Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1170
Views
0
Helpful
6
Replies

Router in 2 FlexVPNs with non intersecting proposals

Go to solution
Maxim Denisov
Level 3
Level 3

‎12-12-2019 01:36 AM

Hello,

I'm trying to put a IOS XE router in two different FlexVPNs whose proposals not intersecting. The router has one WAN interface with one public IP so I can't distinguish policies by IP or VRF. Is it possible to configure different proposals for each neighbour in this case?

Regards,
Maxim

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to Maxim Denisov

‎12-12-2019 02:48 AM

Not possible.

The best thing you can do is if it's just your Hub that is connecting to the foreign network using DES, then don't modify the proposal on your spoke routers, therefore they would never negotiate with the Hub using DES, only the stronger algorithms you support.

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Rob Ingram
VIP
VIP

‎12-12-2019 01:58 AM

Hi,

The IKE proposals are not tied to specific peers. So you can just define multiple algorithms and the peers will negotiate, obviously there needs to be at least one common proposal.

 

HTH

0 Helpful

Go to solution
Maxim Denisov
Level 3
Level 3
In response to Rob Ingram

‎12-12-2019 02:04 AM

Hi,
I know I can extend my proposal but I don't want to permit weaker ciphers on my network. I need to connect to a FlexVPN with DES allowed. There is no way except modifying proposal?
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Maxim Denisov

‎12-12-2019 02:20 AM

What exactly is your use case? Are all your FlexVPN routers going to connect to this new peer using DES or just the hub?? The IKEv2 policy which references the proposal only supports matching on local address not remote, there is no other option.

If you specify the algorithms in the proposal in order of strongest to weakest, the peers that support the strongest algorithms will negotiate with that, only the peer that supports DES would negotiate with that algorithm.
0 Helpful

Go to solution
Maxim Denisov
Level 3
Level 3
In response to Rob Ingram

‎12-12-2019 02:39 AM - edited ‎12-12-2019 02:41 AM

There is my network where I don't want to permit weaker ciphers, I'm configuring the hub. I need to connect to foreign network which permits DES. I'd like to receive AES encrypted traffic from my network and route it to foreign network encrypted with DES. I know that proposals are ordered, I have read IKEv2 documentation but hoped there is a way to distinguish between neighbours using only one IP.

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Maxim Denisov

‎12-12-2019 02:48 AM

Not possible.

The best thing you can do is if it's just your Hub that is connecting to the foreign network using DES, then don't modify the proposal on your spoke routers, therefore they would never negotiate with the Hub using DES, only the stronger algorithms you support.
0 Helpful

Go to solution
Maxim Denisov
Level 3
Level 3
In response to Rob Ingram

‎12-12-2019 02:53 AM

Thank you, I thought the same but I control HUBs only, spokes in my network belongs to customers and controlled by respective local engineers.
0 Helpful
Customers Also Viewed These Support Documents