Sunday, April 6, 2025

Configure Cisco Router Crypto Map Based IKEv2

I had to reconfigure an old Cisco 800 router from a "legacy" crypto map (policy-based) IKE version 1 VPN to the more secure IKE version 2. Refer to this link for IKEv2 in a Cisco router. The newer approach for IKEv2 on a Cisco router is a route-based VPN (VTI) configuration.

These are the configurations for IKEv2 on a Cisco router. The remote device needs a matching configuration: at least one encryption, integrity and DH group in common with the IKEv2 proposal, the same IPsec transform set, a mirrored crypto ACL, and the pre-shared keys swapped (our "pre-shared-key local" is the peer's remote key and vice versa). The key values and addresses below are placeholders; in production use long random keys that differ per direction, and turn on type-6 encryption ("key config-key password-encrypt" followed by "password encryption aes") so the keys do not sit in the running config in cleartext.

crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 14 5

crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL

crypto ikev2 keyring IKEV2-KEYRING
 peer ASAFW
  address 89.123.4.5
  pre-shared-key local cisco123
  pre-shared-key remote cisco123

crypto ikev2 profile IKEV2-PROFILE
 match fvrf any
 match address local 161.51.1.20
 match identity remote address 89.123.4.5 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local IKEV2-KEYRING

ip access-list extended IKEV2-ACL
 permit ip host 10.30.2.90 host 172.16.100.210

crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac

crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.123.4.5
 set security-association lifetime seconds 86400
 set transform-set IKEV2-TSET
 set pfs group14
 set ikev2-profile IKEV2-PROFILE
 match address IKEV2-ACL

interface FastEthernet4
 crypto map CMAP_IKEV2
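As an added check (example code written for this edit, not part of the original post and not a Cisco tool), the script below parses the configuration above and flags what a reviewer would raise: the SHA-1 integrity and DH group 5 choices, the cleartext and identical pre-shared keys, the missing "set pfs", and crypto-map references to objects that are never defined (the CLI walkthrough further down types "match address 100" while the saved config references IKEV2-ACL, and no ACL 100 is defined anywhere on the page). It also builds a hardened variant of the same configuration with assumed values (AES-256, SHA-256, group 14 only, PFS, and placeholder type-6 key blobs standing in for what IOS shows once "key config-key password-encrypt" and "password encryption aes" are set) and confirms it lints clean. Which algorithms count as "weak" follows NIST SP 800-77r1 and Cisco NGE guidance and is the editor's choice; the parser understands only the statement types that appear on this page.

```python
"""Lint a Cisco IOS IKEv2 crypto-map config for deprecated algorithms, cleartext
pre-shared keys and dangling cross-references.  Added example for this post, not
from the page or any Cisco tool; the "weak" tables are editorial assumptions."""

# Below current guidance (NIST SP 800-77r1, Cisco NGE): flagged, not "broken".
WEAK = {"encryption": {"des", "3des"}, "integrity": {"md5", "sha1"},
        "group": {"1", "2", "5"}}             # MODP groups shorter than 2048 bits
WEAK_ESP = {"esp-des", "esp-3des", "esp-null", "esp-md5-hmac", "esp-sha-hmac"}

# The page's own configuration, re-typed here as sample input.
PAGE_CONFIG = """crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 14 5
crypto ikev2 keyring IKEV2-KEYRING
 peer ASAFW
  address 89.123.4.5
  pre-shared-key local cisco123
  pre-shared-key remote cisco123
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 89.123.4.5 255.255.255.255
 keyring local IKEV2-KEYRING
ip access-list extended IKEV2-ACL
 permit ip host 10.30.2.90 host 172.16.100.210
crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.123.4.5
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
 match address IKEV2-ACL
"""

# Same topology, hardened (assumed values; '6 <blob>' is how IOS shows a PSK once
# 'key config-key password-encrypt' and 'password encryption aes' are configured).
HARDENED_CONFIG = (PAGE_CONFIG.replace("aes-cbc-128", "aes-cbc-256").replace("sha1", "sha256")
                   .replace("group 14 5", "group 14").replace(" set peer", " set pfs group14\n set peer")
                   .replace("local cisco123", "local 6 TYPE6-BLOB-A")
                   .replace("remote cisco123", "remote 6 TYPE6-BLOB-B"))


def parse_blocks(cfg):
    """Split an IOS config into (header, [indented child lines]) pairs."""
    blocks = []
    for line in filter(str.strip, cfg.splitlines()):
        if line[0] != " ":
            blocks.append((line.strip(), []))
        else:                                 # indented: part of the current block
            blocks[-1][1].append(line.strip())
    return blocks


def lint(cfg):
    """Return findings as strings; an empty list means nothing was flagged."""
    f, defined, maps = [], set(), []
    for header, body in parse_blocks(cfg):
        w = header.split()
        words = [line.split() for line in body]   # [[keyword, value, ...], ...]
        if header.startswith("crypto ikev2 proposal "):
            f += [f"proposal {w[3]}: deprecated {kw} {v}"
                  for kw, *vals in words for v in vals if v in WEAK.get(kw, ())]
        elif header.startswith("crypto ikev2 keyring "):
            peer, keys = "?", {}
            for kw, *vals in words:
                if kw == "peer":
                    peer, keys = vals[0], {}
                elif kw == "pre-shared-key":      # [local|remote] [0|6] KEY
                    side = vals.pop(0) if vals[0] in ("local", "remote") else "both"
                    keys[side] = vals[-1]
                    if vals[0] != "6":            # not type-6 encrypted at rest
                        f.append(f"keyring {w[3]} peer {peer}: {side} PSK in cleartext")
                    if len(keys) == 2 and len(set(keys.values())) == 1:
                        f.append(f"keyring {w[3]} peer {peer}: local and remote PSK identical")
        elif header.startswith("crypto ipsec transform-set "):
            defined.add(w[3])
            f += [f"transform-set {w[3]}: deprecated {t}" for t in w[4:] if t in WEAK_ESP]
        elif header.startswith(("crypto ikev2 profile ", "ip access-list ")):
            defined.add(w[3])
        elif header.startswith("crypto map ") and len(w) == 5:
            m = {"id": f"{w[2]} {w[3]}", "pfs": False}
            for kw, *vals in words:               # 'set peer X', 'match address ACL', ...
                if vals and vals[0] == "pfs":
                    m["pfs"] = True
                elif vals and kw in ("set", "match"):
                    m[vals[0]] = vals[-1]
            maps.append(m)
    for m in maps:
        for key in ("transform-set", "ikev2-profile", "address"):
            if m.get(key) not in defined:
                f.append(f"crypto map {m['id']}: {key} {m.get(key)} not defined")
        if not m["pfs"]:
            f.append(f"crypto map {m['id']}: no 'set pfs', IPsec rekeys skip a fresh DH exchange")
    return f


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, *(lint(cfg) or ["no findings"]), sep="\n  ")
```

Run it as-is to see the page configuration produce six findings and the hardened variant none; feed it "show running-config | section crypto" output from a router to lint a live box. It checks only what the page shows, so a config using certificates, AAA keyrings or numbered ACLs needs the corresponding branches added.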


c800#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
c800(config)#crypto ikev2 proposal IKEV2-PROPOSAL
IKEv2 proposal should have atleast an encryption algorithm, an integrity algorithm and a dh group configured
c800(config-ikev2-proposal)#encryption ?
  3des         3DES
  aes-cbc-128  AES-CBC-128
  aes-cbc-192  AES-CBC-192
  aes-cbc-256  AES-CBC-256

c800(config-ikev2-proposal)#encryption aes-cbc-128
c800(config-ikev2-proposal)#integrity ?
  md5     Message Digest 5
  sha1    Secure Hash Standard
  sha256  Secure Hash Standard 2 (256 bit)
  sha384  Secure Hash Standard 2 (384 bit)
  sha512  Secure Hash Standard 2 (512 bit)

c800(config-ikev2-proposal)#integrity sha1
c800(config-ikev2-proposal)#group ?
  1   DH 768 MODP
  14  DH 2048 MODP
  15  DH 3072 MODP
  16  DH 4096 MODP
  19  DH 256 ECP
  2   DH 1024 MODP
  20  DH 384 ECP
  24  DH 2048 (256 subgroup) MODP
  5   DH 1536 MODP

c800(config-ikev2-proposal)#group 14 5   // YOU CAN SPECIFY MULTIPLE DH GROUPS
c800(config-ikev2-proposal)#exit
c800(config)#
c800(config)#crypto ikev2 policy ?
  WORD  Name of IKEv2 policy

c800(config)#crypto ikev2 policy IKEV2-POLICY
IKEv2 policy should have atleast one complete proposal attached
c800(config-ikev2-policy)#proposal ?
  WORD  Specify the name of proposal to be attached

c800(config-ikev2-policy)#proposal IKEV2-PROPOSAL
c800(config-ikev2-policy)#exit
c800(config)#
c800(config)#crypto ikev2 keyring ?
  WORD  Name of IKEv2 Keyring

c800(config)#crypto ikev2 keyring IKEV2-KEYRING
c800(config-ikev2-keyring)#?
IKEv2 Keyring commands:
  exit  Exit from crypto ikev2 keyring sub mode
  no    Negate a command or set its defaults
  peer  Configure a Peer and associated keys

c800(config-ikev2-keyring)#peer ?
  WORD  Name of the peer block

c800(config-ikev2-keyring)#peer ASAFW
c800(config-ikev2-keyring-peer)#?
Crypto IKEv2 Keyring Peer submode commands:
  address         Specify IPv4 address of peer
  description     Specify a description of this peer
  exit            Exit from crypto ikev2 keyring peer sub mode
  hostname        Hostname of peer
  identity        Specify IKE identity to use
  no              Negate values of a command
  pre-shared-key  specify the pre-shared key

c800(config-ikev2-keyring-peer)#address ?
  A.B.C.D             IPv4 Address
  X:X:X:X::X/<0-128>  IPv6 prefix

c800(config-ikev2-keyring-peer)#address 89.123.4.5

c800(config-ikev2-keyring-peer)#pre-shared-key ?
  0       Specifies an UNENCRYPTED password will follow
  6       Specifies an ENCRYPTED password will follow
  LINE    The UNENCRYPTED (cleartext) user password
  local   specify signing key
  remote  specify verifying key

c800(config-ikev2-keyring-peer)#pre-shared-key local cisco123
c800(config-ikev2-keyring-peer)#pre-shared-key remote cisco123
c800(config-ikev2-keyring-peer)#exit
c800(config-ikev2-keyring)#exit
c800(config)#crypto ikev2 profile ?
  WORD  Name of IKEv2 Profile

c800(config)#crypto ikev2 profile IKEV2-PROFILE
% IKEv2 profile MUST have match identity or match certificate statements
c800(config-ikev2-profile)#?
IKEv2 profile commands:
  aaa               Specify AAA related configs
  authentication    Set authentication method
  description       Specify a description of this profile
  dpd               Enable IKE liveness check for peers
  exit              Exit from crypto ikev2 profile sub mode
  identity          Specify IKE identity to use
  ivrf              I-VRF of the profile
  keyring           Specify keyring to use
  lifetime          Set lifetime for ISAKMP security association
  match             Match values of peer
  nat               NAT-transparency
  no                Negate a command or set its defaults
  pki               Specify certificate authorities to trust
  virtual-template  Specify the virtual-template for dynamic interface creation.

c800(config-ikev2-profile)#match ?
  address      IP address
  certificate  Peer certificate attributes
  fvrf         fvrf of the profile
  identity     IKE identity

c800(config-ikev2-profile)#match identity ?
  remote  Remote identity

c800(config-ikev2-profile)#match identity remote ?
  address  IP Address(es)
  email    Fully qualified email string
  fqdn     Fully qualified domain name string
  key-id   key-id opaque string

c800(config-ikev2-profile)#match identity remote address ?
  A.B.C.D             IP address prefix
  X:X:X:X::X/<0-128>  IPv6 address/prefix-length

c800(config-ikev2-profile)#match identity remote address 89.123.4.5 ?
  A.B.C.D  specify mask
  <cr>

c800(config-ikev2-profile)#match identity remote address 89.123.4.5 255.255.255.255
c800(config-ikev2-profile)#authentication ?
  local   Set local authentication method
  remote  Set remote authentication method

c800(config-ikev2-profile)#authentication local ?
  ecdsa-sig  ECDSA Signature
  pre-share  Pre-Shared Key
  rsa-sig    Rivest-Shamir-Adleman Signature

c800(config-ikev2-profile)#authentication local pre-share
c800(config-ikev2-profile)#authentication remote pre-share
c800(config-ikev2-profile)#keyring ?
  WORD  Keyring name
  aaa   AAA based pre-shared keys

c800(config-ikev2-profile)#keyring IKEV2-KEYRING ?
  <cr>

c800(config-ikev2-profile)#keyring IKEV2-KEYRING
c800(config-ikev2-profile)#exit
c800(config)#crypto ipsec transform-set ?
  WORD  Transform set tag

c800(config)#crypto ipsec transform-set IKEV2-TSET ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-3des         ESP transform using 3DES(EDE) cipher (168 bits)
  esp-aes          ESP transform using AES cipher
  esp-des          ESP transform using DES cipher (56 bits)
  esp-gcm          ESP transform using GCM cipher
  esp-gmac         ESP transform using GMAC cipher
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-null         ESP transform w/o cipher
  esp-seal         ESP transform using SEAL cipher (160 bits)
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes ?
  128              128 bit keys.
  192              192 bit keys.
  256              256 bit keys.
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth
  <cr>

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes 256 ?
  ah-md5-hmac      AH-HMAC-MD5 transform
  ah-sha-hmac      AH-HMAC-SHA transform
  ah-sha256-hmac   AH-HMAC-SHA256 transform
  ah-sha384-hmac   AH-HMAC-SHA384 transform
  ah-sha512-hmac   AH-HMAC-SHA512 transform
  comp-lzs         IP Compression using the LZS compression algorithm
  esp-md5-hmac     ESP transform using HMAC-MD5 auth
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth
  <cr>

c800(config)#crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
c800(cfg-crypto-trans)#exit
c800(config)#crypto map CMAP_IKEV2 ?
  <1-65535>       Sequence to insert into crypto map entry
  client          Specify client configuration settings
  gdoi            Configure crypto map gdoi features
  isakmp          Specify isakmp configuration settings
  isakmp-profile  Specify isakmp profile to use
  local-address   Interface to use for local address for this crypto map
  redundancy      High availability options for this map

c800(config)#crypto map CMAP_IKEV2 10 ?
  gdoi          GDOI
  ipsec-isakmp  IPSEC w/ISAKMP
  ipsec-manual  IPSEC w/manual keying
  <cr>

c800(config)#crypto map CMAP_IKEV2 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
        and a valid access list have been configured.
c800(config-crypto-map)#?
Crypto Map configuration commands:
  default        Set a command to its defaults
  description    Description of the crypto map statement policy
  dialer         Dialer related commands
  exit           Exit from crypto map configuration mode
  match          Match values.
  no             Negate a command or set its defaults
  qos            Quality of Service related commands
  reverse-route  Reverse Route Injection.
  set            Set values for encryption/decryption

c800(config-crypto-map)#set ?
  identity              Identity restriction.
  ikev2-profile         Specify ikev2 Profile
  ip                    Interface Internet Protocol config commands
  isakmp-profile        Specify isakmp Profile
  nat                   Set NAT translation
  peer                  Allowed Encryption/Decryption peer.
  pfs                   Specify pfs settings
  reverse-route         Reverse Route Injection.
  security-association  Security association parameters
  transform-set         Specify list of transform sets in priority order

c800(config-crypto-map)#set peer ?
  A.B.C.D  IP address of peer
  WORD     Host name of the peer

c800(config-crypto-map)#set peer 89.123.4.5
c800(config-crypto-map)#set transform-set IKEV2-TSET
c800(config-crypto-map)#set ikev2-profile ?
  WORD  Name the ikev2 profile

c800(config-crypto-map)#set ikev2-profile IKEV2-PROFILE
c800(config-crypto-map)#match address ?
  <100-199>    IP access-list number
  <2000-2699>  IP access-list number (expanded range)
  WORD         Access-list name

c800(config-crypto-map)#match address 100
c800(config-crypto-map)#set security-association ?
  idle-time  Automatically delete IPSec SAs after a given idle period.
  level      specify a security association granularity level for identities
  lifetime   security association lifetime
  replay     Set replay checking.

c800(config-crypto-map)#set security-association lifetime ?
  kilobytes  Volume-based key duration
  seconds    Time-based key duration

c800(config-crypto-map)#set security-association lifetime seconds ?
  <120-86400>  Security association duration in seconds

c800(config-crypto-map)#set security-association lifetime seconds 86400
c800(config-crypto-map)#end
c800#write memory
Building configuration...
[OK]


c800#show run | section crypto
crypto pki token default removal timeout 0
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption aes-cbc-128
 integrity sha1
 group 14 5
crypto ikev2 policy IKEV2-POLICY
 proposal IKEV2-PROPOSAL
crypto ikev2 keyring IKEV2-KEYRING
  peer ASAFW
   address 89.123.4.5
   pre-shared-key local cisco123
   pre-shared-key remote cisco123
!
crypto ikev2 profile IKEV2-PROFILE
 match fvrf any
 match identity remote address 89.123.4.5 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring IKEV2-KEYRING
crypto isakmp keepalive 60
crypto ipsec transform-set IKEV2-TSET esp-aes 256 esp-sha256-hmac
crypto map CMAP_IKEV2 10 ipsec-isakmp
 set peer 89.123.4.5
 set security-association lifetime seconds 86400
 set transform-set IKEV2-TSET
 set ikev2-profile IKEV2-PROFILE
 match address IKEV2-ACL

Then swap the IKEv1 crypto map for the IKEv2 one under the WAN interface during scheduled downtime. An interface can carry only one crypto map, so removing the old map tears down the existing IKEv1 tunnel; the IKEv2 tunnel comes up once interesting traffic matches IKEV2-ACL (or earlier if the peer initiates).

interface FastEthernet4
 no crypto map CMAP_IKEv1
 crypto map CMAP_IKEV2

I wasn't able to establish IKEv2 on the remote FW, so I ran some debugs. I noticed that I had forgotten to apply the VPN resource class to the FW context.

 

VPN-FW# debug crypto ?
  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  goid        Set crypto map GOID debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels

VPN-FW# debug crypto ikev2 ?
  ha        debug the ikev2 ha
  platform  debug the ikev2 platform
  protocol  debug the ikev2 protocol
  timers    debug the ikev2 timers

VPN-FW# debug crypto ikev2 protocol
%ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = CRYPTO_MAP.  Map Sequence Number = 5.
%ASA-4-752011: IKEv1 Doesn't have a transform set specified
%ASA-4-751019: Local:89.123.4.5:500 Remote:194.17.12.7:500 Username:Unknown IKEv2 Failed to obtain an Other VPN license. Maximum license limit 0 exceeded.

The third message is the real cause: in multiple-context mode a context can only consume the VPN ("Other VPN") sessions its resource class allows, and a context with no VPN-capable class assigned has a limit of 0. The fix is made from the system context:

FW/admin# changeto system
FW# configure terminal
FW(config)# context VPN-FW
FW(config-ctx)# member VPN-CLASS

 

 

I'm also unable to establish an IKEv2 SA with the remote device (checked multiple times) using "stronger" IKEv2 proposals, i.e. AES-256 and SHA-256. I suspect it might be a router IOS bug or an unsupported "stronger" IKEv2 proposal, so I just used AES-128 and SHA-1 instead. I used the show crypto ikev2 sa command to verify the IKEv2 SA.

 


c800#debug crypto ikev2 ?
  detail  debug level 5 - all other details, including state transition
  error   debug level 1 - debug messages signalling an error
  event   debug level 3 - description of packet, contents and policy matching
  packet  debug level 4 - packet dump debugging
  terse   debug level 2 - message exchange debugs
  <cr>

c800#debug crypto ikev2 detail

Apr 24 18:06:33.143: IKEv2:New ikev2 sa request admitted
Apr 24 18:06:33.143: IKEv2:Incrementing incoming negotiating sa count by one
Apr 24 18:06:33.143:  SA  Next payload: KE, reserved: 0x0, length: 652

Apr 24 18:06:33.147: IKEv2:  last proposal: 0x2, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256

Apr 24 18:06:33.147: IKEv2:    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14

Apr 24 18:06:33.147:
Apr 24 18:06:33.147: IKEv2:  last proposal: 0x2, reserved: 0x0, length: 44
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96

Apr 24 18:06:33.147: IKEv2:    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14

Apr 24 18:06:33.147:
Apr 24 18:06:33.147: IKEv2:  last proposal: 0x2, reserved: 0x0, length: 44
  Proposal: 3, Protocol id: IKE, SPI size: 0, #trans: 4

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256

Apr 24 18:06:33.147: IKEv2:    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14

Apr 24 18:06:33.147:
Apr 24 18:06:33.147: IKEv2:  last proposal: 0x2, reserved: 0x0, length: 52
  Proposal: 4, Protocol id: IKE, SPI size: 0, #trans: 5

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA1

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA96

Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14

Apr 24 18:06:33.147: IKEv2:    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5


Apr 24 18:08:35.111: IKEv2:Couldn't find matching SA
Apr 24 18:08:35.111: IKEv2:Detected an invalid IKE SPI

Apr 24 18:08:35.111: IKEv2:Couldn't find matching SA

Apr 24 18:08:35.111: IKEv2:A supplied parameter is incorrect
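To read a dump like the one above, here is an added example (written for this edit, not from the post or from Cisco): it parses the peer's SA payload out of the debug lines into proposals, using the RFC 7296 transform types (1 ENCR, 2 PRF, 3 INTEG, 4 D-H), and reports which of them a given local IKEv2 proposal could accept, that is, where every transform type has at least one algorithm in common. Against the page's own proposal (AES-CBC, SHA-1, which the SA shows as PRF SHA1 and integrity SHA96, groups 14 and 5) it returns proposals 2 and 4, consistent with the READY SA shown further down; with SHA-256 it returns proposal 1. Two caveats: IOS does not print the AES key-length attribute in these lines, so an AES-128 versus AES-256 mismatch is not visible here, and the later "Couldn't find matching SA" / "Detected an invalid IKE SPI" lines belong to a different event (a packet arrived for an IKE SPI the router does not hold) and are ignored. The debug excerpt inside the block is constructed from the post's output, with proposal 3 dropped because it repeats proposal 1.

```python
"""Parse the SA-payload dump that 'debug crypto ikev2 detail' prints for an
incoming IKE_SA_INIT and check which of the peer's proposals a local IKEv2
proposal could accept.  Added example for this post, not from the page or
any Cisco tool; transform-type numbers follow RFC 7296 (1 ENCR, 2 PRF,
3 INTEG, 4 D-H).  IOS does not print the AES key-length attribute in these
lines, so key size (128 vs 256) is not compared."""
import re

TRANSFORM_TYPES = {"1": "ENCR", "2": "PRF", "3": "INTEG", "4": "DH"}
PROPOSAL_RE = re.compile(r"\bProposal:\s*(\d+),")
TRANSFORM_RE = re.compile(r"\btype:\s*(\d+),.*\bid:\s*(\S+?)(?:/Group\s*(\d+))?\s*$")

# Constructed from the post's debug output: proposals 1, 2 and 4 (3 repeats 1).
DEBUG = """\
Apr 24 18:06:33.147: IKEv2:  last proposal: 0x2, reserved: 0x0, length: 44
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 4
Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-CBC
Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
Apr 24 18:06:33.147: IKEv2:    last transform: 0x3, reserved: 0x0: length: 8
    type: 3, reserved: 0x0, id: SHA256
Apr 24 18:06:33.147: IKEv2:    last transform: 0x0, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
  Proposal: 2, Protocol id: IKE, SPI size: 0, #trans: 4
    type: 1, reserved: 0x0, id: AES-CBC
    type: 2, reserved: 0x0, id: SHA1
    type: 3, reserved: 0x0, id: SHA96
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
  Proposal: 4, Protocol id: IKE, SPI size: 0, #trans: 5
    type: 1, reserved: 0x0, id: AES-CBC
    type: 2, reserved: 0x0, id: SHA1
    type: 3, reserved: 0x0, id: SHA96
    type: 4, reserved: 0x0, id: DH_GROUP_2048_MODP/Group 14
    type: 4, reserved: 0x0, id: DH_GROUP_1536_MODP/Group 5
Apr 24 18:08:35.111: IKEv2:Couldn't find matching SA
"""

# What the post's 'crypto ikev2 proposal' lines look like in the debug naming:
# 'integrity sha1' is HMAC-SHA1-96, shown as INTEG SHA96 with PRF SHA1.
LOCAL_PAGE = {"ENCR": {"AES-CBC"}, "PRF": {"SHA1"}, "INTEG": {"SHA96"}, "DH": {"14", "5"}}
LOCAL_SHA256 = {"ENCR": {"AES-CBC"}, "PRF": {"SHA256"}, "INTEG": {"SHA256"}, "DH": {"14"}}


def parse_sa_payload(text):
    """Return {proposal_number: {"ENCR": set, "PRF": set, "INTEG": set, "DH": set}}.

    Several transforms of one type inside a proposal (e.g. two D-H groups in
    proposal 4) are alternatives, hence sets.  Lines that are not part of the
    payload dump, such as the later 'Couldn't find matching SA', are ignored.
    """
    proposals, current = {}, None
    for line in text.splitlines():
        if m := PROPOSAL_RE.search(line):
            current = proposals[int(m.group(1))] = {t: set() for t in TRANSFORM_TYPES.values()}
        elif (m := TRANSFORM_RE.search(line)) and current is not None:
            ttype = TRANSFORM_TYPES.get(m.group(1), "TYPE" + m.group(1))
            current.setdefault(ttype, set()).add(m.group(3) or m.group(2))   # "Group 14" -> "14"
    return proposals


def acceptable(proposals, local):
    """Numbers of the peer's proposals that share at least one algorithm with
    `local` in every transform type (RFC 7296 3.3: the responder selects one
    transform per type from a single proposal, so all types must intersect)."""
    return [n for n, p in proposals.items() if all(p.get(t, set()) & local[t] for t in local)]


if __name__ == "__main__":
    peer = parse_sa_payload(DEBUG)
    for n, p in peer.items():
        print(f"peer proposal {n}: " + ", ".join(f"{t}={sorted(v)}" for t, v in p.items()))
    print("acceptable with the page's proposal (AES-CBC/SHA1/14,5):", acceptable(peer, LOCAL_PAGE))
    print("acceptable with AES-CBC/SHA256/14:", acceptable(peer, LOCAL_SHA256))
```

Paste a fresh "debug crypto ikev2 detail" capture into DEBUG and edit the LOCAL dictionary to mirror the router's proposal; an empty result means no proposal can be selected and IKE_SA_INIT will be answered with NO_PROPOSAL_CHOSEN, while a non-empty result with a tunnel that still fails points at something these lines do not show, such as the key-length attribute or the authentication step.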



c800#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         161.51.1.20/500     89.123.4.5/500     none/none            READY
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/2665 sec

 IPv6 Crypto IKEv2  SA