Configure IKEv2 Site to Site VPN between Cisco ASAs
We are using the following topology, the most popular one: two sites in different geographical locations, each with a static IP address configured on its ASA firewall. Before we begin, you should also know the advantages of using IKEv2:
- IKEv2 uses fewer messages to establish the tunnel and thus saves bandwidth.
- IKEv2 has a built-in mechanism against DoS attacks. The ASA uses minimal CPU until it validates the initiator.
- IKEv2 has built-in support for NAT traversal, EAP authentication and a keep-alive mechanism (Dead Peer Detection).
On the ASA at both sites
Phase 1: IKE policy
The configuration is very similar to IKEv1; the only additional command is prf sha.
    IND-ASA(config)# crypto ikev2 policy 10
    IND-ASA(config-ikev2-policy)# encryption aes-gcm-256
    IND-ASA(config-ikev2-policy)# integrity sha512 sha384 sha256
    IND-ASA(config)# crypto ikev2 enable outside
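Even if we don’t configure certain parameters in the initial configuration, the Cisco ASA applies its default settings for DH group (2), prf (sha) and SA lifetime (86400 seconds). Group 2 is a 1024-bit Diffie-Hellman group, so set a stronger group explicitly in the policy for production use rather than relying on this default. Let’s look at the ASA configuration again using the sh run crypto ikev2 command.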
    IND-ASA(config)# sh run crypto ikev2
    crypto ikev2 policy 10
     encryption aes-gcm-256
     integrity sha512 sha384 sha256
     group 2
     prf sha
     lifetime seconds 86400
    crypto ikev2 enable outside
Phase 2: IPsec proposal
In IKEv1 we configure a transform set; in IKEv2 it is an ipsec-proposal.
    crypto ipsec ikev2 ipsec-proposal AES-256-SHA-256
     protocol esp encryption aes-256
     protocol esp integrity sha-256
On the ASA of the India network
    object-group network india_network
     network-object 10.10.10.0 255.255.255.0
    object-group network singapore_network
     network-object 192.168.1.0 255.255.255.0
    nat (inside,outside) source static india_network india_network destination static singapore_network singapore_network
    access-list ind_sin_acl extended permit ip object-group india_network object-group singapore_network
In the crypto map, specify the access-list, the peer IP address and the IPsec proposal. Do not forget to enable the crypto map on the outside interface.
    crypto map outside_map 5 match address ind_sin_acl
    crypto map outside_map 5 set peer 220.127.116.11
    ! The proposal name must match the ipsec-proposal defined in Phase 2
    crypto map outside_map 5 set ikev2 ipsec-proposal AES-256-SHA-256
    crypto map outside_map interface outside
For IKEv2, asymmetric pre-shared keys can be configured. If you specify the same pre-shared key for both local and remote authentication, then you have configured the legacy IKEv1 behavior.
    ! The tunnel-group name must match the peer address set in the crypto map
    tunnel-group 220.127.116.11 type ipsec-l2l
    tunnel-group 220.127.116.11 ipsec-attributes
     ikev2 remote-authentication pre-shared-key itadminguide
     ikev2 local-authentication pre-shared-key cisco
On the ASA of the Singapore network
    object-group network india_network
     network-object 10.10.10.0 255.255.255.0
    object-group network singapore_network
     network-object 192.168.1.0 255.255.255.0
    nat (inside,outside) source static singapore_network singapore_network destination static india_network india_network
    access-list sin_ind_acl extended permit ip object-group singapore_network object-group india_network
    ! The crypto map must reference the ACL and the ipsec-proposal defined on this ASA
    crypto map outside_map 5 match address sin_ind_acl
    crypto map outside_map 5 set peer 126.96.36.199
    crypto map outside_map 5 set ikev2 ipsec-proposal AES-256-SHA-256
    crypto map outside_map interface outside
    ! The tunnel-group name must match the peer address set in the crypto map
    tunnel-group 126.96.36.199 type ipsec-l2l
    tunnel-group 126.96.36.199 ipsec-attributes
     ikev2 remote-authentication pre-shared-key cisco
     ikev2 local-authentication pre-shared-key itadminguide
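The two configurations above only form a tunnel if the names they reference are defined and the asymmetric keys are cross-matched. The following Python check is an added example, not part of the original article or any Cisco tooling; it compares two saved configs for those conditions. The addresses, keys and the helper names parse and check are constructed for illustration, and it assumes one crypto map entry and one tunnel-group per config.

```python
import re
# Constructed sample configs: documentation-range addresses, placeholder keys.
SITE_A = """
crypto ipsec ikev2 ipsec-proposal AES-256-SHA-256
access-list ind_sin_acl extended permit ip object-group india_network object-group singapore_network
crypto map outside_map 5 match address ind_sin_acl
crypto map outside_map 5 set peer 203.0.113.2
crypto map outside_map 5 set ikev2 ipsec-proposal AES-256-SHA-256
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key KEY_B
 ikev2 local-authentication pre-shared-key KEY_A
"""
# Constructed Site B with three defects: undefined ACL, undefined proposal, misnamed tunnel-group.
SITE_B = """
crypto ipsec ikev2 ipsec-proposal AES-256-SHA-256
access-list sin_ind_acl extended permit ip object-group singapore_network object-group india_network
crypto map outside_map 5 match address ind_sin_acl
crypto map outside_map 5 set peer 198.51.100.1
crypto map outside_map 5 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
tunnel-group 198.51.100.9 ipsec-attributes
 ikev2 remote-authentication pre-shared-key KEY_A
 ikev2 local-authentication pre-shared-key KEY_B
"""

def parse(cfg):
    """Extract the names that must agree inside one config and across both peers."""
    one = lambda pat: next(iter(re.findall(pat, cfg, re.M)), None)
    return {
        "proposals": set(re.findall(r"^crypto ipsec ikev2 ipsec-proposal (\S+)", cfg, re.M)),
        "acls": set(re.findall(r"^access-list (\S+) ", cfg, re.M)),
        "groups": set(re.findall(r"^tunnel-group (\S+) ipsec-attributes", cfg, re.M)),
        "match": one(r"^crypto map \S+ \d+ match address (\S+)"),
        "peer": one(r"^crypto map \S+ \d+ set peer (\S+)"),
        "use": one(r"^crypto map \S+ \d+ set ikev2 ipsec-proposal (\S+)"),
        "local": one(r"^\s*ikev2 local-authentication pre-shared-key (\S+)"),
        "remote": one(r"^\s*ikev2 remote-authentication pre-shared-key (\S+)"),
    }

def check(a, b):
    issues = []
    for site, s in (("A", a), ("B", b)):
        for ref, pool, what in (("match", "acls", "access-list"),
                                ("use", "proposals", "ipsec-proposal"),
                                ("peer", "groups", "tunnel-group")):
            if s[ref] not in s[pool]:
                issues.append(f"{site}: {what} {s[ref]} is referenced but not defined")
    # IKEv2 keys are directional: my local key must be the peer's remote key.
    if (a["local"], a["remote"]) != (b["remote"], b["local"]):
        issues.append("pre-shared keys are not cross-matched between the peers")
    return issues  # empty list: the pair is consistent
```

Run check(parse(SITE_A), parse(SITE_B)) against configs saved from each ASA before a change window; every finding names the side and the object to correct.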