
Anypoint VPN IKEv2 Configuration for Cisco ASA devices using Static routing

Publication date: Aug 6, 2025
Task

GOAL

The standard configuration files generated for all VPN devices use the minimum accepted values, which means IKEv1. This article provides the IKEv2 configuration steps for Anypoint VPN with Cisco ASA devices using static routing. For IKEv2 with dynamic routing, refer to: Anypoint VPN IKEv2 Configuration for Cisco ASA devices using BGP routing

Note: IKEv2 is supported with route-based VPNs only. The ASA must therefore run version 9.7.1 or later, which adds support for the required Virtual Tunnel Interface (VTI).

Important: This Knowledge Article aims to provide basic guidelines for configuring Anypoint VPN with Cisco ASA devices. The contents of the article are to be used at your own risk and are provided as-is. For further information on configuring Cisco ASA devices, please reach out to Cisco support. 

Steps
Note: Labels are defined in capital letters, and should be adjusted to match your device configuration. For example, in crypto ikev2 enable OUTSIDE replace OUTSIDE with the name of the outside interface of your ASA.

1. Internet Key Exchange (IKE) Configuration

A policy is established for the supported IKEv2 (phase 1) encryption, integrity, Diffie-Hellman group, pseudo-random function (PRF) and lifetime parameters. This policy is defined as number 200, but you may change this sequence number to avoid conflicts with any existing configuration.
  • This sample configuration represents the minimum requirement of AES-128, SHA-1, and DH group 2.
  • You may modify the configuration to use AES-256, SHA-256, or DH groups 2, 14-18, 22, 23, and 24. DH group 2 is a 1024-bit MODP group and SHA-1 is the weakest accepted integrity algorithm, so prefer group 14 or higher and SHA-256 whenever both ends support them.
  • The lifetime value should remain the same (28000 s, which is 7 h 46 min 40 s).
  • The public IP address of your VPN device must be a static address.
crypto ikev2 enable OUTSIDE

crypto ikev2 policy 200
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 28000

2. IPsec Configuration

The IPsec proposal and profile define the encryption, integrity, PFS group and SA lifetime parameters for the phase 2 (child) SAs.
  • You may modify the configuration to use AES-256, SHA-256, or DH groups 2, 14-18, 22, 23, and 24; the same preference for group 14 or higher applies to the PFS group.
  • PFS must be enabled.
  • The lifetime value should remain the same (3000 s / 50 min).
crypto ipsec ikev2 ipsec-proposal MULESOFT
 protocol esp encryption aes-128
 protocol esp integrity sha

crypto ipsec profile MULESOFT
 set ikev2 ipsec-proposal MULESOFT
 set pfs group 2
 set security-association lifetime seconds 3000
The tunnel group defines the pre-shared key (PSK) used to authenticate the tunnel endpoint. With IKEv2 the ASA takes separate local and remote keys; Anypoint VPN uses the same key in both directions, so enter the tunnel's PSK for both commands.
  • IPsec Dead Peer Detection (DPD) must be enabled. The periodic keepalives detect a peer that has gone silent so that the dead Security Association (SA) is torn down and renegotiated instead of black-holing traffic.
  • Replace the IP addresses and <PSK> with the values assigned to your tunnels.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 isakmp keepalive threshold 10 retry 10
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 isakmp keepalive threshold 10 retry 10
 ikev2 remote-authentication pre-shared-key <PSK>
 ikev2 local-authentication pre-shared-key <PSK>
Additional IPsec parameters are set here. These are global parameters that may impact other IPsec associations on the same ASA.
  • The clear-df command instructs the ASA to clear the "Don't Fragment" bit on packets that must be fragmented, so that they can be fragmented before encapsulation instead of being dropped.
  • The replay window-size command configures the anti-replay window for accepting out-of-order IPsec packets. A larger window can help if too many packets are dropped as replays because they were reordered in transit between the gateways.
crypto ipsec df-bit clear-df OUTSIDE
crypto ipsec security-association replay window-size 128

3. Configure Tunnel Interfaces

These commands configure the logical tunnel interface (VTI). All traffic routed to the tunnel interface is encrypted and transmitted to the VPC, and traffic from the VPC is logically received on this interface.
  • The tunnel source must be set to the name of the outside interface of your ASA device.
  • The tunnel protection command associates the interface with the IPsec profile, and therefore with the IPsec SA.
  • You must configure both tunnels on your VPN device.
  • Replace the IP addresses and tunnel destinations with the values assigned to your tunnels.
interface Tunnel1
 nameif TUNNEL-1
 ip address 169.254.11.2 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MULESOFT
interface Tunnel2
 nameif TUNNEL-2
 ip address 169.254.12.2 255.255.255.252
 tunnel source interface OUTSIDE
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MULESOFT

4. Configure Static Routes

Your ASA needs to define a static route for the VPC CIDR block so this traffic is sent over the tunnel interface.
The command syntax is: route if_name dest_ip mask gateway_ip [distance]
  • The dest_ip and mask are the destination network, or the VPC CIDR block. In this example, the CIDR block assigned to the VPC is 10.10.0.0/16
  • The gateway_ip is the next-hop address, or the Point-to-Point IP address assigned to the MuleSoft end of the tunnel.
  • The distance determines the route preference; the route with the lower distance wins. In this example the TUNNEL-1 route (distance 100) carries the traffic and the TUNNEL-2 route (distance 200) takes over when the Tunnel1 interface goes down, which is why Dead Peer Detection must be enabled.
route TUNNEL-1 10.10.0.0 255.255.0.0 169.254.11.1 100
route TUNNEL-2 10.10.0.0 255.255.0.0 169.254.12.1 200

5. Verification

  • To view the state of the phase 1 Security Association (SA), use the show crypto ikev2 sa command on the ASA.
  • To view the state of the phase 2 SA, use the show crypto ipsec sa command on the ASA.
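The check below is an added example, not part of the article or of any Cisco or MuleSoft tooling: it parses the output of show crypto ikev2 sa so that a monitoring job can alert when either Anypoint VPN peer lacks a READY IKE SA, which is the condition the verification step asks you to eyeball. The sample output is constructed to resemble what the ASA prints; the tunnel id, SPIs and column spacing are assumptions, and the two regular expressions key only on the tunnel-id/local/remote/status/role row and the Life/Active Time line, so adjust them if your ASA version formats these differently.

```python
"""Parse ASA 'show crypto ikev2 sa' output and report per-peer tunnel health."""
import re
from typing import Dict, List

# Constructed sample shaped like ASA output: the first Anypoint peer has a READY
# IKE SA, the second peer (203.0.113.2) has none. Tunnel id, SPIs and spacing are
# assumptions; adjust SA_LINE / LIFE_LINE if your ASA version prints differently.
SAMPLE_SHOW = """\
IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                 Remote                 Status         Role
 86915    203.0.113.10/500      198.51.100.1/500       READY          INITIATOR
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28000/231 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0xd1f4e5a2/0x3c9b1a7f
"""

# tunnel-id, local addr/port, remote addr/port, status, role
SA_LINE = re.compile(r"^\s*(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)\s*$")
LIFE_LINE = re.compile(r"Life/Active Time:\s*(\d+)/(\d+)\s*sec")


def parse_ike_sas(output: str) -> Dict[str, dict]:
    """Map remote peer address -> IKE SA attributes (tunnel_id, status, role, lifetime, active)."""
    sas: Dict[str, dict] = {}
    current = None
    for line in output.splitlines():
        m = SA_LINE.match(line)
        if m:
            tunnel_id, local, remote, status, role = m.groups()
            current = {"tunnel_id": int(tunnel_id), "local": local, "status": status, "role": role}
            sas[remote] = current
            continue
        m = LIFE_LINE.search(line)
        if m and current is not None:
            current["lifetime"], current["active"] = int(m.group(1)), int(m.group(2))
    return sas


def tunnel_health(output: str, peers: List[str]) -> Dict[str, str]:
    """UP / DEGRADED / DOWN for each expected Anypoint peer address."""
    sas = parse_ike_sas(output)
    health: Dict[str, str] = {}
    for peer in peers:
        sa = sas.get(peer)
        if sa is None:
            health[peer] = "DOWN: no IKEv2 SA with this peer"
        elif sa["status"] != "READY":
            health[peer] = f"DEGRADED: IKE SA status {sa['status']}"
        else:
            health[peer] = "UP"
    return health
```

Feed it the command output captured over SSH and the two peer addresses from your tunnel configuration; a DOWN result for either peer means phase 1 has not completed for that tunnel, which is the point at which the debugs in the next section become useful. Note that a READY phase 1 SA does not by itself prove traffic flows, so pair this with the phase 2 check from show crypto ipsec sa.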

6. Troubleshoot

The ASA debugs for tunnel negotiation are:
  • debug crypto ikev2 protocol
  • debug crypto ikev2 platform
Important: Changing the debug levels on the ASA may increase log verbosity. Please refer to the Cisco documentation for further guidance.
Knowledge article number

001117056

Salesforce Help | Article