
Saturday, November 2, 2024

Modern IKE and IPSec Configuration on Cisco ASA (Post-9.7)

With the rapid evolution of networking technologies, securing communications has become paramount. In this blog, we will explore how to configure Internet Key Exchange (IKE) and IPSec on Cisco ASA firewalls, particularly focusing on changes introduced after version 9.7. These updates enhance the configuration process, making it more intuitive and robust while maintaining the high level of security expected from enterprise-grade devices.

## Understanding IKE and IPSec

**IKE** is a hybrid protocol that facilitates the establishment of security associations (SAs) and authenticated keys necessary for securing data transmissions. It operates in two main phases:

1. **IKE Phase 1**: Establishes a secure, authenticated channel between peers (ISAKMP SA).
2. **IKE Phase 2**: Negotiates SAs for IPSec, providing keying material through a process known as Quick Mode.

## Key Features of ASA Post-9.7

Cisco ASA devices running software versions 9.7 and above have introduced several enhancements to the configuration of IKE and IPSec. These include:

- **Simplified Configuration Syntax**: Cisco has streamlined commands to make configuration easier and more logical.
- **Enhanced Security Options**: Additional algorithms and methods have been included to improve security.
- **Better Integration with External Systems**: Improved PKI integration for better certificate management.

## Configuring IKE on ASA

The configuration process for IKE on ASA is broken down into two methods: using Pre-Shared Keys (PSK) and using Public Key Infrastructure (PKI). Let’s take a closer look at both methods.

### I. Using Pre-Shared Keys (PSK)

1. **Define ISAKMP Policies**: This step involves creating a policy that dictates the parameters for IKE Phase 1.

   ```
   crypto ikev2 policy 10
    encryption aes-256
    integrity sha256
    group 14
    prf sha256
    lifetime seconds 86400
   ```

   In this example:
   - **Encryption**: We specify the encryption method (AES-256).
   - **Integrity**: SHA-256 is chosen for integrity checks.
   - **Group**: We select a Diffie-Hellman group for key exchange.
   - **PRF**: The pseudo-random function used to derive keying material; an ASA IKEv2 policy requires one.
   - **Lifetime**: Specifies how long the SA will be valid (in seconds).

2. **Configure the Pre-Shared Key**:

   ```
   tunnel-group <peer-ip> type ipsec-l2l
   tunnel-group <peer-ip> ipsec-attributes
    ikev2 remote-authentication pre-shared-key <your-pre-shared-key>
    ikev2 local-authentication pre-shared-key <your-pre-shared-key>
   ```

   Replace `<peer-ip>` with the IP address of the remote peer and `<your-pre-shared-key>` with the actual key.

### II. Using Public Key Infrastructure (PKI)

1. **Generate an RSA Key Pair**:

   ```
   crypto key generate rsa usage-keys label <key-label> modulus 2048
   ```

   Replace `<key-label>` with a label for the key.

2. **Enroll with a Certificate Authority (CA)**:

   Configure the ASA to request a certificate from a CA and bind the trustpoint to the key pair generated above:

   ```
   crypto ca trustpoint <trustpoint-name>
    enrollment url http://<CA-url>
    subject-name CN=<your-common-name>
    keypair <key-label>
   ```

3. **Configure ISAKMP Policy**:

   Similar to PSK but specify `rsa-sig` for authentication:

   ```
   crypto ikev2 policy 20
    encryption aes-256
    integrity sha256
    group 14
    prf sha256
    lifetime seconds 86400
   ```

4. **Bind the Certificate to the Tunnel Group**:

   ```
   tunnel-group <peer-ip> type ipsec-l2l
   tunnel-group <peer-ip> ipsec-attributes
    ikev2 remote-authentication certificate
    ikev2 local-authentication certificate <trustpoint-name>
   ```

## Configuring IPSec (IKE Phase 2)

Once the IKE Phase 1 configuration is in place, the next step is to configure IPSec, which involves creating interesting traffic ACLs, defining transform sets, and binding these elements together in a crypto map.

1. **Create an Extended ACL**:

   This ACL defines the traffic that will be encrypted. ASA access lists take a subnet mask, not an inverse wildcard mask.

   ```
   access-list <acl-name> extended permit ip <source-net> <source-mask> <destination-net> <destination-mask>
   ```

2. **Create IPSec Transform Set**:

   This set specifies how the IPSec tunnel will encrypt and authenticate data. With IKEv2 on the ASA it is expressed as an IPSec proposal rather than an IKEv1 transform set:

   ```
   crypto ipsec ikev2 ipsec-proposal <transform-set-name>
    protocol esp encryption aes-256
    protocol esp integrity sha-256
   ```

3. **Create a Crypto Map**:

   The crypto map binds the policy together. On the ASA each attribute is a separate `crypto map` line:

   ```
   crypto map <map-name> 10 match address <acl-name>
   crypto map <map-name> 10 set peer <peer-ip>
   crypto map <map-name> 10 set ikev2 ipsec-proposal <transform-set-name>
   ```

4. **Apply the Crypto Map to an Interface**:

   Finally, apply the crypto map to the egress interface and enable IKEv2 on that interface to bring up the tunnel.

   ```
   crypto map <map-name> interface <interface-name>
   crypto ikev2 enable <interface-name>
   ```

## Conclusion

With the enhancements introduced in ASA software versions 9.7 and later, configuring IKE and IPSec has become more efficient and secure. Whether using PSK or PKI, the streamlined processes allow for quick setups and robust security configurations.

For network administrators, adopting these updated methods not only enhances security posture but also ensures compatibility with modern networking standards. Always refer to Cisco’s latest documentation for updates and best practices as technologies continue to evolve.

Cisco ASA Key Management Changes After Version 9.7


Cisco ASA Security Evolution After Version 9.7

In the realm of network security, the evolution of protocols and techniques is vital to safeguarding data and communications. As technology advances, so do the methodologies for establishing secure connections, particularly in the context of virtual private networks (VPNs).

A significant milestone in this evolution was the introduction of ISAKMP (Internet Security Association and Key Management Protocol) and Oakley, which laid the groundwork for establishing secure communications.

However, Cisco's Adaptive Security Appliance (ASA) has undergone notable changes since version 9.7, shifting towards more advanced mechanisms that enhance security and efficiency in key management.

This article explores the key differences and improvements in the Cisco ASA post-9.7 environment.


ISAKMP and Oakley: The Legacy Protocols

Historically, ISAKMP (RFC 2408) served as a framework for managing Security Associations (SAs) and authenticating peers in IPsec implementations.

The Oakley protocol handled the secure key exchange process.

Oakley enabled the use of multiple Diffie-Hellman (DH) groups for generating shared cryptographic keys between peers.

Key Processes in Classic IPsec Deployment
  • Peer Authentication
    • RSA Signatures
    • RSA Encrypted Nonces
    • Pre-Shared Keys (PSK)
  • Key Agreement
    • Diffie-Hellman key exchange
    • Session key generation
  • Security Association Management
    • Creation of SAs
    • Maintenance of encryption policies

Example Legacy ASA IKEv1 Configuration


crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400



tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key Cisco123

Verification Output Example


ASA# show crypto ikev1 sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0

Local IP        Remote IP        Status
198.51.100.1    203.0.113.2      QM_IDLE

Limitations of Legacy Protocols

  • Higher number of negotiation messages
  • Slower session establishment
  • Limited resilience against DoS attacks
  • Less efficient key rekeying
  • Vulnerabilities to replay attacks

Evolution in Cisco ASA After Version 9.7

Cisco introduced several enhancements in ASA software after version 9.7 to modernize VPN security and improve operational efficiency.


1. Enhanced IKEv2 Support

Internet Key Exchange Version 2 (IKEv2) simplifies negotiation and reduces the number of messages exchanged during tunnel setup.

This results in:

  • Lower latency
  • Faster tunnel establishment
  • Improved resistance to attacks

Example IKEv2 Policy Configuration

crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
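As an added example (not code from the original post), the following Python script audits ASA `crypto ikev1 policy` / `crypto ikev2 policy` blocks such as the legacy and IKEv2 examples above and reports the legacy weaknesses listed earlier: IKEv1 itself, SHA-1 hashing, DH group 2, and a crypto map that never enables PFS. The sample configuration it reads is constructed, and the thresholds (`WEAK_HASHES`, `MIN_DH_GROUP`) are an assumed baseline, not Cisco defaults.

```python
import re
# Constructed sample ASA config (not from a real device): a legacy IKEv1 policy,
# a modern IKEv2 policy, and a crypto map entry that never enables PFS.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 2
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
"""
WEAK_HASHES = {"md5", "sha"}   # assumed baseline; 'hash sha' in an ASA IKEv1 policy is SHA-1
MIN_DH_GROUP = 14              # assumed baseline; groups 1, 2 and 5 are legacy

def parse_policies(config):
    """Collect each 'crypto ikev1|ikev2 policy N' block with its indented attributes."""
    policies, current = [], None
    for line in config.splitlines():
        m = re.match(r"crypto (ikev[12]) policy (\d+)", line)
        if m:
            current = {"version": m.group(1), "id": int(m.group(2)), "attrs": {}}
            policies.append(current)
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current["attrs"][key] = value
        else:
            current = None   # any other top-level line ends the policy block
    return policies

def audit_policy(policy):
    """Return findings for one parsed policy; an empty list means it passes."""
    a, findings = policy["attrs"], []
    tag = f"{policy['version']} policy {policy['id']}"
    if policy["version"] == "ikev1":
        findings.append(f"{tag}: IKEv1 in use, prefer IKEv2")
    if a.get("hash") in WEAK_HASHES or a.get("integrity") in WEAK_HASHES:
        findings.append(f"{tag}: SHA-1/MD5 hash or integrity")
    if int(a.get("group", "0")) < MIN_DH_GROUP:
        findings.append(f"{tag}: DH group {a.get('group')} below group {MIN_DH_GROUP}")
    return findings

def audit_config(config):
    findings = [f for p in parse_policies(config) for f in audit_policy(p)]
    if not re.search(r"^crypto map \S+ \d+ set pfs", config, re.M):
        findings.append("crypto map: no 'set pfs' entry, PFS not enabled")
    return findings
```

Run it over the output of `show running-config crypto` to get the same findings for a live device.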

2. Stronger Authentication Methods

Modern ASA versions support stronger authentication frameworks.

  • Digital Certificates
  • Public Key Infrastructure (PKI)
  • Extended Authentication (XAuth)

Example Certificate Authentication Configuration

crypto ca trustpoint VPN-CA
 enrollment terminal
 subject-name CN=ASA-VPN
 keypair ASA-VPN-KEY

3. Simplified Configuration and Management

Cisco improved both the CLI structure and graphical interfaces in newer ASA versions.

Benefits include:
  • Faster deployment of VPN policies
  • Easier troubleshooting
  • More organized configuration management

4. Integration with Cisco Umbrella and Advanced Threat Protection

Cisco ASA devices can integrate with Cisco Umbrella to provide DNS-layer security and threat intelligence.

Benefits:
  • Cloud-based threat detection
  • Malicious domain blocking
  • Improved malware prevention

5. Improved Resilience with Perfect Forward Secrecy

Perfect Forward Secrecy (PFS) ensures that even if long-term encryption keys are compromised, past sessions remain secure.

This is achieved through ephemeral Diffie-Hellman exchanges.

Example PFS Configuration

crypto map OUTSIDE_MAP 10 set pfs group14

6. Support for Next-Generation Cryptography

Modern ASA versions support advanced cryptographic algorithms including:

  • AES-GCM encryption
  • SHA-2 hashing
  • Stronger Diffie-Hellman groups

Example AES-GCM Configuration

crypto ipsec ikev2 ipsec-proposal AES-GCM-POLICY
 protocol esp encryption aes-gcm-256

CLI Verification Example


ASA# show crypto ikev2 sa

IKEv2 SAs:

Session-id: 1
Local Address : 198.51.100.1
Remote Address: 203.0.113.2
Status        : READY
Encryption    : AES-256
Integrity     : SHA256
DH Group      : 14

💡 Key Takeaways

  • Legacy VPN deployments relied heavily on ISAKMP and Oakley.
  • Cisco ASA post-9.7 emphasizes IKEv2 and stronger cryptography.
  • Security improvements include:
    • Perfect Forward Secrecy
    • AES-GCM encryption
    • PKI-based authentication
  • Integration with Cisco security platforms improves threat intelligence.
  • Modern ASA configurations simplify VPN management and increase scalability.

Conclusion

The landscape of network security continues to evolve, and Cisco ASA has adapted to these changes effectively.

The transition from ISAKMP and Oakley to IKEv2 and advanced security protocols after version 9.7 represents a significant advancement in VPN key management and secure communications.

By adopting modern cryptographic techniques and integrating with advanced security platforms, Cisco ASA helps organizations maintain a strong defense against modern cyber threats.

Understanding these developments enables network administrators to implement stronger and more resilient security architectures.



Network Topology Example

This simplified topology shows a typical Site-to-Site VPN deployment using Cisco ASA.

[Diagram: Branch ASA <-> Internet <-> HQ ASA, joined by an encrypted IPsec tunnel]

Branch LAN (192.168.1.0/24) communicates securely with HQ LAN (192.168.2.0/24) through an encrypted tunnel across the public internet.


How VPN Packet Flow Works

Step 1 — Interesting Traffic Detection

Traffic matching the VPN ACL is identified as interesting traffic.


access-list VPN-TRAFFIC permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

Step 2 — IKE Phase 1 Negotiation

Peers authenticate and create a secure management channel.


crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14

Step 3 — IKE Phase 2 / IPsec SA Creation

Data channel encryption parameters are negotiated.


crypto ipsec ikev2 ipsec-proposal VPN-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256

Step 4 — Secure Data Transmission

Packets are encrypted before being transmitted over the internet.


ASA VPN Troubleshooting Commands

These commands are essential for diagnosing VPN issues.

Check IKEv2 Security Associations


show crypto ikev2 sa

Check IPsec Tunnel Status


show crypto ipsec sa

Check VPN Session Database


show vpn-sessiondb l2l

Enable Debugging


debug crypto ikev2 protocol
debug crypto ipsec

Clear VPN Sessions


clear crypto ikev2 sa
clear crypto ipsec sa

ASA Legacy vs Modern VPN Comparison

Feature               Legacy (IKEv1)    Modern (IKEv2)
Handshake Messages    6 messages        4 messages
Mobility Support      No                Yes
DoS Protection        Limited           Improved
Rekey Efficiency      Lower             Higher
Security Algorithms   Basic             Modern cryptography


Hands-On Practice Lab

Use the following practice scenario to test your understanding of configuring a Site-to-Site VPN using Cisco ASA.

Lab Scenario

  • Branch LAN: 192.168.10.0/24
  • HQ LAN: 192.168.20.0/24
  • Branch ASA Public IP: 203.0.113.1
  • HQ ASA Public IP: 198.51.100.1

Tasks

  1. Create an IKEv2 policy
  2. Configure an IPsec proposal
  3. Create a crypto map
  4. Apply the crypto map to the outside interface
  5. Verify tunnel status

Solution: Complete ASA VPN Configuration

Step 1 — Define Interesting Traffic


access-list VPN-TRAFFIC permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0

Step 2 — Configure IKEv2 Policy


crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

Step 3 — Configure IPsec Proposal


crypto ipsec ikev2 ipsec-proposal VPN-PROPOSAL
 protocol esp encryption aes-256
 protocol esp integrity sha-256

Step 4 — Configure Tunnel Group


tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key Cisco123
 ikev2 local-authentication pre-shared-key Cisco123

Step 5 — Configure Crypto Map


crypto map VPN-MAP 10 match address VPN-TRAFFIC
crypto map VPN-MAP 10 set peer 198.51.100.1
crypto map VPN-MAP 10 set ikev2 ipsec-proposal VPN-PROPOSAL
crypto map VPN-MAP interface outside

Step 6 — Enable IKEv2


crypto ikev2 enable outside

Verification Commands


show crypto ikev2 sa
show crypto ipsec sa
show vpn-sessiondb l2l

Example Output


ASA# show crypto ikev2 sa

Session-id: 1
Local Address : 203.0.113.1
Remote Address: 198.51.100.1
Status        : READY
Encryption    : AES-256
Integrity     : SHA256
DH Group      : 14

If the status shows READY, the tunnel is successfully established.
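Checking READY by eye does not scale across many tunnels, so here is an added example (not from the original post) of a Python parser for the `show crypto ikev2 sa` listing above that verifies each session is READY and that its negotiated encryption, integrity and DH group meet a minimum baseline. The sample output is constructed from the listing above and `BASELINE` is an assumed editorial minimum, not a Cisco default.

```python
import re
# Constructed sample output modelled on the 'show crypto ikev2 sa' listing above
# (not captured from a real ASA).
SAMPLE_OUTPUT = """\
IKEv2 SAs:

Session-id: 1
Local Address : 203.0.113.1
Remote Address: 198.51.100.1
Status        : READY
Encryption    : AES-256
Integrity     : SHA256
DH Group      : 14
"""

# Assumed minimum baseline for a healthy tunnel (editorial choice, not a Cisco default).
BASELINE = {"Encryption": {"AES-256", "AES-GCM-256"},
            "Integrity": {"SHA256", "SHA384", "SHA512"},
            "min_dh_group": 14}

def parse_ikev2_sa(output):
    """Split the listing into one dict per Session-id, keyed by the 'Name : Value' labels."""
    sessions, current = [], None
    for line in output.splitlines():
        m = re.match(r"\s*Session-id:\s*(\d+)", line)
        if m:
            current = {"Session-id": int(m.group(1))}
            sessions.append(current)
        elif current is not None and (m := re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\S+)", line)):
            current[m.group(1)] = m.group(2)
    return sessions

def check_session(sa, baseline=BASELINE):
    """Return (ok, reasons): ok only when the SA is READY and meets the baseline."""
    reasons = []
    if sa.get("Status") != "READY":
        reasons.append(f"status {sa.get('Status')} (expected READY)")
    if sa.get("Encryption") not in baseline["Encryption"]:
        reasons.append(f"encryption {sa.get('Encryption')} below baseline")
    if sa.get("Integrity") not in baseline["Integrity"]:
        reasons.append(f"integrity {sa.get('Integrity')} below baseline")
    if int(sa.get("DH Group", "0")) < baseline["min_dh_group"]:
        reasons.append(f"DH group {sa.get('DH Group')} below {baseline['min_dh_group']}")
    return (not reasons, reasons)

def check_all(output):
    """Map each remote peer address to its (ok, reasons) verdict."""
    return {sa["Remote Address"]: check_session(sa) for sa in parse_ikev2_sa(output)}
```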


