https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830507#M173410 <P>You can run both versions at the same time. And that's quite a normal situation as it will often be impossible to migrate all VPNs at the same time. Though you'll most likely end up running IKEv1 with some peers and IKEv2 with others.</P> Wed, 13 Jan 2016 11:51:46 GMT Karsten Iwen 2016-01-13T11:51:46Z https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830501#M173399 <P>hi,</P> <P>i've been asked to replace our current "weaker" IKE phase 1 and phase 2 policies from 3DES to AES.</P> <P>we have active S2S VPNs that are currently using 3DES and was thinking a way to implement this with minimal downtime (or completely lock out remote access).</P> <P>could someone please advise if my thinking is correct? other suggestions are most welcome.</P> <P></P> <P><SPAN style="text-decoration: underline;"><STRONG>HQ ASA:</STRONG></SPAN></P> <P>no&nbsp;crypto isakmp policy x &nbsp; &lt;&lt;&lt; REMOVE WEAK POLICIES</P> <P>crypto isakmp policy 10</P> <P>&nbsp;authentication pre-share<BR />&nbsp;encryption aes<BR />&nbsp;hash sha<BR />&nbsp;group 2&nbsp;&nbsp;&nbsp; &lt;&lt;&lt; IS GROUP 5 BETTER?<BR />&nbsp;lifetime 43200</P> <P>crypto isakmp policy 65535&nbsp;&nbsp;&nbsp; &lt;&lt;&lt; RETAIN A "CATCH-ALL" PHASE 1 POLICY<BR />&nbsp;authentication pre-share<BR />&nbsp;encryption 3des<BR />&nbsp;hash sha<BR />&nbsp;group 2<BR />&nbsp;lifetime 86400</P> <P></P> <P>crypto ipsec transform-set TSET esp-aes esp-sha-hmac&nbsp;&nbsp; &lt;&lt;&lt; SHOULD I NEED A "CATCH-ALL" IKE PHASE 2 POLICY?</P> <P></P> <P><SPAN style="text-decoration: underline;"><STRONG>REMOTE ASA</STRONG></SPAN></P> <P>reload in 10</P> <P>no&nbsp;crypto isakmp policy x &nbsp; &lt;&lt;&lt; REMOVE WEAK POLICIES; WILL THIS CUT ME OFF?</P> <P>crypto isakmp policy 10</P> <P>&nbsp;authentication pre-share<BR />&nbsp;encryption aes<BR />&nbsp;hash sha<BR />&nbsp;group 2<BR />&nbsp;lifetime 43200</P> <P>crypto isakmp policy 65535<BR />&nbsp;authentication pre-share<BR />&nbsp;encryption 3des<BR />&nbsp;hash sha<BR />&nbsp;group 2<BR />&nbsp;lifetime 86400</P> <P></P> <P>crypto ipsec transform-set TSET esp-aes esp-sha-hmac</P> <P></P> <P>clear crypto isakmp sa (ISSUE ON HQ ASA AFTERWARDS)</P> Tue, 12 Mar 2019 07:08:09 GMT https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830501#M173399 johnlloyd_13 2019-03-12T07:08:09Z https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830502#M173402 <P>Hi John,</P> <P>Here is my suggestion.</P> <P>1. Create new crypto policy with different encry/hash and number on both end devices.</P> <P>ex: S2S: (group 5 preferred)</P> <P><SPAN>crypto isakmp policy 20</SPAN></P> <P><SPAN>authentication pre-share<BR /><SPAN>encryption aes&nbsp;</SPAN><BR /><SPAN>&nbsp;hash sha</SPAN><BR /><SPAN>&nbsp;group 5 &nbsp;&nbsp;</SPAN><BR /><SPAN>&nbsp;lifetime 43200</SPAN></SPAN></P> <P><SPAN>For remote access:</SPAN></P> <P><SPAN>crypto isakmp policy 65000</SPAN></P> <P><SPAN>authentication pre-share<BR /><SPAN>encryption aes&nbsp;</SPAN><BR /><SPAN>&nbsp;hash sha</SPAN><BR /><SPAN>&nbsp;group 2 &nbsp;&nbsp;</SPAN><BR /><SPAN>&nbsp;lifetime <SPAN>86400</SPAN></SPAN></SPAN></P> <P><SPAN><SPAN></SPAN></SPAN></P> <P><SPAN><SPAN>Transform:</SPAN></SPAN></P> <P><SPAN><SPAN>crypto ipsec transform-set NEWSET esp-aes esp-sha-hmac &nbsp;(for site to site and remote)</SPAN></SPAN></P> <P><SPAN><SPAN>Make sure you have remote access (SSH to outside interface) to outside interface of far end ASA.</SPAN></SPAN></P> <P><SPAN><SPAN>1. Change the Transform set on both ends. You will loose&nbsp;connectivity&nbsp;to remote end may have to clear existing tunnel (vpn-sessiondb l2l logoff &lt;ipaddress&gt;).</SPAN></SPAN></P> <P><SPAN><SPAN>2. Make sure VPN tunnel establishes (run extended ping from one end to other end subnet).</SPAN></SPAN></P> <P>3. Remove policy#10 and Policy #65535. ASAs will negotiate with new parameters.</P> <P>Make sure you have a maintenance window for this work. I do not see a need to reload ASAs.</P> <P></P> <P>hth</P> <P>MS&nbsp;</P> <P><SPAN><SPAN></SPAN></SPAN></P> <P><SPAN><SPAN></SPAN></SPAN></P> Wed, 13 Jan 2016 04:19:07 GMT https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830502#M173402 mvsheik123 2016-01-13T04:19:07Z https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830503#M173404 <P>In fact it's even easier:</P> <OL> <LI>Add the better Phase1 policy with a lower number.</LI> <LI>configure the new transform-set and place&nbsp;it in&nbsp;your crypto map "set transform-set" at the first place, leave the other transform-set in place.</LI> <LI>The next time the tunnel is rebuild or cleared, the ASAs should use the new settings. If something goes wrong, the old settings are still in place.</LI> <LI>When you confirmed that you are using the new settings, you can remove the old settings that are not needed any more.</LI> </OL> Wed, 13 Jan 2016 08:18:43 GMT https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830503#M173404 Karsten Iwen 2016-01-13T08:18:43Z https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830504#M173405 <P>hi karsten,</P> <P>in your step 3, do i need to force SA tear down/up (do a clear crypto isa sa)?</P> Wed, 13 Jan 2016 08:39:31 GMT https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830504#M173405 johnlloyd_13 2016-01-13T08:39:31Z https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830505#M173407 <P>You don't have to, you also can just wait. But if you have a window where you can accept a small traffic disruption, then you can clear it and directly see if it uses the new settings.</P> Wed, 13 Jan 2016 08:54:50 GMT https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830505#M173407 Karsten Iwen 2016-01-13T08:54:50Z https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830506#M173409 <P>hi karsten,</P> <P>thanks and will keep that in mind! just another quick one, i've got a mix of gen1 (using IKEv1) and next gen (IKEv2) ASA FWs. can i use IKEv1 and IKEv2 simultaneously on my HQ ASA?</P> <P>or is ASA limited to a single version of IKE applied on the 'outside' ASA interface?</P> Wed, 13 Jan 2016 11:47:40 GMT https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830506#M173409 johnlloyd_13 2016-01-13T11:47:40Z https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830507#M173410 <P>You can run both versions at the same time. And that's quite a normal situation as it will often be impossible to migrate all VPNs at the same time. Though you'll most likely end up running IKEv1 with some peers and IKEv2 with others.</P> Wed, 13 Jan 2016 11:51:46 GMT https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830507#M173410 Karsten Iwen 2016-01-13T11:51:46Z https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830508#M173412 <P>hi karsten,</P> <P>thanks for clearing my doubts!</P> <P>i need to lab this up if i got the time <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 13 Jan 2016 12:15:00 GMT https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/2830508#M173412 johnlloyd_13 2016-01-13T12:15:00Z https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/3417198#M173413 For the curious, the "reload 10" command on the remote ASA is just a fail-safe in case the tunnel doesn't come up after the changes...then you just need to sit tight for a few minutes and the device will reload with the previously saved config. Tue, 17 Jul 2018 22:27:55 GMT https://community.cisco.com/t5/network-security/changing-asa-ike-policies/m-p/3417198#M173413 starman 2018-07-17T22:27:55Z