Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
313
Views
0
Helpful
4
Replies

Is there a way to hard select IKE parameters on an ASA?

Go to solution
Youreateapot418
Level 1
Level 1

‎03-20-2025 02:57 PM

We have noticed on the ASA that the IKE parameters are declared in a Global list. 

I'm assuming during phase one, each setting would be tested for "best fit", selected, then move into phase 2.

Is there a way to hard code the Phase one settings (encryption, hash etc...) instead of it having to go through the list of different options?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Youreateapot418

‎03-21-2025 01:11 AM

@Youreateapot418 it doesn't need to match lifetime.

"A match exists when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values. For IKEv1, the remote peer policy must also specify a lifetime less than or equal to the lifetime in the policy the initiator sent. If the lifetimes are not identical, the ASA uses the shorter lifetime. For IKEv2 the lifetime is not negotiated but managed locally between each peer, making it possible to configure lifetime independently on each peer."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa922/configuration/vpn/asa-922-vpn-config/vpn-ike.html

 

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎03-21-2025 12:08 AM

@Youreateapot418 no you cannot, you define IKE policies (IKEv1/IKEv2) with the setting and a priority. The ASA/FTD checks the policy with the lowest priority number first. If there is no match, it checks the policy with the next highest priority number, and so on until all policies have been evaluated.

0 Helpful

Go to solution
Youreateapot418
Level 1
Level 1
In response to Rob Ingram

‎03-21-2025 01:04 AM

That's what I thought... however, if you have say for:

priority 1 = sha512 , aes 256 gcm, timeout 86400 seconds

priority 2 = sha512 , aes 256 gcm, timeout 28800 seconds

The far end say they have only the option for:

sha512 , aes 256 gcm, timeout 28800 seconds...

But when the tunnel comes up, it has passed phase1 and brought up phase 2 using our priority 1 option. 

Do timers have to be the same when used in the negotiation?

Or is it something on the far end which (i.e. they are accepting the timeout of 86400 and it's not even attempting to check our priority 2 setting?) 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Youreateapot418

‎03-21-2025 01:11 AM

@Youreateapot418 it doesn't need to match lifetime.

"A match exists when both policies from the two peers contain the same encryption, hash, authentication, and Diffie-Hellman parameter values. For IKEv1, the remote peer policy must also specify a lifetime less than or equal to the lifetime in the policy the initiator sent. If the lifetimes are not identical, the ASA uses the shorter lifetime. For IKEv2 the lifetime is not negotiated but managed locally between each peer, making it possible to configure lifetime independently on each peer."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa922/configuration/vpn/asa-922-vpn-config/vpn-ike.html

 

0 Helpful

Go to solution
Youreateapot418
Level 1
Level 1
In response to Rob Ingram

‎03-21-2025 02:30 AM

This is exactly the info I was looking for, thank you Rob!

0 Helpful
Customers Also Viewed These Support Documents