Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

help ikev1 => ikev2 migration IOS

hi,

I use ikev1 in my hub and spokes (25 spokes) ipsec vpn (in using VTI), and I would like some help to switch in ikev2

I found some documentation but I'm not sure it is ok for me. I use x509 certificate.

See a piece of my config in ikev1 :

==================================

crypto pki trustpoint Test

...

crypto isakmp policy 10

auth rsa-sig

encr aes 256

hash md5

group 5

crypto isakmp identity dn

crypto isakmp keepalive 60 10

!

crypto ipsec security-association lifetime seconds 28800

!

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac

!

crypto ipsec profile vpn

set security-association replay window-size 1024

set transform-set ESP-AES-256-MD5

set pfs group5

!

!

interface Tunnel0

description site1

ip unnumbered GigabitEthernet0/1

ip mtu 1390

ip tcp adjust-mss 1350

tunnel source GigabitEthernet0/0

tunnel mode ipsec ipv4

tunnel destination xxxxxxxxxx

tunnel protection ipsec profile vpn

!

interface Tunnel1

description site2

ip unnumbered GigabitEthernet0/1

ip mtu 1438

ip tcp adjust-mss 1398

tunnel source GigabitEthernet0/0

tunnel mode ipsec ipv4

tunnel destination yyyyyyyyyyy

tunnel protection ipsec profile vpn

!

...

====================================

of course in switching in ikev2 I will upgrade with strongest encryption/auth/group.

If you can paste me the conf in ikev2 from my ikev1 source, I'm very interested.

Thank you very much.

Regards

Nicolas

3 REPLIES
Cisco Employee

help ikev1 => ikev2 migration IOS

Nicolas,

Your adapted configuration could look something like

crypto ikev2 keyring KEY

peer Remote

  address 0.0.0.0 0.0.0.0

  pre-shared-key cisco

!

crypto ikev2 profile PRO

match identity remote address 0.0.0.0

authentication local pre-share

authentication remote pre-share

keyring KEY

crypto ipsec security-association lifetime seconds 28800

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes 256 esp-md5-hmac

crypto ipsec profile vpnv2

set security-association replay window-size 1024

set transform-set ESP-AES-256-MD5

set pfs group5

set ikev2-profile PRO

Obviously this configuration is for pre shared key, to switch it to RSA you just need to change setting in the profile.

What you should be cautious about is sharing IKEv1 and IKEv2 on same source interfaces, if you can use a different tunnel source for IKEv1 and IKEv2 this would be ideal for software version which might be a bit older.

M.             

New Member

help ikev1 => ikev2 migration IOS

Hi Marcin,

thanks for your answer.

You say : "Obviously this configuration is for pre shared key, to switch it to RSA you just need to change setting in the profile."... and what about "crypto ikev2 keyring KEY", we are forced to use "pre-shared-key" here ?

+ in my original configuration, I use "crypto isakmp identity dn", I can't see it on your configuration ?

thanks

nicolas

Cisco Employee

help ikev1 => ikev2 migration IOS

NIcolas,

As mentioned, you need to change settings in IKEv2 profile to exchieve similar result.

For example

crypto ikev2 profile cert_profile

  authentication local rsa-sig

  authentication remote rsa-sig

  pki trustpoint TEST

  identity local dn !or fqdn?

  match identity remote ...

M.

679
Views
0
Helpful
3
Replies
CreatePlease to create content