Solved: Re: Help with ipsec parameters

captkloss · ‎08-28-2017

I have received ipsec parameters for phase 1/2 from a non-ASA customer:

Phase 1

authentication-method	pre-shared-keys
authentication-algorithm	sha-256 (384)
encryption-algorithm	aes-192-cbc (256)
dh-group	group2
lifetime-seconds	28800

Phase 2

authentication-algorithm	sha-256
encryption-algorithm	aes-192-cbc (256)
protocol	esp
lifetime-seconds	3600
perfect-forward-secrecy keys	none

Can you help with creating corresponding transform-set and crypto policy?

Thanks!

GioGonza · ‎08-31-2017

Hey,

If the other party say they are using IKEv1 that is not going to work since the ASA doesn´t support sha256 for IKEv1 policies, just IKEv2. The other party needs to verify this information in order to configure the right commands on the ASA, here is a link for reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#78391

Gio

View solution in original post

GioGonza · ‎08-30-2017

Hello @captkloss,

Before any suggestion is made, can you specify if this VPN tunnel is IKEv1 or IKEv2?.

Have a good one!

Gio

captkloss · ‎08-30-2017

Hello,

The other party claims they use ikev1 - however i cant see an option to match sha256 using ikev1.... so i'm bit confused...

GioGonza · ‎08-31-2017

Hey,

If the other party say they are using IKEv1 that is not going to work since the ASA doesn´t support sha256 for IKEv1 policies, just IKEv2. The other party needs to verify this information in order to configure the right commands on the ASA, here is a link for reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#78391

Gio

GioGonza · ‎08-30-2017

Hello @captkloss,

Before any suggestion is made, can you specify if this VPN tunnel is IKEv1 or IKEv2?.

Have a good one!

Gio