07-07-2015 07:44 AM
Hi, when I review the configuration of point-to-point VPNs, I have a question. The ASA has three p-to-p VPNs in the configuration, so there are also three tunnel-groups in there. My question is how each VPN associates a crypto policy with a tunnel-group. In other words, which crypto policy is associated with which tunnel-group? Thank you.
Solved! Go to Solution.
07-07-2015 05:19 PM
These are phase 1 policies; they work from top to bottom. When you try to negotiate the tunnel between two peers, in the background they send you all your policies, and whichever matches first (top to bottom) is used.
For example:
If your peer device is using (3des, md5, pre-share and group 2), it will match policy 1 and the rest of the policies will not be checked.
Regards,
Puneesh
07-07-2015 09:03 AM
Both the tunnel-group and the crypto map have a peer address. So any request/response from that peer will be handled by its respective crypto map and tunnel-group.
Regards,
Puneesh
07-07-2015 10:15 AM
Thank you so much for your reply.
In the ASA, there is no peer address under "crypto ikev1 policy". Please see below. The only thing that distinguishes them is their policy number. In the example below, there are two policies, and their numbers are 1 and 10. I do not see tunnel-groups or crypto maps associated with these policy numbers.
-------------------------------------
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
07-07-2015 06:15 PM
Thank you so much for your explanation. I think you are right. That also means that several tunnel-groups can share one crypto policy, as long as the other endpoints' crypto policies can match the common crypto policy on this ASA, right?
07-07-2015 06:19 PM
Yes, that is correct.
If you want to see which policy is negotiated in the tunnel, issue the following command:
show crypto isakmp sa detail
Regards,
Puneesh
If you find the answer helpful, please mark it as correct so others can benefit from the discussion.
07-07-2015 07:03 PM
Sometimes there are a lot of VPNs in one ASA. There are several components for one VPN, such as crypto policy, ACL, crypto ipsec, and crypto map, which includes the peer. Among them, only the tunnel-group and the crypto map decide a specific VPN. The rest of them can be shared through their name or number, right?
07-07-2015 08:18 PM
Yes, you are correct.
Regards,
Puneesh
If you find the answer helpful, please mark it as correct so others can benefit from the discussion.
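The following is an added example, not code from the thread or from Cisco: a small Python model of the two selection rules discussed above. It parses a constructed ASA config fragment (the two ikev1 policies posted earlier plus crypto map entries and tunnel-groups with placeholder documentation addresses 203.0.113.10 and 203.0.113.20), picks the first ikev1 policy in ascending priority order that equals the peer's proposal, and resolves the crypto map entry and tunnel-group from the peer IP. The config text, the peer addresses, ACL and transform-set names, and the `negotiate`/`parse_config` helper names are all assumptions made for the example; the ASA itself does the matching internally. It also flags phase 1 settings that are widely considered weak today, because with first-match selection a low-numbered weak policy wins whenever a peer offers it.

```python
"""Added example (not from the thread or from Cisco): model how an ASA picks the
IKEv1 phase 1 policy (first match, ascending policy number) and how the
crypto map entry and tunnel-group are selected by the peer IP address.
The config below is constructed for illustration; peer addresses are
RFC 5737 documentation addresses, ACL and transform-set names are placeholders.
"""
import re

ASA_CONFIG = """\
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto map outside_map 1 match address VPN-A-ACL
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 2 match address VPN-B-ACL
crypto map outside_map 2 set peer 203.0.113.20
crypto map outside_map 2 set ikev1 transform-set ESP-3DES-SHA
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.20 type ipsec-l2l
"""

POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)$")
MAP_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
TUNNEL_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
MATCHED_ATTRS = ("authentication", "encryption", "hash", "group")
# Settings generally considered weak for phase 1 today (assumption used for the flag).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def parse_config(text):
    """Return (policies sorted by priority, {peer_ip: (map_name, seq)}, tunnel-group names)."""
    policies, map_peers, tunnel_groups, current = {}, {}, set(), None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = POLICY_RE.match(line)
        if m:
            current = {"priority": int(m.group(1))}
            policies[current["priority"]] = current
            continue
        if line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")  # e.g. "hash md5"
            current[key] = value
            continue
        current = None  # any non-indented line ends the policy block
        m = MAP_PEER_RE.match(line)
        if m:
            map_peers[m.group(3)] = (m.group(1), int(m.group(2)))
            continue
        m = TUNNEL_RE.match(line)
        if m:
            tunnel_groups.add(m.group(1))
    return [policies[p] for p in sorted(policies)], map_peers, tunnel_groups


def select_ikev1_policy(policies, peer_proposal):
    """First policy (lowest number) whose auth/encryption/hash/group equal the
    peer's proposal, or None. Lifetime is not compared: the shorter one is used."""
    for policy in policies:
        if all(policy.get(a) == peer_proposal.get(a) for a in MATCHED_ATTRS):
            return policy
    return None


def resolve_peer(peer_ip, map_peers, tunnel_groups):
    """Crypto map entry and tunnel-group an incoming peer lands on, by its IP."""
    if peer_ip not in map_peers:
        return None
    map_name, seq = map_peers[peer_ip]
    return {"crypto_map": map_name, "seq": seq,
            "tunnel_group": peer_ip if peer_ip in tunnel_groups else None}


def weak_settings(policy):
    """List the weak attributes of a matched policy, e.g. ['hash=md5']."""
    return [f"{k}={policy[k]}" for k, bad in WEAK.items() if policy.get(k) in bad]


def negotiate(config_text, peer_ip, peer_proposal):
    policies, map_peers, tunnel_groups = parse_config(config_text)
    policy = select_ikev1_policy(policies, peer_proposal)
    return {"policy": policy["priority"] if policy else None,
            "weak": weak_settings(policy) if policy else [],
            "peer": resolve_peer(peer_ip, map_peers, tunnel_groups)}


if __name__ == "__main__":
    proposal = {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": "2"}
    print(negotiate(ASA_CONFIG, "203.0.113.20", proposal))
```

A peer at 203.0.113.20 offering pre-share/3des/md5/group 2 lands on policy 1 (policy 10 is never checked), crypto map sequence 2 and the tunnel-group named by its address; the same peer offering sha instead of md5 falls through to policy 10. To confirm what a real ASA negotiated, use the `show crypto isakmp sa detail` command mentioned above.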
07-08-2015 05:55 AM
Thank you for your excellent explanation !