01-12-2016 06:35 PM - edited 03-12-2019 12:08 AM
hi,
I've been asked to replace our current "weaker" IKE phase 1 and phase 2 policies from 3DES to AES.
We have active S2S VPNs that are currently using 3DES and I was thinking of a way to implement this with minimal downtime (or completely lock out remote access).
Could someone please advise if my thinking is correct? Other suggestions are most welcome.
HQ ASA:
no crypto isakmp policy x <<< REMOVE WEAK POLICIES
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2    <<< IS GROUP 5 BETTER?
 lifetime 43200
crypto isakmp policy 65535    <<< RETAIN A "CATCH-ALL" PHASE 1 POLICY
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set TSET esp-aes esp-sha-hmac <<< SHOULD I NEED A "CATCH-ALL" IKE PHASE 2 POLICY?
REMOTE ASA
reload in 10
no crypto isakmp policy x <<< REMOVE WEAK POLICIES; WILL THIS CUT ME OFF?
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
clear crypto isakmp sa (ISSUE ON HQ ASA AFTERWARDS)
01-12-2016 08:19 PM
Hi John,
Here is my suggestion.
1. Create new crypto policy with different encry/hash and number on both end devices.
ex: S2S: (group 5 preferred)
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 43200
For remote access:
crypto isakmp policy 65000
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
Transform:
crypto ipsec transform-set NEWSET esp-aes esp-sha-hmac (for site to site and remote)
Make sure you have remote access (SSH to outside interface) to outside interface of far end ASA.
1. Change the Transform set on both ends. You will lose connectivity to the remote end; you may have to clear the existing tunnel (vpn-sessiondb l2l logoff <ipaddress>).
2. Make sure VPN tunnel establishes (run extended ping from one end to other end subnet).
3. Remove policy#10 and Policy #65535. ASAs will negotiate with new parameters.
Make sure you have a maintenance window for this work. I do not see a need to reload ASAs.
hth
MS
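As an added check that is not part of this thread (my own Python, not Cisco tooling): before removing the old policies in step 3, paste a saved "show running-config | include crypto" into this script and it will list which IKEv1 policies and transform sets still carry DES/3DES, MD5 or DH group 1/2 (group 2 is flagged in line with the "group 5 preferred" advice above). The config text below is a constructed sample, not either poster's real config.

```python
import re

# Constructed sample of an ASA running-config excerpt (not the poster's real config).
SAMPLE_CONFIG = """crypto isakmp policy 10
 encryption aes
 hash sha
 group 2
crypto isakmp policy 65535
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec transform-set OLDSET esp-3des esp-md5-hmac
"""
# Settings treated as weak: DES/3DES, MD5, and DH groups 1-2 (group 5 or higher preferred).
WEAK_PHASE1 = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_PHASE2 = {"esp-des", "esp-3des", "esp-md5-hmac"}

def parse_isakmp_policies(config):
    """Collect each 'crypto isakmp policy N' block into {N: {attribute: value}}."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)$", line.strip())
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            policies[current][key] = value
        else:
            current = None  # any other top-level line ends the policy block
    return policies

def audit_phase1(config):
    """Return {policy_number: [weak settings]} for every IKEv1 policy that needs replacing."""
    findings = {}
    for num, attrs in parse_isakmp_policies(config).items():
        weak = [f"{k} {v}" for k, v in attrs.items() if v in WEAK_PHASE1.get(k, ())]
        if weak:
            findings[num] = weak
    return findings

def audit_phase2(config):
    """Return {transform_set_name: [weak ESP transforms]} for every IPsec transform set."""
    findings = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        weak = [t for t in m.group(2).split() if t in WEAK_PHASE2]
        if weak:
            findings[m.group(1)] = weak
    return findings
```

Run audit_phase1 and audit_phase2 on the config of both ASAs; an empty result on both ends is the signal that the old policies are no longer referenced and can be removed.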
01-13-2016 12:18 AM
In fact it's even easier:
07-17-2018 03:27 PM
01-13-2016 12:39 AM
Hi Karsten,
In your step 3, do I need to force SA tear down/up (do a clear crypto isa sa)?
01-13-2016 12:54 AM
You don't have to, you also can just wait. But if you have a window where you can accept a small traffic disruption, then you can clear it and directly see if it uses the new settings.
01-13-2016 03:47 AM
Hi Karsten,
Thanks and will keep that in mind! Just another quick one: I've got a mix of gen1 (using IKEv1) and next gen (IKEv2) ASA FWs. Can I use IKEv1 and IKEv2 simultaneously on my HQ ASA?
Or is the ASA limited to a single version of IKE applied on the 'outside' ASA interface?
01-13-2016 03:51 AM
You can run both versions at the same time. And that's quite a normal situation as it will often be impossible to migrate all VPNs at the same time. Though you'll most likely end up running IKEv1 with some peers and IKEv2 with others.
01-13-2016 04:15 AM
Hi Karsten,
Thanks for clearing my doubts!
I need to lab this up if I get the time :)