Participant

Site-To-Site VPN | ISAKMP

Hello,

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_site2site.html#28546

 

I am having a hard time understanding the difference between the "crypto ikev2 policy xxxx" and "crypto ipsec ikev2 proposal xxx".

 

The Cisco documentation doesn't explain how the two are associated. Can someone clarify?

 

Thanks in advance, ~zK

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate RJI VIP Advocate
VIP Advocate

Re: Site-To-Site VPN | ISAKMP

The IKEv2 Policies are not referenced anywhere; they just need to be present. Unlike the IPSec proposal, which is referenced in the crypto map.
Enthusiast

Re: Site-To-Site VPN | ISAKMP

Participant

Re: Site-To-Site VPN | ISAKMP

Thanks! I appreciate the input.

Best, ~zK
Beginner

Re: Site-To-Site VPN | ISAKMP

In a nutshell, a proposal is the set of transforms (encryption and integrity algorithms, basically) used to negotiate a secure connection with the "other end".

 

A policy is the set of proposals that are going to be used by the two parties in order to find a commonly acceptable proposal for the communication.

 

Hope this helps

Participant

Re: Site-To-Site VPN | ISAKMP

Thank you!

 

This is very helpful.

 

Best, ~zK

VIP Advocate RJI VIP Advocate
VIP Advocate

Re: Site-To-Site VPN | ISAKMP

Hi,

crypto ikev2 policy xxxxx = IKEv2 SA
crypto ipsec ikev2 protocol = IPSec SA

IKEv2 SA - is used for the control plane, to establish a secure channel between 2 peers. This creates 1 bi-directional IKEv2 SA tunnel, through which the IPSec SA is negotiated and 2 unidirectional IPSec SAs are established. The IPSec SA is used for the data plane, which is used to transfer your data securely.

IKEv2 SA is negotiated first, without establishing an IKEv2 SA there will be no IPSec SA and therefore no tunnel.

HTH
Participant

Re: Site-To-Site VPN | ISAKMP

Thanks for the input. This is helpful!

 

So, when you create an IKEv2 policy and an IKEv2 proposal, where does each get referenced or associated? Let's take the config below, for example:

 

Where in the config are the IKEv2 policies used/associated?

The IKEv2 ipsec-proposal is referenced in or associated with the "crypto map MAP_0 1 set ikev2 ipsec-proposal AES AES192 AES256" line, but I don't see the IKEv2 policies referenced or associated anywhere else in this config!

!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
!
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
!
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
!

!
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
!
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
!
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
!
!
crypto map MAP_0 1 match address ACL_abc
crypto map MAP_0 1 set pfs
crypto map MAP_0 1 set peer x.x.x.x
crypto map MAP_0 1 set ikev2 ipsec-proposal AES AES192 AES256
!
!
crypto map MAP_0 interface outside
!
!
group-policy HQ_To_Loc_01 internal
group-policy HQ_To_Loc_01 attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-all-dns disable
!
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy HQ_To_Loc_01
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key abcdefgxxxxxxxx
 ikev2 local-authentication pre-shared-key  abcdefgxxxxxxxx
!

 

Best, ~zK

VIP Advocate RJI VIP Advocate
VIP Advocate

Re: Site-To-Site VPN | ISAKMP

The IKEv2 Policies are not referenced anywhere; they just need to be present. Unlike the IPSec proposal, which is referenced in the crypto map.
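As an added example (not code from this thread or from Cisco), a small Python linter that parses an ASA-style config like the one posted above and checks exactly what the answer describes: every ipsec-proposal named in a crypto map must actually be defined, while IKEv2 policies are global and only need to exist. The regexes assume the `show run` line formats seen in the thread; the sample config is constructed and deliberately references a proposal (AES192) that is never defined.

```python
import re
# Constructed sample trimmed from the config posted in this thread; the crypto
# map lists a proposal (AES192) that is never defined, to exercise the check.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-192
crypto ikev2 policy 1
 encryption aes-256
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto map MAP_0 1 set ikev2 ipsec-proposal AES AES192 AES256
"""
POLICY = re.compile(r"crypto ikev2 policy (\d+)$")
PROPOSAL = re.compile(r"crypto ipsec ikev2 ipsec-proposal (\S+)$")
MAP_REF = re.compile(r"crypto map (\S+) (\d+) set ikev2 ipsec-proposal (.+)$")

def parse_asa_ikev2(config):
    """Collect IKEv2 policies by priority, ipsec-proposals by name, and crypto map refs."""
    policies, proposals, map_refs, current = {}, {}, {}, None
    for line in config.splitlines():
        if m := POLICY.match(line):
            current = policies.setdefault(int(m.group(1)), [])
        elif m := PROPOSAL.match(line):
            current = proposals.setdefault(m.group(1), [])
        elif m := MAP_REF.match(line):
            map_refs[(m.group(1), int(m.group(2)))] = m.group(3).split()
            current = None
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())      # sub-command of the open block
        else:
            current = None                    # some other top-level command
    return policies, proposals, map_refs

def check_config(config):
    """Return (policy priorities, lowest tried first; list of findings)."""
    policies, proposals, map_refs = parse_asa_ikev2(config)
    findings = []
    for (name, seq), refs in map_refs.items():
        for p in refs:
            if p not in proposals:            # referenced by the map, never defined
                findings.append(f"crypto map {name} {seq}: ipsec-proposal {p} is not defined")
    used = {p for refs in map_refs.values() for p in refs}
    findings += [f"ipsec-proposal {p} is defined but unused" for p in proposals if p not in used]
    if not policies:                          # global and unreferenced, but required
        findings.append("no crypto ikev2 policy present; IKEv2 SA cannot be negotiated")
    return sorted(policies), findings
```

Run `check_config(SAMPLE_CONFIG)` to see the policies listed in negotiation order and the single finding for the missing AES192 proposal.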
Participant

Re: Site-To-Site VPN | ISAKMP

Great! That's the answer I was looking for!

Best, ~zK