
Cisco - How to configure an IKEv2 Site to Site IPSEC VPN?

Within this article we will show you the steps required to build an IKEv2 IPSEC Site to Site VPN on a Cisco ASA firewall.

IKEv2 provides a number of benefits over its predecessor IKEv1, such as support for asymmetric authentication methods, greater protection against IKE DoS attacks, vendor interoperability for DPD/NAT-T, and less overhead and fewer messages during SA establishment.

NAT Exemption

First of all, we create our NAT exemption. This ensures that traffic is not NAT'd before being sent down the tunnel.

object-group network REMOTE-ENCDOM
 network-object <REMOTE ENCDOM> 255.255.255.0
object-group network LOCAL-ENCDOM
 network-object <LOCAL ENCDOM> 255.255.255.0

nat (inside,outside) 1 source static LOCAL-ENCDOM LOCAL-ENCDOM destination static REMOTE-ENCDOM REMOTE-ENCDOM

Encryption Domain

Next, we define our endpoints, i.e. what we want to encrypt.

Note: The previously created object groups are used to define the local and remote endpoints.

access-list ENCDOM100 extended permit ip object-group LOCAL-ENCDOM object-group REMOTE-ENCDOM

Phase 1 Proposal

We then define our Phase 1 proposals. You may have spotted that multiple ciphers are defined for each "method". This is because IKEv2 sends a single proposal containing multiple ciphers, compared to IKEv1, in which multiple proposals are sent.

crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption 3des des
 integrity sha md5
 group 5
 prf sha
 lifetime seconds 86400

Phase 2 Proposal

Next, the Phase 2 proposals are configured.

crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
 protocol esp encryption aes
 protocol esp integrity sha-1

Tunnel Group

At this point, the tunnel group is created. Just like IKEv1, a preshared key is defined. However, IKEv2 allows you to use different authentication methods for local and remote authentication.

tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PRESHARED KEY>
 ikev2 local-authentication pre-shared-key <PRESHARED KEY>

Crypto Map

Finally, the crypto map is configured. This combines the previously created encryption domain, the remote peer, and the Phase 2 policy into a single crypto map, which is then assigned to the outside interface.

crypto map CRYPTOMAP 100 match address ENCDOM100
crypto map CRYPTOMAP 100 set peer <REMOTE PEER IP>
crypto map CRYPTOMAP 100 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
crypto map CRYPTOMAP interface outside
crypto isakmp identity address
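With all of the pieces in place, it is worth checking the finished configuration for weak algorithms and dangling references before the peer is brought up. The linter below is an added example, not part of the original article or any Cisco tool: it runs over the article's own configuration with the placeholders filled in (constructed values), and the thresholds it applies (DES/3DES, MD5 and DH groups below 14 flagged as weak) are assumptions.

```python
# Assumed thresholds: DES/3DES and MD5 are flagged; DH groups below 14 (2048-bit MODP) are flagged.
WEAK_ENC, WEAK_INTEG, MIN_DH_GROUP = {"des", "3des"}, {"md5"}, 14

# Constructed sample: the article's configuration with the placeholders filled in.
SAMPLE_CONFIG = """\
access-list ENCDOM100 extended permit ip object-group LOCAL-ENCDOM object-group REMOTE-ENCDOM
crypto ikev2 policy 10
 encryption 3des des
 integrity sha md5
 group 5
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map CRYPTOMAP 100 match address ENCDOM100
crypto map CRYPTOMAP 100 set peer 172.16.1.1
crypto map CRYPTOMAP 100 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
"""


def audit_ikev2_config(config: str) -> list[str]:
    """Return findings for weak algorithms and dangling crypto map references."""
    findings, block = [], None
    acls, proposals, map_acls, map_props = set(), set(), set(), set()
    for raw in filter(str.strip, config.splitlines()):
        tok = raw.split()
        if not raw.startswith(" "):            # top-level command: ends any open block
            block = None
            if tok[:3] == ["crypto", "ikev2", "policy"]:
                block = f"ikev2 policy {tok[3]}"
            elif tok[:4] == ["crypto", "ipsec", "ikev2", "ipsec-proposal"]:
                block = f"ipsec-proposal {tok[4]}"
                proposals.add(tok[4])
            elif tok[0] == "access-list":
                acls.add(tok[1])
            elif tok[:2] == ["crypto", "map"] and "address" in tok:
                map_acls.add(tok[tok.index("address") + 1])
            elif tok[:2] == ["crypto", "map"] and "ipsec-proposal" in tok:
                map_props.add(tok[tok.index("ipsec-proposal") + 1])
        elif block:                            # indented line inside a policy or proposal
            if tok[:2] == ["protocol", "esp"]:  # proposal lines read "protocol esp encryption aes"
                tok = tok[2:]
            if tok[0] == "encryption" and (weak := WEAK_ENC & set(tok[1:])):
                findings.append(f"{block}: weak encryption {sorted(weak)}")
            elif tok[0] == "integrity" and (weak := WEAK_INTEG & set(tok[1:])):
                findings.append(f"{block}: weak integrity {sorted(weak)}")
            elif tok[0] == "group" and (small := [g for g in tok[1:] if int(g) < MIN_DH_GROUP]):
                findings.append(f"{block}: DH group below {MIN_DH_GROUP}: {small}")
    findings += [f"crypto map references undefined access-list {a}" for a in sorted(map_acls - acls)]
    findings += [f"crypto map references undefined ipsec-proposal {p}" for p in sorted(map_props - proposals)]
    return findings
```

Run against the sample, the three findings all come from the Phase 1 policy (3DES/DES, MD5 and DH group 5), while the Phase 2 proposal and the crypto map references pass.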

Debug / Show Commands

Here are the most common debug and show commands:

  • debug crypto ikev2 platform 5 - debug Phase 1 (ISAKMP SAs)
  • debug crypto ikev2 protocol 5 - debug Phase 1 (ISAKMP SAs)
  • debug crypto ipsec - debug Phase 2 (IPSEC SAs)
  • show crypto ikev2 sa - show Phase 1 SAs
  • show crypto ipsec sa - show Phase 2 SAs


Tags: ASA, Cisco, VPN, IKEv2

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001