
Changing EZVPN IKE Phase 1 and 2 Policy

johnlloyd_13
Level 9

hi,

I need to update the IKE phase 1 and 2 policies to a stronger method on an IOS router acting as an EZVPN server. To my knowledge the EZVPN server "pushes" the IKE P1 and P2 policy to the remote client.

My question: will changing the IKE P1 and P2 policy cause a downtime? Or will it just wait for the lifetime to die and re-establish using the new policy? I plan to lab this up soon but don't have the time to do it yet. I just want to get quick feedback on this in the meantime.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2

crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 5

no crypto isakmp policy 1     <<< WILL THIS CAUSE A DOWNTIME??

I also plan to update the IKE P2/transform set policy. Can I just overwrite the current P2 policy so I can re-use the current transform set name (ESP-3DES-SHA) under the crypto ipsec profile? Will it also cause a downtime on the EZVPN client?

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile MY-PROF
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA   <<<
 set isakmp-profile IKE-PROF

crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 ah-sha256-hmac    <<< CAN I JUST OVERWRITE? NO NEED TO NEGATE OR PUT A 'no' ON THIS COMMAND

1 Reply

GioGonza
Level 4

Hello @johnlloyd_13

On your first question: normally they don't cause a downtime, since this happens on the re-key process, but I would recommend changing it once you have everything in place on the other side.

On the second question: YES, you can overwrite the config and this will not affect the VPN that is established. The only thing to keep in mind is that it will use 3DES-SHA as long as the other side has it configured, since it will always try the first option.

HTH

Gio
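An added example, not from either poster: a small Python audit that parses IOS configuration text like the fragments in this thread (the samples below are constructed from them) and reports which ISAKMP policies and transform-sets still offer 3DES, SHA-1 or DH group 1/2, so you can confirm nothing weak is left once the old policy has been removed. The weak-token sets and the IOS policy defaults it fills in are the example's own assumptions.

```python
import re

# Weak tokens for this audit ("sha" is SHA-1 in IOS syntax; group 5 passes only because
# it is what the thread migrates to).  IOS defaults fill in omitted policy lines.
WEAK_ISAKMP = {"encr": {"des", "3des"}, "hash": {"md5", "sha"}, "group": {"1", "2"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "group": "1"}

def parse_isakmp_policies(config):
    """Map policy number -> {encr, hash, group}; the lowest number is tried first."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = dict(ISAKMP_DEFAULTS)
            policies[int(m.group(1))] = current
        elif current is not None and line.startswith(" ") and line.split():
            key, *val = line.split()                # "encr aes 256" -> encr=aes
            if val and key in ("encr", "encryption", "hash", "group"):
                current["encr" if key == "encryption" else key] = val[0]
        else:
            current = None                          # any other line ends the block
    return policies

def parse_transform_sets(config):
    """Map transform-set name -> transforms; re-entering a name overwrites it."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        sets[m.group(1)] = [t for t in m.group(2).split() if not t.isdigit()]
    return sets

def audit(config):
    """Return findings as strings; an empty list means nothing weak is still offered."""
    findings = []
    for num, p in sorted(parse_isakmp_policies(config).items()):
        weak = [f"{k} {p[k]}" for k in ("encr", "hash", "group") if p[k] in WEAK_ISAKMP[k]]
        if weak:
            findings.append(f"isakmp policy {num} still accepts {', '.join(weak)}; "
                            f"remove it with 'no crypto isakmp policy {num}' after peers re-key")
    for name, transforms in parse_transform_sets(config).items():
        weak = [t for t in transforms if t in WEAK_TRANSFORMS]
        if weak:
            findings.append(f"transform-set {name} uses {', '.join(weak)}")
    return findings
# Constructed samples modelled on the thread's config, before and after the change.
BEFORE = ("crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2\n"
          "crypto isakmp policy 10\n encr aes 256\n hash sha256\n authentication pre-share\n group 5\n"
          "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac\n")
AFTER = (BEFORE.replace("crypto isakmp policy 1\n encr 3des\n authentication pre-share\n group 2\n", "")
               .replace("esp-3des esp-sha-hmac", "esp-aes 256 ah-sha256-hmac"))
```

Run `audit(BEFORE)` and `audit(AFTER)` against the two samples; the second returns an empty list, showing the migrated config no longer offers the weak policy or transform set.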
