Best way to remove 1 proposal from crypto map config that references a few on ASA?

CiscoPurpleBelt
Level 6

I have the following in my crypto map configs on an ASA for an IPSEC tunnel:

crypto map out_map 1 set ikev2 ipsec-proposal prop1 prop2 aes256 prop3

As you can see, there are 4 proposals referenced, I believe, when the other side of the tunnel/peer only has 1 proposal, I believe prop3.

If I just remove all the proposals and leave only prop3, it will temporarily break the tunnel connection, correct?

Is the best way to do it just to do:

no crypto map out_map 1 set ikev2 ipsec-proposal prop1 prop2 aes256 prop3

crypto map out_map 1 set ikev2 ipsec-proposal prop3

Accepted Solutions

Hi,
If the VPN is established with an active IPsec SA, then removing the proposals should not break the connection. You should double-check the active SA with "show crypto ipsec sa", confirm the algorithms in use, and make sure they match prop3.

As with any change in production, do it in a change window and have a roll back plan.

HTH


venkat_n7
Level 1

You can just remove the proposals which you don't need, like this: "no crypto map out_map 1 set ikev2 ipsec-proposal prop1 prop2 aes256". It should keep prop3 as it is.

But make sure the tunnels don't use them, just as @Rob Ingram said.

Please rate comments and support
with regards,
Venkat

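The two accepted answers together describe a procedure: read the live SA with "show crypto ipsec sa", work out which of the referenced proposals it actually negotiated, and then issue a "no crypto map ... set ikev2 ipsec-proposal ..." line that names only the unused ones. Below is an added example script that automates that check; it is not code from this thread or from Cisco. It assumes the layout of "show running-config crypto" and "show crypto ipsec sa" shown in the two constructed samples inside the script, and it assumes a mapping from proposal keywords (aes-256, sha-1, and so on) to the esp-* tokens the ASA prints on the "transform:" line. Both assumptions should be confirmed against your own device before trusting the result. It goes slightly beyond the thread in that it also handles AEAD (GCM) proposals, which have no separate integrity token, and multiple SAs under one map entry.

```python
"""Which IKEv2 IPsec proposals on an ASA crypto map entry are safe to drop? Compare each
proposal's definition with the transform of the live SA. Added example, not thread code."""
import re

# Constructed sample of 'show running-config crypto' (layout assumed from ASA 9.x;
# proposal bodies invented so that exactly one of them fits the live SA below).
RUNNING_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal prop1
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto ipsec ikev2 ipsec-proposal prop2
 protocol esp encryption 3des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal aes256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal prop3
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map out_map 1 set peer 198.51.100.2
crypto map out_map 1 set ikev2 ipsec-proposal prop1 prop2 aes256 prop3
"""

# Constructed excerpt of 'show crypto ipsec sa' for that entry (layout assumed).
IPSEC_SA = """\
interface: outside
    Crypto map tag: out_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.2
      inbound esp sas:
        spi: 0x1A2B3C4D (439041101)
           transform: esp-aes-256 esp-sha-hmac no compression
"""

# Proposal keyword -> token on the 'transform:' line. Assumed mapping: confirm it on
# your own device before trusting the result.
ENC_TOKEN = {"aes-256": "esp-aes-256", "aes-192": "esp-aes-192", "aes": "esp-aes",
             "aes-gcm-256": "esp-aes-gcm-256", "3des": "esp-3des", "null": "esp-null"}
INT_TOKEN = {"sha-1": "esp-sha-hmac", "sha-256": "esp-sha-256-hmac", "md5": "esp-md5-hmac",
             "sha-384": "esp-sha-384-hmac", "sha-512": "esp-sha-512-hmac"}


def parse_proposals(config):
    """name -> {'encryption': [...], 'integrity': [...]} from the running config."""
    proposals, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line):
            current = proposals[m.group(1)] = {"encryption": [], "integrity": []}
        elif current and (m := re.match(r"\s+protocol esp (encryption|integrity) (.+)", line)):
            current[m.group(1)].extend(m.group(2).split())
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the proposal block
    return proposals


def proposal_matches(prop, tokens):
    """Could this proposal have produced an SA whose 'transform:' tokens are `tokens`?"""
    enc_ok = any(ENC_TOKEN.get(e) in tokens for e in prop["encryption"])
    hmacs = {t for t in tokens if t.endswith("-hmac")}
    if not hmacs:  # AEAD SA (GCM): only a null-integrity proposal fits
        return enc_ok and ("null" in prop["integrity"] or not prop["integrity"])
    return enc_ok and any(INT_TOKEN.get(i) in hmacs for i in prop["integrity"])


def parse_map_proposals(config, map_name, seq):
    """Names listed on 'crypto map <map> <seq> set ikev2 ipsec-proposal ...'."""
    pat = re.compile(rf"crypto map {re.escape(map_name)} {seq} set ikev2 ipsec-proposal (.+)")
    hits = [m.group(1).split() for m in map(pat.match, config.splitlines()) if m]
    return hits[0] if hits else []


def parse_sa_transforms(sa_output, map_name, seq):
    """Token sets of every 'transform:' line under the given crypto map entry."""
    transforms, in_entry = [], False
    for line in sa_output.splitlines():
        if m := re.match(r"\s*Crypto map tag: (\S+), seq num: (\d+),", line):
            in_entry = m.group(1) == map_name and int(m.group(2)) == seq
        elif in_entry and (m := re.match(r"\s*transform: (.+)", line)):
            transforms.append(frozenset(t for t in m.group(1).split() if t.startswith("esp-")))
    return transforms


def prune_plan(config, sa_output, map_name, seq):
    """Return (in_use, unused, command). command is None when no referenced proposal
    matches a live SA (tunnel down or mapping wrong): pruning would then be a guess."""
    proposals = parse_proposals(config)
    live = parse_sa_transforms(sa_output, map_name, seq)
    referenced = parse_map_proposals(config, map_name, seq)
    in_use = [n for n in referenced
              if n in proposals and any(proposal_matches(proposals[n], t) for t in live)]
    unused = [n for n in referenced if n not in in_use]
    if not in_use or not unused:
        return in_use, unused, None
    return in_use, unused, f"no crypto map {map_name} {seq} set ikev2 ipsec-proposal " + " ".join(unused)


if __name__ == "__main__":
    print(prune_plan(RUNNING_CONFIG, IPSEC_SA, "out_map", 1))
```

To use it on a real box, paste the device's own output into RUNNING_CONFIG and IPSEC_SA. With the constructed samples it reports prop3 as the only proposal matching the live SA and prints the single command "no crypto map out_map 1 set ikev2 ipsec-proposal prop1 prop2 aes256", which is the form Venkat gave. Note that the proposal named aes256 is rejected even though its cipher matches, because its integrity (sha-256) differs from the SA's esp-sha-hmac: the name of a proposal tells you nothing, only its definition does. If the SA is down or nothing matches, the script deliberately returns no command rather than guessing, which is the point of Rob's advice to check before pruning.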
