Doubt about Phase 1 and Phase 2 encryption and authentication.

ciscolover
Level 1

Hi all,

 

I have an IPSEC tunnel created. I have some doubts about encryption and authentication of phase 1 and phase 2. 

 

With show crypto isakmp policy 10 I can see:

  • Encryption algorithm DES
  • Hash MD5
  • Authentication Method Preshared KEY.

I think this is phase 1 and it is negotiated with DES for encryption.

 

My doubt is about phase 2. What is the encryption and authentication method for phase 2? The same as phase 1? Or another? I have a transform set with esp-des esp-md5-hmac. Maybe esp-des is the encryption method for phase 2 and esp-md5-hmac the authentication method? Or not?

 

What is the encryption and authentication of my phase 2 tunnel? Thanks!!!

 

Accepted Solutions

Pawan Raut
Level 4

The transform set is the encryption and auth method for phase 2.

On ASA you can verify the phase 1 and phase 2 parameters using the command below:

sh vpn-sessiondb l2l

 

Regards,

Pawan (CCIE#52104)

 

Kindly rate for helpful post

Thanks for your reply.

 

I would like to create the tunnel with a FW (fortigate) and a CISCO 1841. I'm configuring the CISCO 1841.

 

The client configures the FW and for phase 2 indicates this:

Encryption AES256

Authentication SHA256.

 

I don't find exactly this encryption and authentication method in the transform set options. Maybe the correct one is this? I can't find esp-sha and the 256 option...

crypto ipsec transform-set test esp-aes 256 esp-sha-hmac
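
Added example, not part of the original thread and not Cisco's own tooling: a small Python parser that sorts IOS configuration lines into phase 1 (ISAKMP policy) and phase 2 (transform set) parameters, then compares a transform set with the peer's AES256/SHA256 proposal. The configuration text is constructed from the values quoted in the thread; the function names and the keyword tables are assumptions of this example and cover only the keywords listed.

```python
# Constructed IOS-style configuration built from the values quoted in the thread.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
crypto ipsec transform-set test esp-aes 256 esp-sha-hmac
"""
# IOS keyword -> algorithm (assumed subset); "sha" and "esp-sha-hmac" mean SHA-1.
HASHES = {"md5": "MD5", "sha": "SHA1", "sha256": "SHA256"}
ESP_AUTH = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA1", "esp-sha256-hmac": "SHA256"}

def cipher(name, bits=None):
    name = name.upper()  # des / 3des / aes; AES without a key size is 128-bit
    return name + (bits or "128") if name == "AES" else name

def parse_transforms(tokens):
    """Phase 2: split a transform set's keywords into encryption and authentication."""
    ts = {}
    for i, tok in enumerate(tokens):
        if tok in ESP_AUTH:
            ts["authentication"] = ESP_AUTH[tok]
        elif tok.startswith("esp-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            ts["encryption"] = cipher(tok[4:], nxt if nxt.isdigit() else None)
    return ts

def parse(config):
    """Return {'phase1': {policy_number: {...}}, 'phase2': {set_name: {...}}}."""
    out, policy = {"phase1": {}, "phase2": {}}, None
    for line in config.splitlines():
        w = line.split()
        policy = policy if line.startswith(" ") else None  # top-level line ends the block
        if w[:3] == ["crypto", "isakmp", "policy"] and len(w) > 3:
            policy = out["phase1"].setdefault(w[3], {})
        elif w[:3] == ["crypto", "ipsec", "transform-set"] and len(w) > 4:
            out["phase2"][w[3]] = parse_transforms(w[4:])
        elif policy is not None and len(w) > 1:
            if w[0] in ("encr", "encryption"):
                policy["encryption"] = cipher(w[1], w[2] if len(w) > 2 else None)
            elif w[0] == "hash":
                policy["hash"] = HASHES.get(w[1], w[1])
            elif w[0] == "authentication":
                policy["authentication"] = w[1]
    return out

def mismatches(local, peer):
    """List the parameters where the local transform set differs from the peer's proposal."""
    return [f"{k}: local {local.get(k)} != peer {v}" for k, v in peer.items() if local.get(k) != v]
```

Run against the constructed configuration with the peer proposal `{"encryption": "AES256", "authentication": "SHA256"}`, `mismatches` reports only the authentication parameter, since `esp-sha-hmac` is HMAC-SHA-1 rather than SHA-256.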