ikev2 policy

elite2010
Level 3

Hi, 

I edited the default policy for IKEv2 (this is for the IPsec site-to-site VPN).

Below is the policy before editing:

crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400

and below is the policy after editing:

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256 sha
lifetime seconds 86400

Currently I have only one IPsec site-to-site VPN.

Will the above change impact anything?

What do the commands below mean, and will the above change affect their operation?


crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2

Thanks

5 Replies

The changes you made are to the IKEv2 policy. In order to keep your existing tunnel up and running, do this:

crypto ikev2 policy 1
encryption aes-256
integrity sha sha256
group 5
prf sha sha256
lifetime seconds 86400

!

Doing this, you will keep your existing tunnel up and running.

crypto ikev2 enable Outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint2


To answer your question here.

please do not forget to rate.
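One way to check the point made in this reply (the edited policy must still list every algorithm the peer currently negotiates, otherwise the next rekey fails), as an added example that is not from this thread's posters or from Cisco; the peer's in-use algorithms are an assumption constructed from the original policy:

```python
# Added example, not from the thread's posters or from Cisco: check whether an
# edited ASA IKEv2 policy still offers every algorithm the peer currently uses.
# ASA takes several values per line ("integrity sha sha256") and offers all of
# them, so the tunnel survives the next rekey only if the peer's choice stays
# in each offered set. In ASA syntax "sha" means SHA-1.

NEGOTIATED = ("encryption", "integrity", "group", "prf")

# Constructed from the thread: the poster's edit, which dropped SHA-1 integrity,
# and the reply's version, which lists both hashes.
POLICY_EDITED = """crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256 sha
lifetime seconds 86400"""

POLICY_BOTH = """crypto ikev2 policy 1
encryption aes-256
integrity sha sha256
group 5
prf sha sha256
lifetime seconds 86400"""

# Assumption (constructed): what the remote peer negotiated with the original
# policy, i.e. aes-256 / sha / group 5 / prf sha.
PEER_IN_USE = {"encryption": "aes-256", "integrity": "sha", "group": "5", "prf": "sha"}


def parse_policy(text):
    """Map each negotiated keyword to the set of values the policy offers."""
    offered = {}
    for line in text.splitlines():
        parts = line.strip().split()
        if parts and parts[0] in NEGOTIATED:
            offered[parts[0]] = set(parts[1:])
    return offered


def missing_for_peer(policy_text, peer):
    """Keywords whose in-use value the policy no longer offers (sorted)."""
    offered = parse_policy(policy_text)
    return sorted(k for k in NEGOTIATED if peer[k] not in offered.get(k, set()))


def keeps_tunnel_up(policy_text, peer):
    """True when the peer's current algorithms are all still offered."""
    return not missing_for_peer(policy_text, peer)
```

Running `missing_for_peer(POLICY_EDITED, PEER_IN_USE)` reports only `integrity`, because the edit kept `sha` under `prf` but not under `integrity`; the reply's version reports nothing missing.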

Hi,

Sorry, I did not get what you mean by the below:

crypto ikev2 policy 1
encryption aes-256
integrity sha sha256
group 5
prf sha sha256
lifetime seconds 86400
Thanks 

Cristian Matei
VIP Alumni

Hi,


As you have a single IKEv2 policy, it will be used for all IKEv2 IPsec sessions terminated on the ASA, both Remote Access and Site-to-Site. The crypto ikev2 commands shown don't relate to your changed IKEv2 policy. The first command enables AnyConnect-specific required services (software updates, client profile download), while the second one specifies which certificate is to be used for IKEv2 sessions terminated on the outside interface.


Regards,

Cristian Matei.

Hi @Cristian Matei,

crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256 sha
lifetime seconds 86400

Will the policy cause any performance degradation, since we are using aes-256 encryption?

I am using a Cisco ASA 5585 SSP-10; what is the recommendation,

and how can I check for performance degradation?

2) 

@Cristian Matei said "the first command enables AnyConnect specific required services (software updates, client profile download), while the second one specifies which certificate to be used for IKEv2 sessions terminated on the outside interface".

It means the changes in the policy won't affect any of the commands in the previous post?

Thanks
Hi,

1. You'll get better performance with AES as opposed to 3DES.

2. Correct, the IKEv2 policy changes don't influence the presented commands.

Regards,

Cristian Matei.
