Contributor

Best way to remove 1 proposal from crypto map config that references a few on ASA?

I have the following in my crypto map configs on an ASA for an IPSEC tunnel:

crypto map out_map 1 set ikev2 ipsec-proposal prop1 prop2 aes256 prop3


As you can see, there are 4 proposals referenced, when I believe the other side of the tunnel/peer only has 1 proposal, which I believe is prop3.

If I just remove all the proposals and leave only prop3, it will temporarily break the tunnel connection, correct?

Is the best way to do it just to do:

no crypto map out_map 1 set ikev2 ipsec-proposal prop1 prop2 aes256 prop3

crypto map out_map 1 set ikev2 ipsec-proposal prop3

2 ACCEPTED SOLUTIONS

RJI (VIP Advocate)

Re: Best way to remove 1 proposal from crypto map config that references a few on ASA?

Hi,
If the VPN is established with an active IPSec SA, then removing the proposals should not break the connection. You should double-check the active SA with "show crypto ipsec sa", confirm the algorithms in use, and make sure they match prop3.

As with any change in production, do it in a change window and have a roll back plan.

HTH
Beginner

Re: Best way to remove 1 proposal from crypto map config that references a few on ASA?

You can just remove the proposals which you don't need, like this: "no crypto map out_map 1 set ikev2 ipsec-proposal prop1 prop2 aes256". It should keep prop3 as it is.

But make sure the tunnels don't use them, just as @RJI said.

Please rate comments and support
with regards,
Venkat
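The check RJI describes (confirm that the algorithms of the live SA match prop3 before trimming the list) and Venkat's caveat (remove only proposals no tunnel is using), as an added example; this is not code from the thread, from Cisco, or from any ASA tool. It parses the ikev2 ipsec-proposal stanzas of the running config and the transform lines of show crypto ipsec sa, both pasted from the ASA, reports which of the referenced proposals cover the active SAs on out_map 1, and emits the two-command change the question proposes only when the proposal to keep is among them. The sample config, the SA output and the peer addresses are constructed to resemble ASA output, and the keyword-to-transform-name mapping (ENC_NAMES, INT_NAMES) is an assumption that covers common ESP algorithms only.

```python
"""Pre-change check before trimming an IKEv2 proposal list on an ASA crypto map.

Added example, not code from the thread or from Cisco. Inputs are text an
operator pastes from the ASA: the 'crypto ipsec ikev2 ipsec-proposal' stanzas
of the running config and the output of 'show crypto ipsec sa'.
"""
import re

# Constructed sample: the four proposals referenced by 'crypto map out_map 1'.
SAMPLE_PROPOSALS = """\
crypto ipsec ikev2 ipsec-proposal prop1
 protocol esp encryption aes-192
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal prop2
 protocol esp encryption aes
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal aes256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal prop3
 protocol esp encryption aes-256
 protocol esp integrity sha-1
"""

# Constructed sample of 'show crypto ipsec sa', trimmed to the lines used here.
SAMPLE_SA = """\
interface: outside
    Crypto map tag: out_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.1
      inbound esp sas:
        spi: 0x1A2B3C4D (439041101)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv2, }
      outbound esp sas:
        spi: 0x5E6F7A8B (1584626315)
           transform: esp-aes-256 esp-sha-hmac no compression
           in use settings ={L2L, Tunnel, IKEv2, }
"""

# Assumed mapping from 'protocol esp ...' keywords to the transform names
# printed by 'show crypto ipsec sa'; common ESP algorithms only.
ENC_NAMES = {"aes": "esp-aes", "aes-192": "esp-aes-192", "aes-256": "esp-aes-256",
             "aes-gcm": "esp-aes-gcm", "aes-gcm-192": "esp-aes-gcm-192",
             "aes-gcm-256": "esp-aes-gcm-256", "3des": "esp-3des"}
INT_NAMES = {"sha-1": "esp-sha-hmac", "sha-256": "esp-sha-256-hmac",
             "sha-384": "esp-sha-384-hmac", "sha-512": "esp-sha-512-hmac",
             "md5": "esp-md5-hmac"}


def parse_proposals(config):
    """Map proposal name -> {'enc': set, 'int': set} of transform names."""
    proposals, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
        if m:
            current = m.group(1)
            proposals[current] = {"enc": set(), "int": set()}
            continue
        m = re.match(r"\s+protocol esp (encryption|integrity) (.+)", line)
        if m and current:
            key = "enc" if m.group(1) == "encryption" else "int"
            table = ENC_NAMES if key == "enc" else INT_NAMES
            proposals[current][key].update(table.get(w, w) for w in m.group(2).split())
    return proposals


def parse_active_sas(show_output):
    """One record per ESP SA: crypto map, seq, direction, enc and int transform."""
    sas, tag, seq, direction = [], None, None, None
    enc_known, int_known = set(ENC_NAMES.values()), set(INT_NAMES.values())
    for line in show_output.splitlines():
        m = re.search(r"Crypto map tag: (\S+), seq num: (\d+)", line)
        if m:
            tag, seq = m.group(1), int(m.group(2))
            continue
        m = re.match(r"\s*(inbound|outbound) esp sas:", line)
        if m:
            direction = m.group(1)
            continue
        m = re.match(r"\s*transform: (.+)", line)
        if m:
            words = m.group(1).split()
            sas.append({"map": tag, "seq": seq, "dir": direction,
                        "enc": next((w for w in words if w in enc_known), None),
                        "int": next((w for w in words if w in int_known), None)})
    return sas


def proposals_in_use(proposals, sas, crypto_map, seq):
    """Proposals whose algorithms cover every live SA on this map entry."""
    live = [s for s in sas if s["map"] == crypto_map and s["seq"] == seq]
    if not live:
        return set()
    return {name for name, p in proposals.items()
            if all(s["enc"] in p["enc"] and s["int"] in p["int"] for s in live)}


def plan_change(crypto_map, seq, referenced, wanted, proposals, sas):
    """Return (commands, reason); the commands are the pair from the question,
    produced only when every proposal in 'wanted' matches the live SAs."""
    in_use = proposals_in_use(proposals, sas, crypto_map, seq)
    if not in_use:
        return None, "no active SA on %s %d; safety cannot be confirmed" % (crypto_map, seq)
    missing = [w for w in wanted if w not in in_use]
    if missing:
        return None, "live SA does not match %s (matches: %s)" % (
            ", ".join(missing), ", ".join(sorted(in_use)))
    base = "crypto map %s %d set ikev2 ipsec-proposal " % (crypto_map, seq)
    return ["no " + base + " ".join(referenced), base + " ".join(wanted)], "ok"


if __name__ == "__main__":
    cmds, why = plan_change("out_map", 1, ["prop1", "prop2", "aes256", "prop3"], ["prop3"],
                            parse_proposals(SAMPLE_PROPOSALS), parse_active_sas(SAMPLE_SA))
    print(why)
    for c in cmds or []:
        print(c)
```

Replace the two sample strings with the real paste from the ASA before trusting the result. The script only answers the question RJI raises, whether the proposal you intend to keep is the one the live SAs negotiated; it cannot tell whether the ASA rekeys or tears down the SA when the crypto map entry is edited, so the change window and rollback plan still apply.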