C2921 to Cisco ASA site-to-site IPSEC VPN

bryantsteve
Level 1

I am attempting to establish a VPN to two separate sites via an interface crypto map, using DH 5 key encryption for site 1 and DH 14 for site 2, by defining two policies: 10 for DH 5 and 20 for DH 14. I can successfully establish the IPsec VPN with both site 1 and site 2 using DH 5. I cannot get past Phase 1 ISAKMP when I ask site 2 to use DH 14; only site 1, specifying DH 5, is established. (The background here is that DH 14 is mandated by DoD; the site 1 ASA VPN is not able to support it, but the site 2 ASA VPN can, so I am minimally trying to establish site 2 with DH 14.) Is it possible to do this given the following router config?

!
! Phase 1 (IKEv1/ISAKMP) policies: 10 offers DH group 5, 20 offers DH group 14
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 14
!
! Phase 2 transform set shared by both peers
crypto ipsec transform-set abcd esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Pre-shared keys per peer (values masked)
crypto isakmp key xxxxxxx address 1.1.1.1
crypto isakmp key yyyyy address 2.2.2.2
!
! Both crypto map entries reference the transform set abcd defined above
crypto map vpn1 10 ipsec-isakmp
 description site1
 set peer 1.1.1.1
 set transform-set abcd
 set pfs group5
 match address 101
crypto map vpn1 20 ipsec-isakmp
 description site2
 set peer 2.2.2.2
 set transform-set abcd
 set pfs group14
 match address 103
!
interface GigabitEthernet0/0
 crypto map vpn1
!

The ASA VPN is an off-site appliance which I do not control; site 2, which is the desired DH 14 site, is an ASA5512 running ASA 9.5(2).

4 Replies

Philip D'Ath
VIP Alumni

Unless both sides support DH14, and both are configured for it - it is not going to work.

Hi Philip, thanks for your response. So from a single router I should be able to establish a site-to-site VPN to each site with a different ISAKMP policy (DH 5 / DH 14); if the policies match up during the peer negotiation it should work, right?

Correct.

bryantsteve
Level 1

The issue was the version of the IKE protocol. In order to configure the DH group 14 key size, the ASA5515 had to use IKEv2; I was still using IKEv1 on the router side.
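As an added example, not from the original thread, here is one way to move only the site 2 crypto map entry to IKEv2 on the IOS router, as the final reply says was required for DH group 14, while the site 1 entry stays on the IKEv1 policies already shown. The names PROP-SITE2, POL-SITE2, KR-SITE2 and PROF-SITE2 are assumed, sha256 integrity is an assumed choice, and the ASA side must be configured with matching IKEv2 settings.

```cisco
! IKEv2 proposal for site 2: AES-256, SHA-256 integrity, DH group 14
crypto ikev2 proposal PROP-SITE2
 encryption aes-cbc-256
 integrity sha256
 group 14
!
! IKEv2 policy that offers the proposal above
crypto ikev2 policy POL-SITE2
 proposal PROP-SITE2
!
! Pre-shared key for the site 2 peer (value masked, as in the original config)
crypto ikev2 keyring KR-SITE2
 peer site2
  address 2.2.2.2
  pre-shared-key yyyyy
!
! IKEv2 profile binding the peer identity to the keyring
crypto ikev2 profile PROF-SITE2
 match identity remote address 2.2.2.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-SITE2
!
! Site 2 crypto map entry now negotiates Phase 1 with IKEv2;
! entry 10 for site 1 is unchanged and still uses the ISAKMP (IKEv1) policies
crypto map vpn1 20 ipsec-isakmp
 description site2
 set peer 2.2.2.2
 set transform-set abcd
 set pfs group14
 set ikev2-profile PROF-SITE2
 match address 103
```

After applying it, `show crypto ikev2 sa` should list the 2.2.2.2 session while `show crypto isakmp sa` still shows only 1.1.1.1.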
