Sunday, April 24, 2016
Sunday, April 3, 2016
Migrating IKEv1 and IKEv2 Policy (migrate l2l overwrite Command)
I was asked to replace the "weak" IKE Phase 1 and Phase 2 encryption algorithms (DES and 3DES) used in our VPN infrastructure. Since the change has to be made on a remote firewall, I first simulated it in GNS3. Below is the sample setup for the IPsec VPN tunnel between the HQ ASA and a remote ASA firewall.
hostname ASA-1
interface g0
ip add 202.78.6.4 255.255.255.240
nameif outside
no shut
interface g1
ip add 172.27.1.1 255.255.255.0
nameif inside
no shut
route outside 0 0 202.78.6.1
access-list SIN-CHN extended permit ip 172.27.1.0 255.255.255.0 172.27.19.0 255.255.255.0
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 111.203.2.19
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
no crypto ikev1 policy 65535
crypto isakmp policy 1
authentication pre-share
encryption des // WEAK ENCRYPTION TO BE CHANGED
hash md5 // WEAK HASH TO BE CHANGED
group 2
lifetime 86400
tunnel-group 111.203.2.19 type ipsec-l2l
tunnel-group 111.203.2.19 ipsec-attributes
ikev1 pre-shared-key cisco
crypto ikev1 policy 5
authentication pre-share
encryption aes // STRONG ENCRYPTION
hash sha // STRONG HASH
group 2
lifetime 43200 // CHANGE TO 12 HOURS
crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac // NEW TRANSFORM SET
crypto map VPN_CMAP 1615 set ikev1 transform-set NEW_TSET
no crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
no crypto isakmp policy 1
----
hostname ASA-2
interface g0
ip add 111.203.2.19 255.255.255.240
nameif outside
no shut
interface g1
ip add 172.27.19.1 255.255.255.0
nameif inside
no shut
route outside 0 0 111.203.2.17
access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 202.78.6.4
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
no crypto ikev1 policy 65535
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
tunnel-group 202.78.6.4 type ipsec-l2l
tunnel-group 202.78.6.4 ipsec-attributes
ikev1 pre-shared-key cisco
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac
crypto map VPN_CMAP 1615 set ikev1 transform-set NEW_TSET
no crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
no crypto isakmp policy 1
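Before touching a production firewall it helps to have a repeatable way of spotting the weak settings. The script below is an added example written for this post (not part of the original, and not a Cisco tool): it parses `show run crypto` text, walks the `crypto ikev1 policy` / `crypto isakmp policy`, `crypto ikev2 policy`, `crypto ipsec ikev1 transform-set` and `crypto ipsec ikev2 ipsec-proposal` entries, and reports DES/3DES and MD5 wherever they appear. Which algorithms count as weak is an assumption of the example; it goes a little beyond the post by also flagging Diffie-Hellman groups 1 and 2 (768/1024-bit MODP) as small, even though the post's "strong" policy keeps group 2. The sample configs are constructed from the before and after `show run crypto` outputs shown here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed policy for this example, not a Cisco list: DES/3DES and MD5 are what the post
# replaces; DH groups 1 and 2 are flagged as small so an auditor sees them too.
WEAK_CIPHERS = {"des", "3des", "null", "esp-des", "esp-3des", "esp-null"}
WEAK_HASHES = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2"}


@dataclass
class Finding:
    where: str    # policy, transform-set or proposal the setting belongs to
    setting: str  # the offending token exactly as configured
    reason: str


def audit_asa_crypto(show_run_crypto: str) -> List[Finding]:
    """Scan `show run crypto` text for weak IKE/IPsec algorithms, in config order."""
    findings: List[Finding] = []
    context: Optional[str] = None  # block whose sub-commands we are currently inside

    for raw in show_run_crypto.splitlines():
        line = raw.split("//", 1)[0].strip()  # ignore the post's "// ..." annotations
        if not line:
            continue
        if m := re.fullmatch(r"crypto (?:ikev1|isakmp) policy (\d+)", line):
            context = f"ikev1 policy {m.group(1)}"
        elif m := re.fullmatch(r"crypto ikev2 policy (\d+)", line):
            context = f"ikev2 policy {m.group(1)}"
        elif m := re.fullmatch(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line):
            context = f"ikev2 ipsec-proposal {m.group(1)}"
        elif m := re.fullmatch(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line):
            context = None  # one-line entry: ESP cipher and integrity are on the same line
            where = f"transform-set {m.group(1)}"
            for token in m.group(2).split():
                if token in WEAK_CIPHERS:
                    findings.append(Finding(where, token, "weak ESP cipher"))
                elif token in WEAK_HASHES:
                    findings.append(Finding(where, token, "weak ESP integrity"))
        elif line.startswith(("crypto ", "tunnel-group ")):
            context = None  # any other top-level command ends the current block
        elif context is not None:
            # Sub-command inside a policy or proposal block. ikev2 proposals prefix the
            # setting with "protocol esp"; strip that so both forms are handled alike.
            tokens = line.split()
            if tokens[:2] == ["protocol", "esp"]:
                tokens = tokens[2:]
            kind, values = tokens[0], tokens[1:]
            if kind == "encryption":
                findings += [Finding(context, v, "weak cipher") for v in values if v in WEAK_CIPHERS]
            elif kind in ("hash", "integrity", "prf"):
                findings += [Finding(context, v, f"weak {kind}") for v in values if v in WEAK_HASHES]
            elif kind == "group":
                findings += [Finding(context, v, "small DH group") for v in values if v in WEAK_DH_GROUPS]
    return findings


# Constructed samples, copied from the before/after `show run crypto` outputs in this post.
BEFORE = """\
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""

AFTER = """\
crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal IKEv2_TSET
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal IKEv2_TSET
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 43200
crypto ikev1 policy 5
 encryption aes
 hash sha
 group 2
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        findings = audit_asa_crypto(cfg)
        print(f"== {label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.where}: {f.setting} ({f.reason})")
```

Run it against a saved `show run crypto` from each firewall; the "after" config still returns two findings (group 2 in both policies), which is exactly the kind of leftover that is easy to miss when the only goal was getting rid of DES and MD5.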
------
ASA-1# show run crypto
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 111.203.2.19
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
ASA-2# show run crypto
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 202.78.6.4
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
ASA-1# show crypto isakmp sa
There are no IKEv1 SAs // NEED TO TRIGGER INTERESTING TRAFFIC (CRYPTO ACL)
There are no IKEv2 SAs
ASA-2# show crypto isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
PC1> ping 172.27.19.20 // PING FROM SINGAPORE LAN TO CHINA LAN IP
172.27.19.20 icmp_seq=1 timeout // TIMEOUT DUE TO IKE PHASE 1 AND PHASE 2 NEGOTIATION
172.27.19.20 icmp_seq=2 timeout
172.27.19.20 icmp_seq=3 timeout
84 bytes from 172.27.19.20 icmp_seq=4 ttl=64 time=45.002 ms
84 bytes from 172.27.19.20 icmp_seq=5 ttl=64 time=89.005 ms
ASA-1# show crypto isakmp sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 111.203.2.19
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86372
There are no IKEv2 SAs
ASA-1# show crypto ipsec sa
interface: outside
Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 202.78.6.4
access-list SIN-CHN extended permit ip 172.27.1.0 255.255.255.0 172.27.19.0 255.255.255.0
local ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
current_peer: 111.203.2.19
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.78.6.4/0, remote crypto endpt.: 111.203.2.19/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: E271AEF1
current inbound spi : 82CECD8A
inbound esp sas:
spi: 0x82CECD8A (2194591114)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (4373999/28766)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xE271AEF1 (3799101169)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (4373999/28766)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA-2# show crypto isakmp sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.78.6.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86350
There are no IKEv2 SAs
ASA-2# show crypto ipsec sa
interface: outside
Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 111.203.2.19
access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
current_peer: 202.78.6.4
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 111.203.2.19/0, remote crypto endpt.: 202.78.6.4/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: DCA8F338
current inbound spi : E150B17A
inbound esp sas:
spi: 0xE150B17A (3780161914)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28728)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xDCA8F338 (3702059832)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 12288, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28728)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
----
PC1> ping 172.27.19.20 -t
172.27.19.20 icmp_seq=1 timeout
84 bytes from 172.27.19.20 icmp_seq=2 ttl=64 time=276.016 ms
84 bytes from 172.27.19.20 icmp_seq=3 ttl=64 time=81.005 ms
84 bytes from 172.27.19.20 icmp_seq=4 ttl=64 time=45.002 ms
84 bytes from 172.27.19.20 icmp_seq=5 ttl=64 time=92.005 ms
84 bytes from 172.27.19.20 icmp_seq=6 ttl=64 time=65.004 ms
84 bytes from 172.27.19.20 icmp_seq=7 ttl=64 time=266.015 ms
84 bytes from 172.27.19.20 icmp_seq=8 ttl=64 time=66.003 ms
84 bytes from 172.27.19.20 icmp_seq=9 ttl=64 time=70.004 ms
84 bytes from 172.27.19.20 icmp_seq=10 ttl=64 time=259.015 ms
84 bytes from 172.27.19.20 icmp_seq=11 ttl=64 time=63.004 ms
84 bytes from 172.27.19.20 icmp_seq=12 ttl=64 time=68.004 ms
84 bytes from 172.27.19.20 icmp_seq=13 ttl=64 time=61.003 ms
84 bytes from 172.27.19.20 icmp_seq=14 ttl=64 time=44.002 ms
172.27.19.20 icmp_seq=15 timeout // CHANGED REMOTE ASA TO USE THE NEW IKE PHASE 1 AND PHASE 2 ALGORITHMS; CHANGED HQ ASA IKE PHASE 1 AND PHASE 2 ALGORITHMS AFTERWARDS
172.27.19.20 icmp_seq=16 timeout
172.27.19.20 icmp_seq=17 timeout
172.27.19.20 icmp_seq=18 timeout
172.27.19.20 icmp_seq=19 timeout
172.27.19.20 icmp_seq=20 timeout
172.27.19.20 icmp_seq=21 timeout
172.27.19.20 icmp_seq=22 timeout
84 bytes from 172.27.19.20 icmp_seq=23 ttl=64 time=86.005 ms
84 bytes from 172.27.19.20 icmp_seq=24 ttl=64 time=35.002 ms
84 bytes from 172.27.19.20 icmp_seq=25 ttl=64 time=260.015 ms
84 bytes from 172.27.19.20 icmp_seq=26 ttl=64 time=54.003 ms
84 bytes from 172.27.19.20 icmp_seq=27 ttl=64 time=79.004 ms
84 bytes from 172.27.19.20 icmp_seq=28 ttl=64 time=215.013 ms
84 bytes from 172.27.19.20 icmp_seq=29 ttl=64 time=94.005 ms
84 bytes from 172.27.19.20 icmp_seq=30 ttl=64 time=61.003 ms
ASA-2(config)# show run crypto
crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 202.78.6.4
crypto map VPN_CMAP 1615 set ikev1 transform-set NEW_TSET
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
ASA-2# show crypto isakmp sa detail // ASA-2 IS ALREADY USING THE NEW IKE PHASE 1 AND PHASE 2 ALGORITHMS
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.78.6.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 43200
Lifetime Remaining: 43125
There are no IKEv2 SAs
ASA-2# show crypto ipsec sa
interface: outside
Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 111.203.2.19
access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
current_peer: 202.78.6.4
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 111.203.2.19/0, remote crypto endpt.: 202.78.6.4/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 043ED956
current inbound spi : 2B6D2E84
inbound esp sas:
spi: 0x2B6D2E84 (728575620)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 24576, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28693)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000007FF
outbound esp sas:
spi: 0x043ED956 (71227734)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 24576, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28693)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA-1# show crypto isakmp sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 111.203.2.19
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : aes Hash : SHA
Auth : preshared Lifetime: 43200
Lifetime Remaining: 43061
There are no IKEv2 SAs
ASA-1# show crypto ipsec sa
interface: outside
Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 202.78.6.4
access-list SIN-CHN extended permit ip 172.27.1.0 255.255.255.0 172.27.19.0 255.255.255.0
local ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
current_peer: 111.203.2.19
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.78.6.4/0, remote crypto endpt.: 111.203.2.19/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 7BD96CAA
current inbound spi : 68F180BD
inbound esp sas:
spi: 0x68F180BD (1760657597)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (4373999/28727)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000000F
outbound esp sas:
spi: 0x7BD96CAA (2077846698)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (4374000/28726)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
We can't run IKEv2 yet because we still have first-generation ASA 5500 firewalls (the non-X models) running a pre-8.4 image. On an ASA running 8.4 or later, IKEv1 and IKEv2 can be configured simultaneously; when both are enabled, the ASA prefers IKEv2 and uses it to negotiate the IPsec VPN tunnel.
ASA-2(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
exec mode commands/options:
ca Execute Certification Authority Commands
ASA-2(config)# crypto ikev2 ?
configure mode commands/options:
cookie-challenge Enable and configure IKEv2 cookie challenges based on
half-open SAs
enable Enable IKEv2 on the specified interface
limit Enable limits on IKEv2 SAs
policy Set IKEv2 policy suite
redirect Set IKEv2 redirect
remote-access Configure IKEv2 for Remote Access
ASA-2(config)# crypto ikev2 policy ?
configure mode commands/options:
<1-65535> Policy suite priority(1 highest, 65535 lowest)
ASA-2(config)# crypto ikev2 policy 10
ASA-2(config-ikev2-policy)# ?
ikev2 policy configuration commands:
encryption Configure one or more encryption algorithm
exit Exit from ikev2 policy configuration mode
group Configure one or more DH groups
help Help for ikev2 policy configuration commands
integrity Configure one or more integrity algorithm
lifetime Configure the ikev2 lifetime
no Remove an ikev2 policy configuration item
prf Configure one or more hash algorithm
ASA-2(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA-2(config-ikev2-policy)# encryption aes-256
ASA-2(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
ASA-2(config-ikev2-policy)# integrity sha256
ASA-2(config-ikev2-policy)# group ?
ikev2-policy mode commands/options:
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
ASA-2(config-ikev2-policy)# group 2
ASA-2(config-ikev2-policy)# lifetime ?
ikev2-policy mode commands/options:
seconds Lifetime seconds
ASA-2(config-ikev2-policy)# lifetime seconds ?
ikev2-policy mode commands/options:
<120-2147483647> Enter the ikev2 lifetime
none Disable rekey and allow an unlimited rekey period
ASA-2(config-ikev2-policy)# lifetime seconds 43200
ASA-2(config)# crypto ipsec ?
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
ASA-2(config)# crypto ipsec ikev2 ?
configure mode commands/options:
ipsec-proposal Configure IKEv2 IPSec Policy
ASA-2(config)# crypto ipsec ikev2 ipsec-proposal ?
configure mode commands/options:
WORD < 65 char Enter the name of the ipsec-proposal
ASA-2(config)# crypto ipsec ikev2 ipsec-proposal IKEv2_TSET
ASA-2(config-ipsec-proposal)# ?
ikev2 IPSec Policy configuration commands:
exit Exit from ipsec-proposal configuration mode
help Help for ikev2 IPSec policy configuration commands
no Remove an ikev2 IPSec policy configuration item
protocol Configure a protocol for the IPSec proposal
ASA-2(config-ipsec-proposal)# protocol ?
ipsec-proposal mode commands/options:
esp IPsec Encapsulating Security Payload
ASA-2(config-ipsec-proposal)# protocol esp ?
ipsec-proposal mode commands/options:
encryption Add one or more encryption algorithms for this protocol
integrity Add one or more integrity algorithms for this protocol
ASA-2(config-ipsec-proposal)# protocol esp encryption ?
ipsec-proposal mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
ASA-2(config-ipsec-proposal)# protocol esp encryption aes-256
ASA-2(config-ipsec-proposal)# protocol esp integrity ?
ipsec-proposal mode commands/options:
md5 set hash md5
sha-1 set hash sha-1
ASA-2(config-ipsec-proposal)# protocol esp integrity sha-1
ASA-2(config)# crypto map VPN_CMAP 1615 set ?
configure mode commands/options:
connection-type Specify connection-type for site-site connection based
on this entry
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
nat-t-disable Disable nat-t negotiation for connections based on this
entry
peer Set IP address of peer
pfs Specify pfs settings
reverse-route Enable reverse route injection for connections based on
this entry
security-association Security association duration
trustpoint Specify trustpoint that defines the certificate to be
used while initiating a connection based on this entry
ASA-2(config)# crypto map VPN_CMAP 1615 set ikev2 ?
configure mode commands/options:
ipsec-proposal Specify list of IPSec proposals in priority order
pre-shared-key Specify a pre-shared key to be used while initiating a
connection based on this entry
ASA-2(config)# crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal ?
configure mode commands/options:
WORD ipsec-proposal tag
ASA-2(config)# crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal IKEv2_TSET
ASA-2(config)# crypto ikev2 ?
configure mode commands/options:
cookie-challenge Enable and configure IKEv2 cookie challenges based on
half-open SAs
enable Enable IKEv2 on the specified interface
limit Enable limits on IKEv2 SAs
policy Set IKEv2 policy suite
redirect Set IKEv2 redirect
remote-access Configure IKEv2 for Remote Access
ASA-2(config)# crypto ikev2 enable ?
configure mode commands/options:
Type an interface name to enable
inside Name of interface GigabitEthernet1
outside Name of interface GigabitEthernet0
<cr>
ASA-2(config)# crypto ikev2 enable outside
ASA-2(config)# tunnel-group 202.78.6.4 ipsec-attributes
ASA-2(config-tunnel-ipsec)# ?
tunnel-group configuration commands:
chain Enable sending certificate chain
exit Exit from tunnel-group IPSec attribute configuration mode
help Help for tunnel group configuration commands
ikev1 Configure IKEv1
ikev2 Configure IKEv2
isakmp Configure ISAKMP policy
no Remove an attribute value pair
peer-id-validate Validate identity of the peer using the peer's certificate
ASA-2(config-tunnel-ipsec)# ikev2 ?
tunnel-group-ipsec mode commands/options:
local-authentication Configure the local authentication method for IKEv2
tunnels
remote-authentication Configure the remote authentication method required of
the remote peer for IKEv2 tunnels
ASA-2(config-tunnel-ipsec)# ikev2 remote-authentication ?
tunnel-group-ipsec mode commands/options:
certificate Require certificate authentication from remote peer
pre-shared-key Require pre-shared-key authentication from remote peer
ASA-2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key ?
tunnel-group-ipsec mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
WORD < 129 char Enter an alphanumeric string between 1-128 characters
ASA-2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco
INFO: You must configure ikev2 local-authentication pre-shared-key
or certificate to complete authentication.
ASA-2(config-tunnel-ipsec)# ikev2 ?
tunnel-group-ipsec mode commands/options:
local-authentication Configure the local authentication method for IKEv2
tunnels
remote-authentication Configure the remote authentication method required of
the remote peer for IKEv2 tunnels
ASA-2(config-tunnel-ipsec)# ikev2 local-authentication ?
tunnel-group-ipsec mode commands/options:
certificate Select the trustpoint that identifies the cert to be sent to
the IKE peer
pre-shared-key Configure the local pre-shared-key used to authenticate to
the remote peer
ASA-2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ?
tunnel-group-ipsec mode commands/options:
0 Specifies an UNENCRYPTED password will follow
8 Specifies an ENCRYPTED password will follow
ASA-2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco
ASA-2(config-tunnel-ipsec)# show run crypto
crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal IKEv2_TSET
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 202.78.6.4
crypto map VPN_CMAP 1615 set ikev1 transform-set NEW_TSET
crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal IKEv2_TSET
crypto map VPN_CMAP interface outside
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 43200
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200
ASA-2(config-tunnel-ipsec)# sh run tunnel
tunnel-group 202.78.6.4 type ipsec-l2l
tunnel-group 202.78.6.4 ipsec-attributes
ikev1 pre-shared-key cisco
ikev2 remote-authentication pre-shared-key cisco
ikev2 local-authentication pre-shared-key cisco
ASA-1(config-tunnel-ipsec)# show run crypto
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal IKEv2_TSET
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 111.203.2.19
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal IKEv2_TSET
crypto map VPN_CMAP interface outside
crypto ikev2 policy 10
encryption aes-256
integrity sha256
group 2
prf sha
lifetime seconds 43200
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
ASA-1# show crypto isakmp sa detail // IKEv1 CURRENTLY USED
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 111.203.2.19
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86077
There are no IKEv2 SAs
ASA-1# show crypto ipsec sa
interface: outside
Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 202.78.6.4
access-list SIN-CHN extended permit ip 172.27.1.0 255.255.255.0 172.27.19.0 255.255.255.0
local ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
current_peer: 111.203.2.19
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 202.78.6.4/0, remote crypto endpt.: 111.203.2.19/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: ECF2F9D9
current inbound spi : 632D966B
inbound esp sas:
spi: 0x632D966B (1663932011)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (4373999/28456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000001FF
outbound esp sas:
spi: 0xECF2F9D9 (3975346649)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (4373999/28455)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA-2# show crypto isakmp sa detail
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 202.78.6.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Encrypt : des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86038
There are no IKEv2 SAs
ASA-2# show crypto ipsec sa
interface: outside
Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 111.203.2.19
access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
current_peer: 202.78.6.4
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 111.203.2.19/0, remote crypto endpt.: 202.78.6.4/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 632D966B
current inbound spi : ECF2F9D9
inbound esp sas:
spi: 0xECF2F9D9 (3975346649)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28432)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000001FF
outbound esp sas:
spi: 0x632D966B (1663932011)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (3914999/28432)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
ASA-2# clear crypto ikev1 sa // FORCE IKEv2 SA
ASA-2# show crypto isakmp sa detail
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
11112945 111.203.2.19/500 202.78.6.4/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 43200/10 sec
Session-id: 1
Status Description: Negotiation done
Local spi: 5200C3AFFECDAD0C Remote spi: D563E6EC93E31890
Local id: 111.203.2.19
Remote id: 202.78.6.4
Local req mess id: 0 Remote req mess id: 2
Local next mess id: 0 Remote next mess id: 2
Local req queued: 0 Remote req queued: 2
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected
Child sa: local selector 172.27.19.0/0 - 172.27.19.255/65535
remote selector 172.27.1.0/0 - 172.27.1.255/65535
ESP spi in/out: 0x3807a279/0x3215f1f1
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel
ASA-2# show crypto ipsec sa
interface: outside
Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 111.203.2.19
access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
current_peer: 202.78.6.4
#pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 23, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 111.203.2.19/500, remote crypto endpt.: 202.78.6.4/500
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 3215F1F1
current inbound spi : 3807A279
inbound esp sas:
spi: 0x3807A279 (940024441)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (4055038/28723)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00FFFFFF
outbound esp sas:
spi: 0x3215F1F1 (840298993)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8192, crypto-map: VPN_CMAP
sa timing: remaining key lifetime (kB/sec): (3916798/28722)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
PC1> ping 172.27.19.20 -t
84 bytes from 172.27.19.20 icmp_seq=1 ttl=64 time=61.003 ms
84 bytes from 172.27.19.20 icmp_seq=2 ttl=64 time=100.005 ms
84 bytes from 172.27.19.20 icmp_seq=3 ttl=64 time=93.005 ms
84 bytes from 172.27.19.20 icmp_seq=4 ttl=64 time=269.016 ms
84 bytes from 172.27.19.20 icmp_seq=5 ttl=64 time=69.004 ms
84 bytes from 172.27.19.20 icmp_seq=6 ttl=64 time=65.004 ms
84 bytes from 172.27.19.20 icmp_seq=7 ttl=64 time=65.004 ms
84 bytes from 172.27.19.20 icmp_seq=8 ttl=64 time=66.004 ms
84 bytes from 172.27.19.20 icmp_seq=9 ttl=64 time=62.004 ms
84 bytes from 172.27.19.20 icmp_seq=10 ttl=64 time=67.004 ms
84 bytes from 172.27.19.20 icmp_seq=11 ttl=64 time=69.004 ms
84 bytes from 172.27.19.20 icmp_seq=12 ttl=64 time=70.004 ms
84 bytes from 172.27.19.20 icmp_seq=13 ttl=64 time=65.004 ms
84 bytes from 172.27.19.20 icmp_seq=14 ttl=64 time=63.004 ms
84 bytes from 172.27.19.20 icmp_seq=15 ttl=64 time=59.004 ms
84 bytes from 172.27.19.20 icmp_seq=16 ttl=64 time=270.015 ms
84 bytes from 172.27.19.20 icmp_seq=17 ttl=64 time=66.003 ms
84 bytes from 172.27.19.20 icmp_seq=18 ttl=64 time=67.003 ms
84 bytes from 172.27.19.20 icmp_seq=19 ttl=64 time=65.003 ms
84 bytes from 172.27.19.20 icmp_seq=20 ttl=64 time=66.003 ms
172.27.19.20 icmp_seq=21 timeout // DUE TO IKEv2 NEGOTIATION
172.27.19.20 icmp_seq=22 timeout
84 bytes from 172.27.19.20 icmp_seq=23 ttl=64 time=79.004 ms
84 bytes from 172.27.19.20 icmp_seq=24 ttl=64 time=53.003 ms
84 bytes from 172.27.19.20 icmp_seq=25 ttl=64 time=80.004 ms
84 bytes from 172.27.19.20 icmp_seq=26 ttl=64 time=87.005 ms
84 bytes from 172.27.19.20 icmp_seq=27 ttl=64 time=70.004 ms
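The `show crypto isakmp sa detail` outputs above are the real proof of the migration: the config can say AES while the live SA is still DES, as the HQ firewall showed until its IKEv1 SA was cleared. The script below is an added example (written for this post, not part of the original or of Cisco's tooling) that parses that output for both the IKEv1 and IKEv2 layouts, returns one record per live IKE SA, and lists peers whose SA is still IKEv1 or still uses DES/3DES or MD5. The sample outputs are constructed from the ones shown on this page; the "gap" rules are an assumption of the example.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class IkeSa:
    version: int
    peer: str
    encryption: str
    hash_alg: str
    lifetime: int  # configured IKE SA lifetime in seconds


# IKEv1 layout: "1   IKE Peer: 1.2.3.4", "Encrypt : des   Hash : MD5", "Auth : preshared Lifetime: 86400"
IKEV1_PEER = re.compile(r"IKE Peer:\s*(\S+)")
IKEV1_ALG = re.compile(r"Encrypt\s*:\s*(\S+)\s+Hash\s*:\s*(\S+)")
IKEV1_LIFE = re.compile(r"Lifetime:\s*(\d+)")  # does not match "Lifetime Remaining:"
# IKEv2 layout: "<tunnel-id> <local>/<port> <remote>/<port> <status> <role>", then the Encr line
IKEV2_ROW = re.compile(r"^\d+\s+\S+\s+(\S+)/\d+\s+\S+\s+\S+$")
IKEV2_ALG = re.compile(r"Encr:\s*(\S+?),\s*keysize:\s*(\d+),\s*Hash:\s*(\S+),")
IKEV2_LIFE = re.compile(r"Life/Active Time:\s*(\d+)/")


def parse_isakmp_sa_detail(output: str) -> List[IkeSa]:
    """Return one IkeSa per live IKE SA in `show crypto isakmp sa detail` output."""
    sas: List[IkeSa] = []
    version = 0  # which section of the output we are in
    for raw in output.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop the post's "// ..." annotations
        if line.startswith("IKEv1 SAs"):
            version = 1
        elif line.startswith("IKEv2 SAs"):
            version = 2
        elif version == 1:
            if m := IKEV1_PEER.search(line):
                sas.append(IkeSa(1, m.group(1), "?", "?", 0))
            elif (m := IKEV1_ALG.search(line)) and sas:
                sas[-1].encryption, sas[-1].hash_alg = m.group(1), m.group(2)
            elif (m := IKEV1_LIFE.search(line)) and sas:
                sas[-1].lifetime = int(m.group(1))
        elif version == 2:
            if m := IKEV2_ROW.match(line):
                sas.append(IkeSa(2, m.group(1), "?", "?", 0))
            elif (m := IKEV2_ALG.search(line)) and sas:
                # the child SA's "Encr: ..., esp_hmac: ..." line has no "Hash:" and is skipped
                sas[-1].encryption = f"{m.group(1)}-{m.group(2)}"
                sas[-1].hash_alg = m.group(3)
            elif (m := IKEV2_LIFE.search(line)) and sas:
                sas[-1].lifetime = int(m.group(1))
    return sas


def migration_gaps(sas: List[IkeSa]) -> List[str]:
    """Peers whose live SA is still IKEv1, DES/3DES or MD5 (assumed target policy)."""
    gaps = []
    for sa in sas:
        problems = []
        if sa.version < 2:
            problems.append("still on IKEv1")
        if sa.encryption.lower() in ("des", "3des"):
            problems.append(f"cipher {sa.encryption}")
        if sa.hash_alg.lower() == "md5":
            problems.append(f"hash {sa.hash_alg}")
        if problems:
            gaps.append(f"{sa.peer}: " + ", ".join(problems))
    return gaps


# Constructed samples, copied from the outputs shown in this post.
BEFORE_SA = """\
IKEv1 SAs:
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 111.203.2.19
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86372
There are no IKEv2 SAs
"""

IKEV2_SA = """\
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
11112945 111.203.2.19/500 202.78.6.4/500 READY RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 43200/10 sec
Child sa: local selector 172.27.19.0/0 - 172.27.19.255/65535
      Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_SA), ("after", IKEV2_SA)):
        sas = parse_isakmp_sa_detail(text)
        print(f"== {label}: {sas}")
        print("   gaps:", migration_gaps(sas) or "none")
```

Feeding it the output collected from every firewall after a change window gives a quick list of peers that still need attention, and it stays useful after the IKEv2 move since it reads both layouts.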
Cisco also publishes a guide for a quick migration to IKEv2 using the migrate l2l overwrite command.
ASA-2# configure terminal
ASA-2(config)# migrate ?
configure mode commands/options:
l2l Migrate IKEv1 lan-to-lan configuration to IKEv2
overwrite Overwrite existing IKEv2 configuration
remote-access Migrate IKEv1 remote-access configuration to IKEv2/SSL
<cr>
ASA-2(config)# migrate l2l ?
configure mode commands/options:
overwrite Overwrite existing IKEv2 configuration
<cr>
ASA-2(config)# migrate l2l overwrite
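Before either the manual algorithm swap walked through above or the migrate l2l overwrite shortcut, it helps to know exactly which IKEv1 policies, transform-sets and crypto-map entries still carry the weak algorithms. The following Python script is an added example, not part of the original post or of Cisco's tooling: it parses a show run crypto dump in the format shown on this page, reports DES/3DES/MD5 in Phase 1 and Phase 2, and flags crypto-map entries with no IKEv2 proposal bound. As a caveat that goes beyond the post's own "strong" policy, it also flags DH groups 1 and 2; the algorithm lists and the trimmed sample dumps are this example's own.

```python
"""Audit an ASA 'show run crypto' dump for weak IKE Phase 1/2 algorithms and IKEv1-only crypto maps."""
import re
from collections import defaultdict

# DES/3DES/MD5 are what the post replaces. DH groups 1 and 2 (768/1024-bit MODP) are flagged as
# a caveat: the post's "strong" policies keep group 2, which current guidance no longer recommends.
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}
SUBMODE = {"authentication", "encryption", "hash", "group", "lifetime", "integrity", "prf", "protocol"}


def _algo(token):
    """'esp-3des' -> '3des', 'esp-md5-hmac' -> 'md5', 'aes-256' is returned unchanged."""
    t = token.lower()
    t = t[4:] if t.startswith("esp-") else t
    return t[:-5] if t.endswith("-hmac") else t


def parse_crypto_config(text):
    """Collect policies, transform-sets, IKEv2 proposals and crypto-map entries. Sub-mode lines
    belong to the most recent top-level 'crypto' command, whether indented in the dump or not."""
    cfg = {"ikev1_policies": {}, "ikev2_policies": {}, "transform_sets": {},
           "proposals": {}, "crypto_maps": defaultdict(dict)}
    context = None  # (section, key) that owns the sub-mode lines that follow
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # tolerate the post's inline '//' annotations
        w = line.split()
        if not w:
            continue
        if w[0] in SUBMODE:
            if context is None:
                continue
            entry = cfg[context[0]].setdefault(context[1], {})
            if context[0] == "proposals" and w[:2] == ["protocol", "esp"] and len(w) > 3:
                entry.setdefault(w[2], []).extend(w[3:])  # w[2] is 'encryption' or 'integrity'
            elif context[0].endswith("_policies") and w[0] not in ("authentication", "lifetime"):
                entry.setdefault(w[0], []).extend(w[1:])
            continue
        context = None
        if m := re.match(r"crypto (?:ikev1|isakmp) policy (\d+)$", line):
            context = ("ikev1_policies", m.group(1))
        elif m := re.match(r"crypto ikev2 policy (\d+)$", line):
            context = ("ikev2_policies", m.group(1))
        elif m := re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line):
            context = ("proposals", m.group(1))
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) set (peer|ikev1 transform-set|ikev2 ipsec-proposal) (\S+)", line):
            cfg["crypto_maps"][f"{m.group(1)} {m.group(2)}"][m.group(3).split()[0]] = m.group(4)
    return cfg


def _weak(label, values, weak_set):
    return [f"{label}: weak {v}" for v in values if _algo(v) in weak_set]


def audit(cfg):
    """Return sorted findings for a parsed config; an empty list means clean."""
    out = []
    for section in ("ikev1_policies", "ikev2_policies"):
        for prio, pol in cfg[section].items():
            label = f"{section[:5]} policy {prio}"
            out += _weak(label, pol.get("encryption", []), WEAK_ENCRYPTION)
            out += _weak(label, sum((pol.get(k, []) for k in ("hash", "integrity", "prf")), []), WEAK_HASH)
            out += [f"{label}: weak DH group {g}" for g in pol.get("group", []) if g in WEAK_DH_GROUPS]
    for name, algs in cfg["transform_sets"].items():
        out += _weak(f"transform-set {name}", algs, WEAK_ENCRYPTION | WEAK_HASH)
    for name, prop in cfg["proposals"].items():
        algs = prop.get("encryption", []) + prop.get("integrity", [])
        out += _weak(f"ipsec-proposal {name}", algs, WEAK_ENCRYPTION | WEAK_HASH)
    for entry, attrs in cfg["crypto_maps"].items():
        if "ikev2" not in attrs:  # IKEv2 is only negotiated once a proposal is bound to the entry
            out.append(f"crypto map {entry}: IKEv1 only towards peer {attrs.get('peer', '?')}")
    return sorted(out)


# Constructed from the post's output: ASA-1 before the change (DES/MD5 Phase 1, 3DES/MD5 Phase 2).
SAMPLE_BEFORE = """\
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 set peer 111.203.2.19
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto ikev1 policy 1
 encryption des
 hash md5
 group 2
"""
# Constructed from the post's output: ASA-2 after hardening IKEv1 and adding IKEv2 alongside it.
SAMPLE_AFTER = """\
crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal IKEv2_TSET
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map VPN_CMAP 1615 set ikev1 transform-set NEW_TSET
crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal IKEv2_TSET
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
crypto ikev1 policy 5
 encryption aes
 hash sha
 group 2
"""
```

Run audit(parse_crypto_config(dump)) on a dump captured from each firewall; an empty result means no weak algorithm and no IKEv1-only crypto-map entry remains.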