ISR Access-List to match IKEv2 (DMVPN)

We have some routers running Hub and Spoke DMVPN. Currently, we use the below ACL inbound on the Internet-facing interface to secure the interface and allow only DMVPN.

We have a mandate to migrate from IKEv1 to IKEv2. Will the ACL still be valid? If not, can anyone suggest what lines I need to modify?

object-group network DMVPN-HUBS
host x.x.x.x
host y.y.y.y
!
object-group network NTP-SERVERS
host 95.81.173.8
host 81.128.218.110
!
ip access-list extended Internet_In
permit gre object-group DMVPN-HUBS any
permit esp object-group DMVPN-HUBS any
permit udp object-group DMVPN-HUBS eq isakmp any
permit udp object-group DMVPN-HUBS any eq isakmp
permit udp object-group NTP-SERVERS eq ntp any
deny ip any any log
!

5 Replies

IKEv1 and IKEv2 use the same UDP port.
Nothing needs to change for your ACL.

Thanks, so the below lines will match it?
permit udp object-group DMVPN-HUBS eq isakmp any
permit udp object-group DMVPN-HUBS any eq isakmp

I was asking because I assumed IKEv2 doesn't use ISAKMP anymore, because the command "show cry isakmp sa" doesn't work anymore with IKEv2.

Both IKEv1 and IKEv2 have a phase 1, with differences in the number of messages and some attribute exchanges between peers.
ISAKMP is the same, as you use UDP/500.
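To make the point concrete, here is an added example (not from the original thread or from Cisco) that parses the Internet_In ACL exactly as posted and evaluates sample flows against it with IOS first-match semantics. The hub addresses x.x.x.x / y.y.y.y are replaced with constructed RFC 5737 documentation addresses, the spoke address and the sample flows are constructed, and the "eq non500-isakmp" lines in the second ACL (IOS keyword for UDP/4500) are an assumption-labelled addition for the NAT traversal case, which the thread does not discuss: if any peer sits behind NAT, IKEv2 and ESP are encapsulated in UDP/4500 and the posted ACL would drop them.

```python
"""Evaluate the thread's Internet_In ACL against sample flows (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# IOS named ports as they expand in extended ACLs (isakmp=500, ntp=123, non500-isakmp=4500).
PORT_NAMES = {"isakmp": 500, "ntp": 123, "non500-isakmp": 4500}

OBJECT_GROUPS = {
    "DMVPN-HUBS": {"192.0.2.10", "192.0.2.20"},        # constructed stand-ins for x.x.x.x / y.y.y.y
    "NTP-SERVERS": {"95.81.173.8", "81.128.218.110"},  # as listed in the question
}

# ACL text copied from the question.
INTERNET_IN = """
permit gre object-group DMVPN-HUBS any
permit esp object-group DMVPN-HUBS any
permit udp object-group DMVPN-HUBS eq isakmp any
permit udp object-group DMVPN-HUBS any eq isakmp
permit udp object-group NTP-SERVERS eq ntp any
deny ip any any log
"""

# Assumption: same ACL extended for NAT-T (UDP/4500); not part of the original post.
INTERNET_IN_WITH_NAT_T = """
permit gre object-group DMVPN-HUBS any
permit esp object-group DMVPN-HUBS any
permit udp object-group DMVPN-HUBS eq isakmp any
permit udp object-group DMVPN-HUBS any eq isakmp
permit udp object-group DMVPN-HUBS eq non500-isakmp any
permit udp object-group DMVPN-HUBS any eq non500-isakmp
permit udp object-group NTP-SERVERS eq ntp any
deny ip any any log
"""


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str                      # gre, esp, udp, tcp or ip (ip matches every protocol)
    src: Optional[FrozenSet[str]]   # None means "any"
    sport: Optional[int]
    dst: Optional[FrozenSet[str]]
    dport: Optional[int]
    log: bool


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def _parse_addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'object-group NAME' starting at token i."""
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return frozenset([t[i + 1]]), i + 2
    if t[i] == "object-group":
        return frozenset(OBJECT_GROUPS[t[i + 1]]), i + 2
    raise ValueError(f"unsupported address form: {t[i]}")


def _parse_port(t, i):
    """Parse an optional 'eq <name|number>' qualifier starting at token i."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str):
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        aces.append(Ace(t[0], t[1], src, sport, dst, dport, "log" in t[i:]))
    return aces


def _matches(ace: Ace, f: Flow) -> bool:
    return (ace.proto in ("ip", f.proto)
            and (ace.src is None or f.src in ace.src)
            and (ace.dst is None or f.dst in ace.dst)
            and (ace.sport is None or f.sport == ace.sport)
            and (ace.dport is None or f.dport == ace.dport))


def evaluate(aces, f: Flow) -> Tuple[str, Optional[int]]:
    """First matching ACE wins; the implicit deny at the end has no line number."""
    for n, ace in enumerate(aces, 1):
        if _matches(ace, f):
            return ace.action, n
    return "deny", None


HUB, SPOKE = "192.0.2.10", "198.51.100.7"   # constructed addresses
SAMPLE_FLOWS: Dict[str, Flow] = {
    "IKEv1 from hub (UDP/500)":       Flow("udp", HUB, SPOKE, 500, 500),
    "IKEv2 IKE_SA_INIT from hub":     Flow("udp", HUB, SPOKE, 500, 500),   # identical 5-tuple shape
    "ESP from hub":                   Flow("esp", HUB, SPOKE),
    "GRE from hub":                   Flow("gre", HUB, SPOKE),
    "NTP reply":                      Flow("udp", "95.81.173.8", SPOKE, 123, 123),
    "IKEv2 over NAT-T (UDP/4500)":    Flow("udp", HUB, SPOKE, 4500, 4500),
    "Unsolicited SSH from Internet":  Flow("tcp", "203.0.113.9", SPOKE, 40000, 22),
}


def audit(aces=None):
    """Return {flow description: (action, matching line)} for the sample flows."""
    aces = aces if aces is not None else parse_acl(INTERNET_IN)
    return {name: evaluate(aces, f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (action, n) in audit().items():
        print(f"{name:32s} -> {action} (line {n})")
```

The ACL lines match on protocol and port, not on IKE version, so the IKEv2 IKE_SA_INIT flow hits the same "eq isakmp" line as IKEv1. The NAT-T flow is the one case where the posted ACL and the migration interact: it falls through to the logging deny, which is also where to look in the logs if a spoke behind NAT stops forming tunnels after the change.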

Thank you for the quick solution

You are so welcome