topic Re: ikev2 policy in Network Security

ikev2 policy

elite2010 — Tue, 07 Apr 2020 20:11:21 GMT

Hi,

I edited the default policy for ikev2 ( it is done for ipsec site to site vpn policy )

The below is before editing

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400

and the below is after editing

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256 sha
lifetime seconds 86400

currently I have only one ipsec site to site vpn

the above change will impact anything

what does it mean by the below , the above change will affect the below operation

crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2

Thanks

Re: ikev2 policy

Sheraz.Salim — Tue, 07 Apr 2020 20:27:11 GMT

The changes you made are ikev2 policy you in order to keep your existing tunnel up and running do this.

crypto ikev2 policy 1
encryption aes-256
integrity sha sha256
group 5
prf sha sha256
lifetime seconds 86400encryption aes-256

doing this you will keep your existing running tunnel up and running.

crypto ikev2 enable Outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint2

to answer you question here

Re: ikev2 policy

elite2010 — Wed, 08 Apr 2020 03:59:20 GMT

Hi,

Sorry I did not get what you mean by the below

crypto ikev2 policy 1
encryption aes-256
integrity sha sha256
group 5
prf sha sha256
lifetime seconds 86400encryption aes-256

Thanks

Re: ikev2 policy

Cristian Matei — Wed, 08 Apr 2020 12:22:05 GMT

Hi,

As you have a single IKEv2 policy, this will be used for all IKEv2 IPsec sessions terminated on the ASA, both Remote Access and Site2Site. The present crypto ikev2 commands, don't relate to your IKEv2 changed policy. The first command enables AnyConnect specific required services (software updates, client profile download), while the second one specifies which certificate to be used for IKEv2 sessions terminated on the outside interface.

Regards,

Cristian Matei.

Re: ikev2 policy

elite2010 — Wed, 08 Apr 2020 19:01:12 GMT

Hi @Cristian Matei

Hi,

crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256 sha
lifetime seconds 86400

The policy will cause any performance degrade since we are using aes-256 encryption

i am using cisco asa 5585 ssp-10 ,what is the recommendation

and how to check the performance degrade

@Cristian Matei said " the first command enables AnyConnect specific required services (software updates, client profile download), while the second one specifies which certificate to be used for IKEv2 sessions terminated on the outside interface"

It means the changes in the policy won't affect any of the commands in the previous post

Thanks

Re: ikev2 policy

Cristian Matei — Thu, 09 Apr 2020 08:24:00 GMT

Hi,

1. You'll get better performance with AES as opposed to 3DES.

2. Correct, the IKEv2 policy changes don't influence the presented commands.

Regards,

Cristian Matei.