cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1414
Views
0
Helpful
6
Replies

Router in 2 FlexVPNs with non intersecting proposals

Maxim Denisov
Level 3
Level 3

Hello,

I'm trying to put a IOS XE router in two different FlexVPNs whose proposals not intersecting. The router has one WAN interface with one public IP so I can't distinguish policies by IP or VRF. Is it possible to configure different proposals for each neighbour in this case?

Regards,
Maxim

1 Accepted Solution

Accepted Solutions

Not possible.

The best thing you can do is if it's just your Hub that is connecting to the foreign network using DES, then don't modify the proposal on your spoke routers, therefore they would never negotiate with the Hub using DES, only the stronger algorithms you support.

View solution in original post

6 Replies 6

Hi,

The IKE proposals are not tied to specific peers. So you can just define multiple algorithms and the peers will negotiate, obviously there needs to be at least one common proposal.

 

HTH

Hi,
I know I can extend my proposal but I don't want to permit weaker ciphers on my network. I need to connect to a FlexVPN with DES allowed. There is no way except modifying proposal?

What exactly is your use case? Are all your FlexVPN routers going to connect to this new peer using DES or just the hub?? The IKEv2 policy which references the proposal only supports matching on local address not remote, there is no other option.

If you specify the algorithms in the proposal in order of strongest to weakest, the peers that support the strongest algorithms will negotiate with that, only the peer that supports DES would negotiate with that algorithm.

There is my network where I don't want to permit weaker ciphers, I'm configuring the hub. I need to connect to foreign network which permits DES. I'd like to receive AES encrypted traffic from my network and route it to foreign network encrypted with DES. I know that proposals are ordered, I have read IKEv2 documentation but hoped there is a way to distinguish between neighbours using only one IP.

Not possible.

The best thing you can do is if it's just your Hub that is connecting to the foreign network using DES, then don't modify the proposal on your spoke routers, therefore they would never negotiate with the Hub using DES, only the stronger algorithms you support.

Thank you, I thought the same but I control HUBs only, spokes in my network belongs to customers and controlled by respective local engineers.