Cisco ASA – Converting IKEv1 VPN Tunnels to IKEv2

KB ID 0001196 

Problem

We’ve had IKEv2 support on Cisco ASA for a while, (since  version 8.4). I tend to setup site to site VPN tunnels at command line, and on the rare occasions I’m using the ASDM I normally just ignore the IKEv2 settings. Like all techies I know a way that works, so I will keep doing it that way.

What’s the difference between IKEv1 and IKEv2?

IKE version 2 is a lot more efficient and has a smaller network overhead, this is because it uses less messages to establish secure peers. Back with IKEv1 we had main mode (9 messages), and aggressive mode (6 messages), but IKEv2 only has one mode and that has only 4 messages. Back with IKEv1 both ends of the tunnel needed to use the same method of authentication (usually a shared secret (PSK) or an RSA Signature (Digital certificate). But with IKEv2 each end of the tunnel can use a different authentication method. Nat Traversal is automatically taken care of, and DoS Attacks can be mitigated by built in anti-replay, and cookie support to defend against flood attacks.

 

Solution

Migrating your tunnels from IKEv1 to IKEv2 is probably the easiest job you’ve been given, (it can be done with one command). But doing something, and understanding whats happening are two different things.

I usually use AES-256 and SHA for site to site VPNs so a typical config I would deploy would look like this;

crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside

Assuming both sites are OK and the tunnel is up, if we look to see what’s happening with ISAKMP we see something like this.

Petes-ASA(config)# show crypto isakmp
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 123.123.123.123
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

You do the entire conversion with one command ‘migrate l2l’, or if these are client to site VPNS you can use ‘migrate remote-access’

Petes-ASA(config)# migrate ?

configure mode commands/options:
  l2l            Migrate IKEv1 lan-to-lan configuration to IKEv2
  overwrite      Overwrite existing IKEv2 configuration
  remote-access  Migrate IKEv1 remote-access configuration to IKEv2/SSL
  
Petes-ASA(config)# migrate l2l
Petes-ASA(config)#

Now ensure you do the same at the other end, (or ensure the other vendor supports IKEv2). BE AWARE: By default if you configure IKEv1 and IKEv2 the ASA will fall back to IKEv1 if it cannot negotiate IKEv2. At this point we already have a tunnel established, so we need to ‘bounce’ the tunnel to get it to re-esablish.

PetesASA(config)# clear crypto isakmp
PetesASA(config)# show cry isa
There are no IKEv1 SAs
IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
 87787277       123.123.123.123/500      2.2.2.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/7 sec
Child sa: local selector  10.0.0.0/0 - 10.0.0.255/65535
          remote selector 10.0.3.0/0 - 10.0.3.255/65535
          ESP spi in/out: 0xa5034be1/0x6c5de26e

We are now running over IKEv2, to see how that’s changed the config see the differences below, highlighted in blue.

!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-MD5
 protocol esp encryption aes
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-SHA
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-SHA
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-MD5
 protocol esp encryption aes-192
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-MD5
 protocol esp encryption des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-SHA
 protocol esp encryption des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-MD5
 protocol esp encryption aes-256
 protocol esp integrity md5
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
!

 

Related Articles, References, Credits, or External Links

Cisco ASA 5500 Site to Site VPN (From CLI)

Author: PeteLong

Share This Post On

4 Comments

  1. “By default if you configure IKEv1 and IKEv2 the ASA will fall back to IKEv1 if it cannot negotiate IKEv1.” => I think there’s something wrong in there 😉

    Post a Reply
    • Well spotted – Need more Coffee!! Updated ThanQ

      Post a Reply
  2. Very helpful! Do you have a guide on setting up Ikev2 from scratch and what the differences are?

    Post a Reply
    • IKEv2 from scratch – yes, see the search bar above ^^ Differences: there’s another one for IKEv1 put them side by side.

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *