Cisco ASA 5505 Adaptive Security Appliance Troubleshooting Guide

Page 7
• After the command is entered, the current IKEv1 configuration is not deleted. Instead, the IKEv1 and IKEv2 configurations run in parallel on the same crypto map. You can also set this up manually. Running both IKEv1 and IKEv2 in parallel allows an IPsec VPN initiator to fall back from IKEv2 to IKEv1 when a protocol or configuration issue with IKEv2 would otherwise cause the connection attempt to fail. It also provides a rollback mechanism and makes migration easier.
• When both IKEv1 and IKEv2 run in parallel, the ASA uses a module called tunnel manager/IKE common on the initiator to determine the crypto map and IKE protocol version to use for a connection. The ASA always prefers to initiate IKEv2, but if it cannot, it falls back to IKEv1.
• Multiple peers used for redundancy are not supported with IKEv2 on the ASA. In IKEv1, for redundancy purposes, you can have more than one peer under the same crypto map when you enter the set peer command. The first peer is the primary, and if it fails, the second peer takes over. Refer to Cisco bug ID CSCud22276 (registered customers only), ENH: Multiple Peers support for IKEv2.
Migration Process
Configuration
In this example, an IKEv1 VPN that uses Pre-Shared Key (PSK) authentication exists on the ASA.
Note: The configuration shown here is only relevant to the VPN tunnel.
ASA Configuration with a Current IKEv1 VPN (Before Migration)
ASA-2(config)# sh run
ASA Version 8.4(2)
!
hostname ASA-2
!
crypto ipsec ikev1 transform-set goset esp-3des esp-sha-hmac
crypto map vpn 12 match address NEWARK
crypto map vpn 12 set pfs group5
crypto map vpn 12 set peer <peer_ip-address>
crypto map vpn 12 set ikev1 transform-set goset
crypto map vpn interface outside
crypto isakmp disconnect-notify
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
!
tunnel-group <peer_ip-address> type ipsec-l2l
tunnel-group <peer_ip-address> ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 3
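Because the parallel IKEv1/IKEv2 setup described above keeps IKEv1 reachable as a fallback, the IKEv1 policy and transform-set strength still matter after migration. The following audit script is an added example, not Cisco's code and not the guide's own procedure: it parses a running-config excerpt like the one above and reports which IKE versions each interface and crypto map entry can serve, which interfaces allow IKEv2-to-IKEv1 fallback, and which settings use an algorithm on the example's own legacy list. Both sample configs are constructed (a documentation-range address stands in for <peer_ip-address>), and the IKEv2 lines in the second sample are this example's assumption of a parallel configuration, not the output of migrate l2l.

```python
"""Audit an ASA running-config excerpt for IKE version exposure.

Added example, not Cisco's code. It reports which IKE versions each interface
and crypto map entry can serve, and which settings use an algorithm on this
example's own legacy list. Both sample configs are constructed.
"""
import re

# Constructed: the page's pre-migration config with a documentation-range peer.
SAMPLE_BEFORE = """\
crypto ipsec ikev1 transform-set goset esp-3des esp-sha-hmac
crypto map vpn 12 match address NEWARK
crypto map vpn 12 set pfs group5
crypto map vpn 12 set peer 203.0.113.10
crypto map vpn 12 set ikev1 transform-set goset
crypto map vpn interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 5
 lifetime 86400
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# Constructed: IKEv2 added in parallel on the same crypto map entry. These
# IKEv2 lines are this example's assumption, not the guide's migrate output.
SAMPLE_PARALLEL = SAMPLE_BEFORE + """\
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map vpn 12 set ikev2 ipsec-proposal AES256
crypto ikev2 enable outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
"""

# This example's own legacy list; "hash sha"/"integrity sha" mean SHA-1.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5", "sha"},
          "group": {"1", "2", "5"}, "integrity": {"md5", "sha"}}
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
LEGACY_PFS = {"group1", "group2", "group5"}


def audit(config_text):
    """Return IKE versions per interface/map entry, legacy findings, fallback."""
    enabled, map_entries, legacy = {}, {}, []
    block = None  # (ike version, policy number) while inside a policy block
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):  # child line: only IKE policy blocks matter
            parts = line.split()
            if block and len(parts) >= 2 and parts[1] in LEGACY.get(parts[0], ()):
                legacy.append(f"crypto {block[0]} policy {block[1]}: {' '.join(parts)}")
            continue
        block = None
        if m := re.match(r"crypto (ikev[12]) enable (\S+)$", line):
            enabled.setdefault(m[2], set()).add(m[1])
        elif m := re.match(r"crypto (ikev[12]) policy (\d+)$", line):
            block = (m[1], m[2])
        elif m := re.match(r"crypto map (\S+) (\d+) set (ikev[12]) ", line):
            map_entries.setdefault((m[1], m[2]), set()).add(m[3])
        elif m := re.match(r"crypto map (\S+) (\d+) set pfs (\S+)$", line):
            if m[3] in LEGACY_PFS:
                legacy.append(f"crypto map {m[1]} {m[2]}: pfs {m[3]}")
        elif m := re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)$", line):
            weak = sorted(set(m[2].split()) & LEGACY_TRANSFORMS)
            if weak:
                legacy.append(f"transform-set {m[1]}: {' '.join(weak)}")
    # Both versions on one interface: an initiator can fall back to IKEv1, so
    # the IKEv1 policy strength still matters after migration.
    fallback = sorted(i for i, v in enabled.items() if {"ikev1", "ikev2"} <= v)
    ikev1_only = sorted(i for i, v in enabled.items() if v == {"ikev1"})
    return {"enabled": enabled, "map_entries": map_entries, "legacy": legacy,
            "fallback_interfaces": fallback, "ikev1_only_interfaces": ikev1_only}


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_BEFORE), ("parallel", SAMPLE_PARALLEL)):
        print(f"== {name} ==")
        for key, value in audit(cfg).items():
            print(f"  {key}: {value}")
```

Run against a real show running-config capture, the interesting output is fallback_interfaces: any interface listed there still negotiates IKEv1 with whatever policy and transform-set the pre-migration config carried, so the legacy findings are not resolved merely by adding IKEv2 in parallel. The legacy list is a starting point to adjust to your own policy; the parser only inspects crypto ikev1/ikev2 policy blocks, transform-sets and crypto map pfs settings.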
ASA IKEv2 Configuration (After Migration)
Note: Changes marked in bold italics.
ASA-2(config)# migrate l2l
ASA-2(config)# sh run
ASA Version 8.4(2)
!
hostname ASA-2