Phase One Lan 2 Lan Questions on ASA version 9+

Hawk
Level 1

I have some questions on how phase 1 operates on an ASA. We use an ASA in our data center for VPN only, and there are currently 27 active tunnels that are up. Using the command "show vpn-sessiondb l2l" I can see that there are a variety of encryption and hash settings in use for phase 1 and 2 (see below). Also, when viewing the "crypto ike" policies in the running config, I see 3 policies configured. None of these policies seem to be linked to anything else in the running config. I included the outputs for a few of the tunnels and the crypto ike policies (which I believe are phase 1 settings) configured on the ASA below. Can anyone kindly answer my questions below?


1) In the output of 'show vpn-sessiondb l2l' is IKEv1 phase 1 and  IPsec phase 2?

2) In the output of 'show run' are crypto ikev policies the phase 1 settings?

3) Since there are 3 crypto ike policies configured, how does the ASA agree on phase 1 settings with a remote peer when the two sides are trying to establish a tunnel?

4) Does only one crypto ike policy get used on a single lan 2 lan tunnel or can a tunnel use more than one policy at a time?


mtlvpnfw1/pri/act# show vpn-sessiondb l2l

 

Session Type: LAN-to-LAN

Connection   : 1.1.1.1
Index        : 1638                   IP Addr      : 1.1.1.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 1458728370             Bytes Rx     : 485490206
Login Time   : 14:47:08 EDT Wed Jul 11 2018
Duration     : 25d 19h:01m:10s

 

Connection   : 2.2.2.2
Index        : 2291                   IP Addr      : 2.2.2.2
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (9)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (9)SHA1
Bytes Tx     : 1345775011             Bytes Rx     : 1147052255
Login Time   : 17:23:43 EDT Thu Jul 12 2018
Duration     : 24d 16h:24m:35s

 

Connection   : 3.3.3.3
Index        : 3944                   IP Addr      : 3.3.3.3
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)3DES  IPsec: (3)AES256
Hashing      : IKEv1: (1)MD5  IPsec: (3)SHA1
Bytes Tx     : 150288073              Bytes Rx     : 316990518
Login Time   : 05:14:42 EDT Tue Jul 17 2018
Duration     : 20d 4h:33m:36s

 

########################################################################

 

mtlvpnfw1/pri/act# show run

 

crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

Rahul Govindan
VIP Alumni

1) In the output of 'show vpn-sessiondb l2l' is IKEv1 phase 1 and  IPsec phase 2?

Yes

 

2) In the output of 'show run' are crypto ikev policies the phase 1 settings?

Yes

 

3) Since there are 3 crypto ike policies configured, how does the ASA agree on phase 1 settings with a remote peer when the two sides are trying to establish a tunnel?

Checks their first ike policy against all your ike policies one by one till a match is found. If no match, then checks their second ike policy against all yours in order, and so on till a match is found.

 

4) Does only one crypto ike policy get used on a single lan 2 lan tunnel or can a tunnel use more than one policy at a time?

Only 1 per peer. This is agreed upon based on the 'negotiation' explained in #3.
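A small simulation of the phase 1 match Rahul describes above, added here as an example and not part of the thread: it parses the three ikev1 policies from the 'show run' output in the original post and checks constructed peer proposal lists against them in the order he gives (peer proposals outermost, local policies by priority number innermost). It is a simplified model: lifetime handling and the rest of the real IKEv1 exchange are left out.

```python
# Added example (not from the thread): models the IKEv1 phase 1 policy match described
# in the accepted answer, using the three ikev1 policies from the 'show run' output.
import re

ASA_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
"""

MATCHED_ATTRS = ("authentication", "encryption", "hash", "group")  # lifetime left out of this model

def parse_ikev1_policies(config):
    """Return [(priority, attrs)] sorted lowest priority number first (the ASA's evaluation order)."""
    policies, attrs = [], None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            attrs = {}
            policies.append((int(m.group(1)), attrs))
        elif attrs is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            attrs[key] = value
    return sorted(policies, key=lambda p: p[0])

def negotiate_phase1(remote_proposals, local_policies):
    """Peer proposals in order, each against every local policy in priority order; first full match wins."""
    for idx, proposal in enumerate(remote_proposals):
        for number, attrs in local_policies:
            if all(attrs.get(k) == proposal.get(k) for k in MATCHED_ATTRS):
                return number, idx  # (local policy number, index of the peer proposal that matched)
    return None  # no policy in common: phase 1 fails and a new matching policy would be needed

LOCAL_POLICIES = parse_ikev1_policies(ASA_CONFIG)
```

A peer whose only proposal is aes-256/sha/group 5 lands on policy 30, while a peer offering an unsupported group first and 3des/md5/group 2 second falls through to policy 10 on its second proposal.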

Rahul, do the phase 1 settings on both sides (firewalls) have to match each other? If the remote side does not have phase 1 settings that match one of the policies configured on my ASA, then I would need to create another crypto ike policy that matches the remote peer, correct? What about for phase 2? If the remote peer does not have the same phase 2 settings, I would need to create a matching crypto ipsec transform set with a new crypto map policy?

You are correct. Phase 1 and Phase 2 settings have to match on both sides. The only difference would be the crypto ACL (also called interesting traffic or local/remote proxies). This should be a mirror image of what's configured on the other side. Their source network would be your destination and vice versa.

Thanks for your help