

ASA1(config-ikev2-policy)# encryption aes
ASA1(config-ikev2-policy)# group 2
ASA1(config-ikev2-policy)# prf sha
ASA1(config-ikev2-policy)# lifetime seconds 86400

Should those attributes (encryption, integrity, DH group, PFS group and lifetime) be the same on both sites? What happens if they are different? Will the SA exchange fail, leaving no site-to-site VPN in the end?

Hello PO

When implementing the IKEv2 proposal, you must implement the following for it to be considered complete:

  • at least one encryption algorithm
  • at least one integrity algorithm
  • at least one DH group

For each of these, you can configure multiple types. For example, you can configure encryption like so:

ASA1(config-ikev2-policy)# encryption aes 3des

The ASA will attempt to negotiate the encryption method in the priority order that you place the commands. The two ASAs must agree on the encryption method in order for an SA to form.

The same is true about the group. You can configure it like so:

ASA1(config-ikev2-policy)# group 2 5

Where group 2 will be attempted first, and if it fails, group 5 will be tried.

The prf sha command is essentially the same as the integrity algorithm.

So to answer your question, the pair of ASAs will attempt to find the same encryption, integrity, and group numbers in order to successfully create an SA. Otherwise it will fail.

However, for IKEv2, the lifetime values can be different, since lifetimes are not negotiated, contrary to IKEv1.

Take a look at this Cisco documentation for more information.

I hope this has been helpful!

Laz
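To make the negotiation rule above concrete, here is a small Python model of it. This is an added illustration, not Cisco code or anything from the lesson: it parses the `crypto ikev2 policy` sub-mode lines quoted in the thread, tries each transform type in the order the commands were entered, requires both peers to agree on encryption, integrity, PRF and DH group, and reports the lifetime as a purely local value. The three sample policies are constructed, and treating a missing `prf` as "use the integrity algorithms" is an assumption of this model, following the remark that `prf sha` behaves like the integrity setting.

```python
"""Model of IKEv2 policy negotiation between two Cisco ASAs (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Transform types that both peers must agree on for the IKE SA to form.
NEGOTIATED = ("encryption", "integrity", "prf", "group")


@dataclass
class Ikev2Policy:
    # Lists keep the configured priority order, e.g. "encryption aes 3des".
    encryption: List[str] = field(default_factory=list)
    integrity: List[str] = field(default_factory=list)
    prf: List[str] = field(default_factory=list)
    group: List[str] = field(default_factory=list)
    lifetime: Optional[int] = None  # seconds; local to this ASA, never sent to the peer

    def is_complete(self) -> bool:
        # The thread's rule: at least one encryption, one integrity and one DH group.
        return bool(self.encryption and self.integrity and self.group)


def parse_policy(cli: str) -> Ikev2Policy:
    """Parse ikev2 policy sub-mode lines such as 'encryption aes 3des' or 'group 2 5'."""
    policy = Ikev2Policy()
    for raw in cli.strip().splitlines():
        words = raw.split()
        if not words:
            continue
        key, args = words[0], words[1:]
        if key in ("encryption", "integrity", "prf", "group"):
            getattr(policy, key).extend(args)  # preserves configured priority order
        elif key == "lifetime" and len(args) == 2 and args[0] == "seconds":
            policy.lifetime = int(args[1])
        else:
            raise ValueError(f"unsupported policy line: {raw!r}")
    return policy


def negotiate(initiator: Ikev2Policy, responder: Ikev2Policy) -> Optional[Dict[str, str]]:
    """Return the agreed transform per type, or None when no IKE SA can form."""
    if not (initiator.is_complete() and responder.is_complete()):
        return None
    agreed: Dict[str, str] = {}
    for ttype in NEGOTIATED:
        offered = getattr(initiator, ttype)
        accepted = getattr(responder, ttype)
        if ttype == "prf":  # assumption: an unset prf offers the integrity algorithms
            offered = offered or initiator.integrity
            accepted = accepted or responder.integrity
        # First entry in the initiator's priority order that the responder also accepts.
        match = next((alg for alg in offered if alg in accepted), None)
        if match is None:
            return None  # no common algorithm for this type: negotiation fails
        agreed[ttype] = match
    return agreed


def summarize(initiator_cli: str, responder_cli: str) -> dict:
    """Negotiate two CLI policies and report the outcome plus both local lifetimes."""
    a, b = parse_policy(initiator_cli), parse_policy(responder_cli)
    agreed = negotiate(a, b)
    return {
        "sa_established": agreed is not None,
        "agreed": agreed,
        # Lifetimes are reported side by side but never matched: each ASA rekeys on its own timer.
        "lifetimes": (a.lifetime, b.lifetime),
    }


# Constructed sample policies (not from any real device).
ASA1_POLICY = """
encryption aes 3des
integrity sha
group 2 5
prf sha
lifetime seconds 86400
"""
ASA2_POLICY = """
encryption aes-256 aes
integrity sha
group 5
prf sha
lifetime seconds 28800
"""
ASA3_POLICY = """
encryption aes
integrity sha
group 14
lifetime seconds 86400
"""

if __name__ == "__main__":
    print(summarize(ASA1_POLICY, ASA2_POLICY))  # SA forms on aes/sha/sha/group 5, lifetimes differ
    print(summarize(ASA1_POLICY, ASA3_POLICY))  # no common DH group: no SA
```

Running it shows the two points from the answer: ASA1 and ASA2 settle on `aes` (first in ASA1's order that ASA2 also lists) and group 5 (group 2 is tried first and rejected), and they do so despite different lifetimes; ASA1 and ASA3 share no DH group, so no SA is formed at all.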

Hi, I was wondering if you could share some IKE v2 debug commands for Phase 1 and Phase 2

Hello Ratan

The following Cisco documentation details some debugs that can be used for debugging IKEv2.

As stated in the document, keep in mind that:

The packet exchange process that is used in IKEv2 is radically different from that used in IKEv1. With IKEv1, there is a clearly demarcated phase1 exchange that consists of six packets followed by a phase 2 exchange that consists of three packets. The IKEv2 exchange is variable.

Another useful document that will help you further is the following:

Inform us of how you get along and if you need any more specific information, feel free to let us know!

I hope this has been helpful!

Laz

Thank you Laz.
I will play with it and let you know.

Hello,
I’m a little new to ASDM. I’m trying to configure an IPsec VPN with the wizard. When I get to the second page and try to select the outside interface, the wizard changes it back to the inside interface. It won’t allow me to select the outside interface. Has anyone seen this? Thanks.

Ken

All I’m seeing here is site-to-site but not remote access.

Ken

Very useful information. I do have one question though:
How many crypto maps can be applied in the outside interface?

Hello Ken

I haven’t come across such a situation before, and after doing some brief research online, I was unable to find any similar cases. This may be due to several factors that need further troubleshooting to identify.

One of the most common issues I have found with ASDM and Cisco ASA is compatibility issues that arise from the Java installed on your computer, as well as the version of the ASDM corresponding to the version of the ASA. The first thing I would do is ensure that you have the most up to date version of ASDM for the ASA version you are using.

If the issue persists, consider attempting to make the appropriate configurations using the CLI instead of the ASDM. Let us know how you get along in your troubleshooting so that we can help you further.

I hope this has been helpful!

Laz

Ok, thanks for your reply Laz.

Hello Johan

According to Cisco’s command reference for this command:

You can assign only one crypto map set to an interface. If multiple crypto map entries have the same map name but a different sequence number, they are part of the same set and are all applied to the interface. The ASA evaluates the crypto map entry with the lowest sequence number first.

I hope this has been helpful!

Laz

Hello Ken

If you want to take a look at a scenario for remote access VPNs using Cisco’s ASA, take a look at this lesson:

Let us know if we can help you any further.

Laz

Hi there,

I have been trying to play in a lab and see if I can configure a site-to-site VPN where I have one VPN peer on one side with dual ISP and multiple peers, for example four peers, at the other side, like one site being Main and the other Backup (DR), but both with Main/Backup.

I believe I renewed my subscription for the 3rd time; this site is the greatest resource I have had in the last 3 years.

I have been playing around with static routes and IP SLA… preparing to forget this trial of mine but figured I should ask first.

Thank you

Hello Laurentiu

It’s great to hear that you are finding the site very useful for you! We do our best to be relevant to what you need!

I’m not quite sure what you want to achieve with this topology. From the diagram, what I understand is that you want to create eight site-to-site VPNs, each one originating on the ASA at the left, with the four ASAs on the right. Since you have two connections to the ISP device, you want to create two VPN connections to each ASA, one via each physical link, right?

If this is the case, then you can achieve this by creating multiple VPNs using VTIs. Once this is done, then you simply need to configure your routing so you direct traffic over the VPN you want for each of the ASAs. The routing can be viewed as a somewhat independent mechanism of the creation of the VPNs. How you will achieve that routing depends on various aspects, however, static routes is one option, and another is indeed using IP SLAs in conjunction with static routes. However, in order to suggest something more specific, can you share some more information about why you want to create such a topology? That will help in ultimately configuring the necessary behavior.

I hope this has been helpful!

Laz

A user tries to access the application through the ASA firewall, but the connection is interrupted. I checked the debug log, which is listed below. Please advise.

##################

Jan 07 2023 18:52:27 <hostname> : %ASA-3-402145: CRYPTO: Hash generation error: algorithm 'sha1'
Jan 07 2023 18:52:27 <hostname> : %ASA-7-720041: (VPN-Primary) Sending Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) to standby unit
Jan 07 2023 18:52:27 <hostname> : %ASA-4-750003: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:10.1.110.33 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
Jan 07 2023 18:52:27 <hostname> : %ASA-6-302015: Built outbound UDP connection 314345 for outside2:10.1.110.33/500 (10.1.110.33/500) to identity:10.1.105.78/500 (10.1.105.78/500)
Jan 07 2023 18:52:50 <hostname> : %ASA-5-750007: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:10.1.110.33 IKEv2 SA DOWN. Reason: peer request
Jan 07 2023 18:52:50 <hostname> : %ASA-7-720041: (VPN-Primary) Sending Sync IKEV2 Parent Delete SA message (IKEv2 Msg ID 74) to standby unit
Jan 07 2023 18:52:50 <hostname> : %ASA-4-113019: Group = 10.1.110.33, Username = 10.1.110.33, IP = 10.1.110.33, Session disconnected. Session Type: LAN-to-LAN, Duration: 23h:59m:21s, Bytes xmt: 54985186, Bytes rcv: 236614885, Reason: User Requested
Jan 07 2023 18:52:50 <hostname> : %ASA-6-302016: Teardown UDP connection 314345 for outside2:10.1.110.33/500 to identity:10.1.105.78/500 duration 0:00:22 bytes 2197
Jan 07 2023 18:52:50 <hostname> : %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = outside2_map.  Map Sequence Number = 20.
Jan 07 2023 18:52:50 <hostname> : %ASA-5-750001: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.1.132.12-10.1.132.12 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.202.1.30-192.202.1.30 Protocol: 0 Port Range: 0-65535
Jan 07 2023 18:52:50 <hostname> : %ASA-6-302015: Built outbound UDP connection 314381 for outside2:10.1.110.33/500 (10.1.110.33/500) to identity:10.1.105.78/500 (10.1.105.78/500)
Jan 07 2023 18:52:50 <hostname> : %ASA-7-713906: IKE Receiver: Packet received on 10.1.105.78:500 from 10.1.110.33:500
Jan 07 2023 18:52:50 <hostname> : %ASA-7-713906: IKE Receiver: Packet received on 10.1.105.78:500 from 10.1.110.33:500
Jan 07 2023 18:52:50 <hostname> : %ASA-5-750006: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:10.1.110.33 IKEv2 SA UP. Reason: New Connection Established

###################################

Hello Yik

The syslogs that you shared with us seem to indicate that the first, and probably most significant, error taking place is one that involves the generation of the hash using SHA-1.

Jan 07 2023 18:52:27 <hostname> : %ASA-3-402145: CRYPTO: Hash generation error: algorithm 'sha1'

This message indicates an error in generating the hash using the SHA-1 algorithm. This is a significant issue as SHA-1 is fundamental to the secure communication and integrity of the IKEv2 VPN connection. This problem might lead to unsuccessful negotiation attempts.

The next important issue is the following message:

Jan 07 2023 18:52:27 <hostname> : %ASA-4-750003: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:10.1.110.33 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed

This message indicates that the IKEv2 negotiation was aborted due to an error. This is most likely due to the hash generation error seen in the first log message.

Next we see this message:

Jan 07 2023 18:52:50 <hostname> : %ASA-4-113019: Group = 10.1.110.33, Username = 10.1.110.33, IP = 10.1.110.33, Session disconnected. Session Type: LAN-to-LAN, Duration: 23h:59m:21s, Bytes xmt: 54985186, Bytes rcv: 236614885, Reason: User Requested

Note the “user requested” reason at the end. It seems that the VPN session attempt was manually disconnected.

Finally, at the very end, we see a successful establishment of a new connection:

Jan 07 2023 18:52:50 <hostname> : %ASA-5-750006: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:10.1.110.33 IKEv2 SA UP. Reason: New Connection Established

This seems to indicate that the previous problems were resolved.

Now this is just a description of what some of the messages here mean. In order to fully troubleshoot, we would need to know more about your particular VPN setup, what application was being accessed, and some more information about the configuration on the ASA. Can you share some more information so that we can help you further?

I hope this has been helpful!

Laz
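As a companion to the walkthrough above, here is a short Python triage script for ASA syslog of this shape. It is an added example, not Cisco tooling or anything from the post: it parses the `%ASA-severity-id` header, pulls the Local/Remote peer out of the IKEv2 messages, builds the SA timeline (request, aborted, down, up) and flags an aborted negotiation that was preceded within a few seconds by a hash-generation error, which is exactly the correlation drawn in the answer. The message IDs it labels (402145, 750001, 750003, 750006, 750007) and the sample lines are taken from the post; the event labels are derived from the message text of those lines, and the 5-second correlation window is an assumption.

```python
"""Parse and triage Cisco ASA syslog lines from an IKEv2 tunnel event (added example)."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Header format seen in the post: "Jan 07 2023 18:52:27 <hostname> : %ASA-3-402145: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d+): (?P<msg>.*)$"
)
PEER_RE = re.compile(r"Local:(?P<local>[\d.]+):\d+ Remote:(?P<remote>[\d.]+):\d+")

# IKEv2 SA lifecycle message IDs quoted in the post, labelled from their message text.
IKE_EVENTS = {
    "750001": "tunnel request",
    "750003": "negotiation aborted",
    "750006": "sa up",
    "750007": "sa down",
}
CRYPTO_ERROR_ID = "402145"  # "CRYPTO: Hash generation error"

# A subset of the syslog lines quoted in the post.
SAMPLE_LOG = """
Jan 07 2023 18:52:27 <hostname> : %ASA-3-402145: CRYPTO: Hash generation error: algorithm 'sha1'
Jan 07 2023 18:52:27 <hostname> : %ASA-7-720041: (VPN-Primary) Sending Sync IKEV2 Parent Msg ID message (IKEv2 Msg ID 75) to standby unit
Jan 07 2023 18:52:27 <hostname> : %ASA-4-750003: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:10.1.110.33 IKEv2 Negotiation aborted due to ERROR: Create child exchange failed
Jan 07 2023 18:52:50 <hostname> : %ASA-5-750007: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:10.1.110.33 IKEv2 SA DOWN. Reason: peer request
Jan 07 2023 18:52:50 <hostname> : %ASA-4-113019: Group = 10.1.110.33, Username = 10.1.110.33, IP = 10.1.110.33, Session disconnected. Session Type: LAN-to-LAN, Duration: 23h:59m:21s, Bytes xmt: 54985186, Bytes rcv: 236614885, Reason: User Requested
Jan 07 2023 18:52:50 <hostname> : %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = outside2_map.  Map Sequence Number = 20.
Jan 07 2023 18:52:50 <hostname> : %ASA-5-750001: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: 10.1.132.12-10.1.132.12 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: 192.202.1.30-192.202.1.30 Protocol: 0 Port Range: 0-65535
Jan 07 2023 18:52:50 <hostname> : %ASA-5-750006: Local:10.1.105.78:500 Remote:10.1.110.33:500 Username:10.1.110.33 IKEv2 SA UP. Reason: New Connection Established
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one syslog line into timestamp, host, severity, message ID, text and remote peer."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %Y %H:%M:%S")
    peer = PEER_RE.search(rec["msg"])
    rec["remote"] = peer.group("remote") if peer else None
    return rec


def parse_log(text: str) -> List[dict]:
    """Parse every well-formed line, silently skipping blank or foreign lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def severity_counts(text: str) -> Dict[int, int]:
    """Quick sense of how noisy the capture is: lines per syslog severity."""
    return dict(Counter(r["sev"] for r in parse_log(text)))


def ike_sa_timeline(text: str) -> List[tuple]:
    """(timestamp, remote peer, event) for each IKEv2 SA lifecycle message, in log order."""
    return [(r["ts"], r["remote"], IKE_EVENTS[r["msgid"]])
            for r in parse_log(text) if r["msgid"] in IKE_EVENTS]


def failed_negotiations(text: str, window: timedelta = timedelta(seconds=5)) -> List[dict]:
    """Each aborted negotiation, flagged if a hash-generation error was logged within `window` before it."""
    records = parse_log(text)
    found = []
    for i, rec in enumerate(records):
        if rec["msgid"] != "750003":
            continue
        preceded = any(
            prev["msgid"] == CRYPTO_ERROR_ID
            and timedelta(0) <= rec["time"] - prev["time"] <= window
            for prev in records[:i]
        )
        found.append({"ts": rec["ts"], "remote": rec["remote"], "preceded_by_crypto_error": preceded})
    return found


if __name__ == "__main__":
    print(severity_counts(SAMPLE_LOG))
    for event in ike_sa_timeline(SAMPLE_LOG):
        print(*event)
    print(failed_negotiations(SAMPLE_LOG))
```

On the sample, the timeline reads aborted, down, request, up for peer 10.1.110.33, and the single aborted negotiation is flagged because the `402145` hash error landed in the same second. Feeding the full syslog export rather than these few lines would show whether the abort/up cycle repeats, which is the first thing to check before asking for configuration details.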

Hello Team,

Thanks for taking the time to read this comm. I just have a question:
I have an ASA1 that I manage locally, to which a new link with a secondary ISP was recently added.
The main outside will go to a peer IP with destination x.x.x.x, and the idea of the security guys is to have another active VPN tunnel running at the same time through outside2 (the new ISP link) to the same peer IP. I have the crypto map and all the parameters ready, but I am not sure if IKEv2 will allow this to happen, so I am looking for assistance on this matter.

Thanks a lot for your help and your kind responses.

Hello Team, one question:
Can I build two different IKEv2 VPN tunnels to the same peer?

Hello Johan

Yes, it is possible to create multiple VPN tunnels between the same endpoints. Take a look at this NetworkLessons note on multiple VPNs between the same endpoints for more information. If you have any further questions, please feel free to let us know!

I hope this has been helpful!

Laz

Two questions.

The example above shows the static routes pointing to each other’s outside interface, or am I confused? Many examples I see online show the static route pointing to the next hop, which is usually the ISP gateway, right? That is, the WAN address of the ISP gateway? I need clarification.

My second question: if one side of the VPN has a router outside of the ASA that is in bridge mode, what requirements are needed for the site-to-site IKEv2 IPsec VPN to work correctly?