VPN- IKE phase 1 configuration..

somnath21
Level 1

I have some confusion about VPN configuration. In my ASA the IKE phase 1 parameters below are already configured.

crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 9
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20

Last week I configured a new L2L VPN. For the IPsec phase I added the lines below.

crypto map toremote 20 match address remotevpn2
crypto map toremote 20 set peer x.x.x.x
crypto map toremote 20 set transform-set strong
crypto map toremote 20 set security-association lifetime seconds 28800

Now my question is: crypto map sequence number 20 does not match any of the IKE phase 1 policy numbers (1, 9, 10, 30) that are already configured, but the VPN is up and working fine. How does it associate a particular IKE phase 1 policy with IPsec?

If I want to configure a new VPN with different IKE phase 1 parameters, like 3DES, SHA1 and lifetime 86400, what configuration do I have to do in IKE phase 1?

Regards,

som

Accepted Solution

grant.maynard
Level 4

The isakmp policy number and the ipsec policy number do not need to match, either on your ASA or with the other end. They are two separate phases of the negotiation. The ASA will compare your policy with the far end's, starting at the lowest policy number, until a match is found.

I usually put the most secure policies first (i.e. with the lowest policy number).

To create a new policy, just add it with a new policy number, wherever you want it in the order.


4 Replies


Hi,

In my ASA all crypto isakmp policies are configured with DES and SHA. Now I need to configure a new VPN with the parameters below:

Encryption method, Phase 1: 3DES
Hash / Authentication, Phase 1: SHA1
Encryption method, Phase 2: 3DES
Hash / Authentication, Phase 2: SHA1
IPSec SA Lifetime in seconds: 3600
IKE SA Lifetime in seconds: 86400
DH group: 2

Please see my configuration below:

crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ssss esp-3des esp-sha-hmac
crypto map toremote 60 match address abc
crypto map toremote 60 set peer x.x.x.x
crypto map toremote 60 set transform-set ssss
crypto map toremote 60 set security-association lifetime seconds 3600
crypto map toremote interface outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key #####

Is the above configuration OK? If I do not configure the new crypto isakmp policy (40), will it work?

regards,

som

Som, the config you suggest is correct. And you do need to add "crypto isakmp policy 40".
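The policy walk the accepted answer describes (the ASA tries its own policies lowest number first until one matches what the peer proposes), and the reason policy 40 is needed before a 3DES/SHA peer can come up, as an added example that is not part of the original thread and not Cisco's code. It is a Python model of the responder's IKEv1 phase 1 selection: it parses `crypto isakmp policy` blocks from a constructed ASA running-config (three of the thread's policies plus the proposed policy 40), returns the first policy a peer proposal matches, applies the lifetime rule Cisco documents (the peer's lifetime must be less than or equal to the local policy's, and the shorter value is what the SA gets), and flags the attributes a current review would reject. `IsakmpPolicy`, `parse_isakmp_policies`, `select_policy` and `weak_attributes` are names chosen for this example; ASA per-attribute defaults are not modelled, so every policy in the sample is written out in full.

```python
"""Model of how a Cisco ASA picks an IKEv1 (ISAKMP) phase 1 policy (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample running-config: three of the thread's policies plus the proposed policy 40.
ASA_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 9
 authentication pre-share
 encryption des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 40
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 20
"""
ATTRS = ("authentication", "encryption", "hash", "group", "lifetime")

@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int          # the policy number: lower numbers are tried first
    authentication: str
    encryption: str
    hash: str
    group: int
    lifetime: int

    def suite(self) -> tuple:
        """Attributes that must be identical on both peers (lifetime is negotiated)."""
        return (self.authentication, self.encryption, self.hash, self.group)

def parse_isakmp_policies(config: str) -> list[IsakmpPolicy]:
    """Collect every 'crypto isakmp policy N' block, sorted by policy number."""
    blocks: dict[int, dict] = {}
    current: Optional[dict] = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = blocks.setdefault(int(m.group(1)), {})
        elif current is not None and len(line.split()) == 2 and line.split()[0] in ATTRS:
            key, value = line.split()
            current[key] = value
        elif line:                      # any other command ends the policy block
            current = None
    policies = []
    for prio, attrs in blocks.items():
        missing = [a for a in ATTRS if a not in attrs]
        if missing:                     # ASA per-attribute defaults are deliberately not modelled
            raise ValueError(f"policy {prio} is missing {missing}")
        policies.append(IsakmpPolicy(prio, attrs["authentication"], attrs["encryption"],
                                     attrs["hash"], int(attrs["group"]), int(attrs["lifetime"])))
    return sorted(policies, key=lambda p: p.priority)

def select_policy(local: list[IsakmpPolicy],
                  proposals: list[IsakmpPolicy]) -> Optional[tuple[IsakmpPolicy, int]]:
    """Responder side of phase 1: walk local policies lowest number first and accept the
    first one a peer proposal matches. None means no IKE SA, so the tunnel never comes up."""
    for policy in sorted(local, key=lambda p: p.priority):
        for prop in proposals:
            # Cisco's documented rule: identical suite, and the peer's lifetime must not
            # exceed ours; the shorter lifetime (the peer's) is what the SA gets.
            if prop.suite() == policy.suite() and prop.lifetime <= policy.lifetime:
                return policy, prop.lifetime
    return None

def weak_attributes(policy: IsakmpPolicy) -> list[str]:
    """Attributes a current review would reject: DES/3DES, MD5, DH groups below 14."""
    flags = []
    if policy.encryption in ("des", "3des"):
        flags.append(f"encryption {policy.encryption}")
    if policy.hash == "md5":
        flags.append("hash md5")
    if policy.group < 14:
        flags.append(f"group {policy.group}")
    return flags

if __name__ == "__main__":   # the thread's new 3DES/SHA peer, with and without policy 40
    local = parse_isakmp_policies(ASA_CONFIG)
    peer = IsakmpPolicy(0, "pre-share", "3des", "sha", 2, 86400)
    print(select_policy(local, [peer]), select_policy(local[:-1], [peer]))
```

Run against the sample, the 3DES/SHA peer lands on policy 40 and gets a lifetime of 86400; with policy 40 removed the walk exhausts the list and returns None, which is why the new tunnel cannot be brought up on the existing DES-only policies. The lifetime rule also shows why a DES/SHA/group 2 peer offering 86400 is served by policy 10 rather than policy 1 (whose 43200 is shorter). Following the accepted answer's advice, policy 40 is better given a number below the DES policies so it is tried first, and the DES, MD5 and group 1 policies in the thread are ones a current review would retire rather than keep as fallbacks.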

Hi,

Yes, I got it. Thank you very much.

regards,

som