Sunday, April 3, 2016

Migrating IKEv1 and IKEv2 Policy (migrate l2l overwrite Command)

I was asked to replace the "weak" IKE Phase 1 and Phase 2 algorithms (DES and 3DES encryption with MD5 hashing) that are being used in our VPN infrastructure. So I simulated the change in GNS3 first, to see what happens when it is performed on a remote site. Below is a sample setup for the IPsec VPN tunnel between the HQ ASA and a remote ASA firewall. Note that the legacy "crypto isakmp policy" syntax is still accepted on 8.4 and later and is stored as "crypto ikev1 policy", as the show run output further down shows. The replacement chosen here is AES-128 with SHA-1 and DH group 2: a clear improvement over DES/MD5, but SHA-1 and the 1024-bit group 2 are themselves considered weak today, so use AES-256, SHA-256 and a larger DH group wherever every peer supports them.


hostname ASA-1

interface g0
ip add 202.78.6.4 255.255.255.240
nameif outside
no shut

interface g1
ip add 172.27.1.1 255.255.255.0
nameif inside
no shut

route outside 0 0 202.78.6.1

access-list SIN-CHN extended permit ip 172.27.1.0 255.255.255.0 172.27.19.0 255.255.255.0

crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 111.203.2.19
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
no crypto ikev1 policy 65535

crypto isakmp policy 1
authentication pre-share
encryption des    // WEAK ENCRYPTION TO BE CHANGED
hash md5    // WEAK HASH TO BE CHANGED
group 2
lifetime 86400

tunnel-group 111.203.2.19 type ipsec-l2l
tunnel-group 111.203.2.19 ipsec-attributes
ikev1 pre-shared-key cisco

crypto ikev1 policy 5
authentication pre-share
encryption aes   // STRONGER ENCRYPTION (aes = AES-128)
hash sha   // STRONGER HASH (sha = SHA-1)
group 2
lifetime 43200    // CHANGE TO 12 HOURS

crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac    // NEW TRANSFORM SET
crypto map VPN_CMAP 1615 set ikev1 transform-set NEW_TSET

no crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
no crypto isakmp policy 1


----


hostname ASA-2

interface g0
ip add 111.203.2.19 255.255.255.240
nameif outside
no shut

interface g1
ip add 172.27.19.1 255.255.255.0
nameif inside
no shut

route outside 0 0 111.203.2.17

access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0

crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 202.78.6.4
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
no crypto ikev1 policy 65535

crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

tunnel-group 202.78.6.4 type ipsec-l2l
tunnel-group 202.78.6.4 ipsec-attributes
ikev1 pre-shared-key cisco

crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 43200

crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac
crypto map VPN_CMAP 1615 set ikev1 transform-set NEW_TSET

no crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
no crypto isakmp policy 1


------


ASA-1# show run crypto
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 111.203.2.19
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400


ASA-2# show run crypto
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 202.78.6.4
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
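
The before/after state is easy to eyeball for two firewalls but not for a fleet. As an added example (not from the original post), the Python script below parses "show run crypto" output and flags every weak algorithm it finds: DES/3DES, MD5, SHA-1 (which the ASA CLI spells "sha" or "sha-1") and DH groups 1 and 2. The two embedded samples are trimmed copies of the ASA-1 output above and of ASA-2's final configuration from later in this post; running it shows that the "before" policy is flagged on every line, and that the hardened IKEv1 policy and the IKEv2 proposal are still flagged for SHA-1 and group 2.

```python
"""Audit Cisco ASA 'show run crypto' output for weak IKE/IPsec algorithms.

Added example, not from the original post. The samples are trimmed copies of
the 'show run crypto' output in the post: ASA-1 before the change and ASA-2
after the IKEv1 hardening and the IKEv2 additions.
"""
import re

# On the ASA CLI 'sha' means SHA-1; DH groups 1 and 2 are 768- and 1024-bit MODP.
WEAK = {
    "encryption": {"des", "3des", "null"},
    "hash": {"md5", "sha"},                 # IKEv1 policy
    "integrity": {"md5", "sha", "sha-1"},   # IKEv2 policy / ipsec-proposal
    "prf": {"md5", "sha"},
    "group": {"1", "2"},
}

BEFORE = """\
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
"""

AFTER = """\
crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal IKEv2_TSET
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal IKEv2_TSET
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 43200
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
"""


def parse_show_run_crypto(text):
    """Return (policies, transform_sets, proposals): policies maps "ikev1 policy 1"
    to {"encryption": ["des"], ...}, transform_sets a name to its transform list,
    proposals a name to {"encryption": [...], "integrity": [...]}."""
    policies, transform_sets, proposals = {}, {}, {}
    current = None  # the indented policy/proposal block currently being filled
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            if current is None:
                continue
            parts = line.split()
            if parts[0] == "protocol" and len(parts) >= 4:   # protocol esp encryption aes-256
                current.setdefault(parts[2], []).extend(parts[3:])
            elif parts[0] == "lifetime":                     # lifetime 86400 / lifetime seconds 43200
                current["lifetime"] = int(parts[-1])
            elif len(parts) >= 2:                            # encryption des, hash md5, group 2 ...
                current.setdefault(parts[0], []).extend(parts[1:])
            continue
        current = None  # any top-level line ends the previous block
        if m := re.match(r"crypto (ikev[12]) policy (\d+)$", line):
            current = policies.setdefault(f"{m[1]} policy {m[2]}", {})
        elif m := re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line):
            current = proposals.setdefault(m[1], {})
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            transform_sets[m[1]] = m[2].split()
    return policies, transform_sets, proposals


def find_weak_settings(text):
    """Return one finding string per weak algorithm; an empty list means clean."""
    policies, transform_sets, proposals = parse_show_run_crypto(text)
    findings = []
    blocks = list(policies.items()) + [(f"ipsec-proposal {n}", a) for n, a in proposals.items()]
    for name, attrs in blocks:
        for attr, weak in WEAK.items():
            findings += [f"{name}: {attr} {v}" for v in attrs.get(attr, []) if v in weak]
    for name, transforms in transform_sets.items():
        for transform in transforms:
            alg = re.sub(r"^esp-|-hmac$", "", transform)  # esp-md5-hmac -> md5, esp-3des -> 3des
            if alg in WEAK["encryption"] | WEAK["hash"]:
                findings.append(f"transform-set {name}: {transform}")
    return findings


if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, *(find_weak_settings(sample) or ["no weak algorithms"]), sep="\n  ")
```

Feed it the "show run crypto" output collected from each firewall; findings are keyed by policy, proposal or transform-set name so the offending line can be located directly in the configuration.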

ASA-1# show crypto isakmp sa

There are no IKEv1 SAs   // NEED TO TRIGGER INTERESTING TRAFFIC (CRYPTO ACL)

There are no IKEv2 SAs


ASA-2# show crypto isakmp sa

There are no IKEv1 SAs

There are no IKEv2 SAs



PC1> ping 172.27.19.20     // PING FROM SINGAPORE LAN TO CHINA LAN IP
172.27.19.20 icmp_seq=1 timeout     // TIMEOUT DUE TO IKE PHASE 1 AND PHASE 2 NEGOTIATION
172.27.19.20 icmp_seq=2 timeout
172.27.19.20 icmp_seq=3 timeout
84 bytes from 172.27.19.20 icmp_seq=4 ttl=64 time=45.002 ms
84 bytes from 172.27.19.20 icmp_seq=5 ttl=64 time=89.005 ms


ASA-1# show crypto isakmp sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 111.203.2.19
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5      
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86372

There are no IKEv2 SAs

ASA-1# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 202.78.6.4

      access-list SIN-CHN extended permit ip 172.27.1.0 255.255.255.0 172.27.19.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
      current_peer: 111.203.2.19

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.78.6.4/0, remote crypto endpt.: 111.203.2.19/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: E271AEF1
      current inbound spi : 82CECD8A

    inbound esp sas:
      spi: 0x82CECD8A (2194591114)
         transform: esp-3des esp-md5-hmac no compression    
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (4373999/28766)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xE271AEF1 (3799101169)
         transform: esp-3des esp-md5-hmac no compression   
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (4373999/28766)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


ASA-2# show crypto isakmp sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 202.78.6.4
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE   
    Encrypt : des             Hash    : MD5      
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86350   

There are no IKEv2 SAs

ASA-2# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 111.203.2.19

      access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
      current_peer: 202.78.6.4

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4  
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4  
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 111.203.2.19/0, remote crypto endpt.: 202.78.6.4/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: DCA8F338
      current inbound spi : E150B17A

    inbound esp sas:
      spi: 0xE150B17A (3780161914)
         transform: esp-3des esp-md5-hmac no compression   
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (3914999/28728)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xDCA8F338 (3702059832)
         transform: esp-3des esp-md5-hmac no compression   
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 12288, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (3914999/28728)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


----


PC1> ping 172.27.19.20 -t
172.27.19.20 icmp_seq=1 timeout
84 bytes from 172.27.19.20 icmp_seq=2 ttl=64 time=276.016 ms
84 bytes from 172.27.19.20 icmp_seq=3 ttl=64 time=81.005 ms
84 bytes from 172.27.19.20 icmp_seq=4 ttl=64 time=45.002 ms
84 bytes from 172.27.19.20 icmp_seq=5 ttl=64 time=92.005 ms
84 bytes from 172.27.19.20 icmp_seq=6 ttl=64 time=65.004 ms
84 bytes from 172.27.19.20 icmp_seq=7 ttl=64 time=266.015 ms
84 bytes from 172.27.19.20 icmp_seq=8 ttl=64 time=66.003 ms
84 bytes from 172.27.19.20 icmp_seq=9 ttl=64 time=70.004 ms
84 bytes from 172.27.19.20 icmp_seq=10 ttl=64 time=259.015 ms
84 bytes from 172.27.19.20 icmp_seq=11 ttl=64 time=63.004 ms
84 bytes from 172.27.19.20 icmp_seq=12 ttl=64 time=68.004 ms
84 bytes from 172.27.19.20 icmp_seq=13 ttl=64 time=61.003 ms
84 bytes from 172.27.19.20 icmp_seq=14 ttl=64 time=44.002 ms
172.27.19.20 icmp_seq=15 timeout      // CHANGED REMOTE ASA TO USE THE NEW IKE PHASE 1 AND PHASE 2 ALGORITHMS; CHANGED HQ ASA IKE PHASE 1 AND PHASE 2 ALGORITHMS AFTERWARDS
172.27.19.20 icmp_seq=16 timeout
172.27.19.20 icmp_seq=17 timeout
172.27.19.20 icmp_seq=18 timeout
172.27.19.20 icmp_seq=19 timeout
172.27.19.20 icmp_seq=20 timeout
172.27.19.20 icmp_seq=21 timeout
172.27.19.20 icmp_seq=22 timeout
84 bytes from 172.27.19.20 icmp_seq=23 ttl=64 time=86.005 ms
84 bytes from 172.27.19.20 icmp_seq=24 ttl=64 time=35.002 ms
84 bytes from 172.27.19.20 icmp_seq=25 ttl=64 time=260.015 ms
84 bytes from 172.27.19.20 icmp_seq=26 ttl=64 time=54.003 ms
84 bytes from 172.27.19.20 icmp_seq=27 ttl=64 time=79.004 ms
84 bytes from 172.27.19.20 icmp_seq=28 ttl=64 time=215.013 ms
84 bytes from 172.27.19.20 icmp_seq=29 ttl=64 time=94.005 ms
84 bytes from 172.27.19.20 icmp_seq=30 ttl=64 time=61.003 ms


ASA-2(config)# show run crypto
crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 202.78.6.4
crypto map VPN_CMAP 1615 set ikev1 transform-set NEW_TSET
crypto map VPN_CMAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200


ASA-2# show crypto isakmp sa detail    // ASA-2 IS ALREADY USING THE NEW IKE PHASE 1 AND PHASE 2 ALGORITHMS

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 202.78.6.4
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE  
    Encrypt : aes             Hash    : SHA       
    Auth    : preshared       Lifetime: 43200   
    Lifetime Remaining: 43125

There are no IKEv2 SAs

ASA-2# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 111.203.2.19

      access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
      current_peer: 202.78.6.4

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 111.203.2.19/0, remote crypto endpt.: 202.78.6.4/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 043ED956
      current inbound spi : 2B6D2E84

    inbound esp sas:
      spi: 0x2B6D2E84 (728575620)
         transform: esp-aes esp-sha-hmac no compression    
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 24576, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (3914999/28693)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000007FF
    outbound esp sas:
      spi: 0x043ED956 (71227734)
         transform: esp-aes esp-sha-hmac no compression   
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 24576, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (3914999/28693)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


ASA-1# show crypto isakmp sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 111.203.2.19
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE  
    Encrypt : aes             Hash    : SHA     
    Auth    : preshared       Lifetime: 43200
    Lifetime Remaining: 43061   

There are no IKEv2 SAs


ASA-1# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 202.78.6.4

      access-list SIN-CHN extended permit ip 172.27.1.0 255.255.255.0 172.27.19.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
      current_peer: 111.203.2.19

      #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
      #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 10, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.78.6.4/0, remote crypto endpt.: 111.203.2.19/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 7BD96CAA
      current inbound spi : 68F180BD

    inbound esp sas:
      spi: 0x68F180BD (1760657597)
         transform: esp-aes esp-sha-hmac no compression   
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (4373999/28727)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000000F
    outbound esp sas:
      spi: 0x7BD96CAA (2077846698)
         transform: esp-aes esp-sha-hmac no compression  
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (4374000/28726)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


We're unable to run IKEv2 yet, since we still have first-generation ASA 5500 firewalls (the non-X models) running images older than 8.4. IKEv2 support arrived in ASA 8.4(1). On an ASA running 8.4 or later you can configure IKEv1 and IKEv2 on the same crypto map entry at the same time, and IKEv2 is preferred: the initiating ASA tries IKEv2 first and falls back to IKEv1 only if that negotiation fails. An IKEv1 SA that is already established is not replaced automatically; it stays up until it is cleared or expires, which is why the IKEv1 SA has to be cleared below to force an IKEv2 negotiation.


ASA-2(config)# crypto ?

configure mode commands/options:
  ca           Certification authority
  dynamic-map  Configure a dynamic crypto map
  ikev1        Configure IKEv1 policy
  ikev2        Configure IKEv2 policy
  ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
  isakmp       Configure ISAKMP
  key          Long term key operations
  map          Configure a crypto map

exec mode commands/options:
  ca  Execute Certification Authority Commands
ASA-2(config)# crypto ikev2 ?

configure mode commands/options:
  cookie-challenge  Enable and configure IKEv2 cookie challenges based on
                    half-open SAs
  enable            Enable IKEv2 on the specified interface
  limit             Enable limits on IKEv2 SAs
  policy            Set IKEv2 policy suite
  redirect          Set IKEv2 redirect
  remote-access     Configure IKEv2 for Remote Access
ASA-2(config)# crypto ikev2 policy ?

configure mode commands/options:
  <1-65535>  Policy suite priority(1 highest, 65535 lowest)
ASA-2(config)# crypto ikev2 policy 10
ASA-2(config-ikev2-policy)# ?

ikev2 policy configuration commands:
  encryption  Configure one or more encryption algorithm
  exit        Exit from ikev2 policy configuration mode
  group       Configure one or more DH groups
  help        Help for ikev2 policy configuration commands
  integrity   Configure one or more integrity algorithm
  lifetime    Configure the ikev2 lifetime
  no          Remove an ikev2 policy configuration item
  prf         Configure one or more hash algorithm
ASA-2(config-ikev2-policy)# encryption ?

ikev2-policy mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption
ASA-2(config-ikev2-policy)# encryption aes-256
ASA-2(config-ikev2-policy)# integrity ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512
ASA-2(config-ikev2-policy)# integrity sha256
ASA-2(config-ikev2-policy)# group ?

ikev2-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
ASA-2(config-ikev2-policy)# group 2
ASA-2(config-ikev2-policy)# lifetime ?

ikev2-policy mode commands/options:
  seconds  Lifetime seconds
ASA-2(config-ikev2-policy)# lifetime seconds ?

ikev2-policy mode commands/options:
  <120-2147483647>  Enter the ikev2 lifetime
  none              Disable rekey and allow an unlimited rekey period
ASA-2(config-ikev2-policy)# lifetime seconds 43200

ASA-2(config)# crypto ipsec ?

configure mode commands/options:
  df-bit                Set IPsec DF policy
  fragmentation         Set IPsec fragmentation policy
  ikev1                 Set IKEv1 settings
  ikev2                 Set IKEv2 settings
  security-association  Set security association parameters
ASA-2(config)# crypto ipsec ikev2 ?

configure mode commands/options:
  ipsec-proposal  Configure IKEv2 IPSec Policy
ASA-2(config)# crypto ipsec ikev2 ipsec-proposal ?

configure mode commands/options:
  WORD < 65 char  Enter the name of the ipsec-proposal
ASA-2(config)# crypto ipsec ikev2 ipsec-proposal IKEv2_TSET
ASA-2(config-ipsec-proposal)# ?

ikev2 IPSec Policy configuration commands:
  exit      Exit from ipsec-proposal configuration mode
  help      Help for ikev2 IPSec policy configuration commands
  no        Remove an ikev2 IPSec policy configuration item
  protocol  Configure a protocol for the IPSec proposal
ASA-2(config-ipsec-proposal)# protocol ?

ipsec-proposal mode commands/options:
  esp  IPsec Encapsulating Security Payload
ASA-2(config-ipsec-proposal)# protocol esp ?

ipsec-proposal mode commands/options:
  encryption  Add one or more encryption algorithms for this protocol
  integrity   Add one or more integrity algorithms for this protocol
ASA-2(config-ipsec-proposal)# protocol esp encryption ?

ipsec-proposal mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption
ASA-2(config-ipsec-proposal)# protocol esp encryption aes-256
ASA-2(config-ipsec-proposal)# protocol esp integrity ?       

ipsec-proposal mode commands/options:
  md5    set hash md5
  sha-1  set hash sha-1
ASA-2(config-ipsec-proposal)# protocol esp integrity sha-1   

ASA-2(config)# crypto map VPN_CMAP 1615 set ?

configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based
                        on this entry
  ikev1                 Configure IKEv1 policy
  ikev2                 Configure IKEv2 policy
  nat-t-disable         Disable nat-t negotiation for connections based on this
                        entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  reverse-route         Enable reverse route injection for connections based on
                        this entry
  security-association  Security association duration
  trustpoint            Specify trustpoint that defines the certificate to be
                        used while initiating a connection based on this entry
ASA-2(config)# crypto map VPN_CMAP 1615 set ikev2 ?

configure mode commands/options:
  ipsec-proposal  Specify list of IPSec proposals in priority order
  pre-shared-key  Specify a pre-shared key to be used while initiating a
                  connection based on this entry
ASA-2(config)# crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal ?

configure mode commands/options:
  WORD  ipsec-proposal tag
ASA-2(config)# crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal IKEv2_TSET

ASA-2(config)# crypto ikev2 ?

configure mode commands/options:
  cookie-challenge  Enable and configure IKEv2 cookie challenges based on
                    half-open SAs
  enable            Enable IKEv2 on the specified interface
  limit             Enable limits on IKEv2 SAs
  policy            Set IKEv2 policy suite
  redirect          Set IKEv2 redirect
  remote-access     Configure IKEv2 for Remote Access
ASA-2(config)# crypto ikev2 enable ?

configure mode commands/options:
Type an interface name to enable
  inside   Name of interface GigabitEthernet1
  outside  Name of interface GigabitEthernet0
  <cr>
ASA-2(config)# crypto ikev2 enable outside

ASA-2(config)# tunnel-group 202.78.6.4 ipsec-attributes
ASA-2(config-tunnel-ipsec)# ?

tunnel-group configuration commands:
  chain             Enable sending certificate chain
  exit              Exit from tunnel-group IPSec attribute configuration mode
  help              Help for tunnel group configuration commands
  ikev1             Configure IKEv1
  ikev2             Configure IKEv2
  isakmp            Configure ISAKMP policy
  no                Remove an attribute value pair
  peer-id-validate  Validate identity of the peer using the peer's certificate

ASA-2(config-tunnel-ipsec)# ikev2 ?

tunnel-group-ipsec mode commands/options:
  local-authentication   Configure the local authentication method for IKEv2
                         tunnels
  remote-authentication  Configure the remote authentication method required of
                         the remote peer for IKEv2 tunnels
ASA-2(config-tunnel-ipsec)# ikev2 remote-authentication ?

tunnel-group-ipsec mode commands/options:
  certificate     Require certificate authentication from remote peer
  pre-shared-key  Require pre-shared-key authentication from remote peer
ASA-2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key ?

tunnel-group-ipsec mode commands/options:
  0                Specifies an UNENCRYPTED password will follow
  8                Specifies an ENCRYPTED password will follow
  WORD < 129 char  Enter an alphanumeric string between 1-128 characters
ASA-2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key cisco
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
ASA-2(config-tunnel-ipsec)# ikev2 ?

tunnel-group-ipsec mode commands/options:
  local-authentication   Configure the local authentication method for IKEv2
                         tunnels
  remote-authentication  Configure the remote authentication method required of
                         the remote peer for IKEv2 tunnels
ASA-2(config-tunnel-ipsec)# ikev2 local-authentication ?

tunnel-group-ipsec mode commands/options:
  certificate     Select the trustpoint that identifies the cert to be sent to
                  the IKE peer
  pre-shared-key  Configure the local pre-shared-key used to authenticate to
                  the remote peer
ASA-2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key ?

tunnel-group-ipsec mode commands/options:
  0  Specifies an UNENCRYPTED password will follow
  8  Specifies an ENCRYPTED password will follow
ASA-2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key cisco

ASA-2(config-tunnel-ipsec)# show run crypto
crypto ipsec ikev1 transform-set NEW_TSET esp-aes esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal IKEv2_TSET
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 202.78.6.4
crypto map VPN_CMAP 1615 set ikev1 transform-set NEW_TSET
crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal IKEv2_TSET
crypto map VPN_CMAP interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 43200
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
ASA-2(config-tunnel-ipsec)# sh run tunnel
tunnel-group 202.78.6.4 type ipsec-l2l
tunnel-group 202.78.6.4 ipsec-attributes
 ikev1 pre-shared-key cisco
 ikev2 remote-authentication pre-shared-key cisco
 ikev2 local-authentication pre-shared-key cisco


ASA-1(config-tunnel-ipsec)# show run crypto
crypto ipsec ikev1 transform-set vpn3des esp-3des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal IKEv2_TSET
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map VPN_CMAP 1615 match address SIN-CHN
crypto map VPN_CMAP 1615 set peer 111.203.2.19
crypto map VPN_CMAP 1615 set ikev1 transform-set vpn3des
crypto map VPN_CMAP 1615 set ikev2 ipsec-proposal IKEv2_TSET
crypto map VPN_CMAP interface outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 2
 prf sha
 lifetime seconds 43200
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400


ASA-1# show crypto isakmp sa detail   // IKEv1 CURRENTLY USED

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 111.203.2.19
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5      
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86077

There are no IKEv2 SAs


ASA-1# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 202.78.6.4

      access-list SIN-CHN extended permit ip 172.27.1.0 255.255.255.0 172.27.19.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
      current_peer: 111.203.2.19

      #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 202.78.6.4/0, remote crypto endpt.: 111.203.2.19/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: ECF2F9D9
      current inbound spi : 632D966B

    inbound esp sas:
      spi: 0x632D966B (1663932011)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (4373999/28456)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000001FF
    outbound esp sas:
      spi: 0xECF2F9D9 (3975346649)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (4373999/28455)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


ASA-2# show crypto isakmp sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 202.78.6.4
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5      
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86038

There are no IKEv2 SAs


ASA-2# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 111.203.2.19

      access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
      current_peer: 202.78.6.4

      #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 111.203.2.19/0, remote crypto endpt.: 202.78.6.4/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 632D966B
      current inbound spi : ECF2F9D9

    inbound esp sas:
      spi: 0xECF2F9D9 (3975346649)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (3914999/28432)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000001FF
    outbound esp sas:
      spi: 0x632D966B (1663932011)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4096, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (3914999/28432)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


ASA-2# clear crypto ikev1 sa    // TEAR DOWN THE IKEv1 SA; THE NEXT NEGOTIATION (TRIGGERED BY INTERESTING TRAFFIC) PICKS IKEv2
ASA-2# show crypto isakmp sa detail

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1  

Tunnel-id                 Local                Remote     Status         Role
 11112945   111.203.2.19/500      202.78.6.4/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK  
      Life/Active Time: 43200/10 sec
      Session-id: 1
      Status Description: Negotiation done
      Local spi: 5200C3AFFECDAD0C       Remote spi: D563E6EC93E31890
      Local id: 111.203.2.19
      Remote id: 202.78.6.4
      Local req mess id: 0              Remote req mess id: 2
      Local next mess id: 0             Remote next mess id: 2
      Local req queued: 0               Remote req queued: 2
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected 
Child sa: local selector  172.27.19.0/0 - 172.27.19.255/65535
          remote selector 172.27.1.0/0 - 172.27.1.255/65535
          ESP spi in/out: 0x3807a279/0x3215f1f1 
          AH spi in/out: 0x0/0x0 
          CPI in/out: 0x0/0x0 
          Encr: AES-CBC, keysize: 256, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel


ASA-2# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN_CMAP, seq num: 1615, local addr: 111.203.2.19

      access-list SIN-CHN extended permit ip 172.27.19.0 255.255.255.0 172.27.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.27.19.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.27.1.0/255.255.255.0/0/0)
      current_peer: 202.78.6.4

      #pkts encaps: 23, #pkts encrypt: 23, #pkts digest: 23
      #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 23, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 111.203.2.19/500, remote crypto endpt.: 202.78.6.4/500
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 3215F1F1
      current inbound spi : 3807A279

    inbound esp sas:
      spi: 0x3807A279 (940024441)
         transform: esp-aes-256 esp-sha-hmac no compression  
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (4055038/28723)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00FFFFFF
    outbound esp sas:
      spi: 0x3215F1F1 (840298993)
         transform: esp-aes-256 esp-sha-hmac no compression    
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8192, crypto-map: VPN_CMAP
         sa timing: remaining key lifetime (kB/sec): (3916798/28722)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
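
As an added verification step (not part of the original post), the Python script below parses a constructed excerpt modelled on the `show crypto ipsec sa` and `show crypto isakmp sa detail` output above and flags any ESP SA still negotiated with DES, 3DES or MD5, so the cutover can be confirmed across many firewalls rather than by reading each output by eye; the sample text and keyword list are assumptions built from the page's values.

```python
import re

# Constructed excerpt modelled on the ASA output above: the old 3DES/MD5 SA pair
# followed by the AES-256/SHA pair negotiated after the cutover.
SAMPLE_SHOW_IPSEC_SA = """\
    inbound esp sas:
      spi: 0xECF2F9D9 (3975346649)
         transform: esp-3des esp-md5-hmac no compression
    outbound esp sas:
      spi: 0x632D966B (1663932011)
         transform: esp-3des esp-md5-hmac no compression
    inbound esp sas:
      spi: 0x3807A279 (940024441)
         transform: esp-aes-256 esp-sha-hmac no compression
    outbound esp sas:
      spi: 0x3215F1F1 (840298993)
         transform: esp-aes-256 esp-sha-hmac no compression
"""

# Constructed line modelled on the IKEv2 SA entry in "show crypto isakmp sa detail".
SAMPLE_SHOW_ISAKMP_SA = "      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK"

# Transform-set keywords the migration is meant to remove (assumed list).
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

def parse_esp_sas(text):
    """Return (direction, spi, [esp-* keywords]) for each ESP SA in the output."""
    sas, direction, spi = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("esp sas:"):          # "inbound esp sas:" / "outbound esp sas:"
            direction = s.split()[0]
        elif s.startswith("spi:"):
            spi = s.split()[1]
        elif s.startswith("transform:"):
            algs = [t for t in s.split()[1:] if t.startswith("esp-")]
            sas.append((direction, spi, algs))
    return sas

def weak_sas(text):
    """List the SAs whose transform still includes a weak keyword."""
    return [(d, spi, sorted(set(algs) & WEAK_ESP))
            for d, spi, algs in parse_esp_sas(text) if set(algs) & WEAK_ESP]

IKE_RE = re.compile(r"Encr:\s*(\S+),\s*keysize:\s*(\d+),\s*Hash:\s*(\S+),")

def ikev2_params(text):
    """Return (encryption, keysize, hash) from the IKEv2 SA line, or None."""
    m = IKE_RE.search(text)
    return (m.group(1), int(m.group(2)), m.group(3)) if m else None
```

Feed `weak_sas()` the real output of `show crypto ipsec sa` on each peer after the transform set change; an empty list means no stale DES/3DES/MD5 SA remains.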


PC1> ping 172.27.19.20 -t
84 bytes from 172.27.19.20 icmp_seq=1 ttl=64 time=61.003 ms
84 bytes from 172.27.19.20 icmp_seq=2 ttl=64 time=100.005 ms
84 bytes from 172.27.19.20 icmp_seq=3 ttl=64 time=93.005 ms
84 bytes from 172.27.19.20 icmp_seq=4 ttl=64 time=269.016 ms
84 bytes from 172.27.19.20 icmp_seq=5 ttl=64 time=69.004 ms
84 bytes from 172.27.19.20 icmp_seq=6 ttl=64 time=65.004 ms
84 bytes from 172.27.19.20 icmp_seq=7 ttl=64 time=65.004 ms
84 bytes from 172.27.19.20 icmp_seq=8 ttl=64 time=66.004 ms
84 bytes from 172.27.19.20 icmp_seq=9 ttl=64 time=62.004 ms
84 bytes from 172.27.19.20 icmp_seq=10 ttl=64 time=67.004 ms
84 bytes from 172.27.19.20 icmp_seq=11 ttl=64 time=69.004 ms
84 bytes from 172.27.19.20 icmp_seq=12 ttl=64 time=70.004 ms
84 bytes from 172.27.19.20 icmp_seq=13 ttl=64 time=65.004 ms
84 bytes from 172.27.19.20 icmp_seq=14 ttl=64 time=63.004 ms
84 bytes from 172.27.19.20 icmp_seq=15 ttl=64 time=59.004 ms
84 bytes from 172.27.19.20 icmp_seq=16 ttl=64 time=270.015 ms
84 bytes from 172.27.19.20 icmp_seq=17 ttl=64 time=66.003 ms
84 bytes from 172.27.19.20 icmp_seq=18 ttl=64 time=67.003 ms
84 bytes from 172.27.19.20 icmp_seq=19 ttl=64 time=65.003 ms
84 bytes from 172.27.19.20 icmp_seq=20 ttl=64 time=66.003 ms
172.27.19.20 icmp_seq=21 timeout   // DUE TO IKEv2 NEGOTIATION
172.27.19.20 icmp_seq=22 timeout
84 bytes from 172.27.19.20 icmp_seq=23 ttl=64 time=79.004 ms
84 bytes from 172.27.19.20 icmp_seq=24 ttl=64 time=53.003 ms
84 bytes from 172.27.19.20 icmp_seq=25 ttl=64 time=80.004 ms
84 bytes from 172.27.19.20 icmp_seq=26 ttl=64 time=87.005 ms
84 bytes from 172.27.19.20 icmp_seq=27 ttl=64 time=70.004 ms


Cisco also publishes a guide for a quick migration to IKEv2 using the migrate l2l overwrite command.


ASA-2# configure terminal
ASA-2(config)# migrate ?

configure mode commands/options:
  l2l            Migrate IKEv1 lan-to-lan configuration to IKEv2
  overwrite      Overwrite existing IKEv2 configuration
  remote-access  Migrate IKEv1 remote-access configuration to IKEv2/SSL
  <cr>
ASA-2(config)# migrate l2l ?

configure mode commands/options:
  overwrite  Overwrite existing IKEv2 configuration
  <cr>
ASA-2(config)# migrate l2l overwrite   
