07-09-2014 05:50 PM
Hi guys, I don't clearly understand the ISAKMP policy on the ASA, so I am raising this topic to ask those who have more years of experience with VPN. Assume that I have already configured a site-to-site VPN to my branch office on my ASA 5510, and my next goal is to configure remote access VPN on this ASA as well. My question is: in my site-to-site VPN I already created an ISAKMP policy, so for my remote access VPN, do I need to create it again or not?
07-09-2014 07:02 PM
Hi,
IPsec is the primary protocol used in L2L and Remote Access VPN deployments.
If you are using IPsec Remote Access VPN, you don't need to create new ISAKMP policies.
For SSL-based Remote Access VPN, ISAKMP policies are not needed as they are part of IPsec VPN.
Here is the document that you can refer to:
http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/4-1/user/guide/CSMUserGuide_wrapper/vpipsec.html
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-10-2014 12:10 AM
Hi, actually, I am configuring remote access with the IPsec protocol. So with IPsec, we do not need to create the ISAKMP phase 1 policy again, right?
07-10-2014 12:13 AM
Remember that IKEv1 policy defines:
- authentication method (PSK/RSA)
- encryption
- hashing
- DH group
If all of those agree for remote access and L2L, then you do not need to add new policies.
IKEv2 policies instead have sets of acceptable algorithms in a single policy (devices pick the "best" from those proposed).
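The four-parameter comparison described in the reply above, as an added example that is not part of the original thread: a short Python check that reads the IKEv1 policy blocks from an ASA running-config excerpt and reports which existing policies already match the proposal the remote access clients will send. The sample config and the `ra` proposal are constructed, and the function names are hypothetical; it assumes each policy block lists all four parameters explicitly.

```python
import re

# Constructed sample of an ASA running-config excerpt (not from the thread).
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption 3des
 hash md5
 group 5
"""

# The parameters the reply lists as defining an IKEv1 policy.
FIELDS = ("authentication", "encryption", "hash", "group")

def parse_ikev1_policies(config):
    """Return {priority: {field: value}} for each IKEv1/ISAKMP policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto (?:ikev1|isakmp) policy (\d+)\s*$", line)
        if head:
            current = policies.setdefault(int(head.group(1)), {})
        elif current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2 and parts[0] in FIELDS:
                current[parts[0]] = parts[1]  # lifetime etc. are ignored
        else:
            current = None  # left the policy block
    return policies

def matching_policies(policies, wanted):
    """Priorities (lowest first) whose four parameters all equal `wanted`."""
    return sorted(p for p, v in policies.items()
                  if all(v.get(f) == wanted[f] for f in FIELDS))

if __name__ == "__main__":
    # Hypothetical proposal the remote access clients are expected to use.
    ra = {"authentication": "pre-share", "encryption": "aes-256",
          "hash": "sha", "group": "2"}
    hits = matching_policies(parse_ikev1_policies(SAMPLE_CONFIG), ra)
    print("reuse existing policy" if hits else "add a new policy", hits)
```

An empty result means no existing policy agrees on all four parameters, which is the case where a new policy has to be added.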
07-10-2014 01:33 AM
Hi,
If you are using IPsec as the Remote Access VPN protocol, then you don't have to create new ISAKMP profiles unless the ones present are not negotiating with the client.
Hope that helps.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
07-10-2014 01:40 AM
Yeah, thanks, I will try with your explanation.