01-31-2019 04:15 PM - edited 02-21-2020 08:44 AM
Hello,
I am having a hard time understanding the difference between the "crypto ikev2 policy xxxx" and "crypto ipsec ikev2 proposal xxx".
The Cisco documentation doesn't explain how the two are associated. Can someone clarify?
Thanks in advance, ~zK
02-01-2019 01:23 AM
In a nutshell, a proposal is the set of transforms (encryption and integrity algorithms, basically) used to negotiate a secure connection with the "other end".
A policy is the set of proposals that are going to be used by the two parties in order to find a commonly acceptable proposal for the communication.
Hope this helps
02-01-2019 11:41 AM
Thank you!
This is very helpful.
Best, ~zK
02-01-2019 08:44 AM
Thanks for the input. This is helpful!
So, when creating an IKEv2 policy and an IKEv2 proposal, where does each get referenced or associated? Let's take the config below, for example:
Where in the config are the IKEv2 policies used/associated?
The IKEv2 ipsec-proposal is referenced in or associated with the "crypto map MAP_0 1 set ikev2 ipsec-proposal AES AES192 AES256" line, but I don't see the IKEv2 policies referenced or associated anywhere else in this config!
!
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
!
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
!
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
!
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
!
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
!
crypto map MAP_0 1 match address ACL_abc
crypto map MAP_0 1 set pfs
crypto map MAP_0 1 set peer x.x.x.x
crypto map MAP_0 1 set ikev2 ipsec-proposal AES AES192 AES256
!
crypto map MAP_0 interface outside
!
group-policy HQ_To_Loc_01 internal
group-policy HQ_To_Loc_01 attributes
 vpn-tunnel-protocol ikev2
 split-tunnel-all-dns disable
!
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
 default-group-policy HQ_To_Loc_01
tunnel-group x.x.x.x ipsec-attributes
 ikev2 remote-authentication pre-shared-key abcdefgxxxxxxxx
 ikev2 local-authentication pre-shared-key abcdefgxxxxxxxx
!
Best, ~zK
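As an added example (not code from this thread or from Cisco), a small Python audit that parses a config fragment in the format above: it shows that crypto map entries name only ipsec-proposals, while the IKEv2 policies stand alone (on the ASA they are global and are offered to every IKEv2 peer in priority order, so no map line references them), and it flags dangling proposal references plus weak DH groups or integrity algorithms. The sample config is constructed (AES192 is deliberately referenced but never defined), and the WEAK_GROUPS/WEAK_INTEGRITY sets are my own audit thresholds, not anything from the thread.

```python
import re
# Constructed sample modelled on the thread's ASA fragment; AES192 is never defined.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-256
crypto map MAP_0 1 set ikev2 ipsec-proposal AES AES192 AES256
"""
WEAK_GROUPS = {"1", "2", "5"}             # DH groups of 1536 bits or less (assumed threshold)
WEAK_INTEGRITY = {"md5", "sha", "sha-1"}  # 'integrity sha' in an ASA IKEv2 policy is SHA-1

def parse_asa(text):
    """Return ({policy: attrs}, {proposal: attrs}, {map entry: [proposal names]})."""
    policies, proposals, map_refs, cur = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"crypto ikev2 policy (\d+)", line):
            cur = policies.setdefault(m[1], {})        # sub-commands follow
        elif m := re.fullmatch(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line):
            cur = proposals.setdefault(m[1], {})
        elif m := re.fullmatch(r"crypto map (\S+) (\d+) set ikev2 ipsec-proposal (.+)", line):
            map_refs[f"{m[1]} {m[2]}"] = m[3].split()  # only proposals are referenced here
            cur = None
        elif line.startswith(("crypto", "!")) or not line:
            cur = None                                 # any other top-level line ends a block
        elif cur is not None:
            key, _, vals = line.removeprefix("protocol esp ").partition(" ")
            cur[key] = vals.split()                    # e.g. group -> ['5', '2']
    return policies, proposals, map_refs

def audit(text):
    """Weak algorithms, plus map entries naming an ipsec-proposal that does not exist."""
    policies, proposals, map_refs = parse_asa(text)
    findings = []
    for kind, items in (("ikev2 policy", policies), ("ipsec-proposal", proposals)):
        for name, attrs in items.items():
            if weak := WEAK_GROUPS & set(attrs.get("group", [])):
                findings.append(f"{kind} {name}: weak DH group {sorted(weak)}")
            if weak := WEAK_INTEGRITY & set(attrs.get("integrity", [])):
                findings.append(f"{kind} {name}: weak integrity {sorted(weak)}")
    for entry, names in map_refs.items():
        for n in names:
            if n not in proposals:
                findings.append(f"crypto map {entry}: undefined ipsec-proposal {n}")
    return findings
```

Note that `audit` never looks for a policy reference in the map: the policies are picked up by the IKE_SA_INIT exchange itself once `crypto ikev2 enable` is set on the interface, which is why the OP's config shows no link.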