Phase 1 Encryption Method in Config File
04-05-2012 11:32 AM
OK... I see the statement for the declaration of Encryption for Phase 2. It is clear in the Crypto Map section. Where in the config file is the Phase 1 encryption method defined for a given IPSec Tunnel?
Thanx
Labels: VPN
04-05-2012 11:45 AM
Hi,
From the ASA CLI you should be able to see all the phase 1 policies configured on the ASA with the command "show run crypto". They are at the very end.
Each of the policies has a priority number, which sets the order in which they are checked when a VPN connection is being formed.
To my understanding, none of them are locked to a certain VPN connection on your ASA. They are gone through with the other VPN device/client in the Phase 1 negotiations until they find a policy match that both devices have.
In my 8.4(3) ASA, for example, I have policies like this:
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
For older software the format might be different, like "crypto isakmp policy 10".
- Jouni
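An added example, not part of the original replies: a small Python parser that pulls the Phase 1 policy blocks out of saved "show run crypto" text (both the "crypto ikev1 policy" and older "crypto isakmp policy" headers mentioned above) and lists them in priority order. The sample config is constructed, and first_match() is a simplified, hypothetical model of the negotiation described in the reply that compares only authentication, encryption, hash and group.

```python
import re

# Constructed sample modelled on the "show run crypto" excerpt in the reply above.
SAMPLE_CONFIG = """\
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
"""

HEADER = re.compile(r"^crypto (?:ikev1|isakmp) policy (\d+)\s*$")
FIELDS = ("authentication", "encryption", "hash", "group", "lifetime")
MATCH_KEYS = ("authentication", "encryption", "hash", "group")

def parse_phase1_policies(config_text):
    """Return Phase 1 policies as dicts, sorted by priority (lowest number first)."""
    policies, current = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"priority": int(m.group(1))}
            policies.append(current)
            continue
        key, _, value = line.partition(" ")
        if current is not None and key in FIELDS:
            current[key] = value.strip()
        else:
            current = None  # any other line ends the current policy block
    return sorted(policies, key=lambda p: p["priority"])

def first_match(local_policies, peer_proposals):
    """Simplified model: first local policy, in priority order, equal to a peer proposal."""
    for policy in local_policies:
        for proposal in peer_proposals:
            if all(policy.get(k) == proposal.get(k) for k in MATCH_KEYS):
                return policy
    return None
```

Running parse_phase1_policies() over a saved configuration gives a quick inventory of every Phase 1 proposal the device will accept, which is the list to review since the policies are not tied to a single tunnel.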
04-07-2012 01:19 PM
Eric asked his question without telling us what platform he is asking about. Jouni has given a nice explanation for the ASA. If Eric was asking about an IOS device then the answer is that the phase 1 encryption is specified in the transform set.
HTH
Rick
04-07-2012 01:39 PM
Right you are.
Think I've configured so many ASAs lately that I just presume everyone has one.
