ASA: IPsec Proposal in the ASCII configuration

swscco001
Level 1

Dear community members,


a customer has to regenerate an S2S tunnel (IKEv1) on his ASA running a 9.x release, but the IPsec proposal is still missing (see attached ASDM screen dump).

He still has an old ASCII configuration, but he cannot find an IPsec proposal in this configuration.

What command should specify the IPsec Proposal?

Thanks a lot!

1 Reply

Marvin Rhoads
Hall of Fame

There needs to be an IPsec proposal matching what the remote end is offering. Typically we use proposals such as:

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-256 esp-aes esp-sha-hmac

If the other end needs different parameters for encryption or integrity, they would need to be modified accordingly in the ASA configuration to match.


If you have the option to have the other end change their parameters, it would be a good idea to change ISAKMP over to IKEv2 with more secure parameters. For Cisco ASA devices, NSA recommends IKEv2, since the IKEv1 implementation only supports SHA1. For instance:


IKEv2:

crypto ikev2 policy 1
encryption [aes-256|aes-gcm-256]
integrity [sha384|sha512]
group [16|20]


IPsec:

crypto ipsec ikev2 ipsec-proposal <proposal name>
protocol esp encryption [aes-256|aes-gcm-256]
protocol esp integrity [sha-384|sha-512]
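As an added check (example code, not from the original thread or from Cisco), the script below scans an ASA ASCII configuration for crypto map entries whose IKEv1 transform-set or IKEv2 IPsec proposal is never defined, which is the situation the question describes, and also lists IKEv1 transform-sets that still rely on SHA1/MD5/DES/3DES. The configuration excerpt is constructed.

```python
import re

# Constructed ASA config excerpt: crypto map entry 10 references a transform-set
# that is never defined, entry 20 references a proposal that is.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES-GCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-128-SHA
crypto map outside_map 20 set peer 198.51.100.20
crypto map outside_map 20 set ikev2 ipsec-proposal AES-GCM
crypto map outside_map interface outside
"""

# Legacy ESP transforms worth replacing (SHA1/MD5 integrity, DES/3DES/null encryption).
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac", "esp-null"}


def audit_proposals(config):
    """Return {"<map> <seq>": [(version, name), ...]} for crypto map entries whose
    referenced IKEv1 transform-set or IKEv2 ipsec-proposal is not defined."""
    defined = {"ikev1": set(), "ikev2": set()}
    referenced = []  # (map name, sequence, version, proposal name)
    for line in config.splitlines():
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+)", line)
        if m:
            defined["ikev1"].add(m.group(1))
            continue
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
        if m:
            defined["ikev2"].add(m.group(1))
            continue
        m = re.match(r"crypto map (\S+) (\d+) set (ikev1 transform-set|ikev2 ipsec-proposal) (.+)", line)
        if m:
            version = m.group(3).split()[0]
            for name in m.group(4).split():  # a crypto map entry may list several sets
                referenced.append((m.group(1), int(m.group(2)), version, name))
    missing = {}
    for map_name, seq, version, name in referenced:
        if name not in defined[version]:
            missing.setdefault(f"{map_name} {seq}", []).append((version, name))
    return missing


def weak_transform_sets(config):
    """Map each IKEv1 transform-set name to the legacy transforms it uses."""
    weak = {}
    for line in config.splitlines():
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+) (.+)", line)
        if m:
            found = [t for t in m.group(2).split() if t in WEAK_TRANSFORMS]
            if found:
                weak[m.group(1)] = found
    return weak
```

Run it against the saved ASCII configuration instead of the sample to see which crypto map entry lacks its proposal.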
