ASA 8.4 IPsec VPN - what's new

Feb 8, 2011 1:18 AM

Introduction:

As many of you are aware, ASA 8.4 has been released recently.

It contains many long-awaited features, among them many changes and improvements to IPsec VPN.

A few days later I received an IM from a friend asking me what had happened to IPsec in 8.4.

He pointed me to two links, both configuration guides for L2L VPN on ASA, one for 8.3 and one for 8.4:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/site2sit.html#wp1042828
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html#wp1042828

Of course, the first thing one notices is that there is no longer an "isakmp" keyword; it has been replaced by "ikev1".

ASA 8.4 changes for IPsec.

To avoid further confusion I decided to write about (hopefully) all the new things in ASA 8.4 IPsec VPN:

1) Your previous configuration is automatically migrated to the new syntax, and the upgrade notes are saved to flash:

Reading from flash...
!!
INFO: MIGRATION - Saving the startup configuration to file

INFO: MIGRATION - Startup configuration saved to file 'flash:8_3_2_0_startup_cfg.sav'
*** Output from config line 4, "ASA Version 8.3(2) "
...
Cryptochecksum (unchanged): a99898c2 d4adba0a 7a776c89 b01c73e1
The flash device is in use by another task.
Type help or '?' for a list of available commands.
bsns-asa5505-19>
INFO: MIGRATION - Saving the startup errors to file 'flash:upgrade_startup_errors_201102080820.log'

2) The parser still accepts old-style configuration and converts it to the new syntax on the fly:

bsns-asa5505-19# sh run crypto
bsns-asa5505-19# conf t
bsns-asa5505-19(config)# crypto isakmp policy 10
bsns-asa5505-19(config-ikev1-policy)# authentication pre-share
bsns-asa5505-19(config-ikev1-policy)# hash sha
bsns-asa5505-19(config-ikev1-policy)# group 5
bsns-asa5505-19(config-ikev1-policy)# enc aes
bsns-asa5505-19(config-ikev1-policy)# exit
bsns-asa5505-19(config)# sh run crypto
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

3) ASA 8.4 introduces support for both IKEv1 and IKEv2 LAN-to-LAN tunnels.

Both configurations can co-exist on the same device, and even on the same crypto map entry.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html#wp1042828

More about IKEv2 in my recent post:

https://supportforums.cisco.com/community/netpro/security/vpn/blog/2010/12/22/ike-version-2-at-a-glance


4) ASA 8.4 introduces support for IKEv2 remote access.

Please be aware that so far (unlike IOS) we only support AnyConnect 3.0 as the remote access client (as of 8th Feb 2011).

IOS has been known to work with Windows 7.

Also, per the RFC, remote access clients now require certificates as the authentication method.

5) For L2L tunnels, ASA can fall back from the IKEv2 configuration to the IKEv1 configuration when a fault is detected.

IKEv2 is the preferred method if both configurations exist; on detecting a configuration fault, ASA will switch to IKEv1.

This is governed by the tunnel manager.

Tunnel manager operation can be observed with:

 debug crypto ike-common

6) Changes under tunnel-group. To support asymmetric authentication and both IKEv1 and IKEv2, we had to change things under tunnel-groups:

bsns-asa5505-19(config)# tunnel-group 192.2.0.2 type ipsec-l2l
bsns-asa5505-19(config)# tunnel-group 192.2.0.2 ipsec-att
bsns-asa5505-19(config-tunnel-ipsec)# ikev1 ?

tunnel-group-ipsec mode commands/options:
  pre-shared-key       Associate a pre-shared key with the connection policy
  trust-point          Select the trustpoint that identifies the cert to be
                       sent to the IKE peer
  user-authentication  Set the IKEv1 user authentication method
bsns-asa5505-19(config-tunnel-ipsec)# ikev2 ?

tunnel-group-ipsec mode commands/options:
  local-authentication   Configure the local authentication method for IKEv2
                         tunnels
  remote-authentication  Configure the remote authentication method required of
                         the remote peer for IKEv2 tunnels

7) To accommodate IKEv1 and IKEv2 as initialization methods, we had to change the crypto CLI.

Note that your previous configuration will very often have the "ikev1" keyword added automatically.

bsns-asa5505-19(config)# crypto ipsec  transform-set TRA2 esp-3des esp-sha-hmac
bsns-asa5505-19(config)# sh run crypto ipsec
crypto ipsec ikev1 transform-set TRA2 esp-3des esp-sha-hmac

And...

bsns-asa5505-19(config)# crypto map MAP 10 set transform-set TRA2
bsns-asa5505-19(config)# sh run crypto map
crypto map MAP 10 set peer 192.2.0.2
crypto map MAP 10 set ikev1 transform-set TRA2
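To tie points 3, 5, 6 and 7 together, here is a complete dual IKEv1/IKEv2 L2L configuration in 8.4 syntax. This is an added example written for this post; it is not taken from the Cisco configuration guide and not from the box above. The peer 192.2.0.2 and the names MAP and TRA2 are reused from the output above; the interface name outside, the ACL VPN-ACL, the proposal name PROP-AES256 and the key values are assumptions (the keys are placeholders). With both versions on the same crypto map entry, the tunnel manager tries IKEv2 first and falls back to IKEv1 as described in point 5.

```cisco
! IKEv1 phase 1: the 8.4 keyword is "ikev1", no longer "isakmp"
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
! IKEv2 SA proposal: "integrity" and "prf" replace "hash",
! and the lifetime takes the "seconds" keyword
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
!
! Phase 2: IKEv1 keeps transform-sets, IKEv2 uses ipsec-proposals
crypto ipsec ikev1 transform-set TRA2 esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal PROP-AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! One crypto map entry carries both versions; IKEv2 is preferred
! (VPN-ACL is an assumed name for the interesting-traffic ACL)
crypto map MAP 10 match address VPN-ACL
crypto map MAP 10 set peer 192.2.0.2
crypto map MAP 10 set ikev1 transform-set TRA2
crypto map MAP 10 set ikev2 ipsec-proposal PROP-AES256
crypto map MAP interface outside
!
! Tunnel-group: IKEv1 has one symmetric key; IKEv2 authenticates each
! direction separately, so local and remote methods may differ
! (the key values below are placeholders, not real keys)
tunnel-group 192.2.0.2 type ipsec-l2l
tunnel-group 192.2.0.2 ipsec-attributes
 ikev1 pre-shared-key <ikev1-key-placeholder>
 ikev2 remote-authentication pre-shared-key <ikev2-key-placeholder>
 ikev2 local-authentication pre-shared-key <ikev2-key-placeholder>
```

After the tunnel comes up, "show crypto ikev2 sa" or "show crypto ikev1 sa" tells you which version was actually negotiated, and "debug crypto ike-common" during the first connection attempt shows the tunnel manager's fallback decision. Keep in mind that a silent fallback to IKEv1 means the tunnel is still up but with the weaker negotiation, so a mismatch on the IKEv2 side is worth investigating rather than ignoring.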

8) Configuring AnyConnect 3.0 remote access with IKEv2.

AnyConnect still supports and works as usual with SSL, but now gives you the additional option of configuring IKEv2 as an alternative means of connecting to the ASA.

If you are considering testing this and are configuring it for the first time, please use the ASDM 6.4.x wizard to create the configuration.

You will avoid many pitfalls.
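For readers who want to see what the wizard produces in CLI terms, here is the skeleton of an AnyConnect 3.0 IKEv2 remote access configuration. This is an added example written for this post, not the output of the ASDM wizard and not from the Cisco guide. The trustpoint TP-ASA, the pool RA-POOL, the names PROP-AES256, DYN, MAP, GP-RA, RA-PROFILE and RA, and the interface name outside are assumptions; the package and profile file names are placeholders. It assumes a certificate has already been enrolled in TP-ASA, since (point 4) the gateway must authenticate to the client with a certificate.

```cisco
! Point 4: the ASA authenticates to IKEv2 clients with a certificate,
! so an identity trustpoint is required (TP-ASA is an assumed name)
crypto ikev2 remote-access trustpoint TP-ASA
! client-services on 443 lets AnyConnect fetch the image and profile
! over SSL even when the data tunnel will be IKEv2
crypto ikev2 enable outside client-services port 443
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal PROP-AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
! Remote-access peers have unknown addresses, hence a dynamic map
crypto dynamic-map DYN 10 set ikev2 ipsec-proposal PROP-AES256
crypto map MAP 65535 ipsec-isakmp dynamic DYN
crypto map MAP interface outside
!
ip local pool RA-POOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
!
! The same AnyConnect package serves SSL and IKEv2 clients; the XML
! profile is what tells the client to try IPsec first
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-3.0-package-placeholder>.pkg 1
 anyconnect profiles RA-PROFILE disk0:/<client-profile-placeholder>.xml
 anyconnect enable
 tunnel-group-list enable
!
! Allow both protocols; the client profile decides which one it uses
group-policy GP-RA internal
group-policy GP-RA attributes
 vpn-tunnel-protocol ikev2 ssl-client
 webvpn
  anyconnect profiles value RA-PROFILE type user
!
tunnel-group RA type remote-access
tunnel-group RA general-attributes
 address-pool RA-POOL
 default-group-policy GP-RA
tunnel-group RA webvpn-attributes
 group-alias RA enable
! Asymmetric authentication from point 6: the user is authenticated
! with EAP (username/password), the ASA with its certificate
tunnel-group RA ipsec-attributes
 ikev2 remote-authentication eap query-identity
 ikev2 local-authentication certificate TP-ASA
```

The pitfalls the wizard spares you are mostly in the last two parts: the group-policy must list ikev2 in vpn-tunnel-protocol, the tunnel-group needs the ipsec-attributes block even though the user logs in with a password, and the AnyConnect profile assigned to the group-policy must name IPsec as the primary protocol for the server entry, otherwise the client simply keeps using SSL and you never exercise the IKEv2 path.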

Summary

In essence, the configuration didn't change much.

Certain CLIs needed to be adapted to support both IKEv1 and IKEv2.

The old CLI can still be used and is translated on the fly to the new-style configuration.

ASDM 6.4 works quite well with the new CLI and is a powerful tool for deploying new configurations, especially for AnyConnect IKEv2 support.

Further reading/links:

- For release notes of ASA 8.4 go to:

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html

- ASA 8.4 CLI config guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_config.html

- ASA 8.4 ASDM configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config.html

Feedback/comments/flames:

Leave a comment on this post.


Comments

Difan Zhao Mon, 04/11/2011 - 12:06

I'm still struggling with the NAT configuration changes with the 8.3 release... Now I have one more task to adapt to the new IKE configuration... I guess I won't have weekend anymore for this year lol

Thank you Marcin for the post! It clarifies many questions that I have on the IKEv2.

golly_wog Wed, 04/20/2011 - 13:52

Marcin,

Cheers mate, another top doc!

I wasn't aware of this command, debug crypto ike-common, I'll have a play next week :-)
