IKEv2 Site to Site VPN between FortiVM and ASAv

Steps to configure IKEv2 Site to Site VPN between FortiVM and ASAv

  1. IKEv2 uses only 4 messages to establish a secure peering and therefore consumes less bandwidth than IKEv1 (Main Mode uses 9 messages)
  2. IKEv2 is more secure and stable than IKEv1, with many features such as NAT-T and EAP for remote access

Refer to the Difference Between IKEv1 and IKEv2

A. IKEv2 in FortiVM

  1. We are using the same lab as in IKEv1 Site to Site VPN between FortiOS and ASAv, with the same configuration for IP addresses and firewall policies
  2. Change IKEv1 to IKEv2 by changing the following
  • set ike-version 2
  • set dhgrp 19
FortiGate-VM64 # sh vpn ipsec phase1-interface
config vpn ipsec phase1-interface
    edit "VPN_IKEV1"
        set interface "port2"
        set ike-version 2
        set peertype any
        set proposal des-sha1 des-sha256
        set dhgrp 19
        set remote-gw 10.10.10.254
        set psksecret ENC ixzIGoHVsuDc51lq0ydtNfgiZgsCZnmB0dYxFxXPfUhxaR3PxvA1i5epYHUCjmWKLgDzY9v4ZN+wOfDFWJpQszCAn2kvrB9wNz3+X6EEZJv/cFkNvUY07IrGZFJqbuCgzUpy8mqxPuUS+cDxTUhpkCRvgiVSjss61IT+7MeVUIXk7fts7ZMv2x+LVhxJWQsOgY9/uQ==
    next
end

FortiGate-VM64 # sh vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "VPN_IKEV1"
        set phase1name "VPN_IKEV1"
        set proposal des-md5 des-sha1
        set dhgrp 19
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 86400
        set src-name "PROD_LAN"
        set dst-name "DR_LAN"
    next
end

B. IKEv2 in ASAv

  1. Enable IKEv2 on the outside interface
crypto ikev2 enable outside
  2. Enable IKEv2 local and remote authentication with a pre-shared key in the existing 30.30.30.254 tunnel group
ASAv(config)# tunnel-group 30.30.30.254 ipsec-attributes

ASAv(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key P@ssw0rd
INFO: You must configure ikev2 local-authentication pre-shared-key
      or certificate to complete authentication.
ASAv(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key P@ssw0rd
  3. Create an IKEv2 policy
crypto ikev2 policy 30
    encryption des
    integrity sha256
    group 19
    lifetime seconds 86400
  4. Create an IKEv2 ipsec-proposal
crypto ipsec ikev2 ipsec-proposal ikev2-set
    protocol esp encryption des
    protocol esp integrity sha-1
  5. Remove the crypto map for IKEv1_map
no crypto map IKEv1_map 1 match address NO-NAT-FG
no crypto map IKEv1_map 1 set pfs group5
no crypto map IKEv1_map 1 set peer 30.30.30.254
no crypto map IKEv1_map 1 set ikev1 transform-set ikev1-set
no crypto map IKEv1_map interface outside
  6. Add the crypto map for ikev2-map
crypto map ikev2-map 1 match address NO-NAT-FG
crypto map ikev2-map 1 set pfs group19
crypto map ikev2-map 1 set peer 30.30.30.254
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-set
crypto map ikev2-map interface outside
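The most common reason an IKEv2 tunnel between two vendors stays down is a proposal mismatch: the FortiGate phase1/phase2 proposals and DH group must overlap with the ASA ikev2 policy, ipsec-proposal and crypto-map PFS group, and the two vendors spell the algorithms differently (sha-1 on the ASA, sha1 on the FortiGate). The following script is an added example, not code from the post or from either vendor; it parses the configuration snippets from this lab (embedded below as constructed sample input) and reports the IKE SA and Child SA parameters the two peers can actually agree on, flagging legacy algorithms (DES, MD5, SHA-1) that a practitioner would want to see before going to production. The parser assumes the exact keyword layout shown on this page and handles only the fields the lab uses.

```python
import re

# Constructed sample input: the FortiGate and ASAv snippets from this lab,
# reduced to the lines the checker needs.
FORTI_PHASE1 = """
config vpn ipsec phase1-interface
    edit "VPN_IKEV1"
        set ike-version 2
        set proposal des-sha1 des-sha256
        set dhgrp 19
    next
end
"""
FORTI_PHASE2 = """
config vpn ipsec phase2-interface
    edit "VPN_IKEV1"
        set proposal des-md5 des-sha1
        set dhgrp 19
    next
end
"""
ASA_IKEV2_POLICY = """
crypto ikev2 policy 30
    encryption des
    integrity sha256
    group 19
    lifetime seconds 86400
"""
ASA_IPSEC_PROPOSAL = """
crypto ipsec ikev2 ipsec-proposal ikev2-set
    protocol esp encryption des
    protocol esp integrity sha-1
"""
ASA_CRYPTO_MAP = """
crypto map ikev2-map 1 match address NO-NAT-FG
crypto map ikev2-map 1 set pfs group19
crypto map ikev2-map 1 set peer 30.30.30.254
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-set
"""

# The two vendors spell hash names differently; fold both onto one form.
_HASH_ALIASES = {"sha-1": "sha1", "sha": "sha1", "sha-256": "sha256",
                 "sha-384": "sha384", "sha-512": "sha512"}
# Legacy algorithms worth flagging in the negotiated result.
WEAK = {"des", "3des", "md5", "sha1"}


def canon(name):
    return _HASH_ALIASES.get(name.lower(), name.lower())


def forti_proposals(text):
    """(set of (enc, hash) pairs, set of DH groups) from a FortiGate phase block."""
    pairs, groups = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set proposal "):
            for item in line.split()[2:]:          # e.g. des-sha1, aes256-sha256
                enc, hsh = item.split("-", 1)
                pairs.add((canon(enc), canon(hsh)))
        elif line.startswith("set dhgrp "):
            groups.update(line.split()[2:])
    return pairs, groups


def asa_ikev2_policy(text):
    """(set of (enc, hash) pairs, set of DH groups) from a 'crypto ikev2 policy'."""
    enc, integ, groups = [], [], set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        if parts[0] == "encryption":
            enc.extend(canon(p) for p in parts[1:])
        elif parts[0] == "integrity":
            integ.extend(canon(p) for p in parts[1:])
        elif parts[0] == "group":
            groups.update(parts[1:])
    # The ASA offers every encryption/integrity combination listed in the policy.
    return {(e, i) for e in enc for i in integ}, groups


def asa_ipsec_proposal(text):
    """Set of (enc, hash) pairs from a 'crypto ipsec ikev2 ipsec-proposal'."""
    enc, integ = [], []
    for line in text.splitlines():
        parts = line.split()
        if parts[:3] == ["protocol", "esp", "encryption"]:
            enc.extend(canon(p) for p in parts[3:])
        elif parts[:3] == ["protocol", "esp", "integrity"]:
            integ.extend(canon(p) for p in parts[3:])
    return {(e, i) for e in enc for i in integ}


def asa_pfs_groups(text):
    """PFS DH groups from 'set pfs groupN' lines of a crypto map."""
    return {m.group(1) for m in re.finditer(r"set pfs group(\d+)", text)}


def negotiate(local_pairs, local_groups, remote_pairs, remote_groups):
    """Parameters both peers offer, plus any legacy algorithms among them.
    An empty 'proposals' or 'dh_groups' list means the SA cannot come up."""
    pairs = local_pairs & remote_pairs
    groups = local_groups & remote_groups
    weak = sorted({alg for pair in pairs for alg in pair if alg in WEAK})
    return {"proposals": sorted(pairs), "dh_groups": sorted(groups), "weak": weak}


def check_lab():
    p1_f, g1_f = forti_proposals(FORTI_PHASE1)
    p1_a, g1_a = asa_ikev2_policy(ASA_IKEV2_POLICY)
    p2_f, g2_f = forti_proposals(FORTI_PHASE2)
    p2_a = asa_ipsec_proposal(ASA_IPSEC_PROPOSAL)
    g2_a = asa_pfs_groups(ASA_CRYPTO_MAP)
    return {"ike_sa": negotiate(p1_f, g1_f, p1_a, g1_a),
            "child_sa": negotiate(p2_f, g2_f, p2_a, g2_a)}


if __name__ == "__main__":
    for sa, result in check_lab().items():
        print(sa, result)
```

For this lab the IKE SA resolves to des/sha256 with DH group 19 and the Child SA to des/sha1 with PFS group 19, so the tunnel comes up, and the `weak` list shows that DES and SHA-1 are what it is actually running on. If `negotiate` returns an empty proposal list for either SA, that is the configuration-side explanation for a "no proposal chosen" failure before any debug output is collected.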

IKEv2 tunnel is up in ASAv
[screenshot: FortiVM-ikev2-01]

IKEv2 tunnel is up in FortiVM
[screenshot: FortiVM-ikev2-02]

Ubuntu server (10.10.8.10) can ping the WIN10 PC (30.30.8.10) successfully
[screenshot: FortiVM-IKEv1-01]

WIN10 PC (30.30.8.10) can ping the Ubuntu server (10.10.8.10) successfully
[screenshot: FortiVM-IKEv1-02]
