Site-to-site VPN using IKEv2 - how?

JabbingGesture · March 11, 2025, 2:46pm

Here it is :

interface Tunnel1
 nameif vti_aws_xxx
 ip address 169.254.x.x 255.255.255.252
 tunnel source interface xxx
 tunnel destination 52.213.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS
!
interface Tunnel2
 nameif vti_aws_yyy
 ip address 169.254.y.y 255.255.255.252
 tunnel source interface xxx
 tunnel destination 52.72.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AWS
!
route vti_aws_xxx 10.0.0.0 255.255.0.0 169.254.x.x 100
route vti_aws_yyy 10.0.0.0 255.255.0.0 169.254.y.y 200
!
crypto ikev2 policy 5
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 28800
!
crypto ipsec ikev2 ipsec-proposal AES-256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec profile AWS
 set ikev1 transform-set ESP-AES-256-SHA
 set pfs group14
 set security-association lifetime seconds 3600
!
group-policy IKEv2-Policy internal
group-policy IKEv2-Policy attributes
 vpn-tunnel-protocol ikev1 ikev2
!
tunnel-group 52.213.x.x type ipsec-l2l
tunnel-group 52.213.x.x general-attributes
 default-group-policy IKEv2-Policy
tunnel-group 52.213.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key xxxxx
 ikev2 local-authentication pre-shared-key xxxxx
!
tunnel-group 52.72.x.x type ipsec-l2l
tunnel-group 52.72.x.x general-attributes
 default-group-policy IKEv2-Policy
tunnel-group 52.72.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key xxxxx
 ikev2 local-authentication pre-shared-key xxxxx

JabbingGesture · March 11, 2025, 2:46pm

Thanks for the advice, will try that!

Regarding the performance issue, that it is only found when using PFS group 14 on phase 2. With PFS group 5, I have a normal behavior.

j-dev · March 11, 2025, 2:46pm

You are an angel from the heavens above.

j-dev · March 11, 2025, 2:46pm

Gotcha. Thanks for that. Maybe I’ll try it with my home Meraki FW and see what happens. I have to do this next week and want to be confident that it will work.

skbun · March 11, 2025, 2:46pm

I edited the VTI configuration to demonstrate both tunnels in play as active-active. And, obviously, if people find instability or problems in the long term with the basic setup above, I’d want to know their findings!

skbun · March 11, 2025, 2:46pm

And one MORE edit made, based on the finding that with phase1 using DH14, and phase 2 using PFS DH5, the tunnels drop at each rekey interval.

Changing this to phase 1 DH14 and phase 2 DH14, the tunnels now stay up after each phase2 rekey interval.