S2S IKEv2 with Cisco ASA and vMX

BaronCSE
Here to help

Hi!

Can someone share an IKEv2 configuration for a Cisco ASA using IKEv2? I'm having a hard time making it work.

crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha
 prf sha256
 group 14
 lifetime 28800

crypto ipsec ikev2 ipsec-proposal VPN-TRANSFORM
 protocol esp encryption aes-256
 protocol esp integrity sha

object-group network OBJ-REMOTE-END
 network-object 10.1.1.0 255.255.255.0
 network-object 10.2.2.0 255.255.255.0

object-group network ONPREM
 network-object 10.10.10.0 255.255.255.0

access-list cryptomap_ikev2 extended permit ip object-group ONPREM object-group OBJ-REMOTE-END

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ikev2
 ikev2 local-authentication pre-shared-key ikev2
 isakmp keepalive disable

crypto map outside_map 10 match address cryptomap_ikev2
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map outside_map 10 set security-association lifetime seconds 3600

nat (inside,outside) source static ONPREM ONPREM destination static OBJ-REMOTE-END OBJ-REMOTE-END no-proxy-arp route-lookup

PhilipDAth
Kind of a big deal

I see you are using multiple subnets for the remote end. Try changing that to using a single subnet.

The MX expects to negotiate all the subnets to use in one go, in the initial SA. The ASA expects to negotiate a single subnet in the initial SA, and then negotiate each additional subnet combination in a new SA.

Both methods are correct but incompatible.

I have heard the ASA in later software releases also implemented the MX method, but have not been able to verify that myself.

If you can't get newer ASA software you may be restricted to using a single subnet in the source encryption domain and a single subnet in the remote encryption domain (on the ASA side).

Hi Philip, thank you for sharing. I already changed it to a single subnet and it's still not working.

On phase 1 I noticed that the parameters for integrity in the ASA are not available on Meraki. Should I remove the integrity? Also, the authentication is not available on the ASA.

PhilipDAth
Kind of a big deal

I haven't done a VPN between an ASA and an MX for a long time and don't recall the settings I last used.

But the crypto settings will need to match exactly.

KarstenI
Kind of a big deal

I would try to change the integrity of IKE and IPsec from SHA-1 to SHA256. The first reason is that SHA-1 is outdated; the second reason is that I had problems with a different VPN gateway when, in IKEv2, the integrity algorithm and the PRF differ. Not sure if that is also the case with the ASA and MX, but it is worth a try.
