
General Router VPN setup

Hello experts,

I need to connect a VPN with my Cisco router to a Cisco ASA version 7.2.

I need some guidance to see if this configuration looks about right because I'm confused with the phases 1 & 2:

Phase 1 - Required

Protocol encryption: IPSEC
Diffie-Hellman: Group2
Encrypt algorithm: 3DES
Hashing: SHA
Lifetime: 86400 seconds
Mode: Main

-- I configured:

crypto isakmp key testkey address 1.1.1.1 no-xauth
crypto isakmp policy 21
 encr 3des
 authentication pre-share
 group 2

* sha doesn't appear because I read it is default

* the lifetime is not appearing

----------------------

Phase 2 - Required

Encapsulation: ESP
Encryption: 3DES
Authentication: SHA
PFS: Group2
Lifetime: 8 Hours
LifetimeKB: 4608000

-- I configured:

crypto ipsec transform-set test esp-3des esp-sha-hmac
crypto map 3desmap 17 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set test
 set pfs group2
 match address acltest

My questions:

1- Is the transform-set phase 2?

2- Where do I configure the lifetime of 8 hours?

Thanks


Re: General Router VPN setup

The transform set is phase 2 (and the isakmp policy is phase 1).

You can set lifetime under the isakmp policy. I believe you can leave it as is, and during negotiation if the two peers differ on lifetimes, it should choose the smallest value.
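
Where each lifetime from the question is configured, as an added example that is not part of the original thread: the phase 1 lifetime sits under the ISAKMP policy, while the 8-hour phase 2 lifetime (28800 seconds) and the kilobyte limit are set on the crypto map entry. It reuses the names from the question (policy 21, testkey, 1.1.1.1, transform set test, crypto map 3desmap, ACL acltest) and assumes classic Cisco IOS crypto-map syntax.

```cisco
! Added example, not the poster's configuration.
! 3DES, SHA-1 and DH group 2 are legacy choices, kept here only to
! match the parameters the peer requires.
!
! ---- Phase 1 (ISAKMP / IKE policy) ----
crypto isakmp policy 21
 encr 3des
 ! "hash sha" and "lifetime 86400" are the IOS defaults, so they are
 ! accepted here but left out of "show running-config".
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! "testkey" is the placeholder pre-shared key from the question.
crypto isakmp key testkey address 1.1.1.1 no-xauth
!
! ---- Phase 2 (IPsec) ----
crypto ipsec transform-set test esp-3des esp-sha-hmac
!
crypto map 3desmap 17 ipsec-isakmp
 set peer 1.1.1.1
 ! 8 hours = 28800 seconds. The IOS default is 3600 seconds, so this
 ! line is needed to request the 8-hour value.
 set security-association lifetime seconds 28800
 ! 4608000 KB is the IOS default volume limit; stated for clarity.
 set security-association lifetime kilobytes 4608000
 set transform-set test
 set pfs group2
 match address acltest
```

`show crypto isakmp policy` lists the hash and lifetime in effect even when they are defaults hidden from the running configuration, and `show crypto ipsec sa` reports the remaining phase 2 key lifetime once the tunnel is up.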
