4061 Views · 0 Helpful · 5 Replies

ASA IKE/IPSEC Proposal

Mike D
Level 1

Hi guys.

I'm hoping this is a really obvious one.

On older versions of the ASA you can select, for example during the VPN Wizard, exactly which DH Group and proposals you wished to use etc.

I'm currently looking at a VPN on version 8.4 and it appears that the full set of IKE proposals is used for all VPN across Phase 1.

It is also not clear to me how to adjust the proposals for Phase 2.

Can anyone help clarify? Or is it all assumed to be automatic now?

Many thanks.

Mike

5 Replies

Kanwaljeet Singh
Cisco Employee

Hi Mike,

They are a set of standard proposals that come pre-configured. You can create another one if you think the existing ones will not match the proposal sent by the peer.

ciscoasa(config-ikev1-policy)# crypto ikev1 policy 30
ciscoasa(config-ikev1-policy)# ?

crypto ikev1 policy configuration commands:
  authentication  Set authentication method (pre-share or rsa-sig)
  encryption      Set encryption algorithm (des, 3des, aes-128, aes-192, or
                  aes-256)
  exit            Exit from crypto ikev1 policy configuration mode
  group           Set Diffie-Hellman group (1,2 or 5)
  hash            Set hash algorithm (md5 or sha1)
  help            Help for crypto ikev1 policy configuration commands
  lifetime        Set IKEV1 SA lifetime (seconds)
  no              Negate a command or set its defaults
  <cr>

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thanks Kanwal.

I can see the IKE Policy proposals listed, but it is not clear how to force an IKE Policy for a particular peer.

For the IPsec Proposal the list can be amended and a single proposal entered.

But for the IKE Policy it's not clear how to define a single policy for a connection.

If that makes sense.

Thanks again.

Mike

Hi Mike,

You don't need to. It will automatically select from the list the one which matches the peer.

You can see that if you run "debug crypto ikev1" and "debug crypto ipsec"

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Ok thanks.

But if you have a Cisco ASA at both sides how could you force a particular IKE Policy for a single peer?

Thanks again.

Mike

Hi Mike,

When IKE negotiations begin, the peer that initiates the negotiation sends all of its policies to the remote peer, and the remote peer tries to find a match. The remote peer checks all of the peer's policies against each of its configured policies in priority order (highest priority first) until it discovers a match.

Note: The lower the priority number, the higher the priority.

A match exists when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values. For IKEv1, the remote peer policy must also specify a lifetime less than or equal to the lifetime in the policy the initiator sent. If the lifetimes are not identical, the ASA uses the shorter lifetime.

So basically you can manipulate the priorities and create one policy with a priority which would match all parameters with your peer. Since the parameters are unique, it will not match any other policy even if they are processed first due to their lower priority. But the most secure ones have higher priority too.

Hope this helps.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
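The matching rules in the reply above can be checked by hand before touching a production pair of ASAs. The following script is an added example, not part of this thread and not Cisco code: it parses constructed "crypto ikev1 policy" blocks written in ASA running-config style and plays the responder-side search exactly as the reply describes it (encryption, hash, authentication and DH group must be equal; the responder's lifetime must be less than or equal to the initiator's; the shorter lifetime wins). The three configs (HUB, LEGACY_SPOKE, STRICT_PEER) are made up for the demonstration, and the ASSUMED_DEFAULTS table is an assumption for attributes a block leaves unset, not a verified list of ASA 8.4 defaults. The third scenario shows the lifetime caveat: a peer with a shorter lifetime that initiates towards a peer whose otherwise identical policy has a longer lifetime gets no match at all under the stated rule.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
ATTR_RE = re.compile(r"^\s+(authentication|encryption|hash|group|lifetime)\s+(\S+)$")

# Assumed values for attributes a block does not set (assumption, not a
# verified list of ASA 8.4 defaults).
ASSUMED_DEFAULTS = {"authentication": "pre-share", "encryption": "3des",
                    "hash": "sha", "group": "2", "lifetime": "86400"}


@dataclass(frozen=True)
class IkePolicy:
    priority: int        # lower number = higher priority, checked first
    authentication: str
    encryption: str
    hash_alg: str
    group: int
    lifetime: int        # seconds

    def attributes(self) -> Tuple[str, str, str, int]:
        """The four values that must be identical on both peers."""
        return (self.authentication, self.encryption, self.hash_alg, self.group)


def parse_policies(config: str) -> List[IkePolicy]:
    """Parse every 'crypto ikev1 policy N' block; result is in priority order."""
    blocks: List[Dict[str, str]] = []
    for raw in config.splitlines():
        line = raw.rstrip()
        m = POLICY_RE.match(line)
        if m:
            blocks.append(dict(ASSUMED_DEFAULTS, priority=m.group(1)))
            continue
        m = ATTR_RE.match(line)
        if m and blocks:
            blocks[-1][m.group(1)] = m.group(2)
    policies = [IkePolicy(int(b["priority"]), b["authentication"], b["encryption"],
                          b["hash"], int(b["group"]), int(b["lifetime"]))
                for b in blocks]
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator: List[IkePolicy],
              responder: List[IkePolicy]) -> Optional[Tuple[IkePolicy, IkePolicy, int]]:
    """Responder walks its own policies highest priority first and compares each
    one against everything the initiator offered. Returns (responder policy,
    initiator policy, agreed lifetime) for the first match, or None."""
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in sorted(initiator, key=lambda p: p.priority):
            if mine.attributes() != theirs.attributes():
                continue
            if mine.lifetime > theirs.lifetime:
                continue  # IKEv1 rule from the thread: responder lifetime <= initiator's
            return mine, theirs, min(mine.lifetime, theirs.lifetime)
    return None


# Constructed sample configs (not taken from any real device).
HUB = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

LEGACY_SPOKE = """
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""

STRICT_PEER = """
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 28800
"""

if __name__ == "__main__":
    hub, spoke, strict = (parse_policies(c) for c in (HUB, LEGACY_SPOKE, STRICT_PEER))
    for name, init, resp in (("hub->spoke", hub, spoke), ("hub->strict", hub, strict),
                             ("strict->hub", strict, hub)):
        hit = negotiate(init, resp)
        print(name, "no match" if hit is None else
              f"responder policy {hit[0].priority} ({hit[0].encryption}/group {hit[0].group}), lifetime {hit[2]}")
```

The hub-to-spoke run lands on the hub's policy 30 because it is the only attribute set the spoke also has, which is the "unique parameters" trick from the reply; the strict-to-hub run returns no match purely because of the lifetime rule, so when you rely on that trick, give the chosen policy the same lifetime on both ASAs.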