Wednesday 9 November 2022

ikev2 s2s VPN on cisco ASA

The customer did a software update, after which all the old IKEv1 VPNs and the VPNs using old ciphers stopped working because of the tightened security settings in the new software. I didn't have time to figure out which ciphers still worked, so I switched the VPNs to IKEv2.

Enable IKEv2 on outside interface

crypto ikev2 enable OUTSIDE


Group policy for VPN peer (IKEv2 selected, always-on settings)

You may have other settings you need to configure here.

group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol ikev2


IKEv2 P1 policy

*NOTE* I saw an issue where a policy was selected even though the lifetimes didn't match (the other settings did). The VPN came up but had problems rekeying and would not come back up on its own. Check that the lifetimes match under "sh crypto isakmp sa" on both sides of the VPN. In my case the HQ already had an IKEv2 policy with an 86400 lifetime that other VPNs were using.

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
 lifetime seconds 86400


IKEv2 P2 proposal

crypto ipsec ikev2 ipsec-proposal IKEV2_AES_256_SHA_256
 protocol esp encryption aes-256
 protocol esp integrity sha-256


Crypto MAP

crypto map MYMAP 10 match address CUST_VPN
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set ikev2 ipsec-proposal IKEV2_AES_256_SHA_256
crypto map MYMAP 10 set security-association lifetime seconds 3600


Encryption domain

access-list CUST_VPN extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
object-group network LOCAL-NETS
 network-object 192.168.10.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 172.30.10.0 255.255.255.0


No NAT (identity NAT for the encryption domain)

nat (INSIDE,OUTSIDE) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup


Tunnel group

tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key StrongPassWordHere
 ikev2 local-authentication pre-shared-key StrongPassWordHere
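A quick sanity check for the names that tie these blocks together, as an added Python example (not part of the post and not a Cisco tool): it reads a config in the shape of the one above, with constructed values and a deliberately misspelled proposal name, and flags an ipsec-proposal, ACL, object-group, group policy or peer that one block references but none defines, a missing "crypto ikev2 enable", and a group policy that does not allow ikev2 as the tunnel protocol.

```python
import re

# Constructed sample shaped like this post's config (203.0.113.5 stands in for the
# post's x.x.x.x peer); the crypto map's proposal name is misspelled on purpose.
SAMPLE = """\
crypto ikev2 enable OUTSIDE
group-policy GroupPolicy_203.0.113.5 internal
group-policy GroupPolicy_203.0.113.5 attributes
 vpn-tunnel-protocol ikev2
crypto ipsec ikev2 ipsec-proposal IKEV2_AES_256_SHA_256
crypto map MYMAP 10 match address CUST_VPN
crypto map MYMAP 10 set peer 203.0.113.5
crypto map MYMAP 10 set ikev2 ipsec-proposal IKEV2_AES256_SHA256
access-list CUST_VPN extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
object-group network LOCAL-NETS
 network-object 192.168.10.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 172.30.10.0 255.255.255.0
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 general-attributes
 default-group-policy GroupPolicy_203.0.113.5
"""

# (kind, regex for a line that defines a name, regex for a line that refers to one)
CHECKS = [
    ("ipsec-proposal", r"^crypto ipsec ikev2 ipsec-proposal (\S+)",
     r"^crypto map \S+ \d+ set ikev2 ipsec-proposal (\S+)"),
    ("access-list", r"^access-list (\S+) ", r"^crypto map \S+ \d+ match address (\S+)"),
    ("object-group", r"^object-group network (\S+)", r"object-group (?!network )(\S+)"),
    ("group-policy", r"^group-policy (\S+) internal", r"^ default-group-policy (\S+)"),
    ("crypto map peer", r"^crypto map \S+ \d+ set peer (\S+)",
     r"^tunnel-group (\S+) type ipsec-l2l"),
]


def check_ikev2_l2l(config: str) -> list[str]:
    problems = []
    for kind, def_pat, ref_pat in CHECKS:
        defined = set(re.findall(def_pat, config, re.M))
        for name in re.findall(ref_pat, config, re.M):
            if name not in defined:
                problems.append(f"{kind} '{name}' is referenced but never defined")
    if not re.search(r"^crypto ikev2 enable \S+", config, re.M):
        problems.append("IKEv2 is not enabled on any interface")
    # Every group policy handed out by a tunnel-group must permit IKEv2 as tunnel protocol.
    for gp in re.findall(r"^ default-group-policy (\S+)", config, re.M):
        attrs = re.search(rf"^group-policy {re.escape(gp)} attributes\n((?: [^\n]*\n)*)", config, re.M)
        if not attrs or not re.search(r"^ vpn-tunnel-protocol .*\bikev2\b", attrs.group(1), re.M):
            problems.append(f"group-policy '{gp}' does not allow vpn-tunnel-protocol ikev2")
    return problems
```

Run it over "show running-config" output saved to a file; the only finding on the sample is the misspelled proposal name in the crypto map.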


