Cisco - How to configure an IKEv2 Site to Site IPSEC VPN ?
Within this article we will show you the steps required to build an IKEv2 IPSEC Site to Site VPN on a Cisco ASA firewall.
IKEv2 provides a number of benefits of its predecessor IKEv1, such as ability for asymmetric authentication methods, greater protection over IKE DoS attacks, interoperability between vendors for DPD/NAT-T, and less overhead and messages during SA establishment.
First of all we create our NAT exemption. This is to ensure that traffic is not NAT`d before being sent down the tunnel.
object-group network REMOTE-ENCDOM network-object <REMOTE ENCDOM> 255.255.255.0 object-group network LOCAL-ENCDOM network-object <LOCAL ENCDOM> 255.255.255.0 nat (inside,outside) 1 source static LOCAL-ENCDOM LOCAL-ENCDOM destination static REMOTE-ENCDOM REMOTE-ENCDOM
Next, we define our endpoints, i.e what we want to encrypt.
Note : The previously created object groups are used to define the local and remote endpoints.
access-list ENCDOM100 extended permit ip object-group LOCAL-ENCDOM object-group REMOTE-ENCDOM
Phase 1 Proposal
We then define our Phase 1 proposals. You may of spotted that multiple ciphers are defined for each "method". This is because IKEv2 sends across a single proposal containing multiple ciphers, compared to IKEv1 in which multiple proposals are sent.
crypto ikev2 enable outside crypto ikev2 policy 10 encryption 3des des integrity sha md5 group 5 prf sha lifetime seconds 86400
Phase 2 Proposal
Next, the Phase 2 proposals are configured.
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1 protocol esp encryption aes protocol esp integrity sha-1
At this point, the tunnel group is created. Just like IKEv1 the preshared key is defined. However, IKEv2 allows you to use different authentication methods for both local and remote authentication.
tunnel-group 172.16.1.1 type ipsec-l2l tunnel-group 172.16.1.1 ipsec-attributes ikev2 remote-authentication pre-shared-key <PRESHARED KEY> ikev2 local-authentication pre-shared-key <PRESHARED KEY>
Finally the crypto map is configured. This combines the previously created encryption domain, the remote peer, and the phase 2 policy into a single crypto map. This then assigned to the outside interface.
crypto map CRYPTOMAP 100 match address ENCDOM100 crypto map CRYPTOMAP 100 set peer <REMOTE PEER IP> crypto map CRYPTOMAP 100 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1 crypto map CRYPTOMAP interface outside crypto isakmp identity address
Debug / Show Commands
Here the most command debug and show commands,
- debug crypto ikev2 platform 5 - debug phase 1 (ISAKMP SA`s)
- debug crypto ikev2 protocol 5 - debug phase 1 (ISAKMP SA`s)
- debug crypto ipsec - debug phase 2 (IPSEC SA`s)
- show crypto ikev2 sa - show phase 1 SA`s
- show crypto ipsec sa - show phase 2 SA`s