IKEv1 & IKEv2 IPSec VPN on Cisco ASA
IKEv1 and IKEv2 are protocols used to establish IPSec VPNs on Cisco ASA. IKEv1 operates in two phases: Phase 1 (building a secure tunnel) and Phase 2 (negotiating IPSec parameters). It supports Main and Aggressive modes but is older and less efficient. IKEv2 improves security, efficiency, and reliability by combining phases, reducing overhead, and supporting features like EAP authentication and MOBIKE for mobility.
IKEv1
First lets make sure ASA on both sides can reach each other on the outside interface
The first configuration is to set up an IKEv1 policy with specific encryption, hashing, authentication, and key exchange settings:
1
2
3
4
5
6
crypto ikev1 policy 10 #defines an IKEv1 policy with a priority of 10, lower numbers have higher priority
encryption aes #AES (Advanced Encryption Standard) algorithm is used for encryption
hash sha #SHA (Secure Hash Algorithm) is used for integrity verification
authentication pre-share #pre-shared key (PSK) method is used for authentication
group 14 #Diffie-Hellman (DH) Group 14 determines the strength of the key exchange process, group 14 uses a 2048-bit key
lifetime 86400 #sets the IKE SA (Security Association) lifetime to 24 hours. After this period, the tunnel must be re-established to maintain security.
Next, tunnel groups are used to define VPN peer settings. The following configuration establishes an IPSec tunnel with a specific remote peer using IKEv1 authentication
1
2
3
tunnel-group 172.16.200.1 type ipsec-l2l #defines a tunnel group for a LAN-to-LAN (L2L) VPN
tunnel-group 172.16.200.1 ipsec-attributes #configures IPSec-specific settings for this tunnel group
ikev1 pre-shared-key helena123 #sets the pre-shared key (PSK) for authentication
Then ACL (Access Control List) is used to define which traffic will be encrypted and allowed through the VPN tunnel.
1
access-list VPN_ACL extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
Finally, the crypto map ties together several components of configurations, including the ACL, transform-set, and peer settings, to define how the traffic will be encrypted and tunneled for Phase 2
1
2
3
4
5
crypto ipsec ikev1 transform-set VPN_TRANSFORM_SET esp-aes esp-sha-hmac #defines the transform set which specifies the encryption and hashing algorithms to be used
crypto map VPN_MAP 10 match address VPN_ACL #associates the crypto map with the ACL
crypto map VPN_MAP 10 set peer 172.16.200.1 #specifies the remote VPN peer as 172.16.200.1
crypto map VPN_MAP 10 set ikev1 transform-set VPN_TRANSFORM_SET #associates the previously defined IKEv1 transform set with the crypto map
crypto map VPN_MAP interface outside #binds the crypto map to the outside interface
And with that we can now enable the IKEv1 on the outside interface
1
crypto ikev1 enable outside
Now both sites can connect though the IPSec VPN
We can also see the VPN ACL being hit by the passing traffic
Running “show crypto ikev1 sa” provides information about the Phase 1 tunnel that has been established to the remote peer
And running “show crypto ipsec sa” shows the Phase 2 status of the IPSec tunnel. It shows details about the active IPSec Security Associations (SAs), such as encryption algorithms, traffic statistics, and the current state of the tunnel
IKEv2
Now we add another site to establish new VPN to using IKEv2, as usual lets validate that we have connectivity
First the IKEv2 policy defines how the Phase 1 (IKE) negotiation is handled. This includes the algorithms used for securing the communication between the peers during the establishment of the VPN tunnel.
1
2
3
4
5
6
crypto ikev2 policy 20 #IKEv2 policy with the ID 20, which has lower priority than the ikev1 configured earlier
encryption aes
integrity sha
group 14
prf sha #Pseudo-Random Function, which is used in IKEv2 to generate the keying material
lifetime seconds 86400
Next configuration sets up the tunnel group and defines the authentication settings for the IKEv2 IPSec VPN connection
1
2
3
4
tunnel-group 172.16.230.1 type ipsec-l2l
tunnel-group 172.16.230.1 ipsec-attributes
ikev2 local-authentication pre-shared-key helena123
ikev2 remote-authentication pre-shared-key helena123
Then we configure the ACL to define traffic passing through this VPN
1
access-list VPN_ACL2 extended permit ip 10.1.0.0 255.255.255.0 10.3.0.0 255.255.255.0
After that we define an IPSec proposal that specifies the encryption and integrity algorithms to be used during Phase 2
1
2
3
crypto ipsec ikev2 ipsec-proposal VPN_PROPOSAL
protocol esp encryption aes #specifies the encryption algorithm used for ESP (Encapsulating Security Payload)
protocol esp integrity sha-256 #specifies the integrity algorithm used with ESP during transmission
Finally we can apply the IPSec settings to the crypto map
1
2
3
4
crypto map VPN_MAP 20 match address VPN_ACL2 #ties the crypto map with the ACL
crypto map VPN_MAP 20 set peer 172.16.230.1 #specifies the IP address of the remote peer
crypto map VPN_MAP 20 set ikev2 ipsec-proposal VPN_PROPOSAL #associates the IKEv2 IPSec proposal with the crypto map entry for this specific peer
crypto map VPN_MAP interface outside #applies the crypto map to the outside interface
And lastly now we can enable IKEv2 on the outside interface
1
crypto ikev2 enable outside
With all that configured, now both sites are connected with VPN
The VPN ACL is also being hit confirming the traffic is passing through this VPN
Running “show crypto ikev2 sa” shows current IKEv2 VPN tunnel and its status, including information about both Phase 1 (IKEv2 SA) and Phase 2 (IPSec SA) negotiations.
And command “show crypto ipsec sa” provides more details about the Phase 2 of the VPN tunnel, which involves encrypting and securing the actual data traffic between the ASA and the remote peer.
