ASA vpn site-to-site isakmp question

Hello,

I have been asked to configure a new site-to-site VPN on an ASA. For this VPN I should set:

crypto isakmp identity address
crypto isakmp enable outside

In my configuration, crypto isakmp identity is auto and crypto isakmp is not enabled on any interface. I have many VPNs with IKE enabled on the outside interface. My question is: why should I enable isakmp on the outside interface and, above all, can it disrupt the IKE VPNs that are already in place?

Furthermore, neither the group-policy nor the tunnel-group I have been asked to configure has any IKE indication. I have never seen this kind of VPN configuration before; it is something new.

Thanks

Accepted Solutions

Aditya Ganjoo
Cisco Employee

Hi Giuseppe,

The command crypto isakmp enable outside has been changed to crypto ikev1 enable outside in newer ASA versions, so you do not need to enable this.

You also do not need to configure crypto isakmp identity address, as it is set to auto.

This command specifies that the tunnel will be negotiated on the basis of IP address, but since it is set to auto it will do that on its own, so there is no need to specify this command.

Yes, you can create a new group policy and tunnel group for this new tunnel, and it should have no impact on the other working tunnels.

Regards,

Aditya

Please rate helpful posts and mark correct answers.
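
A pre-change check built on the answer above, as an added example that is not part of the original post and not Cisco tooling: it rewrites the legacy `crypto isakmp enable` form to `crypto ikev1 enable` and compares the requested lines against a running-config excerpt to show whether applying them would change anything. The config excerpt is constructed, and the `normalize` and `review` names are hypothetical.

```python
import re

# Constructed excerpt of a running configuration (not from the thread).
RUNNING_CONFIG = """\
crypto isakmp identity auto
crypto ikev1 enable outside
crypto ikev1 policy 10
"""

# Lines the poster was asked to add, as quoted in the question.
REQUESTED = [
    "crypto isakmp identity address",
    "crypto isakmp enable outside",
]

def normalize(line):
    """Rewrite the legacy 'crypto isakmp enable <if>' form to the newer
    'crypto ikev1 enable <if>' form named in the answer."""
    return re.sub(r"^crypto isakmp enable (\S+)$", r"crypto ikev1 enable \1", line.strip())

def review(requested, running_config):
    """Return {requested line: verdict} for a pre-change review."""
    running = {normalize(l) for l in running_config.splitlines() if l.strip()}
    # Assumption: a missing identity line is treated as 'auto', as in the poster's config.
    identity = next((l.split()[-1] for l in running
                     if l.startswith("crypto isakmp identity ")), "auto")
    verdicts = {}
    for line in requested:
        new = normalize(line)
        if new.startswith("crypto ikev1 enable "):
            if new in running:
                verdicts[line] = f"no change: '{new}' already present"
            else:
                verdicts[line] = f"change: would add '{new}'"
        elif new == "crypto isakmp identity address":
            # Per the answer, 'auto' already negotiates on the IP address.
            if identity in ("auto", "address"):
                verdicts[line] = f"no change needed: identity is '{identity}'"
            else:
                verdicts[line] = f"review: identity is currently '{identity}'"
        else:
            verdicts[line] = "not covered by this check"
    return verdicts

if __name__ == "__main__":
    for requested_line, verdict in review(REQUESTED, RUNNING_CONFIG).items():
        print(f"{requested_line} -> {verdict}")
```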

Thanks for your answer, Aditya, but is it correct that they didn't ask me to configure IKE in either the group policy or the tunnel group configuration?

Let me add a question: I have also been asked to configure a crypto isakmp policy, but maybe (as you wrote) it's just the same as crypto ike policy?

P.S. I'm talking about configuring a VPN to AWS.
