08-06-2018 07:11 AM - edited 08-06-2018 07:19 AM
I have some questions on how phase 1 operates on an ASA. We use an ASA in our data center for VPN only & there are currently 27 active tunnels that are up. Using the command "show vpn-sessiondb l2l" I can see that there are a variety of encryption & hash settings in use for phase 1 & 2 (see below). Also when viewing the "crypto ike" policies on the running config I see 3 policies configured. None of these policies seem to be linked to anything else in the running config. I included the outputs for a few of the tunnels & the crypto ike policies (which I believe are phase 1 settings) configured on the ASA below. Can anyone kindly answer my questions below?
1) In the output of 'show vpn-sessiondb l2l' is IKEv1 phase 1 and IPsec phase 2?
2) In the output of 'show run' are crypto ikev policies the phase 1 settings?
3) Since there are 3 crypto ike policies configured, how does the ASA agree on phase 1 settings with a remote peer when the two sides are trying to establish a tunnel?
4) Does only one crypto ike policy get used on a single lan 2 lan tunnel or can a tunnel use more than one policy at a time?
mtlvpnfw1/pri/act# show vpn-sessiondb l2l
Session Type: LAN-to-LAN
Connection : 1.1.1.1
Index : 1638 IP Addr : 1.1.1.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 1458728370 Bytes Rx : 485490206
Login Time : 14:47:08 EDT Wed Jul 11 2018
Duration : 25d 19h:01m:10s
Connection : 2.2.2.2
Index : 2291 IP Addr : 2.2.2.2
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (9)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (9)SHA1
Bytes Tx : 1345775011 Bytes Rx : 1147052255
Login Time : 17:23:43 EDT Thu Jul 12 2018
Duration : 24d 16h:24m:35s
Connection : 3.3.3.3
Index : 3944 IP Addr : 3.3.3.3
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)3DES IPsec: (3)AES256
Hashing : IKEv1: (1)MD5 IPsec: (3)SHA1
Bytes Tx : 150288073 Bytes Rx : 316990518
Login Time : 05:14:42 EDT Tue Jul 17 2018
Duration : 20d 4h:33m:36s
########################################################################
mtlvpnfw1/pri/act# show run
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
08-06-2018 07:25 AM
1) In the output of 'show vpn-sessiondb l2l' is IKEv1 phase 1 and IPsec phase 2?
Yes
2) In the output of 'show run' are crypto ikev policies the phase 1 settings?
Yes
3) Since there are 3 crypto ike policies configured, how does the ASA agree on phase 1 settings with a remote peer when the two sides are trying to establish a tunnel?
Checks their first ike policy against all your ike policies one by one till a match is found. If no match, then checks their second ike policy against all yours in order and so on till a match is found.
4) Does only one crypto ike policy get used on a single lan 2 lan tunnel or can a tunnel use more than one policy at a time?
Only 1 per peer. This is agreed upon based on the 'negotiation' explained in #3.
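The matching order described in answer #3 (peer's proposals in the outer loop, local policies by priority number in the inner loop, first hit wins) is easy to misread, so here is a small simulation of it. This is example code added to the thread, not Cisco's implementation: the three local policies are copied from the `show run` output in the question, the peer proposal lists are constructed, and the dataclass field names are my own. The lifetime rule follows Cisco's documented ISAKMP matching behaviour (the peer's proposed lifetime must be less than or equal to the local one); treat it as an assumption if your platform documents otherwise.

```python
"""Simulation of IKEv1 phase 1 policy selection on a responder.

Added example, not Cisco's code. Local policies are from the question's
'show run'; peer proposals are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkePolicy:
    priority: int      # 'crypto ikev1 policy <n>': lower number is tried first
    auth: str          # 'authentication pre-share' / 'rsa-sig'
    encryption: str    # 'encryption 3des' / 'aes' / 'aes-256'
    hash: str          # 'hash md5' / 'sha'
    group: int         # Diffie-Hellman 'group 2' / 5 / 14
    lifetime: int      # seconds


# Local phase 1 policies, copied from the question's running config.
LOCAL_POLICIES = [
    IkePolicy(10, "pre-share", "3des", "md5", 2, 86400),
    IkePolicy(20, "pre-share", "aes-256", "sha", 2, 86400),
    IkePolicy(30, "pre-share", "aes-256", "sha", 5, 86400),
]


def matches(local: IkePolicy, proposal: IkePolicy) -> bool:
    """Auth, encryption, hash and DH group must be identical.
    Lifetime: peer's value must be <= ours (Cisco's documented rule; the
    shorter value is then used for the SA)."""
    return (
        local.auth == proposal.auth
        and local.encryption == proposal.encryption
        and local.hash == proposal.hash
        and local.group == proposal.group
        and proposal.lifetime <= local.lifetime
    )


def negotiate(peer_proposals: List[IkePolicy],
              local_policies: List[IkePolicy] = LOCAL_POLICIES) -> Optional[IkePolicy]:
    """Responder-side selection exactly as the answer describes: take the
    peer's first proposal, compare it against every local policy in priority
    order; if nothing matches, move to the peer's second proposal, and so on.
    The first hit wins, so exactly one local policy is used for this peer."""
    ordered_local = sorted(local_policies, key=lambda p: p.priority)
    for proposal in peer_proposals:
        for local in ordered_local:
            if matches(local, proposal):
                return local
    return None  # no common policy: phase 1 fails for this peer


# Constructed peer proposal lists (not from the page).
PEER_A = [  # offers AES-256/SHA/DH5 first, then 3DES/MD5/DH2
    IkePolicy(1, "pre-share", "aes-256", "sha", 5, 86400),
    IkePolicy(2, "pre-share", "3des", "md5", 2, 86400),
]
PEER_B = [  # offers AES-128 first (no local match), then 3DES/MD5/DH2
    IkePolicy(1, "pre-share", "aes", "sha", 2, 86400),
    IkePolicy(2, "pre-share", "3des", "md5", 2, 86400),
]
PEER_C = [  # only offers DH group 14: nothing matches, phase 1 fails
    IkePolicy(1, "pre-share", "aes-256", "sha", 14, 86400),
]

if __name__ == "__main__":
    for name, peer in (("PEER_A", PEER_A), ("PEER_B", PEER_B), ("PEER_C", PEER_C)):
        chosen = negotiate(peer)
        print(name, "->", f"policy {chosen.priority}" if chosen else "no match")
```

Note what PEER_A shows: the peer's first proposal (AES-256/SHA/DH5) is matched against policies 10, 20 and 30 in turn and lands on policy 30, even though the peer also offers 3DES/MD5, which would have matched the higher-priority policy 10. The peer's ordering decides which of its proposals is tried first; your priority numbers only decide the order in which your policies are compared against each one. That is also why the session-db output in the question shows different IKEv1 algorithms per peer: each tunnel settled on a single policy, chosen by this walk.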
08-06-2018 07:35 AM
08-06-2018 07:40 AM
You are correct. Phase 1 and Phase 2 settings have to match on both sides. The only difference would be the crypto ACL (also called interesting traffic or local/remote proxies). This should be a mirror image of what's configured on the other side. Their source network would be your destination and vice versa.
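The "mirror image" requirement for the crypto ACL in the reply above is a mechanical check, and a one-bit netmask difference between the two sides is a classic cause of phase 2 proposal failures. The following script is an added example, not part of this thread or of Cisco's tooling: it parses ASA-style `access-list <name> extended permit ip <net> <mask> <net> <mask>` lines (host/any/object forms are deliberately not handled, to keep the parser short), swaps source and destination on the remote side, and reports what does not line up. All ACL lines and names below are constructed samples.

```python
"""Mirror-image check for IPsec crypto ACLs (interesting traffic).

Added example, not Cisco's code. Handles only 'permit ip <net> <mask> <net>
<mask>' ACEs in ASA 'extended' syntax (an assumption to keep it short).
"""
import ipaddress
import re
from typing import List, Set, Tuple

ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)

# A proxy pair as seen from one side: (its local network, its remote network).
Proxy = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ASA ACLs use dotted netmasks, not prefix lengths; ipaddress accepts both.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_crypto_acl(lines: List[str]) -> Set[Proxy]:
    """Turn ACE lines into a set of (src, dst) network pairs."""
    proxies = set()
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported ACE (only 'permit ip net mask net mask'): {line!r}")
        src, smask, dst, dmask = m.groups()
        proxies.add((_net(src, smask), _net(dst, dmask)))
    return proxies


def mirror(proxies: Set[Proxy]) -> Set[Proxy]:
    """Their source becomes our destination and vice versa."""
    return {(dst, src) for src, dst in proxies}


def mirror_mismatches(local_acl: List[str], remote_acl: List[str]):
    """Return (only_on_local, only_on_remote) after mirroring the remote ACL.
    Both sets empty means the two crypto ACLs are exact mirror images."""
    local = parse_crypto_acl(local_acl)
    remote_as_seen_locally = mirror(parse_crypto_acl(remote_acl))
    return local - remote_as_seen_locally, remote_as_seen_locally - local


# Constructed sample ACLs. The remote side has a netmask typo on its second
# entry (255.255.254.0 instead of 255.255.0.0), so one proxy pair will not match.
LOCAL_ACL = [
    "access-list OUTSIDE_cryptomap extended permit ip 10.10.0.0 255.255.0.0 192.168.50.0 255.255.255.0",
    "access-list OUTSIDE_cryptomap extended permit ip 10.20.0.0 255.255.0.0 192.168.50.0 255.255.255.0",
]
REMOTE_ACL = [
    "access-list VPN_TO_HQ extended permit ip 192.168.50.0 255.255.255.0 10.10.0.0 255.255.0.0",
    "access-list VPN_TO_HQ extended permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.254.0",
]
REMOTE_ACL_FIXED = [
    REMOTE_ACL[0],
    "access-list VPN_TO_HQ extended permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.0.0",
]

if __name__ == "__main__":
    only_local, only_remote = mirror_mismatches(LOCAL_ACL, REMOTE_ACL)
    for src, dst in sorted(only_local, key=str):
        print(f"local has {src} -> {dst} with no mirror on the remote side")
    for src, dst in sorted(only_remote, key=str):
        print(f"remote (mirrored) has {src} -> {dst} with no match locally")
    print("fixed remote ACL is a mirror image:",
          mirror_mismatches(LOCAL_ACL, REMOTE_ACL_FIXED) == (set(), set()))
```

The check compares networks, not raw text, so a remote side written with different ACL names or entry order still passes as long as each pair mirrors one of ours. Run it against both sides' ACLs whenever phase 1 is up but phase 2 never completes; a non-empty result points straight at the entry to fix.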
08-06-2018 08:37 AM
Thanks for your help