Two ASA IPVPN tunnel

alan-wong
Level 1

Dear

I am using the policies below for two site-to-site VPNs. May I know whether the policy number and group number like below will affect the tunnel priority? What is the actual function of that policy number and group number?

crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash md5
 group 1
 lifetime 86400

4 Replies

Richard Burts
Hall of Fame

group is used in these configurations to specify the Diffie-Hellman group. The peer of each of the connections apparently needs to use a different Diffie-Hellman group to negotiate its keys.

Understanding the function of the policy number will indirectly lead to an answer to the question about priority. The policy number allows you to create more than one ISAKMP policy and to uniquely identify each policy. You might want multiple policies because one connection needs one set of parameters and another connection needs a different set of parameters. In your example there need to be 2 policies because one connection needs to specify Diffie-Hellman group 2 and the other connection needs to specify Diffie-Hellman group 1. When there is an attempt to initiate a connection the ASA will evaluate each of the configured policies until it finds one that matches the requirements of the peer device. So there is not really any priority other than specifying the order in which the policies will be evaluated.

HTH

Rick

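
The selection Rick describes, as an added example that is not part of the original thread and not Cisco's code: a small Python model of how an IKEv1 responder walks its crypto isakmp policy entries from the lowest number upward and takes the first one that matches any proposal the peer sent. The two policies are the ones from the post; the peer proposals, the renumber() helper and the weak_settings() check are constructed for the example. It also shows the practical consequence of the ordering: a peer that offers both group 1 and group 2 lands on whichever of the two policies has the lower number, so the number is worth choosing deliberately rather than treating it as a label. The check flags md5 and Diffie-Hellman groups 1 and 2 (768- and 1024-bit MODP), which should not be offered to new peers; group 14 or higher, and sha rather than md5, are the usual replacements.

```python
"""IKEv1 phase-1 (ISAKMP) policy selection, modelled in Python.

Each local policy carries the number from 'crypto isakmp policy N' and a set
of parameters.  When a peer connects, the responder walks its own policies
from the lowest number upward and compares each one with every proposal the
peer sent.  The first match wins, so the number fixes evaluation order and
nothing else.  (Added example, not Cisco code; peer proposals are constructed.)
"""
from dataclasses import dataclass, replace
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int        # the N in 'crypto isakmp policy N'
    authentication: str  # 'pre-share' or 'rsa-sig'
    encryption: str      # 'aes', 'aes-256', '3des', ...
    hash_alg: str        # the 'hash' line: 'md5' or 'sha'
    group: int           # Diffie-Hellman group number
    lifetime: int        # phase-1 SA lifetime in seconds

    def matches(self, proposal: "IsakmpPolicy") -> bool:
        # The policy number and the lifetime are not part of the match: the
        # number only orders evaluation, and the lifetime is negotiated down
        # to the shorter of the two sides.
        return (self.authentication == proposal.authentication
                and self.encryption == proposal.encryption
                and self.hash_alg == proposal.hash_alg
                and self.group == proposal.group)


def select_policy(local: Iterable[IsakmpPolicy],
                  proposals: Iterable[IsakmpPolicy]
                  ) -> Optional[Tuple[IsakmpPolicy, int]]:
    """Return (matched local policy, negotiated lifetime), or None."""
    proposals = list(proposals)
    for policy in sorted(local, key=lambda p: p.priority):
        for proposal in proposals:
            if policy.matches(proposal):
                return policy, min(policy.lifetime, proposal.lifetime)
    return None   # no common parameters: phase 1 fails


# The two policies from the post.
POST_POLICIES = [
    IsakmpPolicy(5, "pre-share", "aes", "md5", 2, 86400),
    IsakmpPolicy(10, "pre-share", "aes", "md5", 1, 86400),
]

# Constructed peer proposals (not from the post): a peer that only speaks
# group 2, one that only speaks group 1, and one that offers both.
PEER_GROUP2 = [IsakmpPolicy(1, "pre-share", "aes", "md5", 2, 86400)]
PEER_GROUP1 = [IsakmpPolicy(1, "pre-share", "aes", "md5", 1, 28800)]
PEER_BOTH = PEER_GROUP1 + PEER_GROUP2   # group 1 listed first on purpose


def renumber(policies, mapping):
    """Return copies of the policies with their numbers changed."""
    return [replace(p, priority=mapping.get(p.priority, p.priority))
            for p in policies]


# Parameters an ASA will still negotiate but that should no longer be
# offered to new peers.
WEAK_HASHES = {"md5"}
WEAK_GROUPS = {1, 2}   # 768-bit and 1024-bit MODP


def weak_settings(policy: IsakmpPolicy) -> list:
    """List the weak parameters in a policy; empty if there are none."""
    problems = []
    if policy.hash_alg in WEAK_HASHES:
        problems.append(f"hash {policy.hash_alg}")
    if policy.group in WEAK_GROUPS:
        problems.append(f"group {policy.group}")
    return problems


if __name__ == "__main__":
    for name, peer in [("group-2 peer", PEER_GROUP2),
                       ("group-1 peer", PEER_GROUP1),
                       ("peer offering both", PEER_BOTH)]:
        print(name, "->", select_policy(POST_POLICIES, peer))
    # Swapping the numbers changes where a flexible peer ends up.
    swapped = renumber(POST_POLICIES, {5: 10, 10: 5})
    print("after swap, peer offering both ->", select_policy(swapped, PEER_BOTH))
    for p in POST_POLICIES:
        print("policy", p.priority, "weak:", weak_settings(p))
```

Run it directly to print the three negotiations. The peers that support only one group are unaffected by the numbering, while the peer that accepts either group moves from the group-2 policy to the group-1 policy once the numbers are swapped; that is the whole of what the "priority" amounts to.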

I am glad that my answer was helpful. Thank you for using the rating system to mark this question as answered.

HTH

Rick


One more question. What is the meaning of the number in the crypto map like below? Does that number need to match the policy number?

crypto map TESTING 10 match address vpn_testiing
crypto map TESTING 10 set peer 123.123.123.123
crypto map TESTING 10 set transform-set ESP-3DES-SHA

Interesting question. I am glad to say that it has an easy answer. The number in the map is to allow for multiple entries in the map and to uniquely identify each entry. So it is very similar to the number in the isakmp policy. Like the isakmp policy the ASA will organize the map according to the sequence numbers and will evaluate new connection attempts to the map in numerical order. Other than this there is no sense of priority in the map numbers.

And no there is not any need to match the map number to the policy number. In fact it is common that multiple map entries might use the same isakmp policy so there is potentially a many to one relationship between the map numbers and the policy numbers.

HTH

Rick

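
The crypto map evaluation described in this answer, as an added example that is not from the thread and not Cisco's code: a Python model of an ASA walking its crypto map entries in ascending sequence number and using the first entry whose crypto ACL permits the outbound flow. Entry 10 reuses the peer 123.123.123.123 and the transform set ESP-3DES-SHA from the post; the ACL networks, entry 20 and the peer 203.0.113.7 are constructed for the example. It shows the one case where the sequence number does matter in practice: when two entries' ACLs overlap, the lower-numbered entry takes the traffic, so a more specific entry placed behind a broader one never matches and its peer never sees a tunnel. The shadowed_entries() check finds such unreachable entries. Nothing in the model references an isakmp policy number, which mirrors the answer above: map sequence numbers and policy numbers are independent. The transform set from the post is kept as posted; 3DES is deprecated and AES is its replacement, as the constructed second entry shows.

```python
"""Crypto map evaluation order, modelled in Python.

A crypto map entry is identified by its sequence number and carries a crypto
ACL ('match address'), a peer ('set peer') and a transform set.  Outbound
traffic is compared with the entries in ascending sequence order, and the
first entry whose ACL permits the flow decides the peer and the transform
set.  (Added example, not Cisco code; ACL networks, entry 20 and the peer
203.0.113.7 are constructed.)  Needs Python 3.7+ for ip_network.subnet_of().
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One permit line of a crypto ACL: source and destination networks."""
    src: str
    dst: str

    def permits(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

    def covers(self, other: "Ace") -> bool:
        """True if every flow permitted by 'other' is also permitted here."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst)))


@dataclass(frozen=True)
class CryptoMapEntry:
    seq: int                 # the 10 in 'crypto map TESTING 10 ...'
    acl: Tuple[Ace, ...]     # 'match address <acl-name>'
    peer: str                # 'set peer'
    transform_set: str       # 'set transform-set'


def select_entry(crypto_map: List[CryptoMapEntry],
                 src_ip: str, dst_ip: str) -> Optional[CryptoMapEntry]:
    """First entry, in sequence order, whose ACL permits the flow."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if any(ace.permits(src_ip, dst_ip) for ace in entry.acl):
            return entry
    return None   # matches no entry: the flow is not IPsec-protected


def shadowed_entries(crypto_map: List[CryptoMapEntry]) -> List[Tuple[int, int]]:
    """(lower_seq, higher_seq) pairs where the higher entry can never match,
    because every ACE in it is covered by some ACE of the lower entry."""
    ordered = sorted(crypto_map, key=lambda e: e.seq)
    pairs = []
    for i, lower in enumerate(ordered):
        for higher in ordered[i + 1:]:
            if all(any(lo.covers(hi) for lo in lower.acl) for hi in higher.acl):
                pairs.append((lower.seq, higher.seq))
    return pairs


# Entry 10 reuses the peer and transform set from the post; the ACL contents,
# entry 20 and the peer 203.0.113.7 are constructed for the example.
POST_MAP = [
    CryptoMapEntry(10, (Ace("10.1.0.0/16", "192.168.0.0/16"),),
                   "123.123.123.123", "ESP-3DES-SHA"),
    CryptoMapEntry(20, (Ace("10.1.5.0/24", "192.168.5.0/24"),),
                   "203.0.113.7", "ESP-AES-256-SHA"),
]

# The same two entries with the specific one given the lower sequence number.
FIXED_MAP = [
    CryptoMapEntry(5, POST_MAP[1].acl, POST_MAP[1].peer, POST_MAP[1].transform_set),
    POST_MAP[0],
]


if __name__ == "__main__":
    flow = ("10.1.5.4", "192.168.5.9")          # permitted by both ACLs
    print("POST_MAP  ->", select_entry(POST_MAP, *flow))
    print("shadowed  ->", shadowed_entries(POST_MAP))
    print("FIXED_MAP ->", select_entry(FIXED_MAP, *flow))
    print("shadowed  ->", shadowed_entries(FIXED_MAP))
```

With the map as posted, a flow from 10.1.5.4 to 192.168.5.9 is sent to 123.123.123.123 over 3DES even though entry 20 describes it more precisely, and shadowed_entries() reports entry 20 as unreachable. Giving the specific entry the lower sequence number (FIXED_MAP) sends that flow to 203.0.113.7 while the broad entry still catches the rest of 10.1.0.0/16, and the check comes back empty.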