ASA VPN- IKEv2 phase 2 timeout CLI command?

Hello folks.

In the below ASA VPN config, when creating, and then defining the IPsec policy...

((Create the ISAKMP policy))
#crypto ikev2 policy 1
#encryption aes-cbc-128
#integrity sha-128
#group 5
#prf sha-128
#lifetime seconds 86400

 

((Define the IPsec policy))
#crypto ipsec ikev2 ipsec-proposal MYCOMPANY-proposal-1
#protocol esp encryption aes-128
#protocol esp integrity sha-512
# ((Do I simply add the phase 2 timeout here, and is this the correct syntax: "lifetime 28000"? If I am not understanding something here, may you please explain?))

I ask this because the Cisco ASA manual does not mention the need (or ability) to specify a phase 2 timeout.

__________

Secondly, the client asks that the transform set "esp-aes-128-sha-hmac" be used; however, the Cisco ASA manual only shows the above config ((Define the IPsec policy)) as an example, without "hmac".

May you please show the correct additional or new config snippet that will satisfy my client's request?

Thank you!!

Accepted Solution

@jmaxwellUSAF the default lifetime is 28000 already. To manually configure - crypto map map-name seq-num set security-association lifetime {seconds number | kilobytes {number | unlimited}}

SHA-1 should be the HMAC variant, just not explicitly defined in the CLI.


2 Replies

Cisco highly recommends not configuring the lifetime for IKEv2.
So I prefer not to.
For the second point, I will check.

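Putting the accepted answer's two points together, here is an added ASA configuration example (written for this page, not taken from the thread or from Cisco documentation) that sets the phase 2 SA lifetime per crypto map entry and uses SHA-1 for ESP integrity, which the ASA applies as HMAC-SHA1. The crypto map name OUTSIDE_map, the ACL name MYCOMPANY-vpn-acl, the interface name outside, and the peer address 203.0.113.10 are assumed placeholders; the IKEv2 policy and proposal names follow the original post.

```cisco
! Phase 1 (IKEv2 SA). Values mirror the original post; group 5 is kept for
! consistency, but a stronger DH group (14 or higher) is preferable.
crypto ikev2 policy 1
 encryption aes
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400

! Phase 2 proposal. "integrity sha-1" is the HMAC-SHA1 the client asked for
! as "esp-aes-128-sha-hmac"; there is no separate "hmac" keyword for IKEv2.
crypto ipsec ikev2 ipsec-proposal MYCOMPANY-proposal-1
 protocol esp encryption aes
 protocol esp integrity sha-1

! Crypto map entry (assumed names/peer). The per-entry SA lifetime is the
! command from the accepted answer; 28800 s is also the ASA global default,
! so it is only needed when a different value must be negotiated.
crypto map OUTSIDE_map 10 match address MYCOMPANY-vpn-acl
crypto map OUTSIDE_map 10 set peer 203.0.113.10
crypto map OUTSIDE_map 10 set ikev2 ipsec-proposal MYCOMPANY-proposal-1
crypto map OUTSIDE_map 10 set security-association lifetime seconds 28800
crypto map OUTSIDE_map interface outside

! Only if the client actually runs IKEv1: the literal transform-set form of
! "AES-128 with SHA HMAC" is the IKEv1 syntax below, not the IKEv2 proposal.
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
```

Verify the negotiated values with show crypto ikev2 sa and show crypto ipsec sa; the lifetime shown there is what both peers agreed on, not just what was configured locally.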