How to associate crypto policy with tunnel-group ?

eigrpy
Level 4

Hi, when I review the configuration of a point-to-point VPN, I have a question. The ASA has three point-to-point VPNs in the configuration, so there are also three tunnel-groups there. My question is: how does each VPN associate a crypto policy with a tunnel-group? In other words, which crypto policy is associated with which tunnel-group? Thank you.


Puneesh Chhabra
Cisco Employee

Both the tunnel-group and the crypto map have a peer address, so any request/response from that peer will be catered for by its respective crypto map and tunnel-group.

Regards,

Puneesh

Thank you so much for your reply.

In the ASA, there is no peer address under "crypto ikev1 policy"; please see below. The only thing that distinguishes them is their policy number. In the example below there are two policies, numbered 1 and 10. I do not see a tunnel-group or crypto map associated with these policy numbers.

-------------------------------------

crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

These are phase 1 policies; they are evaluated from top to bottom. When you try to negotiate the tunnel between two peers, in the background they send you all their policies, and whichever matches first (top to bottom) is used.

For example:

If your peer device is using (3des, md5, pre-share and group 2), it will match policy 1, and the rest of the policies will not be checked.

Regards,

Puneesh

Thank you so much for your explanation. I think you are right. That also means that several tunnel-groups can share one crypto policy, as long as the other endpoints' crypto policies can match the common crypto policy on this ASA, right?

Yes, that is correct.

If you want to see which policy was negotiated for the tunnel, issue the following command:

show crypto isakmp sa detail

Regards,

Puneesh

If you find the answer helpful, please mark it as correct so others can benefit from the discussion.

Sometimes there are a lot of VPNs on one ASA. There are several components for one VPN, such as the crypto policy, the ACL, the crypto ipsec transform set, and the crypto map, which includes the peer. Among them, only the tunnel-group and the crypto map determine a specific VPN; the rest of them can be shared through their name or number, right?

Yes, you are correct.

Regards,

Puneesh
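The two points settled in this thread (the ikev1 policies are global and chosen top to bottom by first match, while only the crypto map entry and the tunnel-group are specific to one peer) are easier to see when the config is parsed and the selection is simulated. The following is an added example written for this page, not Cisco code and not anything posted in the thread. The config fragment is constructed: the two ikev1 policies are copied from the post above, but the peer addresses, ACL names, crypto map name and transform set are made up, and the legacy-algorithm check at the end is an added caveat of the editor, not something the thread raises.

```python
import re
from dataclasses import dataclass

# Constructed ASA config fragment (only the two ikev1 policies come from the
# thread): two L2L VPNs that share the same global phase 1 policies.
ASA_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-A-ACL
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES
crypto map OUTSIDE_MAP 20 match address VPN-B-ACL
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set ikev1 transform-set TS-AES
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 203.0.113.20 type ipsec-l2l
"""

MATCH_ATTRS = ("authentication", "encryption", "hash", "group")

@dataclass
class Ikev1Policy:
    number: int
    authentication: str = ""
    encryption: str = ""
    hash: str = ""
    group: str = ""
    lifetime: int = 86400  # ASA default when the policy sets none

def parse_ikev1_policies(cfg):
    """Global ikev1 policies in evaluation order (lowest number first).
    A policy carries no peer address and no tunnel-group reference."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            n = int(m.group(1))
            cur = policies.setdefault(n, Ikev1Policy(n))
        elif cur is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if key == "lifetime":
                cur.lifetime = int(val)
            elif key in MATCH_ATTRS:
                setattr(cur, key, val)
        else:
            cur = None  # any other top-level line ends the policy block
    return [policies[n] for n in sorted(policies)]

def select_ikev1_policy(policies, proposals):
    """Responder-side phase 1 selection as the thread describes it: walk our
    policies top to bottom, return the first one that any peer proposal matches
    on auth/encryption/hash/DH group.  Lifetime is not a match criterion here
    (the peers settle on the shorter of the two)."""
    for pol in policies:
        for prop in proposals:
            if all(str(getattr(pol, a)) == str(prop.get(a)) for a in MATCH_ATTRS):
                return pol
    return None

CMAP_RE = re.compile(
    r"crypto map (\S+) (\d+) (match address|set peer|set ikev1 transform-set) (\S+)")
CMAP_KEYS = {"match address": "acl", "set peer": "peer",
             "set ikev1 transform-set": "transform_set"}

def vpn_components(cfg):
    """Per-peer view of what is specific to one VPN: the crypto map entry
    (name, seq, ACL, transform set) and the tunnel-group.  The ikev1 policies
    are deliberately absent because they are global and shared."""
    entries, tgroups = {}, {}
    for line in cfg.splitlines():
        m = CMAP_RE.match(line)
        if m:
            name, seq, what, val = m.groups()
            e = entries.setdefault((name, int(seq)), {"crypto_map": name, "seq": int(seq)})
            e[CMAP_KEYS[what]] = val
        m = re.match(r"tunnel-group (\S+) type (\S+)", line)
        if m:
            tgroups[m.group(1)] = m.group(2)
    # For an L2L VPN the tunnel-group is named after the peer address.
    return {e["peer"]: dict(e, tunnel_group=e["peer"] if e["peer"] in tgroups else None,
                            tunnel_type=tgroups.get(e["peer"]))
            for e in entries.values() if "peer" in e}

# Added caveat, not raised in the thread: 3DES, MD5 and DH group 2 are legacy.
LEGACY = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

def weak_policies(policies):
    """Numbers of policies still using a legacy cipher, hash or DH group."""
    return [p.number for p in policies
            if any(str(getattr(p, a)) in bad for a, bad in LEGACY.items())]
```

Feeding a peer that offers (pre-share, 3des, md5, group 2) to `select_ikev1_policy` returns policy 1 and policy 10 is never examined, exactly as described above; a peer offering only sha gets policy 10, and a peer offering only AES with group 14 gets nothing, which is what an IKE phase 1 failure for "no proposal chosen" looks like in practice. `vpn_components` shows both peers pointing at their own crypto map sequence and tunnel-group while the transform set and the ikev1 policies are shared. On a real ASA, `show crypto isakmp sa detail` reports which values were actually negotiated.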

Thank you for your excellent explanation!