As many of you are aware ASA 8.4 has been released recently.
It contains many long awaited features, among them many changes/improvements to IPsec VPN.
A few days later I received an IM from a friend asking me, what happened to IPsec in 8.4.
He indicated two links, both are configuration guide for 8.3 and 8.4 for L2L VPN on ASA.
Of course first thing one notices is that there is no longer "isakmp" keyword, it was substituted by "ikev1".
ASA 8.4 changes for IPsec.
To avoid further confusion I decided to write about (hopefully) all the new things in ASA 8.4 IPsec VPN:
1) Your previous configuration will be automatically migrated to new one and upgrade notes saved to flash:
Reading from flash...
INFO: MIGRATION - Saving the startup configuration to file
INFO: MIGRATION - Startup configuration saved to file 'flash:8_3_2_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.3(2) "
Cryptochecksum (unchanged): a99898c2 d4adba0a 7a776c89 b01c73e1
The flash device is in use by another task.
Type help or '?' for a list of available commands.
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201102080820.log'
2) The parser accepts old style configuration and changes it to new configuration.
bsns-asa5505-19# sh run crypto
bsns-asa5505-19# conf t
bsns-asa5505-19(config)# crypto isakmp policy 10
bsns-asa5505-19(config-ikev1-policy)# authentication pre-share
bsns-asa5505-19(config-ikev1-policy)# hash sha
bsns-asa5505-19(config-ikev1-policy)# group 5
bsns-asa5505-19(config-ikev1-policy)# enc aes
bsns-asa5505-19(config)# sh run crypto
crypto ikev1 policy 10
3) ASA 8.4 introduces support for both IKEv1 and IKEv2 LAN-to-LAN tunnels.
Both configuration should co-exist.
More about IKEv2 in my recent post:
4) ASA 8.4 introduces support for IKEv2 remote access.
Please be aware that so far (unlike IOS) we only support Anyconnect 3.0 as remote access client (8th Feb 2011)
IOS has been known to work with windows 7.
Also, per RFC remote access clients now require certificates as authentication method.
5) For L2L tunnels ASA can switch between IKEv2 and IKEv1 configuration on fault detected.
IKEv2 should be preferred way if both configurations exists on detecting a configuration fault ASA will switch to IKEv1.
This is governed by tunnel manager.
Tunnel manager operation can by spied on by using:
debug crypto ike-common
6) Changes under tunnel group. To support asymmetric authentication and both IKEv1 and IKEv2 we had to change things under tunnel-groups:
bsns-asa5505-19(config)# tunnel-group 18.104.22.168 type ipsec-l2l
bsns-asa5505-19(config)# tunnel-group 22.214.171.124 ipsec-att
bsns-asa5505-19(config-tunnel-ipsec)# ikev1 ?
tunnel-group-ipsec mode commands/options:
pre-shared-key Associate a pre-shared key with the connection policy
trust-point Select the trustpoint that identifies the cert to be
sent to the IKE peer
user-authentication Set the IKEv1 user authentication method
bsns-asa5505-19(config-tunnel-ipsec)# ikev2 ?
tunnel-group-ipsec mode commands/options:
local-authentication Configure the local authentication method for IKEv2
remote-authentication Configure the remote authentication method required of
the remote peer for IKEv2 tunnels
7) To accommodate IKEv1 and IKEv2 as initialization methods we hade to change the crypto CLI.
Note that your previous configuration will very often have "ikev1" keyword added.
bsns-asa5505-19(config)# crypto ipsec transform-set TRA2 esp-3des esp-sha-hmac
bsns-asa5505-19(config)# sh run crypto ipsec
crypto ipsec ikev1 transform-set TRA2 esp-3des esp-sha-hmac
bsns-asa5505-19(config)# crypto map MAP 10 set transform-set TRA2
bsns-asa5505-19(config)# sh run crypto map
crypto map MAP 10 set peer 126.96.36.199
crypto map MAP 10 set ikev1 transform-set TRA2
8) Configuring Anyconnect 3.0 remote access with IKEv2.
Anyconnect still support and works as usual with SSL, but gives you an option on top to configured IKEv2 as an alternative means to connect to ASA.
If you are considering to test this and you're configuring it for the first time, please use the ASDM 6.4.x wizard to create the configuration.
You will avoid many pitfalls.
In essence the configuration didn't change much.
Certain CLIs needed to be adapted to support both IKEv1 and IKEv2.
Old CLI can still be used and it's translated on the fly to new style configuration.
ASDM 6.4 works quite well with new CLI and is powerful tool to deploy new configurations, especially for Anyconnect IKEv2 support.
- For release notes of ASA 8.4 go to:
- ASA 8.4 CLI config guide:
- ASA 8.4 ASDM configuration guide:
Leave a comment to this post.