396 Views, 0 Helpful, 5 Replies

Identify crypto policy among list of VPNs

suresh.1275 (Level 1)

Hi,

I have a few VPNs configured on my ASA and I want to edit one VPN's crypto policy (encryption). Can anyone tell me how I can identify a specific VPN among the VPNs which I have?

5 Replies

Collin Clark (VIP Alumni)

A "show run crypto map" will list all your crypto maps. Each crypto map will have a peer associated with it. Match the peer with its crypto map.

crypto map outside_map 1 match address outside_cryptomap_yankees
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 169.254.64.45
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set security-association lifetime seconds 60
crypto map outside_map 3 match address outside_cryptomap_mets
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 198.51.52.53
crypto map outside_map 3 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 3 set ikev1 pre-shared-key *****

Hi Collin,

I got the crypto map which is configured, but I am unable to pull the policy where all encryption and hash values are defined. I want to modify encryption from aes-128 to aes-256, so if I can find the policy then I can change it.

"show run crypto ikev1" will show all the configured phase 1 policies.

Also, to know which policies the tunnel is using, you can run the command:

show vpn-sessiondb detail l2l and search for that peer IP

All,

Thanks for the inputs! I found the right policy and changed encryption to aes-256, but I still see AnyConnect VPN users' DTLS tunnel showing AES-128. I did change the transform-set. Any inputs on this please.

Try "show run crypto ipsec". It will list all the configured IPsec policies. From there you can either create a new one or use a pre-configured one:

crypto ipsec ikev1 transform-set I_LIKE_AES256 esp-aes-256 esp-sha-hmac 

then apply it to your crypto map:

crypto map outside_map 1 set ikev1 transform-set I_LIKE_AES256

You will then need to remove your old one (the command above will append it):

no crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
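Putting the thread's procedure together (list the crypto map entries, match each peer to its entry, then resolve the entry's IKEv1 transform-set or IKEv2 ipsec-proposal to the ciphers it actually allows), here is an added Python example that is not from the thread and not Cisco's code. It parses a constructed running-config excerpt modelled on Collin's "show run crypto map" output and reports every entry that can still negotiate something other than AES-256, which are exactly the entries to edit. The transform-set and ipsec-proposal definitions, entry 5 and its peer 203.0.113.9 are assumptions; the keyword mapping (a bare esp-aes or aes meaning AES-128) follows the ASA's naming.

```python
import re

# Constructed ASA running-config excerpt: crypto map entries mirror the thread's
# "show run crypto map" output; transform-set/proposal definitions, entry 5 and
# its peer 203.0.113.9 are assumed for illustration.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto map outside_map 1 match address outside_cryptomap_yankees
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 169.254.64.45
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 DES
crypto map outside_map 3 match address outside_cryptomap_mets
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 198.51.52.53
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 5 set peer 203.0.113.9
crypto map outside_map 5 set ikev1 transform-set ESP-AES-256-SHA
"""

# ASA keyword -> cipher label; a bare "esp-aes" (IKEv1) or "aes" (IKEv2) is AES-128.
# Integrity tokens (esp-sha-hmac, esp-md5-hmac, sha-1, ...) are deliberately absent.
ENC_ALIASES = {
    "esp-des": "des", "esp-3des": "3des", "esp-aes": "aes-128",
    "esp-aes-192": "aes-192", "esp-aes-256": "aes-256", "esp-null": "null",
    "des": "des", "3des": "3des", "aes": "aes-128", "aes-192": "aes-192",
    "aes-256": "aes-256", "aes-gcm": "aes-gcm-128", "aes-gcm-192": "aes-gcm-192",
    "aes-gcm-256": "aes-gcm-256", "null": "null",
}


def parse_crypto_config(text):
    """Return (transform_sets, proposals, entries) parsed from running-config text."""
    transform_sets, proposals, entries = {}, {}, {}
    current_proposal = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith(" "):
            # Indented line: belongs to the ipsec-proposal block opened just above.
            m = re.match(r"\s+protocol esp encryption (.+)", line)
            if m and current_proposal is not None:
                proposals[current_proposal].update(ENC_ALIASES.get(t, t) for t in m.group(1).split())
            continue
        current_proposal = None
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line)
        if m:
            # Keep only the encryption tokens of the transform-set.
            transform_sets[m.group(1)] = {ENC_ALIASES[t] for t in m.group(2).split() if t in ENC_ALIASES}
            continue
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
        if m:
            current_proposal = m.group(1)
            proposals.setdefault(current_proposal, set())
            continue
        m = re.match(r"crypto map (\S+) (\d+) (.+)", line)
        if m:
            key = (m.group(1), int(m.group(2)))
            e = entries.setdefault(key, {"peers": [], "acl": None,
                                         "ikev1_sets": [], "ikev2_proposals": []})
            rest = m.group(3).split()
            if rest[:2] == ["match", "address"]:
                e["acl"] = rest[2]
            elif rest[:2] == ["set", "peer"]:
                e["peers"] = rest[2:]          # an entry may list several peers
            elif rest[:3] == ["set", "ikev1", "transform-set"]:
                e["ikev1_sets"] = rest[3:]
            elif rest[:3] == ["set", "ikev2", "ipsec-proposal"]:
                e["ikev2_proposals"] = rest[3:]
    return transform_sets, proposals, entries


def resolve_encryption(config_text):
    """Map each crypto map entry to its peers and every cipher it could negotiate."""
    tsets, props, entries = parse_crypto_config(config_text)
    report = {}
    for key in sorted(entries):
        e = entries[key]
        encs = set()
        for name in e["ikev1_sets"]:
            encs |= tsets.get(name, {"undefined:" + name})
        for name in e["ikev2_proposals"]:
            encs |= props.get(name, {"undefined:" + name})
        report[key] = {"peers": e["peers"], "acl": e["acl"], "encryption": sorted(encs)}
    return report


def entries_below(config_text, required="aes-256"):
    """Entries able to negotiate anything other than `required`: the ones to edit."""
    return {k: v for k, v in resolve_encryption(config_text).items()
            if any(a != required for a in v["encryption"])}


if __name__ == "__main__":
    for (cmap, seq), info in entries_below(SAMPLE_CONFIG).items():
        print(f"{cmap} {seq}: peers={info['peers']} acl={info['acl']} encryption={info['encryption']}")
```

On a real box, feed it the concatenated output of "show run crypto ipsec" and "show run crypto map". Note that this only tells you what an entry is permitted to negotiate; "show vpn-sessiondb detail l2l", as suggested in the thread, shows what a given peer actually negotiated, which the configuration alone cannot.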
