Cisco ASA Site-to-Site IKEv2 IPSEC VPN

IKEv2 was published as RFC 5996 in September 2010 and is fully supported on Cisco ASA firewalls. In this lesson you will learn how to configure a site-to-site IKEv2 IPsec VPN. If you haven’t seen it before, in a previous lesson I showed you how to configure an IKEv1 IPsec VPN.

We will use the following topology for this example:

[Topology diagram: ASA1 and ASA2 site-to-site IPsec VPN, with R1 behind ASA1 and R2 behind ASA2]

ASA1 and ASA2 are able to reach each other through their “OUTSIDE” Ethernet 0/1 interfaces. Their Ethernet 0/0 interfaces are the “INSIDE” where we have R1 and R2. The goal is to configure IKEv2 IPSEC site-to-site VPN between ASA1 and ASA2 so that R1 and R2 are able to reach each other.

Configuration

First we will configure the IKEv2 policy which is similar to phase 1 of IKEv1.

IKEv2 Policy Configuration

Here’s what it looks like for both ASA firewalls:

ASA1 & ASA2#
(config)# crypto ikev2 policy 10
(config-ikev2-policy)# encryption aes
(config-ikev2-policy)# group 2
(config-ikev2-policy)# prf sha
(config-ikev2-policy)# lifetime seconds 86400

The configuration is similar to the IKEv1 policy; the only new command is prf sha. PRF is the pseudo-random function algorithm, which uses the same hash algorithm as the integrity check.

IKEv2 IPSEC Proposal

This section is similar to phase 2 of IKEv1, where we have to configure a transform set. For IKEv2 we call this the IPsec proposal, which is configured like this:

ASA1 & ASA2#
(config)# crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
(config-ipsec-proposal)# protocol esp encryption aes
(config-ipsec-proposal)# protocol esp integrity sha-1

We will use ESP, with AES as the encryption algorithm and SHA-1 for integrity. The next step is to configure an access-list that defines what traffic we will encrypt:

ASA1(config)# access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2
ASA2(config)# access-list LAN2_LAN1 extended permit ip host 192.168.2.2 host 192.168.1.1

Now we have to configure a crypto map that combines the access-list, remote peer and IKEv2 proposal together:

ASA1(config)# crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
ASA2(config)# crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

The crypto map is called “MY_CRYPTO_MAP” and it specifies the access-list, the remote peer and the IKEv2 proposal. It has been attached to the OUTSIDE interface.

The next step is to configure a tunnel group, which is where we define authentication and the pre-shared key.
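As an added example (my own code, not from the lesson or from Cisco), here is a small Python checker that parses the IKEv2 policy, IPsec proposal and crypto ACL out of both peers' running-configs and reports the mismatches that make phase 1 or phase 2 negotiation fail. The config fragments are constructed from the lesson's values; the tunnel group and crypto map lines are not parsed.

```python
# Added example (not part of the lesson): cross-check two ASA running-configs
# for the IKEv2 site-to-site mismatches that make phase 1/2 fail, such as the
# DH group mismatch behind the "No proposal chosen" error in the forum replies.
import re

def parse_asa(cfg):
    info, section = {"policy": {}, "proposal": set(), "acl": None}, None
    for line in cfg.splitlines():
        s = line.strip()
        if not line.startswith(" "):           # top-level command: enter or leave a sub-mode
            section = "policy" if s.startswith("crypto ikev2 policy") else (
                "proposal" if s.startswith("crypto ipsec ikev2 ipsec-proposal") else None)
        elif section == "policy" and s:        # e.g. " encryption aes"
            k, v = s.split(" ", 1)
            info["policy"][k] = v
        elif section == "proposal" and s:      # e.g. " protocol esp integrity sha-1"
            info["proposal"].add(s)
        if m := re.match(r"access-list \S+ extended permit ip host (\S+) host (\S+)", s):
            info["acl"] = (m.group(1), m.group(2))
    return info

def check_peers(a, b):
    """Return the mismatches between two parsed peers (empty list = consistent)."""
    issues = []
    # IKEv2 does not negotiate lifetimes, so only the transform attributes must agree.
    for k in sorted((a["policy"].keys() | b["policy"].keys()) - {"lifetime"}):
        if a["policy"].get(k) != b["policy"].get(k):
            issues.append(f"ikev2 policy {k}: {a['policy'].get(k)} vs {b['policy'].get(k)}")
    if a["proposal"] != b["proposal"]:
        issues.append("ipsec-proposal transforms differ")
    if not a["acl"] or not b["acl"] or a["acl"] != b["acl"][::-1]:
        issues.append("crypto ACLs missing or not mirror images")   # ASA2's must be ASA1's reversed
    return issues

# Constructed running-config fragments using the lesson's names and addresses.
ASA1 = """crypto ikev2 policy 10
 encryption aes
 group 2
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2"""
# ASA2 mirrors ASA1 except for a deliberate "group 5" to show the detection.
ASA2 = ASA1.replace("group 2", "group 5").replace("LAN1_LAN2", "LAN2_LAN1") \
    .replace("host 192.168.1.1 host 192.168.2.2", "host 192.168.2.2 host 192.168.1.1")

print(check_peers(parse_asa(ASA1), parse_asa(ASA2)))  # ['ikev2 policy group: 2 vs 5']
```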

Content created by Rene Molenaar (CCIE #41726)


Forum Replies

  1. Hi Mark,

    It sounds like your ASA isn’t configured correctly for NAT. It should be configured to translate all traffic from the 192.168.2.0/24 subnet that exits the outside interface UNLESS the destination is 192.168.39.0/24 (the other end of the VPN).

    You can use this example for PAT:

    Cisco ASA PAT configuration

    The only thing left to do is to create an exception for your VPN traffic, like this:

    object network LOCAL_SUBNET
     subnet 192.168.2.0 255.255.255.0

    object network REMOTE_SUBNET
     subnet 192.168.39.0 255.255.255.0

    nat (LOCAL_SUBNET,OUTSIDE) source stati
    ... Continue reading in our forum

  2. Hi Zaman,

    Aggressive mode can be configured in the crypto map:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive

    And transport mode in the transform set:

    ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET mode ?

    configure mode commands/options:
      transport  mode transport

    The first lifetime (ikev1 policy) is for phase 1 and the lifetime in the crypto map is for phase 2.

    Rene

  3. Hello Rene,

    What do the following two commands mean for IKE phase-1 and IKE Phase-2 :

    IKE phase-1:

    ASA1(config-ikev1-policy)# lifetime 4800

    IKE Phase-2:

    ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3000

    I think IKE phase-1 will be deleted after 4800 (if there is no traffic on the tunnel) and IKE phase-2 will be deleted after 3000 (if there is no traffic on the tunnel). If traffic keeps flowing on the tunnel, what will happen? Will IKE phase-1 and IKE phase-2 be re-negotiated after expiration or not? Please explain.

    Many Thanks

    br//
    zaman

  4. We have a 5505 firewall where I have created a site-to-site VPN. The first time I created the crypto policy with group 2 and then changed it to the below.

    Phase 1 failure: Mismatched attribute types for class Group Description: Rcv’d: Group 5 Cfg’d: Group 2Group
    192.168.1.1, IP = 192.168.1.1, Received non-routine Notify message: No proposal chosen (14)

    Phase 1 (Main mode)
    Lifetime: 86400s (1 day)
    Encryption: AES256
    Hash: SHA1 Key-Ex:
    Group5
    Phase 2
    Lifetime: 3600s (1 hour)
    Encryption: AES256
    Hash: SHA1
    PFS: Group5
    Below is my firewall config.

    crypto ikev1 policy 170
    authenti

    ... Continue reading in our forum

  5. Hi Rene,

    I modified the network in your example with a few more nodes on each site. The network diagram is attached.

    The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
    Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.

    However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the pi

    ... Continue reading in our forum
