ipsec vpn map

Unanswered Question
May 6th, 2012
User Badges:

hello guys ,

i have started managing a asa 5510 firewall which is already having 10 ipsec tunnels , the problem i am facing is they are configured as "ipsec vpn map"

i have attached sample config . , i am finding it difficult to understand the parameters used in each tunnel as the configration seems bit complex to me ,  if possible can anyone advice how it works .



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Shone_Aleksey Sun, 05/06/2012 - 10:43
User Badges:

Hello, amit!

In config that attached:

crypto map vpn_map 10 match address acl_z

crypto map vpn_map 10 set pfs

crypto map vpn_map 10 set peer z.z.z.z

crypto map vpn_map 10 set ikev1 transform-set ESP-AES-256-SHA

crypto map vpn_map 10 set security-association lifetime seconds 28800

crypto map vpn_map 10 set security-association lifetime kilobytes 2147483647

1. vpn_map - name of ipsec vpn map. That map already applyed to outside interface.

2. match address acl_z - defined "interested" traffic that encrypted and sent to vpn tunnel. On other side  acl must be "mirrored".

3. set peer z.z.z.z - defined peer ip-address. The tunnel establish with this address.

4. set ikev1 transform-set ESP-AES-256-SHA - select transformation (encryption parameters for that tunnel (must be the same on both peers. ikev1 - version of isakmp protocol. ESP-AES-256-SHA - name of set of parameters. tranformset already defined in config earler (on top).

5. security-association lifetime - threshold values for start secret keys changing in tunnel. for  enchance security.

6.  set pfs for more security. (optional)

For each peer (tunnel), vpn_map subset should be created, therefor in config you see:

crypto map vpn_map 10


crypto map vpn_map 20


crypto map vpn_map 30.

and map threated from smallest to higthest order number. First traffic that matched to access-list will be send to apopriated vpn peer and tunnel will be establish.

Next config section include:

tunnel-group a.a.a.a type ipsec-l2l

tunnel-group a.a.a.a ipsec-attributes

ikev1 pre-shared-key

That create tunnel-group a.a.a.a with type of tunnel set to  "ipsec-l2l" (Site-to-Site)

a.a.a.a - name of the tunnel-group. For ipsec-l2l must be ip-address of the peer on other side of that tunnel.

Then there tunnel's attributes.


For more info:


amit bhatnagar Sun, 05/06/2012 - 14:50
User Badges:

thanks shone ,

i have few doubts

1) the below config transform set name says ikev1 what it stands for , is it for ipsec or isakmp parameters

as i belive in ipsec tunnel we have to give parameters for for both phases .

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

2) below config has lifetime which one is for ipsec and which fr isakmp

crypto map vpn_map 10 set security-association lifetime seconds 28800

crypto map vpn_map 10 set security-association lifetime kilobytes 2147483647

3)in below config which is also in attachment earlier , the parameters says two sets confused why is it like this

crypto map vpn_map 46 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5

appreciate the help

Shone_Aleksey Mon, 05/07/2012 - 06:16
User Badges:

1. ikev1 - IKEv1 transform sets for IPSec not for isakmp.


   Understanding IKEv1 Transform Sets and IKEv2 Proposals

An IKEv1 transform set or an IKEv2 proposal is a combination of security protocols and algorithms that define how the ASA protects data. During IPsec SA negotiations, the peers must identify a transform set or proposal that is the same at both peers. The ASA then applies the matching transform set or proposal to create an SA that protects data flows in the access list for that crypto map.

With IKEv1 transform sets, you set one value for each parameter. For IKEv2 proposals, you can configure multiple encryption and authentication types and multiple integrity algorithms for a single proposal. The ASA orders the settings from the most secure to the least secure and negotiates with the peer using that order. This allows you to potentially send a single proposal to convey all the allowed combinations instead of the need to send each allowed combination individually as with IKEv1.

The ASA tears down the tunnel if you change the definition of the transform set or proposal used to create its SA. See "Clearing Security Associations" for further information.


2. both for ipsec data encription

"  Changing IPsec SA Lifetimes

You can change the global lifetime values that the ASA uses when negotiating new IPsec SAs. You can override these global lifetime values for a particular crypto map.

IPsec SAs use a derived, shared, secret key. The key is an integral part of the SA; the keys time out together to require the key to refresh. Each SA has two lifetimes: timed and traffic-volume. An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).

If you change a global lifetime, the ASA drops the tunnel. It uses the new value in the negotiation of subsequently established SAs.

When a crypto map does not have configured lifetime values and the ASA requests a new SA, it inserts the global lifetime values used in the existing SA into the request sent to the peer. When a peer receives a negotiation request, it uses the smaller of either the lifetime value the peer proposes or the locally configured lifetime value as the lifetime of the new SA.

The peers negotiate a new SA before crossing the lifetime threshold of the existing SA to ensure that a new SA is ready when the existing one expires. The peers negotiate a new SA when about 5 to 15 percent of the lifetime of the existing SA remains.


3. for selecting between tranform-sets when negotiation ipsec parameters. first matched for both peers is elected for encription.

Thanks for grade answer   

amit bhatnagar Mon, 05/07/2012 - 07:27
User Badges:

thanks for detalied reply . i have 3 more queries sorry for being pain .

1)in case of below config it means that ikev1 and ikev2 both will be checked and any of the three parameters will work for ipsec phase 2

crypto map vpn_map 115 set ikev1 transform-set ESP-AES-256-SHA

crypto map vpn_map 115 set ikev2 ipsec-proposal AES-256 AEC-192 AES 3DES DES

2)what about the isakmp parameters where tunnel will pick it up from as i cant find it .

3) in the transform set like below example we dont see any mapping to vpn_map , how transform set will know which vpn-map it has to use this key for vpn-map 10 , vpn-map-45 , vpn-map 115 etc .

tunnel-group d.d.d.d type ipsec-l2l

tunnel-group d.d.d.d ipsec-attributes

ikev1 pre-shared-key

thanks in advance

Shone_Aleksey Mon, 05/07/2012 - 12:50
User Badges:

1. When AnyConnect client initiate connection to server, ikev2 used. Typicaly use ikev1. In first case by config listed tranformset elected between two transform sets.

3. yes that's right.


amit bhatnagar Mon, 05/07/2012 - 13:53
User Badges:

another one please is any conecct vpn different from client to site vpn .




This Discussion