ipsec option on lan to lan firewall

Network Pro
Level 1

Hi,

Could anyone please tell me what is the advantage of enabling the "ipsec Protocol" option in the Default group policy? Should this be enabled or disabled? I find that sometimes, while not enabling it, I get a QM FSM error message.

Thanks

10 Replies

Network Pro
Level 1

any thoughts please?

Could you clarify what exactly you mean?

Hi,

I have attached a screenshot of it. Just wondering what the difference is between enabling / disabling it, as I am able to get the tunnel up only by enabling it at certain times.

Translated to the CLI language, the command looks like this (in version 8.4):

vpn-tunnel-protocol ikev1

vpn-tunnel-protocol controls what types of connections are acceptable for a specific group-policy.

Available options:

   vpn-tunnel-protocol ssl-clientless ssl-client ikev1 ikev2

So, if you don't enable this option, regular ipsec/ikev1 connections won't be accepted (won't work) for the peers/users which belong to the corresponding group policy. In most cases it should be enabled.

Thanks Andrew, but isn't this the command to enable ikev1:

crypto ikev1 policy 1 ?

I thought by default it runs on IKEv1? If not, what is the command to enable IKEv2?

And when I enable the above command, I see the corresponding CLI command as vpn-tunnel-protocol l2tp

No, it's totally different. IKE may be enabled on the interface, but when a user connects, the ASA tries to find which group-policy the user belongs to. And, if for that group policy regular IKE is not allowed, the session will not establish.

It just allows more control when dealing with types of connections for specific users.

Say you've got two users. One of them will belong to group policy GP1, and the other to GP2.

In this case, if you have this config:

group-policy GP1 attributes

    vpn-tunnel-protocol ikev1

group-policy GP2 attributes

    vpn-tunnel-protocol ssl-clientless

Users from GP2 won't be able to connect using the regular Cisco VPN client (ipsec only), but will be able to connect to the SSL VPN portal. Users from GP1 will be able to connect with the regular ipsec client.
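To make the group-policy/tunnel-group relationship described above concrete, here is an added audit script (not from the original thread or from Cisco) that parses an ASA-style config excerpt and reports site-to-site peers whose default group policy does not list ikev1. The config text is constructed sample data; the fallback to DfltGrpPolicy for tunnel-groups with no explicit default-group-policy is an assumption about ASA defaults.

```python
import re

# Constructed ASA-style config excerpt (sample data, not from any real device).
SAMPLE_CONFIG = """\
group-policy GP1 internal
group-policy GP1 attributes
 vpn-tunnel-protocol ikev1
group-policy GP2 internal
group-policy GP2 attributes
 vpn-tunnel-protocol ssl-clientless
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP1
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 general-attributes
 default-group-policy GP2
"""

def parse_config(config):
    """Return ({policy: set(protocols)}, {l2l_peer: policy}) from an ASA config."""
    policies, l2l_peers, l2l_policy, section = {}, set(), {}, None
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level statement starts a new section
            section = None
            m = re.match(r"group-policy (\S+) attributes", line)
            if m:
                section = ("gp", m.group(1))
                policies.setdefault(m.group(1), set())
            m = re.match(r"tunnel-group (\S+) type ipsec-l2l", line)
            if m:
                l2l_peers.add(m.group(1))
            m = re.match(r"tunnel-group (\S+) general-attributes", line)
            if m:
                section = ("tg", m.group(1))
            continue
        words = line.split()
        if not words or section is None:
            continue
        if section[0] == "gp" and words[0] == "vpn-tunnel-protocol":
            policies[section[1]] = set(words[1:])   # protocols this policy permits
        elif section[0] == "tg" and words[0] == "default-group-policy":
            l2l_policy[section[1]] = words[1]
    # Assumption: peers without an explicit default-group-policy inherit DfltGrpPolicy.
    return policies, {p: l2l_policy.get(p, "DfltGrpPolicy") for p in l2l_peers}

def l2l_peers_missing_ikev1(config):
    """(peer, policy) pairs whose policy lacks ikev1: an IKEv1 L2L tunnel to that
    peer will be rejected at the group-policy check, as the thread describes."""
    policies, peers = parse_config(config)
    return sorted((peer, pol) for peer, pol in peers.items()
                  if "ikev1" not in policies.get(pol, set()))

if __name__ == "__main__":
    for peer, pol in l2l_peers_missing_ikev1(SAMPLE_CONFIG):
        print(f"{peer}: group-policy {pol} does not allow ikev1")
```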

I am running an older version, 8.2.0, where I don't have vpn-tunnel-protocol ssl-clientless. In my version I have tunnel-groups defined which say "L2TP/IPsec, IPsec, Clientless SSL VPN or SSL VPN Client". I have one group policy defined that has IPSEC and L2TP/IPSEC selected and I am having problems with this. Probably I should select only IPSEC, from your explanation above?

Is that correct?

Thanks

You can select all of them (you have to enable ipsec if you're using the Cisco VPN client; the others are optional), and there won't be any problem, as long as the rest of your VPN configuration is correct.

Do you know what the command is to enable ikev2 on a 5505?

In global config mode:

#crypto ikev2 enable if_name

Plus, under group policy there should be this:

vpn-tunnel-protocol ikev1 ikev2