04-07-2020 01:11 PM
Hi,
I edited the default policy for IKEv2 (it is used for the IPsec site-to-site VPN policy).
The below is before editing
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5
prf sha
lifetime seconds 86400
and the below is after editing
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256 sha
lifetime seconds 86400
Currently I have only one IPsec site-to-site VPN. Will the above change impact anything?
What does the below mean, and will the above change affect the below operation?
crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
Thanks
04-07-2020 01:27 PM
The changes you made are to the IKEv2 policy. In order to keep your existing tunnel up and running, do this:
crypto ikev2 policy 1
encryption aes-256
integrity sha sha256
group 5
prf sha sha256
lifetime seconds 86400encryption aes-256
!
Doing this, you will keep your existing tunnel up and running.
crypto ikev2 enable Outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint2
To answer your question here:
04-07-2020 08:59 PM
Hi,
Sorry, I did not get what you mean by the below:
crypto ikev2 policy 1
encryption aes-256
integrity sha sha256
group 5
prf sha sha256
lifetime seconds 86400encryption aes-256
Thanks
04-08-2020 05:22 AM
Hi,
As you have a single IKEv2 policy, this will be used for all IKEv2 IPsec sessions terminated on the ASA, both Remote Access and Site2Site. The present crypto ikev2 commands don't relate to your changed IKEv2 policy. The first command enables AnyConnect-specific required services (software updates, client profile download), while the second one specifies which certificate is to be used for IKEv2 sessions terminated on the outside interface.
Regards,
Cristian Matei.
04-08-2020 12:01 PM
Hi,
crypto ipsec ikev2 ipsec-proposal AES-256
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256 sha
lifetime seconds 86400
Will the policy cause any performance degradation, since we are using aes-256 encryption?
I am using a Cisco ASA 5585 SSP-10; what is the recommendation,
and how do I check for performance degradation?
2)
@Cristian Matei said " the first command enables AnyConnect specific required services (software updates, client profile download), while the second one specifies which certificate to be used for IKEv2 sessions terminated on the outside interface"
Does it mean the changes in the policy won't affect any of the commands in the previous post?
Thanks
04-09-2020 01:24 AM
Hi,
1. You'll get better performance with AES as opposed to 3DES.
2. Correct, the IKEv2 policy changes don't influence the presented commands.
Regards,
Cristian Matei.