2016-06-28

In the previous post, I set up an IKEv1 tunnel between RTD-ASA and DMVPN-Hub2.



In this post, we'll change it to an IKEv2 tunnel. For this to work, we will need a certificate authority and an NTP server in place (certificate validity is checked against the local clock, so the time has to be right before any enrolment happens). CA-Flex will perform both of these functions. The Cisco doc for this is here: Cisco ASA to IOS Site-to-Site IKEv2 tunnel.

We start by adding a new loopback to CA-Flex and setting up the NTP service.

Configuring NTP on Cisco IOS
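As an added example (not the configuration from the original post), here is one way to make CA-Flex the lab's NTP source and point both peers at it. The loopback address 10.0.0.1, the interface names and the key string are assumptions; the NTP authentication key is an extra the post does not use, included because an unauthenticated time source can be spoofed, and a skewed clock on either peer makes every certificate look invalid.

```cisco
! --- CA-Flex (IOS): authoritative NTP server for the lab ---
! Assumed: Loopback1 = 10.0.0.1 is reachable from both RTD-ASA and DMVPN-Hub2.
interface Loopback1
 ip address 10.0.0.1 255.255.255.255
!
! Stratum-3 local clock; source all NTP from the loopback so the peer
! address stays stable whichever physical interface the traffic leaves on.
ntp authentication-key 1 md5 NtpLabKey1
ntp trusted-key 1
ntp master 3
ntp source Loopback1
!
! --- DMVPN-Hub2 (IOS): authenticated client ---
ntp authentication-key 1 md5 NtpLabKey1
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.1 key 1 prefer
!
! --- RTD-ASA: authenticated client (ASA syntax is almost identical) ---
ntp authentication-key 1 md5 NtpLabKey1
ntp authenticate
ntp trusted-key 1
ntp server 10.0.0.1 key 1 source inside prefer
!
! --- Verification (exec mode, both platforms) ---
! show ntp status          : look for "Clock is synchronized"
! show ntp associations    : the selected peer is marked with "*"
```

Until the client has completed several poll cycles (the minimum poll interval is 64 seconds, and the peer is not selected until enough samples are in), `show ntp status` reports the clock as unsynchronized even though the configuration is correct, which is the wait described below. If `show ntp associations` shows the peer but it never gets selected, check that the key IDs and strings match on both ends before suspecting reachability.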

After a little time, the clock on the ASA synchronized:

The IOS router (DMVPN-Hub2) took a long time, probably around fifteen minutes or so. I checked and double-checked the settings, and then turned on logging, and debugged NTP (debug ntp all). Eventually, it got there:

I did find this useful article, though, explaining why it can take a while for NTP to update. Now we can set up CA-Flex to be a Certificate Authority (CA).

Configuring a CA on Cisco IOS
IKEv2 can authenticate peers with certificates (RSA signatures) or with pre-shared keys. Pre-shared keys would also work here, but the CA should prove more interesting, so let's create a certificate server.
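As an added example of the certificate server itself (not the post's own config), the following turns CA-Flex into an IOS CA that issues certificates over SCEP. The domain name, issuer name, lifetimes and the CA address 10.0.0.1 are assumptions.

```cisco
! --- CA-Flex (IOS): certificate server for the lab ---
! Assumed: domain lab.local, CA reachable on 10.0.0.1 (Loopback1).
ip domain name lab.local
! SCEP enrolment runs over HTTP, so the web server must be on.
ip http server
!
! Generate the CA key pair before starting the server. The label must match
! the server name, otherwise IOS generates its own (smaller) key at "no shutdown".
! "exportable" is only there so the CA key can be backed up; drop it in production.
crypto key generate rsa label CA-Flex modulus 2048 exportable
!
crypto pki server CA-Flex
 database level complete
 database url flash:
 issuer-name CN=CA-Flex,O=Lab
 hash sha256
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 cdp-url http://10.0.0.1/CA-Flex.crl
 ! grant auto signs every SCEP request that reaches the server. Acceptable in
 ! a closed lab; in production leave it off and approve requests by hand with
 ! "crypto pki server CA-Flex grant <request-id>".
 grant auto
 no shutdown
!
! "no shutdown" prompts for a passphrase protecting the CA database and then
! self-signs the root certificate, dated from the (NTP-synchronized) clock.
!
! --- Verification ---
! show crypto pki server
! show crypto pki certificates
! show crypto pki server CA-Flex requests
```

Because the root certificate's notBefore date comes from the router's clock at `no shutdown`, start the server only after NTP has synchronized; a root signed while the clock was still at the default date will be rejected by every peer that has the right time.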

Now we set up the routers for PKI. This bit was much harder than expected. I wrote this page twice while trying to get this to work, and in the end, I completely lost track of all the steps I took while troubleshooting, so please excuse the cut-and-paste job. I think part of the issue stems from trying to move from IKEv1 to IKEv2; the little remnants left behind made it messy. I think I'll do another post starting with a clean slate and see if it is smoother.

Below we have the configurations for the ASA and the router.

ASA to IOS IKEv2 tunnel with PKI

ASA config:

IOS config:
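The following is an added, self-contained example of the whole ASA-to-IOS IKEv2 tunnel with certificate authentication; it is not the configuration from the original post. Addresses (ASA outside 192.0.2.1 and LAN 10.1.0.0/24; Hub2 outside 192.0.2.2 and LAN 10.2.0.0/24), the SCEP URL http://10.0.0.1, key labels, map names and interface names are all assumptions.

```cisco
! ==================== RTD-ASA ====================
! --- Enrol with CA-Flex over SCEP ---
crypto key generate rsa label ASA-KEY modulus 2048
crypto ca trustpoint CA-Flex
 enrollment url http://10.0.0.1:80
 subject-name CN=RTD-ASA,O=Lab
 fqdn rtd-asa.lab.local
 keypair ASA-KEY
 revocation-check none
! exec: fetch and fingerprint-check the root, then request the identity cert
crypto ca authenticate CA-Flex
crypto ca enroll CA-Flex
!
! --- IKEv2 (IKE SA) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
!
! --- IPsec and crypto map; keep every ikev1 setting off this entry ---
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list VPN_TRAFFIC extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 192.0.2.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
!
! --- Peer authentication: certificates in both directions ---
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate CA-Flex
!
! ==================== DMVPN-Hub2 (IOS) ====================
ip domain name lab.local
crypto key generate rsa label HUB2-KEY modulus 2048
crypto pki trustpoint CA-Flex
 enrollment url http://10.0.0.1:80
 subject-name CN=DMVPN-Hub2,O=Lab
 fqdn dmvpn-hub2.lab.local
 rsakeypair HUB2-KEY
 revocation-check none
! exec
crypto pki authenticate CA-Flex
crypto pki enroll CA-Flex
!
! Accept only a certificate issued by CA-Flex to the ASA. The profile matches
! on this rather than on an address or FQDN because the ASA, with its default
! "crypto isakmp identity auto", sends its certificate DN as the IKE identity.
crypto pki certificate map ASA-CERT 10
 issuer-name co cn = ca-flex
 subject-name co cn = rtd-asa
!
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-AES256
 proposal PROP-AES256
crypto ikev2 profile ASA-PROFILE
 match certificate ASA-CERT
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint CA-Flex
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN_TRAFFIC
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-AES256
 set ikev2-profile ASA-PROFILE
 match address VPN_TRAFFIC
interface GigabitEthernet0/0
 crypto map CMAP
!
! --- Verification ---
! ASA: show crypto ikev2 sa / show crypto ipsec sa / show crypto ca certificates
! IOS: show crypto ikev2 sa detailed / show crypto ipsec sa / show crypto pki certificates
```

Three things outside the block matter in practice. First, strip the IKEv1 leftovers: an ASA crypto map entry can carry both an `ikev1 transform-set` and an `ikev2 ipsec-proposal`, and the tunnel-group can keep an `ikev1 pre-shared-key`, so an old IKEv1 session can come up and hide a broken IKEv2 configuration; the same goes for `crypto isakmp policy`/`crypto isakmp key` on the IOS side. Second, the ACLs must mirror each other exactly (ASA uses subnet masks, IOS wildcard masks), and if the ASA does NAT, a NAT exemption for the two LANs is needed or the interesting traffic never reaches the crypto map. Third, `revocation-check none` is there to keep the lab moving; with the CA publishing a CRL at its cdp-url, switching it to `revocation-check crl` is the next hardening step.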

So, there we have all the configs; we probably have more than we need and are probably not using all of them, and it has not been a good learning experience. I would have certainly failed this bit in the lab exam. The next step is, therefore, to remove all the tunnel configs and start from scratch. Repetition is good for the memory, and then I can properly lay out all the steps, along with explanations.

I got the desired result:

This is not enough, though; there is not enough time (or the help of Google) in the lab to blunder through. So, I will wipe the configs and start again, until I get it right.