Configure IKEv2 Site to Site VPN in Cisco ASA

IKEv2 is a new design protocol doing the same objective of IKEv1 which protect user traffic using IPSec. IKEv2 provides a number of benefits over IKEv1, such as IKEV2 uses less bandwidth and supports EAP authentication where IKEv1 does not.

IKEv2 support three authentication methods :
1. PSK
2. PKI (RSA-Sig)
3. EAP ( initiator only)
Initiator means client while responder is the server

IKEv2 has built-in NAT traversal while IKEv1 use it as optional option.
Process of Packet exchange in IKEv2
IKEv2 generates only 4 messages at all while IKEv1 phase 1 generates in main mode 6 messages and in aggressive mode generates 3 messages.

These four message types are: IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA, and Informational.

Phase 1 from IKEv1, which has two functional modes (Main and Aggressive), is known in IKEv2 as IKE_SA_INIT and has a single functional mode requiring two messages to be exchanged. Within a single policy (known as proposal on IOS and policy on ASA), multiple encryption/integrity/PRF/DH groups can be specified in an OR fashion.
After IKE_SA_INIT derives the keying material, mutual authentication is performed through IKE_AUTH, which requires two messages to be exchanged. Phase 2 from IKEv1 (Quick Mode) is known in IKEv2 as CREATE_CHILD_SA. Simply , In IKEv2 there is no Main/Aggressive/Quick Modes

I have prepared separate document for IKEV1 vs IKEv2, you can check.

Steps to create IKEv2 VPN On ASA
1. Creation of Object Group.
2. Encryption Domain
3. Creating Phase 1 proposal.
4. Phase 2 proposal(IPSec Parameters)
5. Tunnel Group
6. Creating Group Policy (if not in default group)

7. Crypto Map

Step-1. Creating Object Group

First of all we create our Local and Remote object group.

object-group network REMOTE-NAME
network-object 255.255.255.0
object-group network LOCAL-NAME
network-object 255.255.255.0

Step-2 ENCRYPTION DOMAIN

Next, We will create ACL for traffic which we want to encrypt

Note : The previously created object groups are used to define the local and remote endpoints.

access-list ENCRYPTION_DOMAIN_NAME extended permit ip object-group LOCAL_NAME object-group REMOTE_NAME

Step-3 PHASE 1 PROPOSAL

We need to create proposal for phase 1 which will be used to> negotiate phase 1 parameters. You can use below command to check if is there any existing Proposal matches your requirement.
Command
sh run crypto ikev2
You may of spotted that multiple ciphers are defined for each “method”. This is because IKEv2 sends across a single proposal containing multiple ciphers, compared to IKEv1 in which multiple proposals are sent.

crypto ikev2 policy 10
encryption 3des des
integrity sha md5
group 5
prf sha
lifetime seconds 86400

We have to allow IKEv2 on interface where VPN will get terminate.
crypto ikev2 enable outside

Step-4 PHASE 2 PROPOSAL (Transform-Set)

We need to create Phase 2 proposals which will include Encryption, Integerity etc for IPSec tunnel

crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
protocol esp encryption aes
protocol esp integrity sha-1

Step-5 TUNNEL GROUP

At this point, the tunnel group is created. Just like IKEv1 the preshared key is defined. However, IKEv2 allows you to use different authentication methods for both local and remote authentication.
we have assumed Peer IP – 172.10.1.1

tunnel-group 172.10.1.1 type ipsec-l2l
tunnel-group 172.10.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key
ikev2 local-authentication pre-shared-key

Step-6 Group Policy

At this point, we have to create group policy if it is not set by default, in most cases we create group policy for every new IKEV2 tunnel
we have assumed Peer IP – 172.10.1.1

group-policy GroupPolicy_NAME internal
group-policy GroupPolicy_NAME attributes
vpn-tunnel-protocol ikev2

Calling Group policy in Tunnel Group
tunnel-group 172.10.1.1 general-attributes
default-group-policy GroupPolicy_NAME

Step-7 CRYPTO MAP

Finally, we have to configure Crypto map where we combine encryption domain, Peer IP, Transform-set(Proposal Phase 2) into single crypto map and then Crypto map is assigned to outside interface.

crypto map CRYPTOMAP 100 match address ENCRYPTION_DOMAIN_NAME
crypto map CRYPTOMAP 100 set peer 172.10.1.1
crypto map CRYPTOMAP 100 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
crypto map CRYPTOMAP interface outside
crypto isakmp identity address

DEBUG / SHOW COMMANDS

Here the most command debug and show commands,

  • debug crypto ikev2 platform 5 – debug phase 1 (ISAKMP SA`s)
  • debug crypto ikev2 protocol 5 –  debug phase 1 (ISAKMP SA`s)
  • debug crypto ipsec – debug phase 2 (IPSEC SA`s)
  • show crypto ikev2 sa – show phase 1 SA`s
  • show crypto ipsec sa – show phase 2 SA`s
Subscribe
Notify of
guest

0 Comments
Newest
Oldest
Inline Feedbacks
View all comments
fathi
fathi
2 years ago

Do you have a link to download files? Firepower
Cisco ise
Router
Switch
Firewall

0
Would love your thoughts, please comment.x
()
x