KB ID 0001196
Problem
We’ve had IKEv2 support on the Cisco ASA for a while (since version 8.4). I tend to set up site-to-site VPN tunnels at the command line, and on the rare occasions I’m using the ASDM I normally just ignore the IKEv2 settings. Like all techies, I know a way that works, so I keep doing it that way.
What’s the difference between IKEv1 and IKEv2?
IKE version 2 is more efficient and has less network overhead because it needs fewer messages to bring up the security associations. With IKEv1, main mode plus quick mode took 9 messages (6 + 3) and aggressive mode plus quick mode took 6 (3 + 3); IKEv2 has only one mode, a single exchange of 4 messages (IKE_SA_INIT and IKE_AUTH, two messages each). With IKEv1 both ends of the tunnel had to use the same method of authentication (usually a pre-shared key (PSK) or an RSA signature, i.e. a digital certificate), but with IKEv2 each end of the tunnel can authenticate differently, which is why the ASA configures the local and remote authentication separately. NAT traversal is negotiated automatically, and IKEv2 has built-in defences against denial of service: replay protection on the IKE messages themselves, and a cookie exchange that lets a responder avoid committing state or Diffie-Hellman work to a flood of spoofed initiation requests.
Solution
Migrating your tunnels from IKEv1 to IKEv2 is probably the easiest job you’ve been given (it can be done with one command). But doing something and understanding what’s happening are two different things.
I usually use AES-256 and SHA (SHA-1) for site-to-site VPNs, so a typical config I would deploy would look like this;
[box]
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
object network OBJ-MainSite
 subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
 subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 1234567
 isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
[/box]
Assuming both sites are OK and the tunnel is up, if we look at what’s happening with ISAKMP we see something like this.
[box]
Petes-ASA(config)# show crypto isakmp
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 123.123.123.123
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
[/box]
You do the entire conversion with one command, ‘migrate l2l’, or if these are client-to-site VPNs you can use ‘migrate remote-access’. (The ‘overwrite’ option replaces any IKEv2 configuration that already exists, so leave it off unless that is what you want.)
[box]
Petes-ASA(config)# migrate ?

configure mode commands/options:
 l2l Migrate IKEv1 lan-to-lan configuration to IKEv2
 overwrite Overwrite existing IKEv2 configuration
 remote-access Migrate IKEv1 remote-access configuration to IKEv2/SSL
Petes-ASA(config)# migrate l2l
Petes-ASA(config)#
[/box]
Now do the same at the other end (or make sure the other vendor’s device supports IKEv2). BE AWARE: when both IKEv1 and IKEv2 are configured on the crypto map, the ASA initiates with IKEv2 and falls back to IKEv1 if it cannot negotiate IKEv2, so a tunnel whose far end was not migrated will quietly stay on IKEv1. The migration also leaves all of the IKEv1 configuration in place; if you want IKEv2 to be mandatory you have to remove those lines yourself. At this point we already have a tunnel established, so we need to ‘bounce’ the tunnel to get it to re-establish.
[box]
PetesASA(config)# clear crypto isakmp
PetesASA(config)# show cry isa
There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local Remote Status Role
87787277 123.123.123.123/500 2.2.2.2/500 READY INITIATOR
 Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
 Life/Active Time: 86400/7 sec
Child sa: local selector 10.0.0.0/0 - 10.0.0.255/65535
 remote selector 10.0.3.0/0 - 10.0.3.255/65535
 ESP spi in/out: 0xa5034be1/0x6c5de26e
[/box]
We are now running over IKEv2 (the output above shows no IKEv1 SAs, AES-256 with SHA-1 integrity, DH group 2 and PSK authentication in both directions). To see how that has changed the config, compare the differences below. The migration added an IKEv2 policy mirroring the IKEv1 one, enabled IKEv2 on the outside interface, added ‘ikev2 remote-authentication’ and ‘ikev2 local-authentication’ pre-shared keys to the tunnel-group (copied from the IKEv1 key), created an IKEv2 IPsec proposal named after the IKEv1 transform set, and attached that proposal to the crypto map. Note what it did not do: the IKEv1 policy, transform set and crypto map binding are all still there, and the ASA’s default IKEv2 proposals, which include DES, 3DES and MD5, are listed alongside. Only VPN-TRANSFORM is referenced by the crypto map, so the weak defaults are not offered on this tunnel, but they are worth knowing about before someone attaches one of them later.
[box]
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
object network OBJ-MainSite
 subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
 subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key 1234567
 ikev2 remote-authentication pre-shared-key 1234567
 ikev2 local-authentication pre-shared-key 1234567
 isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-MD5
 protocol esp encryption aes
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-SHA
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-SHA
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
 protocol esp encryption 3des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-MD5
 protocol esp encryption aes-192
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-MD5
 protocol esp encryption des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-SHA
 protocol esp encryption des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-MD5
 protocol esp encryption aes-256
 protocol esp integrity md5
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
!
[/box]
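As an added example, not part of the original article, here is the same tunnel rewritten as an IKEv2-only configuration: the IKEv1 lines that the migration leaves behind are removed so the ASA cannot fall back, the unused default proposals are simply not referenced, and the weaker settings carried over from the IKEv1 policy (SHA-1 and DH group 2) are replaced with SHA-256 and DH group 14 for both the IKE SA and PFS. The SHA-256 and group 14 keywords assume a current ASA 9.x release, the proposal name VPN-PROPOSAL-AES256-SHA256 is my own choice, and the peer addresses and pre-shared key are the article’s placeholder values (use a long random PSK in practice). The far end must be configured to match before you bounce the tunnel.

```cisco
! Added example (not the article's own config): IKEv2-only version of the tunnel.
! Assumes ASA 9.x for the sha256 / group 14 keywords; check 'crypto ikev2 policy ?' on your release.
!
! 1. Remove the IKEv1 leftovers so IKEv2 is mandatory (plain 'no' forms of the article's lines)
no crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
no crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
no crypto ikev1 policy 10
no crypto ikev1 enable outside
!
! 2. IKE SA: same AES-256, but SHA-256 integrity/PRF and a 2048-bit DH group instead of SHA-1 / group 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! 3. Child (IPsec) SA: one explicit proposal; the default DES/3DES/MD5 proposals stay unreferenced
crypto ipsec ikev2 ipsec-proposal VPN-PROPOSAL-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! 4. Objects, interesting traffic and NAT exemption are unchanged from the article
object network OBJ-MainSite
 subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
 subnet 10.0.3.0 255.255.255.0
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
! 5. Tunnel group: IKEv2 authenticates each direction separately, so both keys are set explicitly
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key 1234567
 ikev2 local-authentication pre-shared-key 1234567
 isakmp keepalive threshold 10 retry 2
!
! 6. Crypto map: only the IKEv2 proposal is attached; PFS group matches the IKE policy
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group14
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-PROPOSAL-AES256-SHA256
crypto map CRYPTO-MAP interface outside
!
! 7. Verify after bouncing the tunnel: 'show crypto ikev2 sa' should show the peer READY with
!    Hash SHA256 and DH Grp 14, and 'show crypto ikev1 sa' should report no IKEv1 SAs.
```

The order matters when pasting: removing the IKEv1 transform set before the crypto map entry that references it is rejected, which is why the crypto map line is negated first. Once this is in on both ends, ‘clear crypto isakmp’ forces the renegotiation, and the ‘show crypto ikev2 sa’ output is the check that the tunnel is really on IKEv2 with the intended algorithms rather than on a silent IKEv1 fallback.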