IKEv1 and IKEv2 between IOS router and ASA

I recently upgraded the IPsec tunnel running between a customer site and my ASA, which is used for SNMP monitoring. The same customer was also having ADSL2 issues at another site, so a spare ISR G1 (1841) router from my lab was deployed. The problem with the first-generation ISR is that it does not support IKEv2. This post details an IKEv1 setup on a 1841 and an IKEv2 setup on an 887VA-M, both terminating on an ASA 5505.

Before we get lost in the configuration and explanation, these are the particulars:

Type   CMAP  Location      Site code  GUA      private LAN   password
IKEv2  1     Bitterne      A          1.2.3.4  10.16.0.0/16  secr3t_A-B
             Hythe         B                                 secr3t_B-A
IKEv1  2     Hythe         B          5.6.7.8  10.32.0.0/16  secr3t_B-C
             Christchurch  C
IKEv1  3     Bitterne      A          9.0.1.2  10.48.0.0/16  secr3t_A-C
             Christchurch  C

Some configuration is shared between the two IKE versions; it is listed below:

IOS

!
key config-key password-encrypt
password encryption aes
!
ip nat inside source route-map nonat interface Dialer0 overload
!
route-map nonat permit 10
  match ip address nonat-ACL
!

ASA

!
object network network_inside
  subnet 10.16.10.0 255.255.255.0
!
object network hythe_network
  subnet 10.32.0.0 255.255.0.0
  description Hythe supernet
!
nat (inside,outside) source static network_inside network_inside destination static hythe_network hythe_network no-proxy-arp route-lookup
!
access-list VPN-TRAFFIC-A-B extended permit ip 10.16.0.0 255.255.0.0 10.32.0.0 255.255.0.0
access-list VPN-TRAFFIC-A-C extended permit ip 10.16.0.0 255.255.0.0 10.48.0.0 255.255.0.0
!
crypto map CMAP 1 match address VPN-TRAFFIC-A-B
crypto map CMAP 1 set peer 5.6.7.8
crypto map CMAP 3 match address VPN-TRAFFIC-A-C
crypto map CMAP 3 set peer 9.0.1.2
!
crypto map CMAP interface outside
!
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 9.0.1.2 type ipsec-l2l
!

IKEv1

IOS (Christchurch)

!
ip access-list extended nonat-ACL
  deny ip 10.48.0.0 0.0.255.255 10.16.0.0 0.0.255.255
  permit ip 10.48.0.0 0.0.255.255 any
!
ip access-list extended VPN-TRAFFIC-A-C
  permit ip 10.48.0.0 0.0.255.255 10.16.0.0 0.0.255.255
!
crypto isakmp policy 1
  encr aes 256
  authentication pre-share
  group 5
! pre-shared key for the Bitterne ASA (1.2.3.4); must match the ASA's ikev1 pre-shared-key byte for byte
crypto isakmp key secr3t_A-C address 1.2.3.4
!
crypto ipsec transform-set ikev1_aes256 esp-aes 256 esp-sha-hmac
  mode tunnel
!
crypto map CRYPTO 3 ipsec-isakmp
  set peer 1.2.3.4
  set transform-set ikev1_aes256
  match address VPN-TRAFFIC-A-C
!
interface Dialer0
  crypto map CRYPTO
!

ASA (Bitterne)

!
crypto ipsec ikev1 transform-set ikev1_aes256 esp-aes-256 esp-sha-hmac
!
crypto map CMAP 3 set ikev1 transform-set ikev1_aes256
!
crypto ikev1 enable outside
crypto ikev1 policy 1
  authentication pre-share
  encryption aes-256
  hash sha
  group 5
  lifetime 86400
!
! the ipsec-attributes hang off the tunnel-group named after the peer (9.0.1.2, created in the shared section)
tunnel-group 9.0.1.2 ipsec-attributes
  ikev1 pre-shared-key secr3t_A-C
!
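As an added check, not part of the original post, a short Python script that reads the two IKEv1 snippets above and reports where the sides disagree (pre-shared key per peer, tunnel-group naming, ESP transform). The sample configs are constructed from the post's values with the ASA tunnel-group address and key deliberately mis-typed; the WAN addresses of each side are passed in by hand.

```python
import re

# Constructed sample: the IKEv1 pair from this post, with two deliberate ASA-side
# defects (tunnel-group named after the wrong address, typo in the key).
IOS_CFG = """
crypto isakmp key secr3t_A-C address 1.2.3.4
crypto ipsec transform-set ikev1_aes256 esp-aes 256 esp-sha-hmac
"""
ASA_CFG = """
crypto ipsec ikev1 transform-set ikev1_aes256 esp-aes-256 esp-sha-hmac
crypto map CMAP 3 set peer 9.0.1.2
tunnel-group 9.0.1.2 type ipsec-l2l
tunnel-group 88.215.7.85 ipsec-attributes
  ikev1 pre-shared-key secre3t_A-C
"""

def ios_psks(cfg):
    """peer address -> key, from 'crypto isakmp key <key> address <peer>'."""
    return {a: k for k, a in re.findall(r"crypto isakmp key (\S+) address (\S+)", cfg)}

def asa_psks(cfg):
    """tunnel-group address -> ikev1 pre-shared-key (tracks the enclosing block)."""
    keys, group = {}, None
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            group = m.group(1)
        m = re.match(r"ikev1 pre-shared-key (\S+)", line)
        if m and group:
            keys[group] = m.group(1)
    return keys

def transform_sets(cfg):
    """ESP transforms, normalising IOS 'esp-aes 256' to the ASA 'esp-aes-256' spelling."""
    found = re.findall(r"crypto ipsec (?:ikev1 )?transform-set \S+ (.+)", cfg)
    return {re.sub(r"esp-aes (\d+)", r"esp-aes-\1", t.strip()) for t in found}

def check_ikev1_pair(ios_cfg, asa_cfg, ios_wan, asa_wan):
    """Return a list of mismatches between the two sides; an empty list means they agree."""
    findings = []
    ios_keys, asa_keys = ios_psks(ios_cfg), asa_psks(asa_cfg)
    if asa_wan not in ios_keys:
        findings.append(f"IOS: no isakmp key for ASA peer {asa_wan}")
    if ios_wan not in asa_keys:
        findings.append(f"ASA: no ikev1 pre-shared-key under tunnel-group {ios_wan} (have {sorted(asa_keys)})")
    elif ios_keys.get(asa_wan) != asa_keys[ios_wan]:
        findings.append("PSK mismatch between IOS and ASA")
    if not transform_sets(ios_cfg) & transform_sets(asa_cfg):
        findings.append("no common ESP transform set")
    return findings
```

Running `check_ikev1_pair(IOS_CFG, ASA_CFG, "9.0.1.2", "1.2.3.4")` on the sample flags the misnamed tunnel-group first; once that is corrected the key typo surfaces as a PSK mismatch.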

IKEv2

IOS (Hythe)

!
crypto ikev2 proposal ikev2_aes256
  encryption aes-cbc-256
  integrity sha256
  group 20
!
crypto ikev2 policy 1
  ! match the Hythe router's own WAN address (5.6.7.8), otherwise this policy never applies and IOS falls back to its default proposal
  match address local 5.6.7.8
  proposal ikev2_aes256
!
crypto ikev2 keyring KEYRING
  peer Bitterne
    address 1.2.3.4
    pre-shared-key local secr3t_B-A
    pre-shared-key remote secr3t_A-B
!
crypto ikev2 profile ikev2_profile01
  match address local 5.6.7.8
  match identity remote address 1.2.3.4 255.255.255.255
  authentication remote pre-share
  authentication local pre-share
  keyring local KEYRING
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
  mode tunnel
!
crypto map CMAP 1 ipsec-isakmp
  set peer 1.2.3.4
  set transform-set ESP-AES-SHA
  set pfs group20
  set ikev2-profile ikev2_profile01
  match address VPN-TRAFFIC-A-B
!

ASA (Bitterne)

!
crypto ipsec ikev2 ipsec-proposal ikev2_aes256
  protocol esp encryption aes-256
  protocol esp integrity sha-1
!
crypto ikev2 policy 1
  encryption aes-256
  integrity sha256
  group 20
  prf sha256
  lifetime seconds 43200
!
crypto map CMAP 1 match address VPN-TRAFFIC-A-B
crypto map CMAP 1 set peer 5.6.7.8
crypto map CMAP 1 set ikev2 ipsec-proposal ikev2_aes256
!
crypto ikev2 enable outside
!
tunnel-group 5.6.7.8 ipsec-attributes
  ikev2 remote-authentication pre-shared-key secr3t_B-A
  ikev2 local-authentication pre-shared-key secr3t_A-B
!
