06-16-2016 02:04 PM - edited 02-21-2020 08:51 PM
I am attempting to establish VPN to two separate sites via an interface crypto map, using DH 5 key encryption for site 1 and DH 14 for site 2, by defining two policies: 10 for DH 5 and 20 for DH 14. I can successfully establish IPsec VPN with both site 1 and site 2 using DH 5. I cannot get past Phase I ISAKMP when I request that site 2 attempt to use DH 14; only site 1, specifying DH 5, is established. (The background here is that DH 14 is mandated by DoD; the site 1 ASA VPN is not able to support it, the site 2 ASA VPN can, so I am minimally trying to establish site 2 with DH 14.) Is it possible to do this given the following router config?
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 14
!
crypto ipsec transform-set abcd esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto isakmp key xxxxxxx address 1.1.1.1
crypto isakmp key yyyyy address 2.2.2.2
!
crypto map vpn1 10 ipsec-isakmp
set peer 1.1.1.1
descrip site1
set transform-set abcd
set pfs group5
match address 101
crypto map vpn1 20 ipsec-isakmp
set peer 2.2.2.2
descrip site2
set transform-set abcd
set pfs group14
match address 103
!
interface GigabitEthernet0/0
crypto map vpn1
!
The ASA VPN is an off-site appliance which I do not control; site 2, which is the desired DH 14 site, is an ASA5512 running ASA 9.5(2).
06-16-2016 03:22 PM
Unless both sides support DH14 and both are configured for it, it is not going to work.
06-17-2016 06:03 AM
Hi Philip, thanks for your response. So from a single router I should be able to establish a site-to-site VPN to each site with a different ISAKMP policy (DH 5 / DH 14); if the policies match up during the peer negotiation it should work, right?
06-17-2016 09:46 PM
Correct.
07-11-2016 09:33 AM
The issue was the versions of the IKE protocol. In order to configure DH group 14 key size, the ASA5515 had to use IKEv2; I was still using IKEv1 on the router side.
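To make the negotiation behaviour in this thread concrete, here is an added Python model of IKE Phase 1 policy matching; it is constructed example code, not Cisco software and not the poster's configuration. The router policies come from the config posted above; the peer policy sets (site 1 with only a DH 5 IKEv1 policy, site 2 with a DH 5 IKEv1 policy and its DH 14 policy only under IKEv2, as the resolution describes) and the router's IKEv2 proposal are assumptions. It shows why both tunnels come up at DH 5 under IKEv1 even with policy 20 present, why a DH 14 requirement is not enforced merely by adding that policy, and why the DH 14 match only appears once both ends speak IKEv2.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Policy:
    priority: int          # lower number is tried first
    encr: str              # e.g. "aes-256"
    hash_alg: str          # e.g. "sha"
    auth: str              # e.g. "pre-share"
    group: int             # Diffie-Hellman group
    lifetime: int = 86400  # seconds


def attributes_match(responder: Policy, initiator: Policy) -> bool:
    """IKEv1 Phase 1 match rule as Cisco documents it: encryption, hash,
    authentication and DH group must be identical, and the responder's
    lifetime must be <= the initiator's (the shorter lifetime is used)."""
    return (responder.encr == initiator.encr
            and responder.hash_alg == initiator.hash_alg
            and responder.auth == initiator.auth
            and responder.group == initiator.group
            and responder.lifetime <= initiator.lifetime)


# A peer is modelled as the IKE versions it runs and its policies under each.
# (Assumption: IKEv2 proposals are represented with the same fields.)
Peer = Dict[str, List[Policy]]


def negotiate(version: str, initiator: List[Policy], peer: Peer) -> Optional[Policy]:
    """The initiator offers every policy it has for `version`; the responder
    walks its own policies for that version in priority order and accepts the
    first that matches any offer. A peer without that IKE version never
    answers, so the result is None."""
    responder = peer.get(version, [])
    for mine in sorted(responder, key=lambda p: p.priority):
        for theirs in sorted(initiator, key=lambda p: p.priority):
            if attributes_match(mine, theirs):
                return mine
    return None


def meets_minimum_group(agreed: Optional[Policy], minimum: int) -> bool:
    """Policy check a DoD-style mandate needs: a tunnel that negotiated a
    weaker group than required should be treated as non-compliant."""
    return agreed is not None and agreed.group >= minimum


# Router side, from the thread: policy 10 = DH 5, policy 20 = DH 14 (IKEv1).
ROUTER_IKEV1 = [
    Policy(10, "aes-256", "sha", "pre-share", 5),
    Policy(20, "aes-256", "sha", "pre-share", 14),
]
# Assumed IKEv2 proposal on the router once it is migrated to IKEv2.
ROUTER_IKEV2 = [Policy(20, "aes-256", "sha", "pre-share", 14)]

# Constructed peers (assumptions, see lead-in).
SITE1: Peer = {"ikev1": [Policy(10, "aes-256", "sha", "pre-share", 5)]}
SITE2: Peer = {
    "ikev1": [Policy(10, "aes-256", "sha", "pre-share", 5)],
    "ikev2": [Policy(10, "aes-256", "sha", "pre-share", 14)],
}


def phase1_outcomes() -> Dict[str, Optional[Policy]]:
    """Run the three negotiations the thread discusses."""
    return {
        "site1 over IKEv1": negotiate("ikev1", ROUTER_IKEV1, SITE1),
        "site2 over IKEv1": negotiate("ikev1", ROUTER_IKEV1, SITE2),
        "site2 over IKEv2": negotiate("ikev2", ROUTER_IKEV2, SITE2),
    }


if __name__ == "__main__":
    for name, agreed in phase1_outcomes().items():
        group = agreed.group if agreed else None
        print(f"{name}: DH group {group}, DH14 compliant: "
              f"{meets_minimum_group(agreed, 14)}")
```

The operational takeaway of the model is that IOS offers all configured ISAKMP policies and the peer picks the first of its own that matches, so a DH 14 policy sitting next to a DH 5 policy does not force DH 14; after the fix, confirm the negotiated group on the live tunnel rather than inferring it from the policy list.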