If you are running ASA 8.4 code and have existing IKEv1 VPN sessions (remote access VPNs or site-to-site tunnels), you may want to take advantage of the benefits offered by IKEv2 (Internet Key Exchange version 2, RFC 4306) and migrate those sessions for better network resiliency, improved SA negotiation and other benefits. First we will look at the IKEv2 benefits, then run the migration command (yes, a single command), and then add additional features to the mix. IKEv2 support was introduced in ASA 8.4 and AnyConnect 3.0 code.

IKEv2 Benefits:

There are several benefits to running IKEv2 compared to IKEv1. IKEv2 offers:

  • Improved network attack resiliency: IKEv2 offers denial of service prevention using cookies (the responder can challenge an initiator before committing state to a half-open SA)
  • Less overhead: IKEv2 requires fewer negotiation messages
  • Reduced complexity in IPsec establishment: features such as Dead Peer Detection, NAT Traversal (NAT-T) and Initial Contact are built into the protocol
  • Faster rekey time: IKEv2 offers better rekeying and collision handling
  • Authentication: IKEv2 offers a built-in Configuration Payload and user authentication (using EAP), and it allows unidirectional (asymmetric) authentication as well

Interoperability Issues:

Some interoperability issues need to be kept in mind:

  • IKEv2 does not interoperate with IKEv1
  • An IPsec VPN cannot be established between a crypto device using IKEv2 and another crypto device using IKEv1, for security reasons

IKEv2 Migration Benefits:

  • The ASA supports fallback to IKEv1 for easy migration, i.e. running both IKEv1 and IKEv2 in parallel also provides a rollback mechanism and makes migration easier
  • You can use a single command to migrate an existing ASA running IKEv1 VPN to IKEv2 VPN on ASA 8.4 code: "migrate L2L"
  • After issuing this command, the ASA uses the IKEv1 settings to automatically add the new lines of configuration required for the IKEv2 VPN
  • Running both IKEv1 and IKEv2 in parallel allows an IPsec VPN initiator to fall back from IKEv2 to IKEv1 when a protocol or configuration issue with IKEv2 would otherwise cause the connection attempt to fail

Existing IKEv1 VPN Configuration:

Here is our existing IKEv1 VPN configuration:

> IKEv1 ISAKMP Policy

crypto ikev1 enable outside
!
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
!

> IKEv1 IPSec Transform Set

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!

> Group Policy

group-policy GP_L2LVPN internal
group-policy GP_L2LVPN attributes
 vpn-tunnel-protocol ikev1
!

> L2L Tunnel Group (Connection Profile)

tunnel-group 40.40.40.5 type ipsec-l2l
!
tunnel-group 40.40.40.5 general-attributes
default-group-policy GP_L2LVPN
!
tunnel-group 40.40.40.5 ipsec-attributes
ikev1 pre-shared-key c1sc0s3c
isakmp keepalive threshold 10 retry 2
!

> Crypto Map

crypto map CMAP_VPN 1 match address VPN-INTERESTING-TRAFFIC
crypto map CMAP_VPN 1 set pfs group2
crypto map CMAP_VPN 1 set peer 40.40.40.5
crypto map CMAP_VPN 1 set ikev1 transform-set ESP-3DES-SHA
!
crypto map CMAP_VPN interface outside
!

Running the Migration Command:

Run the migration command ("migrate L2L", from configuration mode) and then look at the changes it added to the existing configuration. The original IKEv1 lines stay in place; the command only adds IKEv2 lines beside them.

New IKEv2 VPN Configuration:

Here is, bit by bit, the new IKEv2 configuration as shown by the running configuration after migration:

> IKEv2 ISAKMP Policy

ASA1(config)# show run crypto ikev2
crypto ikev2 policy 10
encryption 3des
integrity sha
group 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
!

> IKEv2 IPSec Proposal

ASA1(config)# sh run crypto ipsec
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal ESP-3DES-SHA
 protocol esp encryption 3des
 protocol esp integrity sha-1
!

> Group Policy

ASA1(config)# sh run group-policy
group-policy GP_L2LVPN internal
group-policy GP_L2LVPN attributes
 vpn-tunnel-protocol ikev1 ikev2
!

> Tunnel Group

ASA1(config)# sh run tunnel-group
tunnel-group 40.40.40.5 type ipsec-l2l
tunnel-group 40.40.40.5 general-attributes
 default-group-policy GP_L2LVPN
tunnel-group 40.40.40.5 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!

> Crypto Map

ASA1(config)# sh run crypto map
crypto map CMAP_VPN 1 match address VPN-INTERESTING-TRAFFIC
crypto map CMAP_VPN 1 set pfs
crypto map CMAP_VPN 1 set peer 40.40.40.5
crypto map CMAP_VPN 1 set ikev1 transform-set ESP-3DES-SHA
crypto map CMAP_VPN 1 set ikev2 ipsec-proposal ESP-3DES-SHA
crypto map CMAP_VPN interface outside
!
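To make the mapping between the two configurations explicit, the script below is an added example (not Cisco's code and not part of the original post) that emulates in Python the rewrite the page attributes to "migrate L2L": it parses the IKEv1 lines and derives the IKEv2 lines that appear beside them in the output above (policy, ipsec-proposal, group-policy, tunnel-group keys and crypto map entry). The sample input is a constructed copy of the existing IKEv1 configuration with a placeholder pre-shared key; the rewrite rules are inferred from the before/after output on the page, and the AES keyword mappings in the tables are assumptions added for completeness.

```python
"""Emulate the IKEv1 -> IKEv2 configuration mapping that "migrate l2l" performs.

Added example, not Cisco's implementation: the rewrite rules are inferred
from the before/after configuration shown on the page.  Output lines are what
the migration adds alongside the existing IKEv1 lines; nothing is removed.
"""
import re

# Constructed sample input: the page's IKEv1 L2L configuration with a
# placeholder instead of a real pre-shared key.
IKEV1_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
group-policy GP_L2LVPN internal
group-policy GP_L2LVPN attributes
 vpn-tunnel-protocol ikev1
tunnel-group 40.40.40.5 type ipsec-l2l
tunnel-group 40.40.40.5 general-attributes
 default-group-policy GP_L2LVPN
tunnel-group 40.40.40.5 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK
 isakmp keepalive threshold 10 retry 2
crypto map CMAP_VPN 1 match address VPN-INTERESTING-TRAFFIC
crypto map CMAP_VPN 1 set pfs group2
crypto map CMAP_VPN 1 set peer 40.40.40.5
crypto map CMAP_VPN 1 set ikev1 transform-set ESP-3DES-SHA
crypto map CMAP_VPN interface outside
"""

# IKEv1 transform-set keywords -> IKEv2 ipsec-proposal keywords.  The 3DES/SHA
# pair comes from the page; the AES and MD5 entries are assumed.
ESP_ENCRYPTION = {"esp-3des": "3des", "esp-aes": "aes",
                  "esp-aes-192": "aes-192", "esp-aes-256": "aes-256"}
ESP_INTEGRITY = {"esp-sha-hmac": "sha-1", "esp-md5-hmac": "md5"}


def parse_blocks(config):
    """Group running-config text into (command, [sub-commands]) pairs.

    ASA indents sub-commands with one space under their parent command;
    '!' separator lines and blank lines are skipped.
    """
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def migrate_l2l(config):
    """Return the IKEv2 lines derived from the IKEv1 lines in `config`."""
    out = []
    for cmd, subs in parse_blocks(config):
        words = cmd.split()
        if cmd.startswith("crypto ikev1 enable "):
            # Enable IKEv2 on the same interface.
            out.append(f"crypto ikev2 enable {words[3]}")
        elif cmd.startswith("crypto ikev1 policy "):
            # IKEv1 'hash' becomes both 'integrity' and 'prf' in IKEv2;
            # the lifetime keyword gains an explicit 'seconds' unit.
            attrs = dict(s.split(None, 1) for s in subs if " " in s)
            out += [f"crypto ikev2 policy {words[3]}",
                    f" encryption {attrs['encryption']}",
                    f" integrity {attrs['hash']}",
                    f" group {attrs['group']}",
                    f" prf {attrs['hash']}",
                    f" lifetime seconds {attrs['lifetime']}"]
        elif cmd.startswith("crypto ipsec ikev1 transform-set "):
            # A transform-set becomes an ipsec-proposal of the same name.
            name, *algs = words[4:]
            out.append(f"crypto ipsec ikev2 ipsec-proposal {name}")
            for alg in algs:
                if alg in ESP_ENCRYPTION:
                    out.append(f" protocol esp encryption {ESP_ENCRYPTION[alg]}")
                elif alg in ESP_INTEGRITY:
                    out.append(f" protocol esp integrity {ESP_INTEGRITY[alg]}")
        elif cmd.startswith("group-policy ") and cmd.endswith(" attributes"):
            # Permit IKEv2 in addition to IKEv1; keeping ikev1 is what
            # preserves the fallback described in the post.
            for s in subs:
                if s.startswith("vpn-tunnel-protocol") and "ikev2" not in s.split():
                    out += [cmd, f" {s} ikev2"]
        elif cmd.startswith("tunnel-group ") and cmd.endswith(" ipsec-attributes"):
            # The single IKEv1 PSK becomes the IKEv2 local and remote keys.
            for s in subs:
                if s.startswith("ikev1 pre-shared-key "):
                    psk = s.split(None, 2)[2]
                    out += [cmd,
                            f" ikev2 remote-authentication pre-shared-key {psk}",
                            f" ikev2 local-authentication pre-shared-key {psk}"]
        elif re.match(r"crypto map \S+ \d+ set ikev1 transform-set \S+$", cmd):
            # The crypto map entry gets a matching ikev2 ipsec-proposal line.
            out.append(cmd.replace("set ikev1 transform-set",
                                   "set ikev2 ipsec-proposal"))
    return out


if __name__ == "__main__":
    print("\n".join(migrate_l2l(IKEV1_CONFIG)))
```

Running the script prints the same additions the page shows under "New IKEv2 VPN Configuration" (with the placeholder key in place of the masked one). Because the function only ever adds lines, it also doubles as a pre-change review aid: diff its output against the lines the ASA actually added after "migrate L2L" to confirm that nothing unexpected (a different proposal name, a missing local-authentication key) slipped into the running configuration.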

Additional IKEv2 VPN Configuration:

You can add more features required by your organization, e.g. cookie challenge and SA limits, to take advantage of IKEv2's features. With "cookie-challenge always" the ASA answers every new initiator with a cookie challenge before it allocates state for the SA, which blunts SA-flood denial of service; "limit max-sa 100" caps the number of IKEv2 SAs the ASA will hold at once.

crypto ikev2 cookie-challenge always
crypto ikev2 limit max-sa 100
!

CONCLUSION:

Remember that both peers need IKEv2 enabled in order to negotiate an IKEv2 VPN tunnel. With our configuration, if the remote peer does not have IKEv2 enabled, it can still fall back to the existing IKEv1 VPN tunnel since we are in a migration phase. Once the migration phase is complete, you can remove the IKEv1 configuration.

Thanks!


One Response to “ASA 8.4 : Migrating IKEv1 VPN Sessions to IKEv2”

  1. Clarinda says:

    Kindly post more on IKEv2 implementation.
    Thanks
