topic Re: ASA Dynamic VPN policy in Network Security

ASA Dynamic VPN policy

manvik — Sat, 11 Mar 2023 06:56:13 GMT

I have a DC ASA running Dynamic VPN tunnels. In the config I can see many crypto ikev1 policy 1 - like crypto ikev1 policy 10, crypto ikev1 policy 20

All has different DH group, hash etc.

When a remote/branch device authenticates to this DC ASA, which policy would it choose.

Re: ASA Dynamic VPN policy

MHM Cisco World — Sat, 11 Mar 2023 07:12:53 GMT

show vpn-sessiondb l2l detail
this can give you a hint about the IPsec encrypt/hash used

Re: ASA Dynamic VPN policy

Rob Ingram — Sat, 11 Mar 2023 07:57:25 GMT

@manvik When the remote branch initiates the IKE negotiation, that peer sends all of its IKE policies to the remote peer (hub), and the remote peer tries to find a match. The remote peer checks all of the peer's policies against each of its configured policies in priority order (highest priority first) until it discovers a match. The lower the priority number, the higher the priority

Re: ASA Dynamic VPN policy

manvik — Sat, 11 Mar 2023 08:25:14 GMT

Thank you, in command "crypto ikev1 policy 10",
is 10 the priority

Re: ASA Dynamic VPN policy

MHM Cisco World — Sat, 11 Mar 2023 08:28:41 GMT

policy priority select the order of search, until now there is no way to find which policy Peer use except by using debug,
the issue is that phaseI ALL policies send in one message to peer, and Peer reply with accept one, and this can detect as I mention above via debug.
sorry there is no any show help you in this case.

Re: ASA Dynamic VPN policy

Rob Ingram — Sat, 11 Mar 2023 08:35:49 GMT

@manvik yes in your example 10 is the priority of the IKE policy.

"show crypto ikev1 sa" (or "show crypto ikev2 sa" when using IKEv2) would help you determine what algorithms where used per peer to establish the IKE SA, it won't tell you which policy number was matched, but you'd be able to determine that yourself from the encryption, hashing, group etc in use.