Cisco ASA 5515 IKE Phase1 and IKE Phase 2 question

Dear community,

I have a customer that we have a VPN tunnel with. Since the customer is upgrading their network infrastructure there are new demands for the new VPN tunnel between my Cisco ASA 5515 and their firewall.

Here are the demands:

IKE Phase 1                                IKE Phase 2
Initiator: Main Mode                       Perfect Forward Secrecy (PFS): NO
Encryption: AES-256                        Encryption: AES-256
Authentication: SHA256                     Authentication: SHA256
Diffie-Hellman Group: 14 (2048 bits)       Encapsulation: ESP
SA Lifetime (sec): 86400                   SA Lifetime (sec): 3600

When I look at the Cisco ASA documentation, it seems that IKE Phase 1 has no problems there. However, for IKE Phase 2 I am not able to find out whether it is possible to have the settings that the customer requires.

Many thanks in advance for the help.


Re: Cisco ASA 5515 IKE Phase1 and IKE Phase 2 question

Hi,
I assume you are referring to SHA-256 not being configurable in IKEv1 Phase 2?
In which case you would need to use IKEv2 instead; you would need to ensure the peer firewall is also using IKEv2.

HTH

Re: Cisco ASA 5515 IKE Phase1 and IKE Phase 2 question

Hi there,
Thanks for the answer.
Yes, you are assuming right.
I have been reading and searching on the internet after I sent this question, and I understand that IKEv2 needs to be used. Please correct me if I am wrong.
Now the only thing that I am not able to see whether it is possible to adjust for IKEv2 in IKE Phase 2 is the SA Lifetime (sec); is this possible?

Re: Cisco ASA 5515 IKE Phase1 and IKE Phase 2 question

Yes, you need to use IKEv2, and yes, the lifetime is configurable with the command "crypto map MAP 1 set security-association lifetime seconds XXXXX".
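For reference, here is an added example (not posted by anyone in this thread) of an ASA IKEv2 site-to-site configuration that meets the customer's table above: AES-256, SHA-256, DH group 14 and 86400 s for the IKE SA, and AES-256/SHA-256 ESP with no PFS and 3600 s for the IPsec SA, using the crypto map lifetime command from the answer. The crypto map name MAP and sequence 1 come from the answer; the policy number, proposal name, ACL name, the peer address 203.0.113.10 and the pre-shared key placeholder are assumptions.

```cisco
! --- IKE Phase 1 (IKE SA): IKEv2 replaces IKEv1 Main Mode; IKEv2 has no
!     main/aggressive mode distinction, so that row of the table does not apply.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 prf sha256
 group 14
 lifetime seconds 86400
crypto ikev2 enable outside

! --- IKE Phase 2 (IPsec/child SA): ESP with AES-256 and SHA-256 integrity
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! --- Crypto map entry MAP 1 (name and sequence as in the answer above).
!     ACL_VPN (assumed name) selects the interesting traffic; 203.0.113.10 is
!     a constructed documentation-range address standing in for the peer.
crypto map MAP 1 match address ACL_VPN
crypto map MAP 1 set peer 203.0.113.10
crypto map MAP 1 set ikev2 ipsec-proposal AES256-SHA256
! Phase 2 SA lifetime required by the customer (3600 s), per the answer above
crypto map MAP 1 set security-association lifetime seconds 3600
! PFS is NOT configured on purpose: omitting "set pfs" matches "PFS: NO"
crypto map MAP interface outside

! --- Peer definition with IKEv2 pre-shared-key authentication
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <REPLACE_WITH_PSK>
 ikev2 local-authentication pre-shared-key <REPLACE_WITH_PSK>
```

After the tunnel is up, "show crypto ikev2 sa" and "show crypto ipsec sa" let you confirm the negotiated algorithms and the remaining lifetime on each SA match what the customer expects.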