
IKE phase 1

Existing config on ASA 5510:

crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

=====

I want to create another site-to-site VPN; the second site also uses the same settings (pre-share, aes256, hash sha, group 5).

Should I configure it again using a different policy number, or does it use the existing one?

 

3 Replies

You can share the crypto-config you have. So you don't need a new policy and if the second peer also uses the same Phase2-crypto, you also don't need another transform-set.

All you need is an additional sequence in the existing crypto map with (at least) "set peer", "set transform-set" and "match address".

OK, got it.

If the existing configuration is:

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer x.x.x.x 
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside

==========

I would like to create:

crypto map SG_map bb match address SG_cryptomap
crypto map SG_map bb set peer y.y.y.y
crypto map SG_map bb set transform-set xxxxxxxxxxxxxxxxx
crypto map SG_map interface outside

I would like to know what number bb is.

Can I use 20?

Does the new VPN terminate on the same interface as the first VPN? Then you have to use the same crypto map as there can only be one crypto map applied to each interface:

crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer x.x.x.x 
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map 20 match address SG_cryptomap
crypto map VPN_map 20 set peer y.y.y.y
crypto map VPN_map 20 set transform-set xxxxxxxxxxxxxxxxx
crypto map VPN_map interface outside

 

In general, it just has to be a unique number per different destination-network.
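A complete configuration for the two-peer case the answers describe, as an added example (it is not from the original thread and not the poster's own config): the single ISAKMP policy and the single transform-set are kept, a second crypto ACL and a second tunnel-group are added for the second peer, and sequence 20 is added to the existing crypto map. The subnets in the ACLs, the reuse of ESP-AES-256-SHA for the second peer, the tunnel-group lines and the pre-shared-key placeholders are assumptions; x.x.x.x and y.y.y.y stand for the two peers exactly as in the thread. The syntax is the ASA 8.2-style syntax the thread uses.

```cisco
! Phase 1: one policy serves both peers because they negotiate identical parameters.
! The policy number (10) is unrelated to the crypto map sequence numbers below.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! Phase 2: one transform-set, reused because both peers agree on AES-256 / SHA.
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic, one ACL per peer (subnets are assumed values).
! The ACLs must not overlap: the crypto map is evaluated in ascending sequence
! order and the first matching entry wins, so overlapping ACLs would silently
! send traffic for the second site to the first peer.
access-list VPN_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list SG_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0

! Per-peer authentication: each L2L tunnel-group carries its own pre-shared key.
! Use a distinct key per peer so one site cannot impersonate the other.
! (<key-for-peer-x> and <key-for-peer-y> are placeholders, not real values.)
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key <key-for-peer-x>
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key <key-for-peer-y>

! One crypto map per interface; each peer gets its own sequence number.
crypto map VPN_map 10 match address VPN_cryptomap
crypto map VPN_map 10 set peer x.x.x.x
crypto map VPN_map 10 set transform-set ESP-AES-256-SHA
crypto map VPN_map 20 match address SG_cryptomap
crypto map VPN_map 20 set peer y.y.y.y
crypto map VPN_map 20 set transform-set ESP-AES-256-SHA
crypto map VPN_map interface outside
```

After the second peer sends traffic, `show crypto isakmp sa` should list a Phase 1 SA for y.y.y.y, and `show crypto ipsec sa peer y.y.y.y` should show encaps/decaps counters increasing on the SG_cryptomap selectors; if the counters stay at zero while the first tunnel works, check the ACLs for overlap and that the second site's ACL is the mirror image of SG_cryptomap. On ASA 8.4 and later the same design applies, but the commands are `crypto ikev1 policy`, `ikev1 pre-shared-key` under the tunnel-group, and `set ikev1 transform-set` in the crypto map.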