
Site to site vpn

adamgibs7
Level 6

Dears,

My IKEv2 tunnel is not coming up with the below settings. On my end I have an ASA and the remote end is a Check Point. I want to know whether the below is the correct configuration or whether there should be some change.

 

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256 ----- this will match with the sha512 lower setting, or should I lower it down to aes 192

protocol esp integrity sha-512 ----- I want to know whether this can match with AES 256 above or whether I should lower it down

 

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-384

 

 

crypto ikev2 policy 1

encryption aes-256

integrity sha512

group 20 21

prf sha512

lifetime seconds 86400

 

 

crypto ikev2 policy 2

encryption aes-192

integrity sha384

group 20 21

prf sha384

lifetime seconds 86400

6 Replies

GioGonza
Level 4

Hello @adamgibs7

 

It seems to be OK, but the other side needs to match what you configured. Can you also attach the crypto configuration?

 

HTH

Gio

 

 

Things are failing for me on these settings and I am not able to form the VPN. The problem is that I am not able to collect the VPN debug logs to see why it is failing: when the debugs are enabled and the VPN interesting traffic is initiated, the terminal session gets disconnected.

 

Any smart idea for enabling the important debug logs to see why it is failing?

 

I have enabled

debug crypto ikev2 protocol 127

debug crypto ikev2 platform 127

 

 

cshannahan
Level 1

Is it failing on phase 1 or phase 2? Did you enable the debugs for IKE etc.? Make sure the other side is the same and you both have PFS set the same.

Dear,

Is there anybody who has built a VPN with Check Point with compatible settings?

The main problem is that I am not able to collect the logs.

 

Thanks

Who controls the other end? Do you manage both firewalls?

No, I don't manage them.

 

One question: can I have multiple proposals like below, or do I have to create separate ones?

 

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256 aes-192

protocol esp integrity sha-512 sha-384

 

crypto ikev2 policy 1

encryption aes-256 aes-192

integrity sha512 sha384

group 20 21

prf sha512

lifetime seconds 86400
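
An added example, not part of the thread and not Cisco or Check Point tooling: since the debugs could not be captured, the IKEv2 policies posted above can be compared offline against whatever the remote administrator reports. The peer offer is a constructed assumption written in ASA keyword names, and the check applies the RFC 7296 rule that a proposal matches only when every transform type has a value in common.

```python
# Added example: offline IKEv2 policy comparison (function names are hypothetical).
# ASA_CONFIG is the original poster's two policies; PEER_OFFER is constructed.
ASA_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 20 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-192
 integrity sha384
 group 20 21
 prf sha384
 lifetime seconds 86400
"""

# Assumption: what the remote admin says their side proposes (not from the thread).
PEER_OFFER = {"encryption": {"aes-256"}, "integrity": {"sha384"},
              "prf": {"sha384"}, "group": {"20"}}

TRANSFORMS = ("encryption", "integrity", "prf", "group")

def parse_policies(text):
    """Return {policy_number: {transform_type: set(values)}} from ASA-style lines."""
    policies, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ikev2", "policy"] and len(words) == 4:
            current = policies.setdefault(int(words[3]), {})
        elif current is not None and words and words[0] in TRANSFORMS:
            current.setdefault(words[0], set()).update(words[1:])
        elif words and words[0] == "crypto":
            current = None  # a different crypto block, stop collecting
    return policies

def mismatches(policy, offer):
    """Transform types with no common value; an empty list means the policy can match."""
    return [t for t in TRANSFORMS if not policy.get(t, set()) & offer.get(t, set())]

def compare(text, offer):
    """Map each local policy number to the transform types that block a match."""
    return {n: mismatches(p, offer) for n, p in sorted(parse_policies(text).items())}

if __name__ == "__main__":
    for num, missing in compare(ASA_CONFIG, PEER_OFFER).items():
        status = "can match" if not missing else "no overlap in " + ", ".join(missing)
        print(f"policy {num}: {status}")
```

With this constructed offer neither separate policy matches, because each policy is evaluated as a whole; the same function can be run on a policy that lists several values per line to see which combinations it would accept.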
