Changing ASA IKE Policies

johnlloyd_13
Level 9

Hi,

I've been asked to replace our current "weaker" IKE phase 1 and phase 2 policies, moving from 3DES to AES.

We have active S2S VPNs that are currently using 3DES, and I was thinking of a way to implement this with minimal downtime (and without completely locking out remote access).

Could someone please advise if my thinking is correct? Other suggestions are most welcome.

HQ ASA:

no crypto isakmp policy x   <<< REMOVE WEAK POLICIES

crypto isakmp policy 10

 authentication pre-share
 encryption aes
 hash sha
 group 2    <<< IS GROUP 5 BETTER?
 lifetime 43200

crypto isakmp policy 65535    <<< RETAIN A "CATCH-ALL" PHASE 1 POLICY
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set TSET esp-aes esp-sha-hmac   <<< SHOULD I NEED A "CATCH-ALL" IKE PHASE 2 POLICY?

REMOTE ASA:

reload in 10

no crypto isakmp policy x   <<< REMOVE WEAK POLICIES; WILL THIS CUT ME OFF?

crypto isakmp policy 10

 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200

crypto isakmp policy 65535
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

clear crypto isakmp sa (ISSUE ON HQ ASA AFTERWARDS)

2 Accepted Solutions

mvsheik123
Level 7

Hi John,

Here is my suggestion.

1. Create a new crypto policy with a different encryption/hash and number on both end devices.

ex: S2S: (group 5 preferred)

crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 43200

For remote access:

crypto isakmp policy 65000
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

Transform:

crypto ipsec transform-set NEWSET esp-aes esp-sha-hmac  (for site to site and remote)

Make sure you have remote access (SSH to the outside interface) to the outside interface of the far-end ASA.

1. Change the transform set on both ends. You will lose connectivity to the remote end and may have to clear the existing tunnel (vpn-sessiondb l2l logoff <ipaddress>).

2. Make sure VPN tunnel establishes (run extended ping from one end to other end subnet).

3. Remove policy #10 and policy #65535. The ASAs will negotiate with the new parameters.

Make sure you have a maintenance window for this work. I do not see a need to reload ASAs.

hth

MS 


In fact it's even easier:

  1. Add the better Phase 1 policy with a lower number.
  2. Configure the new transform-set and place it in your crypto map "set transform-set" in the first position, leaving the other transform-set in place.
  3. The next time the tunnel is rebuilt or cleared, the ASAs should use the new settings. If something goes wrong, the old settings are still in place.
  4. When you have confirmed that you are using the new settings, you can remove the old settings that are no longer needed.

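The staged migration described in the two accepted answers, as an added example that is not part of the original thread. It is written in the pre-8.4 syntax the thread uses (ASA 8.4+ spells these "crypto ikev1 policy" and "set ikev1 transform-set"); the crypto map name, ACL name, peer address, the old 3DES set name OLD3DES and the existing policy numbers 10 and 65535 are assumptions.

```cisco
! Added example, not from the thread. Names OUTSIDE_MAP, VPN_TO_REMOTE,
! OLD3DES and the peer 203.0.113.10 are assumed; existing 3DES Phase 1
! policies are assumed to be numbered 10 and 65535.
!
! Step 1: add the AES Phase 1 policy with a LOWER number than the
! existing 3DES policies so the ASA offers it first.
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 43200
!
! Step 2: add the AES transform-set and list it FIRST in the crypto map
! entry; the old 3DES set stays behind it as a fallback for now.
crypto ipsec transform-set NEWSET esp-aes esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set NEWSET OLD3DES
crypto map OUTSIDE_MAP interface outside
!
! Step 3: apply the same on the far end, then either wait for the SAs
! to expire or, in a window where a brief disruption is acceptable,
! clear them and confirm what was actually negotiated.
clear crypto isakmp sa
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
! The "transform:" line in the ipsec SA output should now show esp-aes.
!
! Step 4: only once both peers are confirmed on AES, remove the old
! Phase 1 policies and drop the 3DES set from the crypto map.
no crypto isakmp policy 10
no crypto isakmp policy 65535
crypto map OUTSIDE_MAP 10 set transform-set NEWSET
no crypto ipsec transform-set OLD3DES esp-3des esp-sha-hmac
```

Re-issuing "set transform-set" with a single name overwrites the earlier two-entry list, which is what removes the fallback in step 4.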

8 Replies


For the curious, the "reload 10" command on the remote ASA is just a fail-safe in case the tunnel doesn't come up after the changes...then you just need to sit tight for a few minutes and the device will reload with the previously saved config.


Hi Karsten,

In your step 3, do I need to force an SA tear-down/up (do a clear crypto isa sa)?

You don't have to, you also can just wait. But if you have a window where you can accept a small traffic disruption, then you can clear it and directly see if it uses the new settings.

Hi Karsten,

Thanks, and I will keep that in mind! Just another quick one: I've got a mix of gen1 (using IKEv1) and next-gen (IKEv2) ASA FWs. Can I use IKEv1 and IKEv2 simultaneously on my HQ ASA?

Or is the ASA limited to a single version of IKE applied on the 'outside' ASA interface?

You can run both versions at the same time. And that's quite a normal situation as it will often be impossible to migrate all VPNs at the same time. Though you'll most likely end up running IKEv1 with some peers and IKEv2 with others.
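An added example, not from the thread, of what running both versions on one outside interface looks like: one HQ ASA with an IKEv1 site-to-site peer and an IKEv2 peer. This needs ASA 8.4+ (where IKEv2 was introduced and the IKEv1 keywords changed); the map and ACL names, peer addresses and the placeholder pre-shared keys are assumptions.

```cisco
! Added example, not from the thread. Requires ASA 8.4+. OUTSIDE_MAP,
! the VPN_* ACLs, peer addresses and PLACEHOLDER_PSK_* are assumed.
crypto ikev1 enable outside
crypto ikev2 enable outside
!
! IKEv1 Phase 1 policy and transform-set for the gen-1 peer
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 43200
crypto ipsec ikev1 transform-set NEWSET esp-aes esp-sha-hmac
!
! IKEv2 policy and IPsec proposal for the next-gen peer
crypto ikev2 policy 5
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 43200
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! One crypto map, two entries: each entry carries only the IKE version
! its peer supports, so neither peer can fall back to the other version.
crypto map OUTSIDE_MAP 10 match address VPN_GEN1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set NEWSET
crypto map OUTSIDE_MAP 20 match address VPN_NEXTGEN
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP interface outside
!
! Per-peer authentication, again bound to one IKE version each
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER_PSK_1
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 local-authentication pre-shared-key PLACEHOLDER_PSK_2
 ikev2 remote-authentication pre-shared-key PLACEHOLDER_PSK_2
!
! Verify which version each peer ended up negotiating
show crypto ikev1 sa
show crypto ikev2 sa
```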

Hi Karsten,

Thanks for clearing my doubts!

I need to lab this up if I get the time :)
