Hi All, curious as to how the ASA negotiates encryption and hash values when using the ASDM site-to-site wizard. The wizard appears to allow all possible combinations, so if both sides are set up using the wizard defaults, are the agreed-upon phase 1/2 encryption and hash values random, or is there some logic to what they select? The reason I ask is that I noticed one tunnel is using AES256 while a different tunnel is using 3DES. Both are ASA to ASA, and both were set up using the ASDM site-to-site wizard. Also, does it make more sense to limit both sides to a specific value?
You would actually need to choose the same encryption and hash value to match the remote side of the tunnel. If there is no matching encryption or hash policy, then the VPN tunnel will not be established.
So prior to configuring a site-to-site tunnel, you would need to ensure that you have the same encryption and hash values agreed upon and configured on both ends.
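To make the answer above concrete, here is an added Python simulation of how IKEv1 phase 1 policies are matched between two ASAs. It is not code from the thread and not Cisco's; it models the documented behaviour that the initiator offers all of its configured policies and the responder walks its own policies in priority order (lowest number first), accepting the first one that matches any offered proposal, and that phase 1 fails outright when nothing matches. Lifetime is left out of the comparison, and the site policy sets (SITE_A through SITE_D) are constructed for the example, not the wizard's real defaults. The A/B case shows one way two tunnels built from the same menu of policies can land on different ciphers: the result depends on which side initiated and how the responder ordered its policies. SITE_D models the alternative of restricting a peer to a single policy, which makes the outcome fixed.

```python
"""Simulated IKEv1 phase 1 policy selection between two ASAs.

Added illustration for the forum answer; not code from the thread or
from Cisco.  Models: the initiator offers every configured IKEv1 policy,
the responder checks its own policies in priority order (lowest number
first) and accepts the first that matches any offered proposal.  With
no match, phase 1 fails and the tunnel never comes up.  Lifetime is
omitted for simplicity.  All policy sets below are constructed examples,
not the ASDM wizard's actual defaults.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Ikev1Policy:
    """One 'crypto ikev1 policy <priority>' entry (lifetime omitted)."""
    priority: int
    encryption: str
    hash_alg: str
    dh_group: int
    authentication: str = "pre-share"

    def proposal(self) -> tuple:
        # The attributes that must be identical on both peers for a match.
        return (self.encryption, self.hash_alg, self.dh_group, self.authentication)


def negotiate_phase1(initiator: Iterable[Ikev1Policy],
                     responder: Iterable[Ikev1Policy]) -> Optional[Ikev1Policy]:
    """Return the responder policy that wins, or None if phase 1 fails.

    The initiator's own priority numbers do not matter here: it sends all
    of its proposals, and the responder's ordering decides the pick.
    """
    offered = {p.proposal() for p in initiator}
    for local in sorted(responder, key=lambda p: p.priority):
        if local.proposal() in offered:
            return local
    return None


# Constructed example sites.  A and B both support AES-256 and 3DES but
# list them in opposite priority order.
SITE_A = [
    Ikev1Policy(10, "aes-256", "sha", 2),
    Ikev1Policy(20, "3des", "sha", 2),
]
SITE_B = [
    Ikev1Policy(10, "3des", "sha", 2),
    Ikev1Policy(20, "aes-256", "sha", 2),
]
# C shares nothing with A: phase 1 cannot complete.
SITE_C = [Ikev1Policy(10, "aes-128", "md5", 1)]
# D is restricted to a single policy, so the outcome is fixed.
SITE_D = [Ikev1Policy(10, "aes-256", "sha", 2)]


def describe(initiator: Iterable[Ikev1Policy],
             responder: Iterable[Ikev1Policy]) -> str:
    """Human-readable summary of one negotiation attempt."""
    chosen = negotiate_phase1(initiator, responder)
    if chosen is None:
        return "phase 1 failed: no matching policy"
    return (f"phase 1 agreed on {chosen.encryption}/{chosen.hash_alg}"
            f"/group {chosen.dh_group}")


if __name__ == "__main__":
    print("A -> B:", describe(SITE_A, SITE_B))  # 3des: B's priority 10 matches first
    print("B -> A:", describe(SITE_B, SITE_A))  # aes-256: A's priority 10 matches first
    print("A -> C:", describe(SITE_A, SITE_C))  # fails: no common policy
    print("A -> D:", describe(SITE_A, SITE_D))  # aes-256: D offers nothing else
```

Run it as a script to see the four cases. The same match-or-fail principle applies to phase 2 transform sets in the crypto map, which is why pinning one policy and one transform set on both peers is the way to guarantee a predictable cipher.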
Thanks for the detailed explanation, Karsten. So let me ask this... For a site-to-site VPN that needs optimal throughput with minimal security, what phase 1/2 parameters make the most sense? Secondly, how would one enforce that the site-to-site tunnel only uses that set of parameters via ASDM? Do I simply edit and remove all parameters except what I want to use under Configuration / Site-To-Site VPN / Advanced / Crypto Maps and IPSec Proposals (Transform Sets)?