IKE policies individually per tunnel

ANFA
Level 1

Hello
Is there a way to give each tunnel its own IKE policy?
My problem is that I have created several, because we have many VPN partners.
If I now want to select the IKE policy for the Connection Profiles in the ASDM, I always get the message "IKE police global.It is shared by all IPsec connection profile". It happens again and again that the other side has different settings than the ones the ASA ends up using. This always leads to problems with the VPN tunnel. I would like to assign exactly one policy to each tunnel.
Does anyone know how this works? This is also possible with other renowned manufacturers.


Many Thanks

10 Replies

IKE phase 1 policies are common for all ASAs.

The ASA already gives you the answer: All peers share the same sets of policies. And as long as the other side has a matching policy it should work. The only problem is that the ASA could negotiate a weaker policy that doesn't match your security-policy.

Two possible workarounds for that problem:

  1. Configure the VPN as "receive only". If the other side initiates the connection, it's your ASA that chooses the policy based on your configured priorities.
  2. Move all VPNs with old/legacy crypto to a dedicated/different VPN-Gateway and remove the weaker policies from your main VPN-Gateway.

Both solutions are not possible.
On the one hand, both sides must be able to build up the tunnel.
On the other hand, we often have different lifetimes with different VPN partners. This is often also the biggest problem: the ASA assumes a policy with a different lifetime, even though the counterpart has set a completely different one.

Is there no other possibility? For VPN gateways from other manufacturers, I know that you can configure everything per tunnel according to the settings.

Lifetimes are used as the smallest value of the matching policies in IKEv1. They don't have to be the same on both ends. And there shouldn't be a problem arising from that; at least not a technical one.

I do not think that you can accomplish this with the ASA.

Unfortunately, we have often had technical problems with VPN traffic due to different lifetimes.

Hi Karsten,

You are right when it's Cisco on both ends. But I have seen problems with lifetime when it's different vendors (I faced this with a Juniper/Cisco combination).

Really? When setting up VPNs to third-parties, I never care about the different lifetime and never had problems that were related to these. Very strange ...

What about migrating to IKEv2? You can achieve it with IKEv2.

How would the procedure be with IKEv2?
There are global settings there as well.

In IKEv2 you configure a proposal with the phase 1 parameters and assign it to a profile, which maps the parameters to the peer.
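As an added illustration of the proposal/profile split described in the last reply, and of the "move legacy crypto away from the strong policies" concern raised earlier in the thread, here is a constructed IKEv2 configuration in Cisco IOS/IOS-XE syntax (the reply does not say which platform it has in mind; this example is not from the thread and is not ASA syntax, where `crypto ikev2 policy` is still global). Peer addresses, names and lifetimes are invented for the example, and the pre-shared keys are placeholders. The point it shows: the per-peer settings (authentication, keyring, IKE SA lifetime) live in the `crypto ikev2 profile` selected by the remote identity, while the phase 1 algorithm proposals are chosen by the `crypto ikev2 policy`, which is matched on the local address/FVRF rather than on the remote peer.

```cisco
! --- Proposals: the phase-1 algorithm sets this router is willing to use ---
crypto ikev2 proposal PROP-MODERN
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! Legacy set kept only for the one partner that cannot do better
crypto ikev2 proposal PROP-LEGACY
 encryption aes-cbc-128
 integrity sha1
 group 2
!
! --- Policy: which proposals are offered/accepted. It is matched on the
!     local address (and FVRF), not on the remote peer, so both proposals
!     are listed here; the peer-specific parts come from the profiles below ---
crypto ikev2 policy POL-OUTSIDE
 match address local 203.0.113.1
 proposal PROP-MODERN
 proposal PROP-LEGACY
!
! --- Keyrings: one pre-shared key per partner (placeholder values) ---
crypto ikev2 keyring KR-PARTNER-A
 peer PARTNER-A
  address 198.51.100.10
  pre-shared-key REPLACE-WITH-PARTNER-A-PSK
!
crypto ikev2 keyring KR-PARTNER-B
 peer PARTNER-B
  address 198.51.100.20
  pre-shared-key REPLACE-WITH-PARTNER-B-PSK
!
! --- Profiles: per-peer authentication, keyring and IKE SA lifetime.
!     The remote identity decides which profile a peer lands in, so
!     partner A and partner B can have different lifetimes ---
crypto ikev2 profile PROF-PARTNER-A
 match identity remote address 198.51.100.10 255.255.255.255
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-PARTNER-A
 lifetime 28800
!
crypto ikev2 profile PROF-PARTNER-B
 match identity remote address 198.51.100.20 255.255.255.255
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-PARTNER-B
 lifetime 86400
!
! --- Bind each profile to its own tunnel through an IPsec profile ---
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-PARTNER-A
 set transform-set TS-AES256-SHA256
 set ikev2-profile PROF-PARTNER-A
!
interface Tunnel10
 ip address 10.255.0.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PARTNER-A
```

After the tunnel comes up, `show crypto ikev2 sa detailed` lists the negotiated algorithms and the remaining lifetime per SA, which is the quickest way to confirm that each partner actually landed in its intended profile and that the legacy proposal was not selected for a partner that supports the modern one.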