IKEv2 on vMX to Cisco ASA

BaronCSE
Here to help

Hi!

Is anyone using IKEv2 for vMX to ASA? If yes, did you have any issues?

PhilipDAth
Kind of a big deal

Not from a VMX, but from a physical MX.

I think there was a restriction of only being able to have one subnet in the source and destination encryption domain.

CptnCrnch
Kind of a big deal

Exactly this restriction was also hitting me when setting up my first 3rd party tunnel to Umbrella. Definitely something one has to take into consideration!

AlexP
Meraki Employee

https://documentation.meraki.com/MX/Site-to-site_VPN/IKEv1_and_IKEv2_for_non-Meraki_VPN_Peers_Compar...

It's not that there can only be one subnet, it's that both sides need to be able to support building a single IPsec tunnel that encompasses each source and destination.

The upside is that this scales a lot better, and is far easier to troubleshoot. The downside is, some vendors have been having to play catch-up to the IKEv2 standard, and still impose the "one pair per IPsec tunnel" rule that existed in IKEv1.

Last I heard, ASA was working on a new release that should resolve this, but I don't have any more info on what that looks like, or if it's out yet.
