
Two Site-to-Site VPNs with Different Encryption Algorithms

foued kh
Level 1

Hi Team,

I have a site-to-site connection to another site of our office with the following encryption algorithm (IKE policy):

- Authentication : pre-share

- encryption : aes-192

- DH : 2

 

I have to add a new site-to-site connection to another site, but this time the customer on the other side has sent me the following encryption algorithm (IKE policy):

- Authentication : pre-share

- encryption : aes-256

- DH : 5

 

So, I created the new connection and suddenly the first connection went down. After checking, I found that the DH of the first connection had changed to DH : 5.

Is there any solution, please?

 

regards,

1 Accepted Solution

Accepted Solutions

Thank you for your feedback, Sir.
I have resolved the problem by adding the two IKEv1 policies; the CLI show command output is as below:

crypto ikev1 policy 1
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 2
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

 

The two VPN connections are up now after adding the two IKEv1 policies in the same field:

 

111.PNG

 

Regards,


5 Replies

Hi, What hardware is this on? Cisco ASA or Router?
Please upload the configuration of the device that is already working and an example of what you added/changed.

Thank you for responding,

In fact, I work with an ASA5515-x.
The existing VPN STS is as below:

 

111.png

The IKE Policy credentials are:

111.png

The second VPN STS that I have to add is as below:

111.png

Regards,

Your first screenshot only shows there to be 1 IKE policy, can you confirm that both IKEv1 policies are assigned?

 

What is the output from the CLI? There should be at least 2 IKEv1 policies, one with Group 2 and the other with Group 5.

 

crypto ikev1 policy 5
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400

 

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

 


The commands you entered via ASDM are the same as the CLI commands I provided, just a different way of inputting into the ASA.

Glad I could assist in helping you resolve this!
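
An added example, not part of the original thread or Cisco's code: on the ASA the `crypto ikev1 policy` entries form one global list shared by all tunnels, so a peer's Phase 1 proposal has to match one entry on every parameter. This Python sketch parses policy blocks in the format shown above and reports which policy each peer would match. The "before" configuration, the peer names and the peers' hash value are assumptions, and matching is simplified to authentication, encryption, hash and DH group (lifetime is ignored).

```python
import re

FIELDS = ("authentication", "encryption", "hash", "group")

def policy_text(prio, enc, group):
    """Render one policy block in the thread's format (constructed sample input)."""
    return (f"crypto ikev1 policy {prio}\n authentication pre-share\n"
            f" encryption {enc}\n hash sha\n group {group}\n lifetime 86400\n")

# Assumption: the single global policy after it was edited for the new peer.
BEFORE = policy_text(1, "aes-256", 5)
# The two policies from the accepted solution in the thread.
AFTER = policy_text(1, "aes-192", 2) + policy_text(2, "aes-256", 5)

# Peer proposals from the question; names are hypothetical, hash sha is assumed.
PEERS = {
    "existing-site": {"authentication": "pre-share", "encryption": "aes-192",
                      "hash": "sha", "group": "2"},
    "new-customer": {"authentication": "pre-share", "encryption": "aes-256",
                     "hash": "sha", "group": "5"},
}

def parse_policies(text):
    """Return {priority: {field: value}} from 'crypto ikev1 policy N' blocks."""
    policies, current = {}, None
    for line in text.splitlines():
        header = re.fullmatch(r"crypto ikev1 policy (\d+)", line.strip())
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if key in FIELDS:
                current[key] = value.strip()
    return policies

def match_policy(policies, proposal):
    """Lowest-numbered policy agreeing with the proposal on all FIELDS, else None."""
    for prio in sorted(policies):
        if all(policies[prio].get(f) == proposal[f] for f in FIELDS):
            return prio
    return None

def audit(config_text, peers):
    """Map each peer name to the matching policy priority (None = no Phase 1 match)."""
    policies = parse_policies(config_text)
    return {name: match_policy(policies, p) for name, p in peers.items()}

if __name__ == "__main__":
    print("before:", audit(BEFORE, PEERS))
    print("after: ", audit(AFTER, PEERS))
```

A `None` for any peer means no policy in the global list agrees with that peer's proposal, which is the state the first tunnel was in after the single policy was changed to group 5.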