
New Member

Two ASA IPVPN tunnel

Dear

I am using the policy below for two site-to-site VPNs. May I know whether the policy number and group number, as below, will affect the tunnel priority? What is the actual function of that policy number and group number?

crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 1
 lifetime 86400

4 REPLIES
Hall of Fame Super Silver

Two ASA IPVPN tunnel

group is used in these configurations to specify the Diffie-Hellman group. The peer of each of the connections apparently needs to use a different Diffie-Hellman group to negotiate its keys.

Understanding the function of the policy number will indirectly lead to an answer to the question about priority. The policy number allows you to create more than one ISAKMP policy and to uniquely identify each policy. You might want multiple policies because one connection needs one set of parameters and another connection needs a different set of parameters. In your example there need to be 2 policies because one connection needs to specify Diffie-Hellman group 2 and the other connection needs to specify Diffie-Hellman group 1. When there is an attempt to initiate a connection the ASA will evaluate each of the configured policies until it finds one that matches the requirements of the peer device. So there is not really any priority other than specifying the order in which the policies will be evaluated.

HTH

Rick

Hall of Fame Super Silver

Two ASA IPVPN tunnel

I am glad that my answer was helpful. Thank you for using the rating system to mark this question as answered.

HTH

Rick

New Member

Two ASA IPVPN tunnel

One more question. What is the meaning of the number in the crypto map, like below? Does that number need to match the policy number?

crypto map TESTING 10 match address vpn_testiing
crypto map TESTING 10 set peer 123.123.123.123
crypto map TESTING 10 set transform-set ESP-3DES-SHA

Hall of Fame Super Silver

Two ASA IPVPN tunnel

Interesting question. I am glad to say that it has an easy answer. The number in the map is to allow for multiple entries in the map and to uniquely identify each entry. So it is very similar to the number in the isakmp policy. Like the isakmp policy the ASA will organize the map according to the sequence numbers and will evaluate new connection attempts to the map in numerical order. Other than this there is no sense of priority in the map numbers.

And no there is not any need to match the map number to the policy number. In fact it is common that multiple map entries might use the same isakmp policy so there is potentially a many to one relationship between the map numbers and the policy numbers.

HTH

Rick
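The two answers above describe the same mechanism twice: the ASA walks ISAKMP policies in ascending policy number and picks the first one the peer's proposal satisfies, and it walks crypto map entries in ascending sequence number in the same way, with no link between the two numbers. The following Python model is an added illustration, not Cisco code and not from anyone in this thread. It parses the two config fragments posted above, simulates that ordered evaluation against constructed peer proposals, and shows why the lowest-numbered matching policy is the one that wins (so the strongest policy belongs at the lowest number). The second crypto map entry (sequence 20, peer 198.51.100.7, ACL vpn_branch) and the peer proposals are constructed for the example; lifetime handling is deliberately left out of the match, which is a simplification.

```python
"""Model of ordered ISAKMP policy and crypto map evaluation on an ASA.

Added example, not Cisco code. It reproduces the ordering rule described in the
thread: lowest policy number / lowest map sequence that matches wins.
"""
import re

# Constructed input: the two ISAKMP policies exactly as posted in the question.
ISAKMP_CONFIG = """\
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 1
 lifetime 86400
"""

# Constructed input: the posted crypto map entry (seq 10) plus a hypothetical
# second entry (seq 20) to show several map entries sharing the same policies.
CRYPTO_MAP_CONFIG = """\
crypto map TESTING 10 match address vpn_testiing
crypto map TESTING 10 set peer 123.123.123.123
crypto map TESTING 10 set transform-set ESP-3DES-SHA
crypto map TESTING 20 match address vpn_branch
crypto map TESTING 20 set peer 198.51.100.7
crypto map TESTING 20 set transform-set ESP-3DES-SHA
"""

# Attributes an IKEv1 peer actually negotiates; lifetime is compared by a
# separate rule (the shorter value is used) and is ignored in this model.
NEGOTIATED = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(text):
    """Return {policy_number: {attribute: value}} from 'crypto isakmp policy' blocks."""
    policies, current = {}, None
    for line in text.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            current[key] = value
    return policies


def parse_crypto_map(text):
    """Return {sequence: {setting: value}} from 'crypto map NAME SEQ ...' lines."""
    entries = {}
    pattern = r"crypto map (\S+) (\d+) (match address|set peer|set transform-set) (\S+)"
    for line in text.splitlines():
        m = re.match(pattern, line)
        if m:
            _, seq, setting, value = m.groups()
            entries.setdefault(int(seq), {})[setting] = value
    return entries


def select_policy(policies, peer_proposals):
    """Walk local policies in ascending number; return (number, proposal) for the
    first policy that some peer proposal satisfies, or None if nothing matches.
    The number only orders the search; a policy numbered 5 is not 'stronger'
    than one numbered 10, it is merely tried first."""
    for number in sorted(policies):
        local = policies[number]
        for proposal in peer_proposals:
            if all(local.get(k) == proposal.get(k) for k in NEGOTIATED):
                return number, proposal
    return None


def map_entry_for_peer(entries, peer):
    """Return the lowest map sequence whose 'set peer' is the given address."""
    for seq in sorted(entries):
        if entries[seq].get("set peer") == peer:
            return seq
    return None


if __name__ == "__main__":
    pols = parse_isakmp_policies(ISAKMP_CONFIG)
    # Constructed peer that offers both DH groups: policy 5 (group 2) is tried first and wins.
    both = [dict(authentication="pre-share", encryption="aes", hash="md5", group=g) for g in ("1", "2")]
    print("peer offering group 1 and 2 ->", select_policy(pols, both))
    maps = parse_crypto_map(CRYPTO_MAP_CONFIG)
    print("map entries in evaluation order:", sorted(maps))
    print("entry for 123.123.123.123 ->", map_entry_for_peer(maps, "123.123.123.123"))
```

Run it as a script to see the selection for the constructed peer; the useful check for a real deployment is the same one the model makes: list the policies in ascending number and confirm the first one a peer could satisfy is the one you intend it to use.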
