IPsec policy from CLI-- commands & syntax...

Hello.

On an ASA 5525, is...

#crypto ipsec ikev2 ipsec-proposal PROPOSAL-1
#protocol esp encryption aes-256
#protocol esp integrity sha-512

...the same as...

#crypto ipsec ikev2 ipsec-proposal PROPOSAL-1
#crypto ipsec ikev2 transform-set VENDOR1 esp-aes-256 esp-sha-hmac

?

In "#crypto ipsec ikev2 transform-set VENDOR1 esp-aes-256 esp-sha-hmac", where is, or where should be, the "sha-512" value entered?

Does the above "VENDOR1" associate with anything else in the config?

Thank you!

Accepted Solution

@jmaxwellUSAF on an ASA - crypto ipsec ikev2 ipsec-proposal PROPOSAL-1 defines the encryption/integrity algorithms to establish the IPSec SA.

crypto ipsec ikev2 transform-set VENDOR1 esp-aes-256 esp-sha-hmac is incorrect, as @MHM Cisco World said. When using IKEv1 you use the transform-set syntax, but in IKEv2 you use ipsec-proposal (as per the first example). Both establish the IPsec SA.

You reference the IKEv2 proposal under the crypto map or under the IPSec profile, which is then referenced under the VTI.

crypto map CMAP 10 set ikev2 ipsec-proposal PROPOSAL-1

or

crypto ipsec profile IPSEC_PROFILE
set ikev2 ipsec-proposal PROPOSAL-1

It is not the same as IKEv1 Policy (to establish IKE SA), the following establishes IKEv2 SA on the ASA.

crypto ikev2 policy 5
 encryption aes-256
 integrity sha512 sha384
 group 19 14
 prf sha512 sha384
 lifetime seconds 86400

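As an added example (not code from the thread, the ASA, or Cisco), here is a small Python linter that applies the accepted answer's points to an ASA configuration: it flags the IKEv1-style "crypto ipsec ikev2 transform-set" line as invalid IKEv2 syntax, and checks that every "set ikev2 ipsec-proposal" under a crypto map or IPsec profile names a defined "crypto ipsec ikev2 ipsec-proposal". The sample config (including the undefined PROPOSAL-2) and the list of ESP integrity values to flag are my own assumptions.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample: the thread's valid proposal, its invalid transform-set line, and a map entry naming an undefined proposal.
SAMPLE_CONFIG = """
crypto ipsec ikev2 ipsec-proposal PROPOSAL-1
 protocol esp encryption aes-256
 protocol esp integrity sha-512
crypto ipsec ikev2 transform-set VENDOR1 esp-aes-256 esp-sha-hmac
crypto map CMAP 10 set ikev2 ipsec-proposal PROPOSAL-1
crypto map CMAP 20 set ikev2 ipsec-proposal PROPOSAL-2
crypto ipsec profile IPSEC_PROFILE
 set ikev2 ipsec-proposal PROPOSAL-1
"""
WEAK_INTEGRITY = {"sha-1", "md5", "null"}  # assumption: ESP integrity values to flag

def lint_ikev2_ipsec(config: str) -> List[str]:
    proposals: Dict[str, Dict[str, List[str]]] = {}  # name -> {"encryption": [...], "integrity": [...]}
    references: List[Tuple[str, str]] = []  # (referencing command, proposal name)
    findings: List[str] = []
    current, parent = None, ""  # proposal block being parsed / nearest top-level command
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level command
            current, parent = None, line
            m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line)
            if m:
                current = m.group(1)
                proposals[current] = {"encryption": [], "integrity": []}
                continue
            if line.startswith("crypto ipsec ikev2 transform-set"):
                findings.append("IKEv1-style transform-set is not IKEv2 syntax; "
                                "use 'crypto ipsec ikev2 ipsec-proposal': " + line)
        elif current is not None:  # 'protocol esp ...' sub-command of a proposal
            m = re.match(r"protocol esp (encryption|integrity) (.+)$", line)
            if m:
                proposals[current][m.group(1)] += m.group(2).split()
            continue
        m = re.search(r"set ikev2 ipsec-proposal (\S+)", line)  # crypto map entry or profile sub-command
        if m:
            references.append((parent, m.group(1)))
    for name, algs in proposals.items():
        weak = WEAK_INTEGRITY & set(algs["integrity"])
        if weak:
            findings.append(f"ipsec-proposal {name} allows weak integrity: {sorted(weak)}")
    for cmd, name in references:
        if name not in proposals:
            findings.append(f"'{cmd}' references undefined ipsec-proposal {name}")
    return findings
```

Run it over a "show running-config" capture saved to a file to get the same checks on a real configuration.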

7 Replies

crypto ipsec ikev2 ipsec-proposal PROPOSAL-1 <<- I think this command is a typo; I think it is proposal, not ipsec-proposal

and this command, after correction, is the same as
crypto isakmp policy <<- phase1 of IKEv1 for router 
crypto ikev1 policy <<- phase1 of IKEv1 of ASA

Yes, @Rob Ingram corrected me; there are two commands:
crypto ipsec ikev2 ipsec-proposal <<- this is for phase 2 on the ASA
crypto ikev2 proposal <<- this is for phase 1 on the Router

@MHM Cisco World

Correct, "crypto ipsec ikev2 ipsec-proposal" is used on the ASA to establish IPSec SA

Almost correct for an IOS router; there is no "ipsec" syntax in the command, which defines the algorithms used for SA_INIT (phase 1) to establish the IKE SA.

crypto ikev2 proposal PROP-1
 encryption aes-cbc-256
 integrity sha512 sha384
 group 19 14
!
crypto ikev2 policy IKEV2_POLICY
 proposal PROP-1

This can be confusing with the use of "proposal" on the different platforms.

Yes, a lot. IKEv1 vs IKEv2, and then the command is different for each platform.
Thanks for your note.

balaji.bandi

You need to say which device this is, ASA or Router; sometimes an old device does not support some features.

And are you looking at a VTI tunnel, or only one tunnel?

BB


ASA 5525