KB ID 0001196
Problem
We’ve had IKEv2 support on Cisco ASA for a while (since version 8.4). I tend to set up site-to-site VPN tunnels at the command line, and on the rare occasions I’m using the ASDM I normally just ignore the IKEv2 settings. Like all techies, I know a way that works, so I will keep doing it that way.
What’s the difference between IKEv1 and IKEv2?
IKE version 2 is a lot more efficient and has a smaller network overhead, because it uses fewer messages to establish secure peers. With IKEv1 we had main mode (9 messages) and aggressive mode (6 messages), but IKEv2 has only one mode, and that has only 4 messages. With IKEv1 both ends of the tunnel needed to use the same method of authentication (usually a pre-shared key (PSK) or an RSA signature (digital certificate)), but with IKEv2 each end of the tunnel can use a different authentication method. NAT traversal is taken care of automatically, and DoS attacks can be mitigated by built-in anti-replay protection and cookie support to defend against flood attacks.
Solution
Migrating your tunnels from IKEv1 to IKEv2 is probably the easiest job you’ve been given (it can be done with one command). But doing something and understanding what’s happening are two different things.
I usually use AES-256 and SHA for site-to-site VPNs, so a typical config I would deploy would look like this:
[box]
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
[/box]
Assuming both sites are OK and the tunnel is up, if we look to see what’s happening with ISAKMP we see something like this.
[box]
Petes-ASA(config)# show crypto isakmp
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 123.123.123.123
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
[/box]
You do the entire conversion with one command, ‘migrate l2l’; if these are client-to-site VPNs you can use ‘migrate remote-access’ instead.
[box]
Petes-ASA(config)# migrate ?
configure mode commands/options:
l2l Migrate IKEv1 lan-to-lan configuration to IKEv2
overwrite Overwrite existing IKEv2 configuration
remote-access Migrate IKEv1 remote-access configuration to IKEv2/SSL
Petes-ASA(config)# migrate l2l
Petes-ASA(config)#
[/box]
Now ensure you do the same at the other end (or ensure the other vendor supports IKEv2). BE AWARE: by default, if you configure both IKEv1 and IKEv2, the ASA will fall back to IKEv1 if it cannot negotiate IKEv2. At this point we already have a tunnel established, so we need to ‘bounce’ the tunnel to get it to re-establish.
[box]
PetesASA(config)# clear crypto isakmp
PetesASA(config)# show cry isa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
87787277 123.123.123.123/500 2.2.2.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/7 sec
Child sa: local selector 10.0.0.0/0 - 10.0.0.255/65535
remote selector 10.0.3.0/0 - 10.0.3.255/65535
ESP spi in/out: 0xa5034be1/0x6c5de26e
[/box]
We are now running over IKEv2. To see how that has changed the config, compare the running config below with the original: the migration added the ikev2 lines (policy, enable, tunnel-group authentication, ipsec-proposals and the crypto map entry) and left the original ikev1 configuration in place.
[box]
!
crypto ikev2 policy 10
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
!
object network OBJ-MainSite
subnet 10.0.0.0 255.255.255.0
object network OBJ-RemoteSite
subnet 10.0.3.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit ip object OBJ-MainSite object OBJ-RemoteSite
nat (inside,outside) source static OBJ-MainSite OBJ-MainSite destination static OBJ-RemoteSite OBJ-RemoteSite no-proxy-arp route-lookup
!
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key 1234567
ikev2 remote-authentication pre-shared-key 1234567
ikev2 local-authentication pre-shared-key 1234567
isakmp keepalive threshold 10 retry 2
!
crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac
!
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
protocol esp encryption 3des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-MD5
protocol esp encryption aes
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-SHA
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-128-SHA
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
protocol esp encryption 3des
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-AES-192-MD5
protocol esp encryption aes-192
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-MD5
protocol esp encryption des
protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal ESP-DES-SHA
protocol esp encryption des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-AES-256-MD5
protocol esp encryption aes-256
protocol esp integrity md5
!
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.2
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
!
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
!
[/box]
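The migration leaves IKEv1 enabled alongside IKEv2 and generates a stack of default IKEv2 proposals, several of which use DES, 3DES or MD5. As an added example (not code from the original article or from Cisco), the Python script below reads a saved ASA running-config and reports whether IKEv1 fallback is still possible, whether the IKEv2 side is complete (enable, crypto map proposal and tunnel-group PSKs), and which auto-generated proposals use legacy algorithms. The sample config embedded in it is a constructed excerpt modelled on the post-migration output above, with a placeholder PSK.

```python
"""Audit an ASA config after 'migrate l2l' (added example, not from the article)."""
import re
WEAK_ALGS = {"des", "3des", "md5"}  # legacy algorithms in the auto-generated proposals

def parse_ikev2_proposals(config):
    """Map each 'crypto ipsec ikev2 ipsec-proposal' name to its ESP algorithms."""
    proposals, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line)
        if m:
            proposals[(current := m.group(1))] = set()
        elif current and line.startswith("protocol esp "):
            proposals[current].add(line.split()[-1])  # e.g. 'aes-256', 'md5'
        else:
            current = None  # any other line ends the proposal block
    return proposals

def audit_migration(config, interface="outside"):
    """Check IKEv1 fallback exposure, IKEv2 readiness and weak IKEv2 proposals."""
    lines = {l.strip() for l in config.splitlines()}
    ikev1_on = f"crypto ikev1 enable {interface}" in lines
    ikev2_on = f"crypto ikev2 enable {interface}" in lines
    map_v1 = any(re.match(r"crypto map \S+ \d+ set ikev1 transform-set", l) for l in lines)
    map_v2 = any(re.match(r"crypto map \S+ \d+ set ikev2 ipsec-proposal", l) for l in lines)
    psk_v2 = all(any(l.startswith(f"ikev2 {side}-authentication pre-shared-key") for l in lines)
                 for side in ("local", "remote"))
    weak = sorted(n for n, algs in parse_ikev2_proposals(config).items() if algs & WEAK_ALGS)
    return {
        "ikev1_fallback_possible": ikev1_on and ikev2_on and map_v1,  # both enabled + v1 map
        "ikev2_ready": ikev2_on and map_v2 and psk_v2,
        "weak_ikev2_proposals": weak,
    }

# Constructed excerpt modelled on the article's post-migration config (placeholder PSK).
SAMPLE_CONFIG = """
crypto ikev2 enable outside
crypto ikev1 enable outside
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal ESP-3DES-MD5
 protocol esp encryption 3des
 protocol esp integrity md5
crypto map CRYPTO-MAP 1 set ikev1 transform-set VPN-TRANSFORM
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
"""
```

Run it against `show running-config` output saved to a file; once the far end is confirmed on IKEv2, removing the `crypto ikev1` lines and the `set ikev1 transform-set` entry is what turns `ikev1_fallback_possible` off.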
Related Articles, References, Credits, or External Links
Cisco ASA 5500 Site to Site VPN (From CLI)