vpn on asa and isakmp questions - is there a way to 'not' use the ordered policy map 9.1 code

George Wolf
Level 1

I have a 5585 and a problem going to a user on a ZyXEL firewall. He says it's because I'm sending him too much in my SA (even though I've changed the policy he wants, i.e. AES-256 SHA / 28800, to the highest priority on the map so the ASA uses that one first).

Is there no way to get around the multi-policy on the Cisco? With the customer's ZyXEL firewall he can specifically choose only one phase 1 he wants and not have a map. I'd like to set the Cisco to only use the policy I want, the way I can on phase 2, meaning I don't have a phase 2 map of policies; I can set it on the tunnel. That way I'll know he's only getting the ISAKMP policy he's expecting. He says he sees me sending him a lot more in an SA than he'd expect, but I don't know exactly how that policy works... does it send the first policy and, if that doesn't work, then the Cisco sends the next ordered policy etc., or does it send it all out in one big packet and hope his firewall picks one?

Anyway, is it possible to send a specific ISAKMP policy, or am I bound only to the policy map that the Cisco uses?

Any help appreciated,

George
2 Replies

pjain2
Cisco Employee

When one side is the initiator, it sends all the phase 1 policies configured on its end to the remote end, and the remote end selects the first policy that matches on its side from those received policies.

This is the way it is designed.

Is this what you are looking for?
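As an added illustration of the behaviour pjain2 describes (not part of this thread and not Cisco code), here is a small Python model: the initiator offers every configured policy, the responder walks its own policies in priority order and takes the first match. Both configs are constructed in ASA-style `crypto ikev1 policy` syntax; treating the responder's priority order as the deciding one, and lifetime as negotiable rather than a match criterion, are assumptions of the model.

```python
"""Model of IKEv1 phase 1 proposal selection: initiator offers all of its
policies, responder picks the first of its own (by priority) that matches.
Constructed sample configs; ASA-style 'crypto ikev1 policy' syntax assumed."""
import re

ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
crypto ikev1 policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
"""
# Constructed peer that only accepts one (weaker) proposal
PEER_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
"""
# Attributes that must agree for a match; lifetime is assumed to be
# negotiated down to the smaller value, so it is not a match criterion here
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_policies(config):
    """Return [(priority, {attr: value}), ...] sorted by priority (lowest first)."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, value = line.split(None, 1)
            policies[current][key] = value
    return sorted(policies.items())

def negotiate(initiator, responder):
    """Responder priority decides (assumption): first responder policy that any
    offered initiator policy matches wins. Returns (resp_prio, init_prio) or None."""
    for r_prio, r_pol in responder:
        for i_prio, i_pol in initiator:
            if all(i_pol.get(k) == r_pol.get(k) for k in MATCH_KEYS):
                return r_prio, i_prio
    return None

def policies_other_than(policies, intended):
    """Priorities of configured policies that differ from the one intended policy."""
    return [p for p, pol in policies if any(pol.get(k) != intended[k] for k in MATCH_KEYS)]
```

The point it makes: the initiator's ordering does not restrict what the peer can pick, since policy 20 is selected here even though policy 10 is offered first; only removing the unwanted policies from the initiator's configuration (which `policies_other_than` lists) guarantees a single outcome.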

No, isn't there a way to set and enforce the ISAKMP policy? Other firewalls can select only one thing, like AES-256 SHA; even the ASDM leads you to believe you can pick the policy to enforce it but doesn't let you??

It's odd; why would I want to let the ISAKMP be dictated by the remote side? Phase 2 doesn't run policy based, you can set it... Is there no way to set phase 1 like other firewalls?