IOS:
crypto isakmp policy 10
 encr 3des
 !hash sha   <<< Not visible in the running config since it is the default
 authentication pre-share
 group 2
 lifetime 1200

ASA:
#show run crypto isakmp
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

On IOS, 'show crypto isakmp policy' prints every parameter of each policy, including the defaults that 'show run' omits, so use it rather than the running config when comparing the two ends:
IOS:
#show crypto isakmp policy
Protection suite of priority 20
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
ASA:
crypto map crymap 10 set security-association lifetime seconds 7200
crypto map crymap 10 set security-association lifetime kilobytes 2147483647

IOS:
crypto map crymap 10 ipsec-isakmp
 set security-association lifetime seconds 7200
 set security-association lifetime kilobytes 2147483647
If either of the two devices is performing NAT, the traffic matched by the crypto ACL must be exempted from NAT on that device. NAT runs before the crypto map is consulted, so a translated packet no longer matches the interesting-traffic ACL (or matches it with the wrong proxy identity) and is sent out in the clear instead of through the tunnel.
8.2 and Prior Versions:
On the interface behind which the interesting LAN for the VPN (the local proxy identity) sits, configure either a NAT exemption statement (preferred) or an identity NAT statement (less preferred, but it works just fine).
Note: route-lookup is optional; it exists because of a behavior change in the route-lookup sequence between 8.4.1 and earlier and 8.4.2 and later. It belongs to the 8.3+ identity (twice) NAT rule; the 8.2 'nat 0 access-list' form has no such keyword.
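As an added example (not configuration from the original page), here is the ASA side of the exemption in both syntaxes. The addresses are assumed RFC 5737 documentation ranges (192.0.2.0/24 behind "inside", 198.51.100.0/24 behind the remote peer), and the ACL and object names are assumptions as well.

```cisco
! --- ASA 8.2 and prior: NAT exemption (nat 0 access-list) ----------------------
! Assumed addresses: 192.0.2.0/24 local (behind "inside"), 198.51.100.0/24 remote.
! The nonat ACL must cover the crypto ACL's proxy identities; ASA ACLs use subnet
! masks, not the wildcard masks IOS uses.
access-list nonat extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0
nat (inside) 0 access-list nonat
! The existing dynamic PAT stays as-is: NAT exemption is evaluated before it.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! --- ASA 8.3 and later: identity twice NAT (manual NAT, section 1) ---------------
object network LOCAL-LAN
 subnet 192.0.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 198.51.100.0 255.255.255.0
! Real == mapped on both sides, so the VPN flow is left untranslated.
! no-proxy-arp stops the ASA from answering ARP for the remote subnet on "inside";
! route-lookup (8.4.2+) makes the ASA pick the egress interface from the routing
! table instead of from this NAT rule.
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
! Everything else from the LAN is PATed by an object (auto) NAT rule, which lives in
! section 2 and is therefore evaluated after the identity rule above.
object network INSIDE-PAT
 subnet 192.0.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Check which NAT rule a VPN-bound packet hits before blaming the tunnel:
! packet-tracer input inside tcp 192.0.2.10 12345 198.51.100.10 443
! show nat detail
```

On either version, the exemption rule must win before the dynamic PAT rule for the same source; the packet-tracer output shows the NAT phase and the matching rule, which is the fastest way to confirm that.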
The most common IOS NAT implementation will have:
! on the LAN-facing interface:
 ip nat inside
interface Gig0/0
 ip nat outside
ip nat inside source list 1 interface Gig0/0 overload
Note: If a route-map is used in place of the (access-)list, modify the ACL that the route-map is based upon.
The NAT exemption approach would be:

1. Write an extended ACL first.
Existing ACL (leave it in the config for now):
ip access-list standard 1
 permit 184.108.40.206 0.0.0.255
The complementing extended ACL would be:
ip access-list extended 101
 permit ip 220.127.116.11 0.0.0.255 any

2. Incorporate the NAT-exemption logic in the extended ACL, i.e. deny the VPN flow from getting NAT'ed. Access-list 101 is a selection ACL: permit means "translate this flow", deny means "leave it untranslated"; it does not drop anything.
ip access-list extended 101
 1 deny ip 18.104.22.168 0.0.0.255 10.1.1.0 0.0.0.255
Now 'show access-list 101':
#show access-list 101
Extended IP access list 101
    1 deny ip 22.214.171.124 0.0.0.255 10.1.1.0 0.0.0.255
    10 permit ip 126.96.36.199 0.0.0.255 any
The key is to make sure that the deny statement goes to the top. The NAT ACL is evaluated top-down and the first match wins, so a deny placed after the 'permit ... any' line would never be reached. The deny's source and destination must cover the same pair the crypto ACL permits.
3. Use the extended ACL in the NAT statement first:
ip nat inside source list 101 interface Gig0/0 overload

4. Now remove the old NAT statement:
no ip nat inside source list 1 interface Gig0/0 overload
>>> IOS will ask whether you want to remove the dynamic NAT entries created by this NAT statement. Answer 'yes'. This tears down the translations built by the old rule; if a stale translation for the VPN subnet somehow survives, 'clear ip nat translation *' removes it (along with every other active translation, so do it in a maintenance window).

5. With that you may remove the old standard ACL, if it is not used anywhere else in the config:
no ip access-list standard 1
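The finished IOS side as one piece, added here (it is not the page's own config) so the relation between the crypto ACL and the NAT deny is visible. The addresses (RFC 5737 ranges), peer, interface names, pre-shared key and the ACL and transform-set names are assumptions. The page's 3DES/group 2 parameters are replaced by AES-256 and group 14 here because 3DES and 1024-bit DH are deprecated; the NAT logic is identical either way.

```cisco
! Assumed topology: LAN 192.0.2.0/24 on Gig0/1, WAN 203.0.113.2 on Gig0/0,
! peer 203.0.113.1 with 198.51.100.0/24 behind it.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 1200
! "hash sha" is the default and is not shown by "show run" (see "show crypto isakmp policy")
crypto isakmp key EXAMPLE-PSK address 203.0.113.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: the interesting traffic (local proxy identity -> remote proxy identity)
ip access-list extended VPN-TRAFFIC
 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
crypto map crymap 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 set security-association lifetime seconds 7200
 match address VPN-TRAFFIC
!
! NAT selection ACL: the deny mirrors the crypto ACL and sits above the permit, so the
! VPN flow reaches the crypto map with its real source address; everything else is PATed.
ip access-list extended 101
 deny   ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 permit ip 192.0.2.0 0.0.0.255 any
!
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
 crypto map crymap
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
! Verify: the deny counter in "show access-list 101" increments for VPN-bound traffic,
! no translation toward 198.51.100.x appears in "show ip nat translations", and
! "show crypto session detail" lists the proxy identities exactly as the crypto ACL states them.
```

If the deny counter stays at zero while the tunnel refuses to come up, the flow is not hitting the NAT ACL the way the crypto ACL expects; compare the two ACLs line by line before touching the crypto configuration.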
VPN Status and Statistics:
Now the first packet matching the interesting traffic that passes through the device brings the tunnel up (one bidirectional Phase-1 SA and two unidirectional Phase-2 SAs, one per direction; each crypto ACL entry negotiates its own Phase-2 pair).

ASA:
Check config:
show run crypto
show run crypto isakmp
show run crypto ipsec
show run crypto map
Check tunnel status:
show crypto isakmp sa
show crypto ipsec sa

IOS:
Check config:
show run | sec crypto
show crypto isakmp policy
show crypto map
Check tunnel status:
show crypto isakmp sa
show crypto ipsec sa
show crypto session detail

In 'show crypto ipsec sa', the '#pkts encaps' and '#pkts decaps' counters tell you which direction is broken: encaps increasing with decaps stuck at zero means this side encrypts but nothing comes back, which usually points at the peer's crypto ACL or NAT exemption rather than at Phase 1.