12-06-2013 06:17 AM - edited 03-11-2019 08:13 PM
Dear
I am using the policy below for two site-to-site VPNs. May I know whether the policy number and group number, as below, affect the tunnel priority? What is the actual function of that policy number and group number?
crypto isakmp policy 5
authentication pre-share
encryption aes
hash md5
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash md5
group 1
lifetime 86400
12-06-2013 06:32 AM
group is used in these configurations to specify the Diffie-Hellman group. The peer of each of the connections apparently needs to use a different Diffie-Hellman group to negotiate its keys.
Understanding the function of the policy number will indirectly lead to an answer to the question about priority. The policy number allows you to create more than one ISAKMP policy and to uniquely identify each policy. You might want multiple policies because one connection needs one set of parameters and another connection needs a different set of parameters. In your example there need to be 2 policies because one connection needs to specify Diffie-Hellman group 2 and the other connection needs to specify Diffie-Hellman group 1. When there is an attempt to initiate a connection the ASA will evaluate each of the configured policies until it finds one that matches the requirements of the peer device. So there is not really any priority other than specifying the order in which the policies will be evaluated.
HTH
Rick
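To make the matching rule above concrete, here is an added Python model of responder-side ISAKMP policy selection. It is not code from the thread or from Cisco; it uses the two policies from the question, while the three peer proposal sets and the lifetime rule (the shorter of the two lifetimes is used) are assumptions for illustration. It shows that the policy number is only an evaluation position: when a peer offers both DH groups, the lower-numbered local policy is the one that wins, so the order decides which of several mutually acceptable parameter sets actually protects the tunnel.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IsakmpPolicy:
    """One 'crypto isakmp policy <number>' stanza."""
    number: int          # evaluation order only: the lowest number is tried first
    authentication: str  # pre-share, rsa-sig, ...
    encryption: str      # aes, 3des, ...
    hash_alg: str        # the 'hash' keyword: md5 or sha
    group: int           # Diffie-Hellman group
    lifetime: int        # seconds


# The two policies from the original post.
LOCAL_POLICIES = [
    IsakmpPolicy(5, "pre-share", "aes", "md5", 2, 86400),
    IsakmpPolicy(10, "pre-share", "aes", "md5", 1, 86400),
]


def attributes_match(mine: IsakmpPolicy, theirs: IsakmpPolicy) -> bool:
    """Authentication, encryption, hash and DH group must all be identical."""
    return (mine.authentication == theirs.authentication
            and mine.encryption == theirs.encryption
            and mine.hash_alg == theirs.hash_alg
            and mine.group == theirs.group)


def select_policy(local, proposals):
    """Responder-side selection.

    Walk our policies in ascending number and accept the first one that any
    proposal sent by the initiator matches. The policy number itself is never
    sent to the peer; it only fixes this evaluation order. Lifetime is not part
    of the match: the shorter of the two is used (an assumption made for this
    example, simplified from Cisco's documented IKE behaviour).
    Returns (policy, negotiated_lifetime) or None when nothing matches.
    """
    for mine in sorted(local, key=lambda p: p.number):
        for theirs in proposals:
            if attributes_match(mine, theirs):
                return mine, min(mine.lifetime, theirs.lifetime)
    return None


# Constructed proposal sets for three hypothetical peers. The peer's own policy
# numbers mean nothing to us, so they are arbitrary here.
PEER_GROUP1_ONLY = [IsakmpPolicy(1, "pre-share", "aes", "md5", 1, 86400)]
PEER_BOTH_GROUPS = [IsakmpPolicy(1, "pre-share", "aes", "md5", 1, 86400),
                    IsakmpPolicy(2, "pre-share", "aes", "md5", 2, 28800)]
PEER_SHA_ONLY = [IsakmpPolicy(1, "pre-share", "aes", "sha", 2, 86400)]


def demo():
    """Map each hypothetical peer to (local policy number, lifetime) or None."""
    results = {}
    for name, proposals in [("group1_only", PEER_GROUP1_ONLY),
                            ("both_groups", PEER_BOTH_GROUPS),
                            ("sha_only", PEER_SHA_ONLY)]:
        chosen = select_policy(LOCAL_POLICIES, proposals)
        results[name] = None if chosen is None else (chosen[0].number, chosen[1])
    return results


if __name__ == "__main__":
    for peer, outcome in demo().items():
        print(f"{peer}: {outcome}")
```

Running it shows the group-1-only peer landing on policy 10, the peer that offers both groups landing on policy 5 (group 2) purely because 5 is evaluated before 10, and the SHA-only peer failing phase 1 altogether. Because the lowest matching number wins whenever a peer offers several acceptable proposals, the strongest parameter set belongs on the lowest policy number; note that both policies in the question use MD5 and policy 10 uses DH group 1, neither of which is considered adequate today.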
12-06-2013 06:41 AM
I am glad that my answer was helpful. Thank you for using the rating system to mark this question as answered.
HTH
Rick
12-06-2013 06:42 AM
One more question: what is the meaning of the number in the crypto map below? Does that number need to match the policy number?
crypto map TESTING 10 match address vpn_testiing
crypto map TESTING 10 set peer 123.123.123.123
crypto map TESTING 10 set transform-set ESP-3DES-SHA
12-06-2013 07:14 AM
Interesting question. I am glad to say that it has an easy answer. The number in the map is to allow for multiple entries in the map and to uniquely identify each entry. So it is very similar to the number in the isakmp policy. Like the isakmp policy the ASA will organize the map according to the sequence numbers and will evaluate new connection attempts to the map in numerical order. Other than this there is no sense of priority in the map numbers.
And no, there is no need to match the map number to the policy number. In fact it is common that multiple map entries might use the same ISAKMP policy, so there is potentially a many-to-one relationship between the map numbers and the policy numbers.
HTH
Rick
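As an added illustration of the crypto map sequence number (not code from the thread or from Cisco), here is a Python model of how traffic is matched against the map. The entry from the post is kept as is; the second entry with peer 198.51.100.1, ACL vpn_backup and transform set ESP-AES-SHA, and the contents of both crypto ACLs, are constructed for the example. Flows are checked against entries in ascending sequence and the first crypto ACL hit decides the peer and transform set, which is why the order matters when ACLs overlap, and it is entirely independent of the ISAKMP policy numbers.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoMapEntry:
    """One 'crypto map TESTING <seq> ...' entry."""
    seq: int            # evaluation order only; unrelated to ISAKMP policy numbers
    match_address: str  # crypto ACL that selects the interesting traffic
    peer: str
    transform_set: str


# Crypto ACLs as (action, source network, destination network). Constructed for
# this example; 'vpn_testiing' keeps the ACL name used in the post.
ACLS = {
    "vpn_testiing": [("permit", "10.1.0.0/16", "10.2.0.0/16")],
    "vpn_backup":   [("permit", "10.1.0.0/16", "10.0.0.0/8")],  # overlaps the one above
}

CRYPTO_MAP = [
    CryptoMapEntry(10, "vpn_testiing", "123.123.123.123", "ESP-3DES-SHA"),  # from the post
    CryptoMapEntry(20, "vpn_backup", "198.51.100.1", "ESP-AES-SHA"),        # constructed
]


def acl_permits(acl_name, src, dst):
    """First-match ACL evaluation; no matching line means implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in ACLS[acl_name]:
        if src_ip in ipaddress.ip_network(src_net) and dst_ip in ipaddress.ip_network(dst_net):
            return action == "permit"
    return False


def select_map_entry(crypto_map, src, dst):
    """Try entries in ascending sequence number; the first one whose crypto ACL
    permits the flow supplies the peer and transform set. None means the flow
    is not interesting traffic and leaves the device unencrypted."""
    for entry in sorted(crypto_map, key=lambda e: e.seq):
        if acl_permits(entry.match_address, src, dst):
            return entry
    return None


def demo():
    """Map three constructed flows to (seq, peer) or None."""
    flows = [("10.1.1.1", "10.2.5.5"),    # matches both ACLs: seq 10 is tried first
             ("10.1.1.1", "10.9.0.1"),    # only vpn_backup permits it: seq 20
             ("10.1.1.1", "192.0.2.1")]   # no ACL permits it: sent in the clear
    results = {}
    for src, dst in flows:
        entry = select_map_entry(CRYPTO_MAP, src, dst)
        results[f"{src}->{dst}"] = None if entry is None else (entry.seq, entry.peer)
    return results


if __name__ == "__main__":
    for flow, outcome in demo().items():
        print(f"{flow}: {outcome}")
```

Two things to check on a real box follow from this: when crypto ACLs overlap, a more specific entry that carries a higher sequence number than a broader one is never reached for the overlapping flows, and they quietly go to the broader entry's peer; and a flow that no crypto ACL permits is not dropped but forwarded unencrypted, so the ACLs, not the sequence numbers, are what keep traffic inside the tunnel.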