ASA Dynamic VPN policy

manvik
Level 3

I have a DC ASA running dynamic VPN tunnels. In the config I can see many "crypto ikev1 policy" entries, like crypto ikev1 policy 10, crypto ikev1 policy 20.

All have different DH groups, hashes etc.

When a remote/branch device authenticates to this DC ASA, which policy would it choose?

Accepted Solution

@manvik When the remote branch initiates the IKE negotiation, that peer sends all of its IKE policies to the remote peer (hub), and the remote peer tries to find a match. The remote peer checks all of the peer's policies against each of its configured policies in priority order (highest priority first) until it discovers a match. The lower the priority number, the higher the priority.

5 Replies

show vpn-sessiondb l2l detail
This can give you a hint about the IPsec encryption/hash used.


manvik
Level 3

Thank you. In the command "crypto ikev1 policy 10", is 10 the priority?

@manvik Yes, in your example 10 is the priority of the IKE policy.

"show crypto ikev1 sa" (or "show crypto ikev2 sa" when using IKEv2) would help you determine what algorithms were used per peer to establish the IKE SA. It won't tell you which policy number was matched, but you'd be able to determine that yourself from the encryption, hashing, group etc. in use.

Policy priority selects the order of the search. Until now there is no way to find which policy the peer uses except by using debug.
The issue is that in phase I all policies are sent in one message to the peer, and the peer replies accepting one; this can be detected, as I mentioned above, via debug.
Sorry, there is no show command that helps you in this case.
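
As an added illustration (not code from this thread or from Cisco), the following Python models the responder-side matching rule the accepted answer describes and the manual reverse check suggested above: given the algorithms seen on the established IKE SA, work out which hub policy they correspond to. The hub config and the branch's proposal list are constructed samples, and the match rule (exact match on authentication, encryption, hash and DH group, walking the hub's policies from the lowest number up) is taken from the accepted answer.

```python
import re

# Constructed sample of an ASA running-config (not from the thread).
HUB_CONFIG = """crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
"""
# Constructed: proposals a branch sends in its first IKEv1 message, in the
# branch's own preference order (the weaker one deliberately listed first).
BRANCH_PROPOSALS = [
    {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2"},
    {"authentication": "pre-share", "encryption": "aes-256", "hash": "sha", "group": "5"},
]
# Lifetime is negotiated rather than exact-matched, so it is not a match key.
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_ikev1_policies(config):
    """Return {priority: {attr: value}} for each 'crypto ikev1 policy N' block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*crypto ikev1 policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None:
            m = re.match(r"\s+(authentication|encryption|hash|group)\s+(\S+)", line)
            if m:
                current[m.group(1)] = m.group(2)
    return policies

def select_policy(hub_policies, peer_proposals):
    """Responder choice: lowest-numbered hub policy that ANY peer proposal matches."""
    for prio in sorted(hub_policies):
        for prop in peer_proposals:
            if all(prop.get(k) == hub_policies[prio].get(k) for k in MATCH_KEYS):
                return prio
    return None  # no overlap at all: the IKE SA would not come up

def identify_policy(hub_policies, observed_sa):
    """Reverse check: hub policies whose attributes equal those seen on an
    established IKE SA (the algorithms 'show crypto ikev1 sa' reports)."""
    return [p for p in sorted(hub_policies)
            if all(hub_policies[p].get(k) == observed_sa.get(k) for k in MATCH_KEYS)]
```

With the sample above the hub picks policy 10 even though the branch listed its 3des proposal first, because the hub's priority order, not the initiator's, drives the search.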
