Help with ipsec parameters

captkloss
Level 1

I have received ipsec parameters for phase 1/2 from a non-ASA customer:

 

Phase 1

authentication-method: pre-shared-keys
authentication-algorithm: sha-256 (384)
encryption-algorithm: aes-192-cbc (256)
dh-group: group2
lifetime-seconds: 28800

Phase 2

authentication-algorithm: sha-256
encryption-algorithm: aes-192-cbc (256)
protocol: esp
lifetime-seconds: 3600
perfect-forward-secrecy keys: none

 

 

Can you help with creating corresponding transform-set and crypto policy?

 

Thanks!

Accepted Solutions

Hey,

If the other party says they are using IKEv1, that is not going to work since the ASA doesn't support sha256 for IKEv1 policies, just IKEv2. The other party needs to verify this information in order to configure the right commands on the ASA. Here is a link for reference: https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#78391

Gio
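
An added example, not part of Gio's reply or Cisco's documentation: if the peer confirms IKEv2, the posted parameters map onto ASA configuration along these lines. The peer address, networks, object names and sequence numbers are constructed placeholders; the example assumes the first value where the post lists two (sha-256, aes-192), and `prf sha256` is an assumption because the post gives no PRF.

```cisco
! Phase 1 (IKEv2 policy). sha256 integrity is only available here,
! not in an IKEv1 policy, which is the point of the accepted answer.
crypto ikev2 policy 10
 encryption aes-192
 integrity sha256
 ! Assumption: PRF follows the integrity algorithm; confirm with the peer.
 prf sha256
 ! Group 2 (1024-bit MODP) matches the peer's sheet. It is weak by
 ! current guidance, so ask whether the peer can use a larger group.
 group 2
 lifetime seconds 28800
crypto ikev2 enable outside

! Phase 2 (ESP proposal).
crypto ipsec ikev2 ipsec-proposal CUSTOMER-PROP
 protocol esp encryption aes-192
 protocol esp integrity sha-256

! Interesting traffic (constructed documentation networks).
access-list CUSTOMER-ACL extended permit ip 192.0.2.0 255.255.255.0 198.51.100.0 255.255.255.0

! Crypto map: 3600 s lifetime; no "set pfs" line because the peer
! lists perfect-forward-secrecy as none.
crypto map OUTSIDE_MAP 10 match address CUSTOMER-ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal CUSTOMER-PROP
crypto map OUTSIDE_MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE_MAP interface outside

! Pre-shared-key authentication in both directions (placeholder key).
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PRE-SHARED-KEY>
 ikev2 local-authentication pre-shared-key <PRE-SHARED-KEY>
```

Once the tunnel is up, `show crypto ikev2 sa` and `show crypto ipsec sa` show the algorithms that were actually negotiated, which settles whether the values in parentheses on the peer's sheet were the ones in use.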


4 Replies

GioGonza
Level 4

Hello @captkloss

 

Before any suggestion is made, can you specify if this VPN tunnel is IKEv1 or IKEv2?

 

Have a good one!

 

Gio

Hello, 

 

The other party claims they use IKEv1; however, I can't see an option to match sha256 using IKEv1... so I'm a bit confused...
