12-17-2015 01:16 PM
Hi,
I have a few VPNs configured on my ASA and I want to edit one VPN's crypto policy (encryption). Can anyone tell me how I can identify a specific VPN among the VPNs I have?
12-17-2015 02:14 PM
A show run crypto map will list all your crypto maps. Each crypto map will have a peer associated with it. Match the peer with its crypto map.
crypto map outside_map 1 match address outside_cryptomap_yankees
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 169.254.64.45
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set ikev2 pre-shared-key *****
crypto map outside_map 1 set security-association lifetime seconds 60
crypto map outside_map 3 match address outside_cryptomap_mets
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 198.51.52.53
crypto map outside_map 3 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 3 set ikev1 pre-shared-key *****
12-17-2015 05:05 PM
Hi Collin,
I got the crypto map which is configured, but I am unable to pull the policy where all encryption and hash values are defined. I want to modify encryption from aes-128 to aes-256, so if I can find the policy then I can change it.
12-17-2015 05:51 PM
show run crypto ikev1 will show all the configured phase 1 policies.
Also, to know which policies the tunnel is using, you can run the command:
show vpn-sessiondb detail l2l and search for that peer IP
12-18-2015 09:10 AM
All,
Thanks for the inputs! I found the right policy and changed encryption to aes-256, but I still see AnyConnect VPN users' DTLS tunnel showing AES-128. I did change the transform-set. Any inputs on this please.
12-17-2015 06:20 PM
Try show run crypto ipsec. It will list all the configured IPsec policies. From there you can either create a new one or use a pre-configured one:
crypto ipsec ikev1 transform-set I_LIKE_AES256 esp-aes-256 esp-sha-hmac
then apply it to your crypto map:
crypto map outside_map 1 set ikev1 transform-set I_LIKE_AES256
You will then need to remove your old one (the command above appends to the list rather than replacing it):
no crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA
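As an added example (not from this thread or from Cisco), here is a small Python script that does the matching the first answer describes and the check the last answer implies: it parses `show run crypto map` output, finds the crypto map entry for a given peer, and flags proposal or transform-set names that point at DES, 3DES or AES-128 so you know which entries still need the new transform-set. The sample output is constructed from the lines quoted in the thread; transform-set names are user-chosen, so the real ciphers should be confirmed with `show run crypto ipsec`.

```python
import re

# Constructed sample "show run crypto map" output, shaped like the thread's snippet.
SAMPLE_CRYPTO_MAP = """\
crypto map outside_map 1 match address outside_cryptomap_yankees
crypto map outside_map 1 set peer 169.254.64.45
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_mets
crypto map outside_map 3 set peer 198.51.52.53
crypto map outside_map 3 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 3 set ikev1 pre-shared-key *****
"""
LINE_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set) (.*)$")

def parse_crypto_map(text):
    """Group 'crypto map <name> <seq> ...' lines into one dict per (name, seq)."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # interface bindings and unrelated lines are ignored
        name, seq, kind, rest = m.groups()
        entry = entries.setdefault((name, int(seq)), {})
        words = rest.split()
        if kind == "match address":
            entry["acl"] = rest
        elif words[0] == "peer":
            entry["peer"] = words[1]
        elif words[:2] == ["ikev1", "transform-set"]:
            entry["ikev1_transform_sets"] = words[2:]
        elif words[:2] == ["ikev2", "ipsec-proposal"]:
            entry["ikev2_proposals"] = words[2:]
    return entries

def find_entry_for_peer(entries, peer):
    """Map a peer address to its (map name, seq) key, as the thread advises."""
    for key, entry in entries.items():
        if entry.get("peer") == peer:
            return key

def weak_algorithms(entry):
    """Names pointing at DES, 3DES or AES-128. The ASA's default IKEv2 proposal
    named plain 'AES' is AES-128; IKEv1 names are user-chosen, so verify them."""
    names = entry.get("ikev2_proposals", []) + entry.get("ikev1_transform_sets", [])
    flagged = []
    for n in names:
        tokens = set(n.upper().split("-"))
        if n.upper() == "AES" or tokens & {"DES", "3DES", "128"}:
            flagged.append(n)
    return flagged
```

Feed it the real `show run crypto map` output and look up the peer from `show vpn-sessiondb detail l2l` to see which entry (and which proposals) that tunnel is actually negotiating with.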