Configuring Cisco ASA IKEv2 Site-to-Site VPN 

Hey Edi, thank you, I'm glad that my videos have helped you. Thank you for showing your support.

Thank you and thank you for watching, I'm glad that it helped

No problem, thank you for watching!

No problem, thank you for watching.

No problem, glad it helped.

Glad it helped, thank you for watching!

@@NetworkWizkid One question for you, if you have multiple ikev2 policies (lets say 10 with different parms) will tunnels choose the best that fits the requirements of the other end during negotiation phase 1 negotiation?

@@1manairband I believe the selection works on the priority of the IKEv2 policy. This is done when you configure the IKEv2 policy and specify the priority number, for example: crypto ikev2 policy 10 - The number 10 is the priority in this case (the lower the number, the higher the priority). I hope that helps (11:30 in the video)

@@NetworkWizkid I did catch that in your video but I was just curious if it worked from top down or bottom up. If priority 1 policy didn't match then would it match priority 2 if that was a better match based on settings?

Yes, I mean it would all depend on the policy used on the other side...if the stars align and we have x2 exact same policies but one has a higher priority then the higher one will be selected.

Did you resolve it in the end? I've recently been apart of some work where VPN's haven't been working how we'd expect them to on the ASA too :-/

@@NetworkWizkid I did resolve it by reapplying the encryption key for both nodes that were main FW and branch FW. It was just a bandaid until my MX84 and MX67 Firewall deployment was done.

At least you got it working bro! I plan on doing more videos with different technologies forming VPNs too in the future.

@@NetworkWizkid That would be great 👍 keep it up. I like videos like this!

Thank you for the support brother!

Thank you Kenny! It's going well, I finish soon and then I'm thinking about going on to do a PhD.

Thank you for watching. Please subscribe if you've found the content useful. The commands that you might be looking for are: show crypto ikev2 sa (if using IKEv2) show crypto ipsecsa show crypto isakmp sa

Thank you Frank. You can view the configuration on my website: networkwizkid.com/2021/09/15/video-configuring-cisco-asa-ikev2-site-to-site-vpns/ Hope that helps and thank you for watching.

Congratulations and I'm glad to hear that you want to study for the CCNP Security. In this video, I am using EVE-NG; I hope that helps.

@@NetworkWizkid I believe I need Cisco images to create the lab but I am not sure where I can them. Do you know where I can find the needed images your EVE-NG? Do I have to purchase a license?

You can find some of them online by searching. Others you may need to have a Cisco account in order to download the software that you need. Most can run off evaluations.

I think it should work. Maybe check the IKEv2 Site-to-Site VPN documentation for further clarity or check out the following link that might help: community.cisco.com/t5/routing/configure-site-to-site-vpn-with-dynamic-ip-on-one-side/td-p/3846935

Glad it worked for you and thank you for watching. I haven't yet but I have made a note and will try and produce some content around this. If you've subscribed, you'll be notified of any new videos that I upload.

@@NetworkWizkid Bro I’m gonna subscribe for you. Your videos very helpful 👍

I have a stand-alone FTD running on my environment, how can I add another FTD from the inside network to FMC?

Hey, check out this video: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-v_uZ9GbICBk.html

Lets take the following scenario as an example: You managed two sites; the corporate office and a smaller branch site. You have been asked to come up with a way to allow access to a corporate office FTP server from the branch site. Now, NAT could be a possibility by simply creating a static NAT policy but at the same time branch traffic to the FTP server is exposed (a good reference here: digitalguardian.com/blog/what-ftp-security-securing-ftp-usage#:~:text=FTP%20was%20not%20built%20to,among%20other%20basic%20attack%20methods.) This is just one example of why a site-to-site VPN would be the better option as it would address confidentiality, integrity and availability concerns. I hope that helps.

Hey, thank you for watching and reaching out. Have you double-checked your ACL's for your interesting traffic? It may be worth posting your configuration into our Discord community so that we can take a look. Here is the link: discord.gg/au9a8DnsQh

A virtual machine in EVE-NG. You can replace it with a PC or other networking device.

@@NetworkWizkid The lab at my job has a switch in place of the vm or PC. Can this configuration still work? I tried it and failed. Please help

If you configured the switch as a L3 device, then so long as routing is in place you should be able to get it to work.

@@NetworkWizkid Both 9200 L's are not configured as L3. The error I'm getting when trying to see the routes are "gateway of last resort is not set"

That's why you are getting the message you are seeing. The switch needs to be able to route the traffic to the destination. Maybe the easier option would be to place a device behind the switch to route to the default gateway and then configure the interesting traffic on the router.