Cisco Support Community

New Member

VPN ISAKMP policy phase 1

Hi guys, I don't clearly understand the ISAKMP policy on the ASA, so I am raising this topic to ask those who have more years of experience with VPN. Assume that I have already configured a site-to-site VPN to my branch office on my ASA 5510, and my next goal is to configure remote access VPN on this ASA as well. My question is: I already created an ISAKMP policy for my site-to-site VPN, so for my remote access VPN, do I need to create it again or not?

5 REPLIES


Hi,

 

IPSec is the primary protocol used in L2L and Remote Access VPN deployments.
If you are using IPsec Remote Access VPN, you don't need to create new ISAKMP policies.
For SSL-based Remote Access VPN, ISAKMP policies are not needed, as they are part of IPSec VPN.

 

Here is a document that you can refer to:
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/vpipsec.html


Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

New Member


Hi. Actually, I configured remote access using the IPsec protocol. So with the IPsec protocol, we have no need to create the ISAKMP phase 1 policy again, right?

Cisco Employee


Remember that IKEv1 policy defines:

- authentication method (PSK/RSA)

- encryption 

- hashing 

- DH group 

If all of those agree for remote access and L2L, then you do not need to add new policies.

IKEv2 policies instead have sets of acceptable algorithms in a single policy (devices pick the "best" from proposed). 
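The matching rule in the reply above, as an added example (not from the thread or from Cisco): it parses IKEv1 policy blocks from a constructed `show running-config`-style sample and reports whether a peer's proposed attribute set matches an existing policy. The sample configuration, the function names and the proposal dictionaries are assumptions made for illustration; lifetime is not compared.

```python
import re

# Constructed sample in the style of `show running-config crypto ikev1`
# (ASA 8.4+ syntax; older releases write `crypto isakmp policy`).
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""

FIELDS = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """Return {priority: {field: value}} for each IKEv1 policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto (?:ikev1|isakmp) policy (\d+)\s*$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif line.startswith(" ") and current is not None:
            parts = line.split()
            if len(parts) == 2 and parts[0] in FIELDS:
                current[parts[0]] = parts[1]
        else:
            current = None  # any other top-level line ends the block
    return policies

def first_match(policies, proposal):
    """Lowest-numbered policy whose four attributes all equal the proposal."""
    for prio in sorted(policies):
        if all(policies[prio].get(f) == proposal[f] for f in FIELDS):
            return prio
    return None

def needs_new_policy(config, proposals):
    """True when none of the peer's proposals matches an existing policy."""
    policies = parse_policies(config)
    return all(first_match(policies, p) is None for p in proposals)
```

A proposal is a dictionary with the four keys in `FIELDS`, for example `{"authentication": "pre-share", "encryption": "aes-256", "hash": "sha", "group": "5"}`; pass the list of sets the remote-access client is configured to offer.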


Hi,

 

If you are using IPSec as the Remote Access VPN protocol, then you don't have to create new ISAKMP profiles unless the ones present are not negotiating with the client.
Hope that helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

New Member


Yeah, thanks, I will try with your explanation.
