IKEV1 is global

mautez_mah
Level 1

Hi

I was wondering: when I am creating a site-to-site VPN for multiple peers (each peer for a different site), once I configure Phase 1, will the same algorithm apply to all peers, so I can't set a specific algorithm for a specific peer?
What if I add three rows with priorities 1, 2, 3; which one will be used?
Again, my question is: I need each peer to have a different algorithm in Phase 1. Can I do that? How?

Accepted Solution

@mautez_mah When the 2 peers attempt communication, the peer that initiates the negotiation will send all its policies to the remote peer, and the remote peer will try to find a match. The remote peer looks for a match by comparing its own highest priority policy against the policies received from the other peer. The remote peer checks each of its policies in order of its priority (highest priority first) until a match is found. Think of priority as preferred.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-mt/sec-ike-for-ipsec-vpns-15-mt-book/sec-key-exch-ipsec.html

If you control all VPN peers, ideally you'd standardise on the same algorithms, therefore fewer policies to exchange and process until a match is found.


6 Replies

Francesco Molino
VIP Alumni

Hi

IKEv1 policy is based on authentication, encryption, hash, and Diffie-Hellman parameter values. So when both peers find a match with all values, phase 1 will be negotiated.

I don't understand the use case to have 1 policy per peer, but if you create multiple policies and have 1 different on each remote peer, you would be able to achieve what you're trying to do until you've reached all mix possibilities.

If I misunderstood your question, I'm sorry; could you please elaborate a little bit on what you want to do exactly?

 

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, you can use many rows, each one with a different priority.
When a peer initiates IPsec, the router searches the Auth/Hash/Encrypt values and checks whether it finds a match in one of the rows you added.

3d01h: ISAKMP (0:1): processing SA payload. message ID = 0
3d01h: ISAKMP (0:1): found peer pre-shared key matching 209.165.200.227
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0:1): Hash algorithm offered does not match policy!
ISAKMP (0:1): atts are not acceptable. Next payload is 0

=RouterB=
ISAKMP (0:1): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 1
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP (0:1): Encryption algorithm offered does not match policy!

 

@Francesco Molino @MHM Cisco World
Many thanks guys for your response.
So now in Phase 1 I can have many rows, each one with a different algorithm; once I create a new peer, as long as it matches one of the rows, it should come up for this phase, right?

What is the purpose of priority here?



Which one the routers begin matching with depends on priority.

If both routers have the same policies configured, the highest priority is preferred. They go over all policies one by one in priority order when trying to find a matching policy between them.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
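The priority-ordered matching described in the accepted solution, together with the attribute-by-attribute checks visible in the ISAKMP debug output above, as an added example that is not from the thread or from Cisco: a small Python model of a responder walking its ISAKMP policies against an initiator's offered transform. Policy values are constructed sample data, and the lifetime rule (a policy still matches when its lifetime is no longer than the offered one) is assumed IOS behaviour that the thread itself does not state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    encryption: str
    hash: str
    group: int
    auth: str
    lifetime: int  # seconds


def decode_life_duration(words):
    """Turn the bytes IOS prints as 'life duration (VPI) of 0x0 0x1 0x51 0x80'
    into seconds (big-endian)."""
    value = 0
    for word in words:
        value = (value << 8) | int(word, 16)
    return value


def check_policy(offered, policy):
    """Return None if `policy` accepts `offered`, else the name of the first
    attribute that fails (cf. 'Hash algorithm offered does not match policy!')."""
    for attr in ("encryption", "hash", "group", "auth"):
        if getattr(offered, attr) != getattr(policy, attr):
            return attr
    # Assumption (IOS behaviour, not stated in the thread): a policy whose
    # lifetime is <= the offered lifetime still matches; the shorter is used.
    if policy.lifetime > offered.lifetime:
        return "lifetime"
    return None


def negotiate(policies, offered):
    """policies: {priority: Transform}; lower number = higher priority.
    Returns (matched_priority or None, [(priority, failing_attr_or_None), ...])."""
    checks = []
    for priority in sorted(policies):
        failing = check_policy(offered, policies[priority])
        checks.append((priority, failing))
        if failing is None:
            return priority, checks
    return None, checks


# Constructed sample: responder has policy 10 (AES/SHA/group 14) and policy 20
# (3DES/MD5/group 1); the initiator offers the 3DES/MD5/group 1 transform seen above.
RESPONDER_POLICIES = {
    10: Transform("aes", "sha", 14, "pre-share", 86400),
    20: Transform("3des", "md5", 1, "pre-share", 86400),
}
OFFERED = Transform("3des", "md5", 1, "pre-share",
                    decode_life_duration(["0x0", "0x1", "0x51", "0x80"]))
```

Running `negotiate(RESPONDER_POLICIES, OFFERED)` shows policy 10 rejected on encryption and policy 20 accepted, which is the walk the debug output records one policy at a time.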