Customer did an update and all the old IKEv1 and old-cipher VPNs stopped working due to security settings and the SW update. I didn't have time to figure out which ciphers worked, so I switched the VPNs to IKEv2.
Enable IKEv2 on outside interface
crypto ikev2 enable OUTSIDE
Group policy for the VPN peer (IKEv2 selected, always-on settings: no idle or session timeout)
You may have other settings you need to configure here.
group-policy GroupPolicy_x.x.x.x internal
group-policy GroupPolicy_x.x.x.x attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol ikev2
IKEv2 P1 policy
*NOTE* Saw an issue where a policy was selected even though the lifetimes didn't match (the other settings did). The VPN came up but was having issues rekeying, not coming back up on its own. Check that the lifetimes match under "sh crypto isakmp sa" on both sides of the VPN. In my case the HQ already had an IKEv2 policy with an 86400 lifetime and other VPNs using that.
cbc
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 21
prf sha256
lifetime seconds 28800
gcm
crypto ikev2 policy 160
encryption aes-gcm-256
integrity null
group 21
prf sha256
lifetime seconds 28800
cbc vs gcm
aes-256-cbc: the ASA's aes-256 keyword is AES-256-CBC; it interoperates with a Palo Alto firewall set to aes-256-cbc.
CBC is the older mode. It provides confidentiality only, so the policy needs a separate integrity algorithm (HMAC-SHA-256 here); paired with that it is still considered secure, and since we are running a tunnel within a tunnel on these S2S VPNs it is fine. It is also the fallback for peers that don't support GCM.
GCM is newer and is an AEAD mode: the integrity check is built into the cipher, so no separate HMAC is needed and the IKEv2 policy is configured with integrity null (the PRF is still set, sha256 here). It is the more secure, best-practice pick. However, some older devices won't support GCM or won't offer it as an option, so you will have to use CBC in that case.
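To turn the policy-matching note and the CBC/GCM rules above into something you can run against two saved configs, here is an added Python example (not from the original post, and not Cisco tooling). It parses `crypto ikev2 policy` blocks in the format shown on this page, flags weak or inconsistent settings (such as AES-GCM without integrity null, or 3DES/SHA-1/group 2 leftovers), and lists which local/remote policy pairs would match, reporting the lifetime separately because it is not part of the match. The HQ and branch configs are constructed for the example, and the 86400 default lifetime is an assumption about the ASA default.

```python
# Added example (not from the original post): check two ASA configs for a
# compatible IKEv2 P1 policy and report lifetime mismatches separately.
import re
from collections import namedtuple

DEFAULT_LIFETIME = 86400          # assumption: ASA default when no lifetime line is set
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha"}   # plain `sha` is SHA-1 on the ASA
WEAK_GROUPS = {"1", "2", "5"}
Ikev2Policy = namedtuple("Ikev2Policy", "number encryption integrity group prf lifetime")


def parse_ikev2_policies(config):
    """Return an Ikev2Policy for each `crypto ikev2 policy` block in the config text."""
    blocks, cur = [], None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"^crypto ikev2 policy (\d+)$", line)
        parts = line.split()
        if m:
            cur = {"number": int(m.group(1)), "lifetime": DEFAULT_LIFETIME}
            blocks.append(cur)
        elif cur is None or not parts:
            continue
        elif parts[0] in ("encryption", "integrity", "group", "prf"):
            cur[parts[0]] = frozenset(parts[1:])
        elif parts[:2] == ["lifetime", "seconds"]:
            cur["lifetime"] = int(parts[2])
        else:                         # any other command ends the policy block
            cur = None
    return [Ikev2Policy(b["number"], b.get("encryption", frozenset()),
                        b.get("integrity", frozenset()), b.get("group", frozenset()),
                        b.get("prf", frozenset()), b["lifetime"]) for b in blocks]


def validate_policy(p):
    """Problems with one policy: AEAD/integrity mismatch and legacy algorithms."""
    problems = []
    gcm = any("gcm" in e for e in p.encryption)
    if gcm and "null" not in p.integrity:
        problems.append("AES-GCM is an AEAD cipher; integrity must be null")
    if not gcm and "null" in p.integrity:
        problems.append("integrity null is only valid with AES-GCM")
    for label, found in (("encryption", p.encryption & WEAK_ENCRYPTION),
                         ("integrity", p.integrity & WEAK_INTEGRITY),
                         ("DH group", p.group & WEAK_GROUPS)):
        if found:
            problems.append(f"weak {label}: {', '.join(sorted(found))}")
    return problems


def find_matches(local, remote):
    """(local#, remote#, lifetimes_equal) for each pair that would negotiate.
    Lifetime is excluded from the match on purpose: IKEv2 does not negotiate it,
    so a tunnel can come up on mismatched lifetimes and only misbehave at rekey."""
    matches = []
    for lp in sorted(local, key=lambda p: p.number):
        for rp in sorted(remote, key=lambda p: p.number):
            if (lp.encryption & rp.encryption and lp.integrity & rp.integrity
                    and lp.group & rp.group and lp.prf & rp.prf):
                matches.append((lp.number, rp.number, lp.lifetime == rp.lifetime))
    return matches


# Constructed HQ config: policy 1 with the 86400 lifetime from the note above,
# a leftover legacy policy 10, and the GCM policy 160.
HQ_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 21
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 160
 encryption aes-gcm-256
 integrity null
 group 21
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
"""
# Constructed branch config: same policies, but the 28800 lifetime used on this page.
BRANCH_CONFIG = HQ_CONFIG.replace("lifetime seconds 86400", "lifetime seconds 28800")
```

Running `find_matches(parse_ikev2_policies(HQ_CONFIG), parse_ikev2_policies(BRANCH_CONFIG))` reports policies 1, 10 and 160 as matching with the lifetime flag False on every pair, which is exactly the situation in the note: the tunnel negotiates, and the lifetime difference only shows up later. `validate_policy` on policy 10 returns three findings (3DES, SHA-1, group 2), so the legacy policy is caught even though a peer with the same legacy policy would happily match it.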
IKEv2 P2 (IPsec) proposal. This one uses AES-256-CBC with SHA-256; if you use GCM here as well, the ESP integrity must be set to null just like in the P1 policy.
crypto ipsec ikev2 ipsec-proposal IKEV2_AES_256_SHA_256
protocol esp encryption aes-256
protocol esp integrity sha-256
Crypto MAP
crypto map MYMAP 10 match address CUST_VPN
crypto map MYMAP 10 set peer x.x.x.x
crypto map MYMAP 10 set ikev2 ipsec-proposal IKEV2_AES_256_SHA_256
crypto map MYMAP 10 set security-association lifetime seconds 3600
Encryption domain
access-list CUST_VPN extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
object-group network LOCAL-NETS
network-object 192.168.10.0 255.255.255.0
object-group network REMOTE-NETS
network-object 172.30.10.0 255.255.255.0
No NAT (identity NAT so traffic to the remote networks is not translated)
nat (INSIDE,OUTSIDE) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup
Tunnel group
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy GroupPolicy_x.x.x.x
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key StrongPassWordHere
ikev2 local-authentication pre-shared-key StrongPassWordHere
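The encryption domain, the no-NAT rule and the tunnel group above are the parts that most often silently disagree with the peer even when phase 1 negotiates fine. As an added example (not from the original post, and not Cisco tooling), this Python script parses the object-groups, crypto ACL and identity NAT line in the format shown above, checks that the NAT exemption is an identity translation for the same object-groups the crypto ACL uses, and compares our proxy IDs with the peer's, which must be an exact mirror of ours or some traffic will never match a child SA. The local config is taken from this page; the peer config (HQ-NETS, BRANCH-NETS, TO_BRANCH) is constructed and deliberately includes an extra network so the mismatch report has something to show.

```python
# Added example (not from the original post): sanity-check an ASA site-to-site
# encryption domain: identity NAT must cover the crypto ACL's object-groups, and
# the peer's proxy IDs must mirror ours. The peer config below is constructed.
import ipaddress
import re

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip "
                    r"object-group (\S+) object-group (\S+)$")
NAT_RE = re.compile(r"^nat \([^,]+,[^)]+\) source static (\S+) (\S+) "
                    r"destination static (\S+) (\S+)")


def parse_object_groups(config):
    """Map object-group name -> [ip_network] from `object-group network` blocks."""
    groups, cur = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"^object-group network (\S+)$", line)
        n = re.match(r"^network-object (?:host (\S+)|(\S+) (\S+))$", line)
        if m:
            cur = groups.setdefault(m.group(1), [])
        elif n and cur is not None:
            cur.append(ipaddress.ip_network(n.group(1) or f"{n.group(2)}/{n.group(3)}"))
        elif line:
            cur = None                  # any other command ends the block
    return groups


def acl_group_pairs(config, acl_name):
    """(src_group, dst_group) names from each permit ip line of the crypto ACL."""
    pairs = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group(1) == acl_name:
            pairs.append((m.group(2), m.group(3)))
    return pairs


def crypto_domain(config, acl_name):
    """Expand the crypto ACL into the set of (local_net, remote_net) proxy IDs."""
    groups = parse_object_groups(config)
    return {(src, dst) for sg, dg in acl_group_pairs(config, acl_name)
            for src in groups.get(sg, []) for dst in groups.get(dg, [])}


def check_nat_exemption(config, acl_name):
    """Problems if the crypto ACL's groups lack a matching identity (no-NAT) rule."""
    problems, exemptions = [], set()
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue
        real_src, mapped_src, real_dst, mapped_dst = m.groups()
        if real_src != mapped_src or real_dst != mapped_dst:
            problems.append(f"nat for {real_src}->{real_dst} is not an identity translation")
        else:
            exemptions.add((real_src, real_dst))
    pairs = acl_group_pairs(config, acl_name)
    if not pairs:
        problems.append(f"access-list {acl_name} has no permit ip object-group entries")
    for src, dst in pairs:
        if (src, dst) not in exemptions:
            problems.append(f"no identity NAT for {src} -> {dst}; traffic may be NATed")
    return problems


def mirror_gaps(local_pairs, remote_pairs):
    """The peer's (src, dst) proxy IDs must equal our (dst, src); report the gaps."""
    mirrored = {(dst, src) for src, dst in remote_pairs}
    return {"missing_on_local": sorted(mirrored - local_pairs, key=str),
            "missing_on_remote": sorted(local_pairs - mirrored, key=str)}


# Our side, as on this page.
LOCAL_CONFIG = """\
object-group network LOCAL-NETS
 network-object 192.168.10.0 255.255.255.0
object-group network REMOTE-NETS
 network-object 172.30.10.0 255.255.255.0
access-list CUST_VPN extended permit ip object-group LOCAL-NETS object-group REMOTE-NETS
nat (INSIDE,OUTSIDE) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS no-proxy-arp route-lookup
"""

# Constructed peer config: the peer also expects 192.168.11.0/24 in the tunnel.
PEER_CONFIG = """\
object-group network HQ-NETS
 network-object 172.30.10.0 255.255.255.0
object-group network BRANCH-NETS
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.11.0 255.255.255.0
access-list TO_BRANCH extended permit ip object-group HQ-NETS object-group BRANCH-NETS
nat (INSIDE,OUTSIDE) source static HQ-NETS HQ-NETS destination static BRANCH-NETS BRANCH-NETS no-proxy-arp route-lookup
"""
```

`check_nat_exemption(LOCAL_CONFIG, "CUST_VPN")` comes back empty for the config on this page, and `mirror_gaps(crypto_domain(LOCAL_CONFIG, "CUST_VPN"), crypto_domain(PEER_CONFIG, "TO_BRANCH"))` lists 192.168.11.0/24 -> 172.30.10.0/24 as missing on our side, which is the kind of one-sided proxy-ID entry that shows up as a tunnel that is "up" but only passes some traffic. Comment out the nat line, or change the mapped object to something other than the real one, and the NAT check reports it.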