
Ask the Expert: FlexVPN and Internet Key Exchange Version 2 (IKEv2)

Jan 14th, 2013

With Jay Young-Taylor

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about FlexVPN and IKEv2 with Jay Young-Taylor. Feel free to ask questions on the comparison between IKEv1 and IKEv2, what functions IOS and ASA support, how DMVPN and FlexVPN interoperate, or any related questions.

Remember to use the rating system to let Jay know if you have received an adequate response. 

 

Jay might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community discussion forum shortly after the event.  This event lasts through January 25, 2013. Visit this forum often to view responses to your questions and the questions of other community members.

jorgegmrs Tue, 01/15/2013 - 09:57

Hello Jay,

I have a quick question.

Since the IPsec client (EZVPN) is being phased out, is FlexVPN its replacement?

Thank you

Jorge

Jay Young Tue, 01/15/2013 - 10:03

Jorge,

A multi-part answer:

a)  The IPsec client (EZVPN) desktop client is indeed being phased out.  AnyConnect is its replacement.

   i)  Anyconnect has multiple connection types (SSL or IKEv2)

   ii)  Anyconnect can connect to an IOS headend or an ASA headend with either

   iii) FlexVPN is the configuration method to support Anyconnect (or native Windows 7 IKEv2 client) IKEv2 connections to IOS headends.

b) EZVPN client on IOS devices (called EZVPN remote) is still available but this type of configuration can be supported by FlexVPN.

Hope that helps.

-Jay

Marcman-Cisco Fri, 01/18/2013 - 01:51

Hello Jay,

concerning AnyConnect:

-     are there benefits or recommendations to change from SSL to IKEv2?

-     is IKEv2 as simple to use as SSL (e.g. communication over a proxy)?

-     is a VPN session with IKEv2 more secure than a VPN via SSL?

Thank you

Marcus

Jay Young Fri, 01/18/2013 - 06:44

Marcus,

There are pros and cons for both technologies (SSL and IKEv2).  One isn't 'more' secure than the other, just different ways of establishing and carrying data in a secure fashion.  In general unless you have a requirement to use IPsec (and along with it IKE) I would generally recommend using Anyconnect with SSL.  For enterprise deployments the SSL client works very well and has some advantages over IKEv2 (software updating, connecting through proxies, working through firewalls that block everything but http and https [hotels/airports]).  There are some features with IKEv2 that SSL doesn't have (Suite-B encryption, able to use the native Windows 7 client, OpenSWAN client, able to use ASR1000 as a headend).

Hope that helps.

-Jay

mayrojas Fri, 01/25/2013 - 14:20

Hello Jay,

Is there any good documentation on how to troubleshoot IKEv2? On the routers, the debugs for IKEv1 were really easy to read. On the ASA, the logs pretty much told you where the issue was. Are there similar methods to troubleshoot IKEv2?

Mike Rojas.

Jay Young Mon, 01/28/2013 - 08:22

Maykol,

Sorry for the delay in getting back to you here.  Currently we are building some documents that clearly describe line by line (well, paragraph by paragraph) what is occurring in the finite state machine and what information is exchanged in the protocol.  The articles have been written and are going through internal review before posting to cisco.com.  We should have them out shortly.

You can enable "debug crypto ikev2", "debug crypto ikev2 packet", and/or "debug crypto ikev2 error" and follow the packet flow.  The debugs themselves have been re-written a couple of times to make the action/work flow more human readable and in plain english.  It should be easier to understand with the later 15.1 - 15.2 code versions.

The debugs are broken up based on us sending a packet (look for "Tx Packet") and receiving a packet (look for "Rx Packet").  In addition you can keep track of a single session by looking at the initiator and responder (IKEv2) SPI.  Those values will never change during the session lifetime.

-Jay
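One way to follow the debug stream the answer above describes, as an added example that is not part of the original thread and not a Cisco tool: a small Python parser that keys "Tx Packet"/"Rx Packet" records by initiator SPI (the responder SPI is all zeros until the first IKE_SA_INIT reply, so the initiator SPI is the stable handle), checks that the responder SPI never changes once set, pairs REQUESTs with RESPONSEs by message id, and reports exchanges that were never answered. The sample capture is constructed and its exact line layout (packet line, then SPI/Message id line, then exchange line) is an assumption modelled on the description above; adjust the regexes to the debug format of your IOS release.

```python
import re
from collections import defaultdict

# Constructed sample capture (not from a real router). Two sessions: one that
# completes IKE_SA_INIT + IKE_AUTH, and one whose IKE_SA_INIT request is
# retransmitted and never answered.
SAMPLE_DEBUG = """\
*Jan 28 08:22:10.101: IKEv2:(SA ID = 1):Tx Packet [To 192.0.2.2:500/From 192.0.2.1:500]
*Jan 28 08:22:10.101: IKEv2:Initiator SPI : A1B2C3D4E5F60718 - Responder SPI : 0000000000000000 Message id: 0
*Jan 28 08:22:10.101: IKEv2:IKE_SA_INIT Exchange REQUEST
*Jan 28 08:22:10.230: IKEv2:(SA ID = 1):Rx Packet [From 192.0.2.2:500/To 192.0.2.1:500]
*Jan 28 08:22:10.230: IKEv2:Initiator SPI : A1B2C3D4E5F60718 - Responder SPI : 9F8E7D6C5B4A3928 Message id: 0
*Jan 28 08:22:10.230: IKEv2:IKE_SA_INIT Exchange RESPONSE
*Jan 28 08:22:10.355: IKEv2:(SA ID = 1):Tx Packet [To 192.0.2.2:4500/From 192.0.2.1:4500]
*Jan 28 08:22:10.355: IKEv2:Initiator SPI : A1B2C3D4E5F60718 - Responder SPI : 9F8E7D6C5B4A3928 Message id: 1
*Jan 28 08:22:10.355: IKEv2:IKE_AUTH Exchange REQUEST
*Jan 28 08:22:10.480: IKEv2:(SA ID = 1):Rx Packet [From 192.0.2.2:4500/To 192.0.2.1:4500]
*Jan 28 08:22:10.480: IKEv2:Initiator SPI : A1B2C3D4E5F60718 - Responder SPI : 9F8E7D6C5B4A3928 Message id: 1
*Jan 28 08:22:10.480: IKEv2:IKE_AUTH Exchange RESPONSE
*Jan 28 08:22:40.002: IKEv2:(SA ID = 2):Tx Packet [To 198.51.100.9:500/From 192.0.2.1:500]
*Jan 28 08:22:40.002: IKEv2:Initiator SPI : 0011223344556677 - Responder SPI : 0000000000000000 Message id: 0
*Jan 28 08:22:40.002: IKEv2:IKE_SA_INIT Exchange REQUEST
*Jan 28 08:22:42.004: IKEv2:(SA ID = 2):Tx Packet [To 198.51.100.9:500/From 192.0.2.1:500]
*Jan 28 08:22:42.004: IKEv2:Initiator SPI : 0011223344556677 - Responder SPI : 0000000000000000 Message id: 0
*Jan 28 08:22:42.004: IKEv2:IKE_SA_INIT Exchange REQUEST
"""

ZERO_SPI = "0" * 16
# Assumed line layout; tune these to the debug output of your IOS release.
PKT_RE = re.compile(r"(?P<dir>Tx|Rx) Packet \[(?:To|From) (?P<peer>[\d.]+):(?P<port>\d+)")
SPI_RE = re.compile(r"Initiator SPI : (?P<ispi>[0-9A-Fa-f]{16}) - Responder SPI : "
                    r"(?P<rspi>[0-9A-Fa-f]{16}) Message id: (?P<mid>\d+)")
EXCH_RE = re.compile(r"(?P<exch>IKE_SA_INIT|IKE_AUTH|CREATE_CHILD_SA|INFORMATIONAL) "
                     r"Exchange (?P<kind>REQUEST|RESPONSE)")


def parse_packets(debug_text):
    """Turn the debug stream into one record per Tx/Rx packet."""
    packets, current = [], None
    for line in debug_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            current = {"dir": m["dir"], "peer": m["peer"], "port": int(m["port"])}
            packets.append(current)
            continue
        if current is None:
            continue
        m = SPI_RE.search(line)
        if m:
            current.update(ispi=m["ispi"].upper(), rspi=m["rspi"].upper(), mid=int(m["mid"]))
            continue
        m = EXCH_RE.search(line)
        if m:
            current.update(exch=m["exch"], kind=m["kind"])
    # keep only packets for which all three lines were seen
    return [p for p in packets if "ispi" in p and "exch" in p]


def group_sessions(packets):
    """Key packets by initiator SPI: it is fixed for the life of the IKE SA, while the
    responder SPI is all zeros until the first IKE_SA_INIT response arrives."""
    sessions = defaultdict(list)
    for p in packets:
        sessions[p["ispi"]].append(p)
    return dict(sessions)


def summarize_session(pkts):
    """Pair REQUEST/RESPONSE by message id and report what never got answered."""
    rspi, problems = None, []
    for p in pkts:
        if p["rspi"] != ZERO_SPI:
            if rspi is None:
                rspi = p["rspi"]
            elif p["rspi"] != rspi:
                # Both SPIs are constant for a session; a change means two SAs got mixed up
                problems.append("responder SPI changed %s -> %s" % (rspi, p["rspi"]))
    sent, exch_of, answered = defaultdict(int), {}, set()
    for p in pkts:
        if p["kind"] == "REQUEST":
            sent[p["mid"]] += 1          # repeats of one message id are retransmits
            exch_of[p["mid"]] = p["exch"]
        else:
            answered.add(p["mid"])
    unanswered = [(exch_of[mid], n) for mid, n in sorted(sent.items()) if mid not in answered]
    return {"peer": pkts[0]["peer"], "rspi": rspi, "problems": problems,
            "exchanges": list(dict.fromkeys(p["exch"] for p in pkts)), "unanswered": unanswered}


def report(debug_text):
    """One verdict line per IKE SA seen in the debug stream."""
    lines = []
    for ispi, pkts in group_sessions(parse_packets(debug_text)).items():
        s = summarize_session(pkts)
        if s["unanswered"]:
            exch, n = s["unanswered"][0]
            verdict = "%s request sent %d time(s), no reply" % (exch, n)
            if exch == "IKE_SA_INIT":   # nothing came back at all: path before proposals
                verdict += " (check reachability and UDP/500 before proposals or auth)"
        elif s["problems"]:
            verdict = "; ".join(s["problems"])
        else:
            verdict = "completed " + ", ".join(s["exchanges"])
        lines.append("iSPI %s  rSPI %s  peer %s: %s" % (ispi, s["rspi"] or "-", s["peer"], verdict))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DEBUG)))
```

Feed it the output of `debug crypto ikev2` saved from the terminal; the verdict for the second session in the sample (IKE_SA_INIT sent twice, no reply) is the pattern to look for before digging into proposal or authentication details, since nothing past the first exchange can fail until a response arrives.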

Posted January 14, 2013 at 1:25 PM