Cisco ASA 5515 IKE Phase1 and IKE Phase 2 question

Dear community,

I have a customer that we have a VPN tunnel with. Since the customer is upgrading their network infrastructure there are new demands for the new VPN tunnel between my Cisco ASA 5515 and their firewall.

Here are the demands:

 

IKE Phase 1                               IKE Phase 2
Initiator: Main Mode                      Perfect Forward Secrecy (PFS): NO
Encryption: AES-256                       Encryption: AES-256
Authentication: SHA256                    Authentication: SHA256
Diffie-Hellman Group: 14 (2048 bits)      Encapsulation: ESP
SA Lifetime (sec): 86400                  SA Lifetime (sec): 3600

 

When I look at the Cisco ASA documentation, it seems that IKE Phase 1 has no problems there. However, for IKE Phase 2 I am not able to find whether it is possible to have the settings that the customer requires.

Many thanks for the help in advance.

3 Replies

Hi,
I assume you are referring to SHA-256 not being configurable in IKEv1 Phase 2?
In which case you would need to use IKEv2 instead; you would also need to ensure the peer firewall is using IKEv2.

HTH

Hi there,
Thanks for the answer.
Yes, you are assuming right.
I have been reading and searching on the internet after I sent this question, and I understand that IKEv2 needs to be used. Please correct me if I am wrong.
Now the only thing I am not able to see is whether the SA Lifetime (sec) can be adjusted for IKEv2 in IKE Phase 2. Is this possible?

Yes you need to use IKEv2 and yes the lifetime is configurable with the command "crypto map MAP 1 set security-association lifetime seconds XXXXX".
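For readers landing on this thread, here is an added example of what the resulting ASA IKEv2 site-to-site configuration looks like when it is mapped to the customer's table above (AES-256, SHA-256, DH group 14, no PFS, 86400 s IKE SA lifetime, 3600 s IPsec SA lifetime). It is not configuration from the original poster or from Cisco; the interface name "outside", the peer address 203.0.113.1, the subnets, and the object/ACL/map names are placeholders chosen for this example, and the pre-shared key must be replaced. ASA 8.4 or later is assumed, since that is where IKEv2 support and the `crypto ikev2` syntax appear.

```cisco
! ---- IKE Phase 1 (IKEv2 SA) ----
! IKEv2 has no main/aggressive mode; the "Main Mode" entry in the
! customer's table only applies to IKEv1 and has no IKEv2 equivalent.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! ---- IKE Phase 2 (IPsec / child SA) ----
! SHA-256 integrity for ESP is only selectable with an IKEv2 proposal,
! which is why the thread concludes IKEv1 cannot meet the requirement.
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic for the tunnel (placeholder subnets)
object network LOCAL-LAN
 subnet 10.0.0.0 255.255.255.0
object network CUSTOMER-LAN
 subnet 192.168.50.0 255.255.255.0
access-list VPN-ACL extended permit ip object LOCAL-LAN object CUSTOMER-LAN

! NAT exemption so VPN traffic is not translated on its way out
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static CUSTOMER-LAN CUSTOMER-LAN no-proxy-arp route-lookup

! Crypto map: PFS is NOT enabled ("set pfs" is deliberately absent,
! matching "Perfect Forward Secrecy (PFS): NO" in the requirements).
! The lifetime line is the command quoted in the reply above, set to 3600 s.
crypto map OUTSIDE-MAP 1 match address VPN-ACL
crypto map OUTSIDE-MAP 1 set peer 203.0.113.1
crypto map OUTSIDE-MAP 1 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP 1 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside

! Peer authentication (placeholder key; use a long random PSK in practice)
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-PSK
```

Once the peer side is configured to match, `show crypto ikev2 sa` should list the IKE SA with the AES-256/SHA-256/group 14 parameters, and `show crypto ipsec sa` shows the child SA together with its remaining lifetime, which is the quickest way to confirm the 3600 second value negotiated rather than a default. If the peer does not offer SHA-256 for ESP, the child SA negotiation fails and the mismatch appears in `debug crypto ikev2 protocol` output on the ASA.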