Configure IKEv2 Site to Site VPN between Cisco ASAs

We are using the following topology, the most common one: two sites in different geographical locations, each with a static public IP address configured on its ASA firewall. Before we begin, you should also know the advantages of using IKEv2:

  • IKEv2 uses fewer messages to establish the tunnel, which saves bandwidth.
  • IKEv2 has a built-in mechanism against DoS attacks: the ASA uses minimal CPU until it has validated the initiator.
  • IKEv2 has built-in support for NAT traversal, EAP authentication and a keep-alive mechanism (dead peer detection).


In ASA of both sites

Phase 1: IKE policy

The configuration is very similar to IKEv1; the only additional command is prf sha.

Even if we don’t configure certain parameters in the initial configuration, the Cisco ASA applies its defaults for the DH group (2), PRF (sha) and SA lifetime (86400 seconds). Let’s look at the ASA configuration again using the sh run crypto ikev2 command.

Phase 2: IPsec proposal

In IKEv1 we configure a transform set; in IKEv2 it is an ipsec-proposal.

In ASA of India network

In the crypto map, specify the access-list, the peer IP address and the IPsec proposal. Do not forget to enable the crypto map on the outside interface.

For IKEv2, asymmetric pre-shared keys can be configured. If you specify the same pre-shared key for both local and remote, you have configured the legacy IKEv1 technology.

In ASA of Singapore network
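The complete configuration for the procedure above (phase 1 IKE policy, phase 2 IPsec proposal, crypto map and asymmetric pre-shared keys) is given below as an added example; it is not the configuration from the original post. It is shown for the India ASA, with the Singapore side following as the mirror image. All addresses, object and map names and the two key values are constructed placeholders: India's public IP is 203.0.113.1 with LAN 192.168.1.0/24, Singapore's public IP is 198.51.100.1 with LAN 192.168.2.0/24. The example chooses AES-256, SHA-256 and DH group 14 instead of the defaults the post mentions (group 2, prf sha); that choice is the editor's hardening assumption, not the post's. The NAT exemption rule assumes inside traffic is otherwise NATed on the outside interface (ASA 8.3+ syntax).

```cisco
! ===== India ASA (outside 203.0.113.1, LAN 192.168.1.0/24) =====

! Phase 1: IKEv2 policy. prf is the extra keyword compared with IKEv1.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! Phase 2: IPsec proposal (the IKEv2 equivalent of a transform set).
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic: India LAN <-> Singapore LAN (constructed subnets).
object network INDIA-LAN
 subnet 192.168.1.0 255.255.255.0
object network SGP-LAN
 subnet 192.168.2.0 255.255.255.0
access-list VPN-INDIA-SGP extended permit ip object INDIA-LAN object SGP-LAN

! Exempt site-to-site traffic from NAT (assumes inside is otherwise NATed).
nat (inside,outside) source static INDIA-LAN INDIA-LAN destination static SGP-LAN SGP-LAN no-proxy-arp route-lookup

! Crypto map: access-list, peer and proposal, then bind it to outside.
crypto map OUTSIDE-MAP 10 match address VPN-INDIA-SGP
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

! Tunnel group keyed by the peer address, with asymmetric pre-shared keys.
! The key India presents (local) differs from the key it expects (remote).
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-KEY-SGP-TO-INDIA
 ikev2 local-authentication pre-shared-key PLACEHOLDER-KEY-INDIA-TO-SGP

! ===== Singapore ASA (outside 198.51.100.1, LAN 192.168.2.0/24) =====
! Same ikev2 policy and ipsec-proposal as above, then the mirrored pieces:
access-list VPN-SGP-INDIA extended permit ip object SGP-LAN object INDIA-LAN
nat (inside,outside) source static SGP-LAN SGP-LAN destination static INDIA-LAN INDIA-LAN no-proxy-arp route-lookup
crypto map OUTSIDE-MAP 10 match address VPN-SGP-INDIA
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ! local/remote are swapped relative to India so the two sides match.
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-KEY-INDIA-TO-SGP
 ikev2 local-authentication pre-shared-key PLACEHOLDER-KEY-SGP-TO-INDIA
```

The check that matters is that each side's local key equals the other side's remote key; if the two are swapped on one ASA only, phase 1 fails at the AUTH exchange. After sending traffic that matches the access-list, verify phase 1 with show crypto ikev2 sa and phase 2 with show crypto ipsec sa; the ipsec-proposal and policy parameters can be reviewed with sh run crypto ikev2, as the post describes.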
