
VPN Configuration

Hi Experts,

Good Day!

I'm a bit new to Cisco's VPN configuration on the ASA, and I'm having a hard time reading the config syntax of the ASA's VPN.

Can you please help me understand the meaning of the commands listed below? There are multiple crypto ikev2 policy entries and I don't know which of them the tunnel is using.

SYNTAX:

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

Is this read with a top-down approach, like an ACL? How does the tunnel determine which of those policies to use once a user tries to establish a VPN connection?

Thank you for your great help!! :)

Regards,

Niks

1 ACCEPTED SOLUTION


Is this read top-down

Is this read with a top-down approach, like an ACL?

Correct, it is read top down until a match is found.  Once a match is found it will not check any of the other crypto policy entries.  If no match is found, the VPN connection attempt is dropped, and if you have debug enabled for crypto it will state something like "no acceptable attributes" (I don't remember the exact output).

How does the tunnel determine which of those policies to use once a user tries to establish a VPN connection?

If we are talking RA VPN, then the end user PC will send an IKE proposal including all the encryption, hashing, DH groups, etc. that it supports. The ASA will then inspect the proposal sent from the client and select a crypto suite that matches one proposed by the client. Once both sides have agreed upon an encryption method, both the client and ASA check that their PSKs match. If they match then all is good and phase 1 is complete. Now phase 2 starts. The client and ASA agree on parameters that will encrypt the data traffic.

--

Please remember to select a correct answer and rate helpful posts

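As an added illustration (not from the thread or from Cisco), here is a small Python model of the top-down selection the answer describes: it parses three of the posted policies (1, 20 and 40) in ASA syntax and returns the first one a client proposal can satisfy, or None for the "no acceptable attributes" case. The dictionary shape of the client proposal is an assumption, and the model picks the first value the policy and the peer have in common rather than reproducing the ASA's exact preference-order rules.

```python
# Constructed excerpt of the policies posted above (1, 20 and 40), in ASA syntax.
ASA_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
"""
ATTRS = ("encryption", "integrity", "group", "prf")  # negotiated; lifetime is not

def parse_policies(config):
    """Return {seq: {attr: [values]}} for every 'crypto ikev2 policy' block."""
    policies, current = {}, None
    for line in config.splitlines():
        if line.startswith("crypto ikev2 policy "):
            current = policies.setdefault(int(line.split()[-1]), {a: [] for a in ATTRS})
            continue
        words = line.split()
        if current is not None and words and words[0] in ATTRS:
            current[words[0]].extend(words[1:])
    return policies

def select_policy(policies, proposal):
    """ASA-style match: walk policies by ascending sequence number and stop at
    the first one where every attribute has a value the peer also proposed.
    None means no match (the 'no acceptable attributes' case in the answer).
    proposal is an assumed shape: {attr: [values the client supports]}."""
    for seq in sorted(policies):
        chosen = {}
        for attr in ATTRS:
            common = [v for v in policies[seq][attr] if v in proposal.get(attr, ())]
            if not common:
                break  # this policy cannot be satisfied; try the next sequence number
            chosen[attr] = common[0]
        else:
            return seq, chosen
    return None
```

Running it shows that a peer offering only DES still negotiates a tunnel on policy 40, because a lower sequence number for the strong policies does not stop the weaker ones from being used; removing the 3DES/DES policies is what actually prevents that.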