
Cisco ASA IKEv1 and IKEv2 Support for IPSEC

Edited By Harris Andrea

The IETF defined an updated version of the Internet Key Exchange protocol, IKEv2, to simplify and improve the legacy IKEv1 protocol.

Cisco ASA added IPsec IKEv2 support in software version 8.4(1). From that release on, IKEv2 can be used for both AnyConnect (remote access) and LAN-to-LAN (site-to-site) VPN connections.

Legacy IKEv1 remains fully supported and is still used in most existing VPN configurations.

In this article I will show the differences between the commands used in ASA versions prior to 8.4(1) and the equivalent commands in versions 8.4(1) and later.

ASA version prior to 8.4(1)

Let's start with a basic IPsec LAN-to-LAN VPN configuration for ASA versions prior to 8.4(1). Only the commands whose syntax differs in 8.4(1) and later are shown here; a complete LAN-to-LAN VPN needs additional commands (for example the VPN-TO-REMOTE access list that the crypto map references). Note also that 3DES, SHA-1 and Diffie-Hellman group 2 are legacy algorithm choices, kept here only so that the two versions can be compared command by command; for a new tunnel prefer AES with a stronger DH group.

! Phase 2: IPsec transform set (ESP with 3DES encryption and SHA-1 HMAC)
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
!
! Crypto map: which traffic to protect, which peer, which transform set
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto map IPSEC interface outside
!
! Phase 1: ISAKMP (IKEv1) settings
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! Peer authentication: pre-shared key for the LAN-to-LAN tunnel group
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 pre-shared-key *****

ASA version 8.4(1) and later

Now let's see how the same IPsec LAN-to-LAN VPN commands look in ASA version 8.4(1) and later. The commands that changed are the ones that now carry the ikev1 keyword: the transform-set definition, the transform-set binding in the crypto map, the IKE enable and policy commands, and the tunnel-group pre-shared key. Everything else is unchanged:

! changed: the transform set is now defined with the ikev1 keyword
crypto ipsec ikev1 transform-set espSHA3DESproto esp-3des esp-sha-hmac
!
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
! changed: ikev1 keyword before transform-set
crypto map IPSEC 10 set ikev1 transform-set espSHA3DESproto
crypto map IPSEC interface outside
!
! changed: "crypto isakmp" becomes "crypto ikev1" for enable and policy;
! the identity command keeps its old form
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
!
! changed: ikev1 keyword before pre-shared-key
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 ikev1 pre-shared-key *****

The table below shows a side-by-side comparison of the commands for even older ASA versions. The first entry of each row shows the command for ASA versions prior to 7.2(1), the second the command for versions from 7.2(1) up to (but not including) 8.4(1), and the third the command for 8.4(1) and later.

Table with Cisco ASA versions and command differences regarding Site-to-Site IPSEC VPN commands:

IKE policy
  prior to 7.2(1):        isakmp policy [policy #]
  7.2(1) up to 8.4(1):    crypto isakmp policy [policy #]
  8.4(1) and later:       crypto ikev1 policy [policy #]

IKE enable on an interface
  prior to 7.2(1):        isakmp enable [interface-name]
  7.2(1) up to 8.4(1):    crypto isakmp enable [interface-name]
  8.4(1) and later:       crypto ikev1 enable [interface-name]

IKE identity
  prior to 7.2(1):        isakmp identity address
  7.2(1) up to 8.4(1):    crypto isakmp identity address
  8.4(1) and later:       crypto isakmp identity address   (unchanged)

IPsec transform set
  prior to 7.2(1):        crypto ipsec transform-set
  7.2(1) up to 8.4(1):    crypto ipsec transform-set
  8.4(1) and later:       crypto ipsec ikev1 transform-set

Pre-shared key of the tunnel group
  prior to 7.2(1):        tunnel-group [name] ipsec-attributes
                            pre-shared-key xxxxxxx
  7.2(1) up to 8.4(1):    tunnel-group [name] ipsec-attributes
                            pre-shared-key xxxxxxx
  8.4(1) and later:       tunnel-group [name] ipsec-attributes
                            ikev1 pre-shared-key xxxxxxx
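When a firewall is upgraded across the 8.4(1) boundary the old configuration has to be converted to the new syntax; the mapping in the table above is mechanical enough to script. The following Python script is an added example for this article (it is not code from the article or from Cisco): it rewrites each command form listed in the table into its 8.4(1)-and-later equivalent, keeps track of the tunnel-group ipsec-attributes section so that only the pre-shared-key command under it gets the ikev1 prefix, and passes every other line through unchanged. The embedded sample configuration is the article's own pre-8.4(1) excerpt; the set of top-level keywords used to detect the end of an ipsec-attributes section, and the treatment of "isakmp keepalive" as a sub-command of that section, are assumptions of the example, so the output should still be reviewed on the real device.

```python
"""Rewrite pre-8.4(1) Cisco ASA IKEv1 site-to-site VPN commands into the
8.4(1)-and-later syntax shown in this article.  Added example for this page,
not code from the article or from Cisco: it implements only the mappings of
the comparison table, and every line it does not recognise is passed through
unchanged, so the result still needs checking on the real device."""
import re

# (pattern, replacement) pairs applied to a command after leading whitespace is
# removed.  Only the command prefix is rewritten, so names, sequence numbers
# and parameters survive untouched.
TOP_LEVEL_RULES = [
    # ASA versions prior to 7.2(1)
    (re.compile(r"^isakmp policy\b"), "crypto ikev1 policy"),
    (re.compile(r"^isakmp enable\b"), "crypto ikev1 enable"),
    (re.compile(r"^isakmp identity\b"), "crypto isakmp identity"),
    # 7.2(1) up to 8.4(1)
    (re.compile(r"^crypto isakmp policy\b"), "crypto ikev1 policy"),
    (re.compile(r"^crypto isakmp enable\b"), "crypto ikev1 enable"),
    # transform set definition and its binding in the crypto map (all older versions)
    (re.compile(r"^crypto ipsec transform-set\b"), "crypto ipsec ikev1 transform-set"),
    (re.compile(r"^(crypto map \S+ \d+) set transform-set\b"), r"\1 set ikev1 transform-set"),
]
IPSEC_ATTRS_RE = re.compile(r"^tunnel-group \S+ ipsec-attributes\b")
PSK_RE = re.compile(r"^pre-shared-key\b")
# Assumption: first tokens of common top-level commands.  Any of these closes an
# open "tunnel-group ... ipsec-attributes" section; sub-commands of that section
# (such as "isakmp keepalive") must not be listed here.
TOP_LEVEL_TOKENS = {"crypto", "tunnel-group", "access-list", "interface", "object",
                    "object-group", "group-policy", "nat", "route", "end"}


def _is_top_level(tokens):
    if tokens and tokens[0] == "isakmp":
        # pre-7.2(1) "isakmp policy|enable|identity" are top level, whereas
        # "isakmp keepalive" is a tunnel-group ipsec-attributes sub-command
        return tokens[1:2] != ["keepalive"]
    return bool(tokens) and tokens[0] in TOP_LEVEL_TOKENS


def migrate_lines(lines):
    """Return (rewritten_lines, changes) where changes is a list of (old, new)."""
    out, changes = [], []
    in_ipsec_attrs = False
    for raw in lines:
        cmd = raw.strip()
        indent = raw[: len(raw) - len(raw.lstrip())]
        if not cmd or cmd[0] in "!:":  # blank, "!" and ": Saved" lines pass through
            out.append(raw)
            continue
        tokens = cmd.split()
        if _is_top_level(tokens):
            in_ipsec_attrs = bool(IPSEC_ATTRS_RE.match(cmd))
        new = cmd
        if in_ipsec_attrs and PSK_RE.match(cmd):
            # pre-shared-key lives under ipsec-attributes; 8.4(1)+ wants the ikev1 prefix
            new = "ikev1 " + cmd
        else:
            for pattern, repl in TOP_LEVEL_RULES:
                new, hits = pattern.subn(repl, cmd, count=1)
                if hits:
                    break
        if new != cmd:
            changes.append((cmd, new))
        out.append(indent + new)
    return out, changes


def migrate_config(text):
    """Migrate a whole configuration string; returns the rewritten text."""
    new_lines, _ = migrate_lines(text.splitlines())
    return "\n".join(new_lines) + ("\n" if text.endswith("\n") else "")


# The pre-8.4(1) excerpt from this article, in "show running-config" layout
# (sub-commands indented by one space).
PRE_84 = """\
crypto ipsec transform-set espSHA3DESproto esp-3des esp-sha-hmac
crypto map IPSEC 10 match address VPN-TO-REMOTE
crypto map IPSEC 10 set pfs
crypto map IPSEC 10 set peer 100.100.100.2
crypto map IPSEC 10 set transform-set espSHA3DESproto
crypto map IPSEC interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group 100.100.100.2 type ipsec-l2l
tunnel-group 100.100.100.2 ipsec-attributes
 pre-shared-key *****
"""

if __name__ == "__main__":
    _, changes = migrate_lines(PRE_84.splitlines())
    for old, new in changes:  # the five commands that change in 8.4(1) and later
        print(f"{old:58} -> {new}")
```

Running the script on the article's excerpt reports exactly the five rewritten commands discussed above and leaves `crypto isakmp identity address` and the policy sub-commands alone; running it a second time on its own output changes nothing, so it is safe to apply to a configuration that is already partly migrated. Pre-shared keys are treated as opaque text and never logged other than in the (old, new) pairs, so redact them before sharing the output.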


Filed Under: Cisco ASA Firewall Configuration


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Bengt Åkerberg says

    April 24, 2012 at 9:51 pm

    Thank You for the update.

    Best Regards Bengt Åkerberg
