09-04-2008 02:34 AM
I have some confusion about VPN configuration. In my ASA, the below-mentioned IKE phase 1 parameters are already configured.
crypto isakmp policy 1
authentication pre-share
encryption des
hash sha
group 2
lifetime 43200
crypto isakmp policy 9
authentication pre-share
encryption des
hash md5
group 1
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 20
Last week I configured one new L2L VPN. For the IPsec phase, I added the below-mentioned lines:
crypto map toremote 20 match address remotevpn2
crypto map toremote 20 set peer x.x.x.x
crypto map toremote 20 set transform-set strong
crypto map toremote 20 set security-association lifetime seconds 28800
Now my question is: crypto map seq no. 20 does not match any IKE phase 1 seq no. (1, 9, 10, 30) that is already configured. But the VPN is up and working fine. How does it associate a particular IKE phase 1 policy with IPsec?
If I want to configure a new VPN with different parameters in IKE phase 1, like 3DES, SHA1, lifetime 86400, what configuration do I have to do in IKE phase 1?
Regards,
som
09-04-2008 04:41 AM
the isakmp policy number and the ipsec policy number do not need to match, either on your ASA or with the other end. They are two separate phases of the negotiation. The ASA will compare your policy with the far end's, starting at the lowest policy number, until a match is found.
I usually put the most secure policies first (i.e. with lowest policy number).
To create a new policy, just add it with a new policy number, wherever you want it in the order.
09-04-2008 05:04 AM
Hi,
In my ASA, all crypto isakmp policies are configured with DES and SHA. Now I need to configure a new VPN with the below-mentioned parameters:
Encryption method Phase 1 3DES
Hash / Authentication Phase 1 SHA1
Encryption method Phase 2 3DES
Hash / Authentication Phase 2 SHA1
IPSec SA Lifetime in seconds 3600
IKE SA Lifetime in seconds 86400
DH group 2
Please see my configuration:
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ipsec transform-set ssss esp-3des esp-sha-hmac
crypto map toremote 60 match address abc
crypto map toremote 60 set peer x.x.x.x
crypto map toremote 60 set transform-set ssss
crypto map toremote 60 set security-association lifetime seconds 3600
crypto map toremote interface outside
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
pre-shared-key #####
Is the above configuration OK? If I do not configure the new crypto isakmp policy (40), will it work?
regards,
som
09-04-2008 07:00 AM
Som, the config you suggest is correct. And you do need to add "crypto isakmp policy 40".
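The two answers above (phase 1 and phase 2 numbering are independent; the ASA walks its isakmp policies from the lowest number up and takes the first match; a 3DES peer needs a 3DES policy, hence policy 40) can be checked with a small model. This is an added example, not code from the thread or from Cisco. It builds the four posted isakmp policies and the proposed policy 40, then runs a peer proposal against them. Assumptions: the lifetime rule (the responder's lifetime must not exceed the proposed one, and the shorter value is used) is taken from Cisco's IKEv1 documentation and is modelled, not verified on a device; the "weak parameter" notes reflect current guidance, not the 2008 thread.

```python
"""Model of IKEv1 phase-1 policy selection on a Cisco ASA (added example).

Reproduces the isakmp policies posted in the thread and the matching rule
the answer describes: policies are tried in ascending policy-number order
and the first one matching a peer proposal wins. The crypto map sequence
number never enters the phase-1 decision.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # "crypto isakmp policy <n>"; lowest is tried first
    encryption: str      # des | 3des | aes | aes-192 | aes-256
    hash_alg: str        # "hash md5" | "hash sha"
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds
    authentication: str = "pre-share"


# Constructed from the four policies posted in the first message.
LOCAL_POLICIES = [
    IsakmpPolicy(1, "des", "sha", 2, 43200),
    IsakmpPolicy(9, "des", "md5", 1, 86400),
    IsakmpPolicy(10, "des", "sha", 2, 86400),
    IsakmpPolicy(30, "des", "md5", 2, 86400),
]

# The policy proposed in the follow-up post (3DES / SHA / group 2 / 86400).
POLICY_40 = IsakmpPolicy(40, "3des", "sha", 2, 86400)


def negotiate_phase1(local, proposals):
    """Return (matched local policy, negotiated lifetime), or None if no match.

    Walks local policies from the lowest priority number upward and compares
    each against every proposal the peer sent.
    """
    for pol in sorted(local, key=lambda p: p.priority):
        for prop in proposals:
            same_suite = (
                (pol.encryption, pol.hash_alg, pol.group, pol.authentication)
                == (prop.encryption, prop.hash_alg, prop.group, prop.authentication)
            )
            # Assumed lifetime rule (Cisco IKEv1 docs): the responder's lifetime
            # must not exceed the proposal's; the shorter one is then used.
            if same_suite and pol.lifetime <= prop.lifetime:
                return pol, pol.lifetime
    return None


def weak_parameters(p):
    """List why a policy is weak by today's standards (empty list means none)."""
    notes = []
    if p.encryption == "des":
        notes.append("DES: 56-bit key")
    elif p.encryption == "3des":
        notes.append("3DES: legacy 64-bit block cipher")
    if p.hash_alg == "md5":
        notes.append("MD5 integrity")
    if p.group in (1, 2, 5):
        notes.append(f"DH group {p.group}: modulus under 2048 bits")
    return notes


def misordered(local):
    """Priorities of policies that are weaker than some later (higher-numbered) one.

    Turns the answer's advice "most secure policies first" into a check;
    weakness is measured as the number of notes from weak_parameters().
    """
    ordered = sorted(local, key=lambda p: p.priority)
    scores = [len(weak_parameters(p)) for p in ordered]
    return [p.priority for i, p in enumerate(ordered)
            if any(scores[i] > s for s in scores[i + 1:])]


if __name__ == "__main__":
    des_peer = [IsakmpPolicy(0, "des", "sha", 2, 86400)]    # constructed peer proposal
    tdes_peer = [IsakmpPolicy(0, "3des", "sha", 2, 86400)]  # constructed peer proposal
    # Existing L2L peer offering DES/SHA/group 2: policy 1 wins, lifetime 43200.
    print(negotiate_phase1(LOCAL_POLICIES, des_peer))
    # New 3DES peer against the four original policies: no phase-1 match.
    print(negotiate_phase1(LOCAL_POLICIES, tdes_peer))
    # Same peer once "crypto isakmp policy 40" is added: policy 40 matches.
    print(negotiate_phase1(LOCAL_POLICIES + [POLICY_40], tdes_peer))
    for pol in LOCAL_POLICIES + [POLICY_40]:
        print(pol.priority, weak_parameters(pol))
    print("weaker policy numbered before a stronger one:",
          misordered(LOCAL_POLICIES + [POLICY_40]))
```

Run as a script it shows the three outcomes the thread discusses: the DES peer lands on policy 1 (with the shorter 43200 lifetime), the 3DES peer fails against the original four policies and succeeds only once policy 40 exists, and policies 9 and 30 sit ahead of stronger ones in the order.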
09-04-2008 08:53 PM
Hi,
Yes, I got it. Thank you very much.
regards,
som