Re: How FTD selects IKE policy

mahiragil · ‎07-28-2022

Got a question why some P 1 S2S tunnels had a lifetime of 28800 even if policy configured when setting up the tunnel are 86400.
Started digging and it seems to do with IKEvX1/2 policy priority, where if there is multiple policies, the one with lowest priority with be tested for match first.

My question is, will a tunnel
1: First try the selected policy, and if policy doesn't match witch remote peer, test other policies based on priority?
2: Try policy with lowest priority first, ignoring your selected policy?

If case 2 are correct, will selecting a policy only matter when picking policies of the same priority?

Rob Ingram · ‎07-28-2022

@mahiragil IKE lifetimes are determined differently between version 1 and 2. In IKEv2 if the two peers have different lifetime policies, the shorter lifetime will be used.

To establish the IKE SA, the initiator will propose the algorthims to use, the responder will select the proposal the both mutually support and send this back to the initiator.

MHM Cisco World · ‎07-28-2022

I do small lab,
R1-R2

in R1 have two policy
policy 5 (en 3des)
policy 10 (en des)

in R2 have two policy
policy 10 (en des)
policy 15 (en 3des)

and then debug isakmp
what get
R1 send two proposal to R2
for policy 5 and then 10

the R2 check the proposal with lowest priority first then check the second proposal with lowest priority (10) and match found.

for your case try add ISAKMP profile and add match identity, this make you sure that IPsec select right proposal and also you can sure the lifetime will be what you config under the policy.