Solved: Site-To-Site VPN | ISAKMP

zekebashi · ‎01-31-2019

Hello,

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_site2site.html#28546

I am having a hard time understanding the difference between the "cypto ikeve2 policy xxxx" and "crypto ipsec ikev2 proposal xxx".

The Cisco documentation doesn't explain how the two are associated. Can someone clarify?

Thanks in advance, ~zK

Rob Ingram · ‎02-01-2019

The IKEv2 Policies are not referenced anywhere. they just need to be present. Unlike the IPSec proposal which is referenced in the crypto map.

View solution in original post

Kasun Bandara · ‎01-31-2019

Hi I guess below link will give good idea on this..

http://resources.intenseschool.com/configuring-ikev2-on-cisco-ios-1-understanding-ikev2/

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

zekebashi · ‎02-01-2019

Thanks! I appreciate the input.

Best, ~zK

socratesp1980 · ‎02-01-2019

In a nutshell proposal is the set of transforms (encryption and integrity althorithms basically) used to negotiate a secure connection with the "other end".

Policy is the set of proposals that are going to be used by the two parties in order to find a comonly acceptable proposal for the communication

Hope this helps

zekebashi · ‎02-01-2019

Thank you!

This is very helpful.

Best, ~zK

Rob Ingram · ‎02-01-2019

Hi,

crypto ikev2 policy xxxxx = IKEv2 SA
crypto ipsec ikev2 protocol = IPSec SA

IKEv2 SA - is used for control plane, to establish a secure channel between 2 peers. This creates 1 bi-directional IKEv2 SA tunnel, though which the IPSec SA is negotiated and 2 un-directional IPSec SAs are established. The IPSec SA is used for data plane, which is used to transfer your data securely.

IKEv2 SA is negotiated first, without establishing an IKEv2 SA there will be no IPSec SA and therefore no tunnel.

HTH

zekebashi · ‎02-01-2019

Thanks for the input. This is helpful!

So, when create a an IKEv2 policy and IKEv2 proposal, where does each get referenced or associated? Let's take this the below config, for example:

Where in the config are the IKEv2 policies used/associated?

The IKEv2 ipsec-proposal is referenced in or associated with the "crypto map MAP_0 1 set ikev2 ipsec-proposal AES AES192 AES25" but I don't see the IKEv2 policies referenced or associated anywhere else in this config!

!
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
!
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
!
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
!

!
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
!
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
!
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
!
!
crypto map MAP_0 1 match address ACL_abc
crypto map MAP_0 1 set pfs
crypto map MAP_0 1 set peer x.x.x.x
crypto map MAP_0 1 set ikev2 ipsec-proposal AES AES192 AES256
!
!
crypto map MAP_0 interface outside
!
!
group-policy HQ_To_Loc_01 internal
group-policy HQ_To_Loc_01 attributes
vpn-tunnel-protocol ikev2
split-tunnel-all-dns disable
!
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
default-group-policy HQ_To_Loc_01
tunnel-group x.x.x.x ipsec-attributes
ikev2 remote-authentication pre-shared-key abcdefgxxxxxxxx
ikev2 local-authentication pre-shared-key abcdefgxxxxxxxx
!

Best, ~zK

Rob Ingram · ‎02-01-2019

The IKEv2 Policies are not referenced anywhere. they just need to be present. Unlike the IPSec proposal which is referenced in the crypto map.

zekebashi · ‎02-01-2019

Great! That's the answer I was looking for!

Best, ~zK