We're Sorry, Full Content Access is for Members Only...

Content created by Rene Molenaar (CCIE #41726)





Notable Replies

  1. djlc79 says:

    The only other thing I had to do to get this working at work was to configure NAT exemptions.

  2. Hi Rene,

    I want to use two ASA 5525-X firewalls in an Active/Active design. The branch office wants to use the AnyConnect VPN client. Is this possible or not?

  3. Hi Naing,

    From what I know, this is impossible. ASA 9.x does support some site-to-site VPNs with Active/Active, but not remote-access VPN or AnyConnect.

    Rene

  4. Hello Rene,

    We have a couple of IKEv1 L2L VPN tunnels with our vendors. We want to migrate one of the IKEv1 L2L VPN tunnels to IKEv2. I know there is a command for a swift migration, "migrate l2l", but I believe it will migrate all of my IKEv1 L2L VPN tunnels. Is there a way that I can migrate just that particular IKEv1 L2L VPN to IKEv2? Or do I have to do the configuration for it from scratch? I will really appreciate your help.

    Thanks
    Umer

  5. Hello Umer,

    To answer your question, it really depends on what you want to do. First of all, I am assuming that you are using ASA 8.X (although I believe with relative certainty that the following is supported for 9.X as well). I am also assuming that these tunnels are to different vendors. This is important because, according to Cisco, "Multiple peers used for redundancy is not supported with IKEv2 on the ASA." Only IKEv1 supports this. So if these tunnels are redundant tunnels to the same vendor, don't migrate to IKEv2.

    Now, when you use the migration command, you are correct that all IKEv1 tunnels are migrated to IKEv2. However, the current IKEv1 configurations are not removed. IKEv1 and IKEv2 both run in parallel on the same crypto map, and IKEv1 acts as a backup for IKEv2.

    So, assuming you issue the migrate command and migrate everything, the IKEv2 tunnel will be created and will function as you desire (if the other end is configured correctly as well), while the tunnel you want to keep on IKEv1 will remain as such, since it will fall back to IKEv1 if IKEv2 cannot be established.

    You can then tweak your configuration and remove any IKEv2 configuration from that particular tunnel.

    Cisco has very good and detailed documentation for this procedure and you can find it here: http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113597-ptn-113597.html

    I hope this has been helpful!

    Laz
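
The procedure Laz describes above, shown as an added ASA configuration example (not from the original post, Cisco's documentation, or the thread participants). It assumes ASA 9.x, an outside interface named `outside`, an existing IKEv1 crypto map `outside_map` with entries 10 and 20 for two different vendors, and the placeholder peer addresses, ACL names and pre-shared keys below; all of those names and values are made up for illustration. It shows what the crypto map looks like after `migrate l2l` (both IKEv1 and IKEv2 on each entry), how to strip IKEv2 from the one tunnel that must stay IKEv1, and the show commands to confirm which version each tunnel actually negotiated.

```cisco
! --- Step 1: state after "migrate l2l" on the ASA (IKEv2 added next to the existing IKEv1) ---
! IKEv2 is enabled on the outside interface and an IKEv2 policy/proposal now exist.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Entry 10: Vendor A (203.0.113.10 is a placeholder). Both "set ikev1 transform-set"
! and "set ikev2 ipsec-proposal" are present, so IKEv2 is tried first and IKEv1 is the fallback.
crypto map outside_map 10 match address VENDOR_A_ACL
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 10 set ikev2 ipsec-proposal AES256-SHA256

! Entry 20: Vendor B (198.51.100.20 is a placeholder), which must stay on IKEv1.
crypto map outside_map 20 match address VENDOR_B_ACL
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set ikev1 transform-set ESP-AES-SHA
crypto map outside_map 20 set ikev2 ipsec-proposal AES256-SHA256

! The tunnel-groups carry both IKEv1 and IKEv2 pre-shared keys (PSK values are placeholders).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key VendorA-PSK-placeholder
 ikev2 remote-authentication pre-shared-key VendorA-PSK-placeholder
 ikev2 local-authentication pre-shared-key VendorA-PSK-placeholder

tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key VendorB-PSK-placeholder
 ikev2 remote-authentication pre-shared-key VendorB-PSK-placeholder
 ikev2 local-authentication pre-shared-key VendorB-PSK-placeholder

! --- Step 2: remove IKEv2 from the Vendor B tunnel only, leaving Vendor A on IKEv2 with IKEv1 fallback ---
no crypto map outside_map 20 set ikev2 ipsec-proposal AES256-SHA256
tunnel-group 198.51.100.20 ipsec-attributes
 no ikev2 remote-authentication pre-shared-key
 no ikev2 local-authentication pre-shared-key

! --- Step 3: verify which IKE version each peer negotiated ---
! Vendor A should appear under ikev2; Vendor B should appear only under ikev1.
show crypto ikev2 sa
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10
```

Once Vendor A is confirmed up on IKEv2 at both ends, the IKEv1 fallback on entry 10 (the `set ikev1 transform-set` line and the `ikev1 pre-shared-key`) is worth removing deliberately rather than leaving indefinitely: as long as it is present, a misconfiguration or an outage of IKEv2 on the far side silently lands the tunnel back on IKEv1 and the older transform set, and nothing in the crypto map itself will tell you that happened other than the `show crypto ikev1 sa` output.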
