thanks shone ,

i have few doubts

1) the below config transform set name says ikev1 what it stands for , is it for ipsec or isakmp parameters

as i belive in ipsec tunnel we have to give parameters for for both phases .

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

2) below config has lifetime which one is for ipsec and which fr isakmp

crypto map vpn_map 10 set security-association lifetime seconds 28800

crypto map vpn_map 10 set security-association lifetime kilobytes 2147483647

3)in below config which is also in attachment earlier , the parameters says two sets confused why is it like this

crypto map vpn_map 46 set ikev1 transform-set ESP-AES-256-SHA ESP-3DES-MD5

appreciate the help

if any one can please help me to understand

1. ikev1 - IKEv1 transform sets for IPSec not for isakmp.

"

   Understanding IKEv1 Transform Sets and IKEv2 Proposals

An IKEv1 transform set or an IKEv2 proposal is a combination of security protocols and algorithms that define how the ASA protects data. During IPsec SA negotiations, the peers must identify a transform set or proposal that is the same at both peers. The ASA then applies the matching transform set or proposal to create an SA that protects data flows in the access list for that crypto map.

With IKEv1 transform sets, you set one value for each parameter. For IKEv2 proposals, you can configure multiple encryption and authentication types and multiple integrity algorithms for a single proposal. The ASA orders the settings from the most secure to the least secure and negotiates with the peer using that order. This allows you to potentially send a single proposal to convey all the allowed combinations instead of the need to send each allowed combination individually as with IKEv1.

The ASA tears down the tunnel if you change the definition of the transform set or proposal used to create its SA. See "Clearing Security Associations" for further information.

"

2. both for ipsec data encription

"  Changing IPsec SA Lifetimes

You can change the global lifetime values that the ASA uses when negotiating new IPsec SAs. You can override these global lifetime values for a particular crypto map.

IPsec SAs use a derived, shared, secret key. The key is an integral part of the SA; the keys time out together to require the key to refresh. Each SA has two lifetimes: timed and traffic-volume. An SA expires after the respective lifetime and negotiations begin for a new one. The default lifetimes are 28,800 seconds (eight hours) and 4,608,000 kilobytes (10 megabytes per second for one hour).

If you change a global lifetime, the ASA drops the tunnel. It uses the new value in the negotiation of subsequently established SAs.

When a crypto map does not have configured lifetime values and the ASA requests a new SA, it inserts the global lifetime values used in the existing SA into the request sent to the peer. When a peer receives a negotiation request, it uses the smaller of either the lifetime value the peer proposes or the locally configured lifetime value as the lifetime of the new SA.

The peers negotiate a new SA before crossing the lifetime threshold of the existing SA to ensure that a new SA is ready when the existing one expires. The peers negotiate a new SA when about 5 to 15 percent of the lifetime of the existing SA remains.

"

3. for selecting between tranform-sets when negotiation ipsec parameters. first matched for both peers is elected for encription.

Thanks for grade answer   

thanks for detalied reply . i have 3 more queries sorry for being pain .

1)in case of below config it means that ikev1 and ikev2 both will be checked and any of the three parameters will work for ipsec phase 2

crypto map vpn_map 115 set ikev1 transform-set ESP-AES-256-SHA

crypto map vpn_map 115 set ikev2 ipsec-proposal AES-256 AEC-192 AES 3DES DES

2)what about the isakmp parameters where tunnel will pick it up from as i cant find it .

3) in the transform set like below example we dont see any mapping to vpn_map , how transform set will know which vpn-map it has to use this key for vpn-map 10 , vpn-map-45 , vpn-map 115 etc .

tunnel-group d.d.d.d type ipsec-l2l

tunnel-group d.d.d.d ipsec-attributes

ikev1 pre-shared-key

thanks in advance

the document shared earlier helped me in getting answer

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_site2site.html

thanks for help

still if i can get answer of 1st question will be helpul

for 3rd question it will be recognized by the group name which for ipsec tunnel we should always give peer ip , is that right ?

thanks for help 

1. When AnyConnect client initiate connection to server, ikev2 used. Typicaly use ikev1. In first case by config listed tranformset elected between two transform sets.

3. yes that's right.

THT

another one please is any conecct vpn different from client to site vpn .

regards

amit

AnyConnect - is name of new version Cisco VPN Client.